- 00TL;DR — the short version
- 01Who we are (Data Fiduciary)
- 02What we collect
- 03Lawful basis for processing
- 04How we use it
- 05How the AI works with your data
- 06Who we share it with (Data Processors)
- 07Your rights as a Data Principal
- 08How long we keep it
- 09Cookies & storage
- 10Children (DPDP § 9)
- 11How we protect it
- 12Grievance Officer (IT Rules 2021)
- 13Changes to this policy
- 14Contact us about privacy
TL;DR — the short version
What we collect, in plain words.We’re an AI music-search engine — you describe a moment, we suggest songs and link you to the platforms that actually play them. We don’t host audio. Most of what we store is the prompts you type, the songs you tap, and what helps the AI get smarter for you.
- We collect: account info, search + playback history, device + IP basics, support messages, and your feedback.
- We don’t collect: your phone contacts, your microphone, audio you record, or any payment details — nothing on Gaana Bta costs money right now.
- We never sell your data. We do show ads (via Ezoic) and use Google Analytics — both only run if you say yes in the cookie banner.
- We’re in beta. Your usage data and feedback are used to debug and improve the platform — anonymised wherever feasible.
- We use AI (existing third-party model providers — we haven’t built our own model) on your prompts to score song matches. An in-app opt-out toggle isn’t built yet — email privacy@gaanabta.com to opt out.
- You have rights under the Digital Personal Data Protection Act, 2023 — access, correct, erase, nominate, withdraw consent. We honour all of them.
Who we are (Data Fiduciary)
The operator of gaanabta.com · New Delhi, India.For the purposes of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Data Fiduciary for Gaana Bta is:
(individual, sole-proprietorship basis —
no company incorporated yet)
India
(privacy point of contact)
Gaana Bta is currently a beta experiment run by an individual operator — Indian law does not require a registered company to operate an online service, and all obligations under the DPDP Act, the IT Act 2000, and the IT Rules 2021 are honoured by the operator personally. If a company or LLP is later incorporated to run the service, this policy will be updated and you will be notified (§ 13 — Changes).
You are the Data Principal — the natural person whose Personal Data we process. This policy explains how we do that, what your rights are, and how to enforce them.
What we collect
Account, usage, device, support tickets.We collect four kinds of Personal Data:
Email, bcrypt-hashed password, display name (optional), preferred language, account creation timestamp, IP at signup, verification status. Names & usernames are not visible to other users by default.
Your search prompts, songs you tap, deep-links you open (Spotify / YouTube / Apple Music / JioSaavn / Gaana / Wynk), saved tracks, timestamps. This is what trains the AI to find better songs for you.
Browser / OS, screen size, approximate location (city + state, from IP — not GPS), and referrer info. We don’t use device-fingerprinting for tracking.
If you submit a contact-us ticket — your message, reply email, conversation history. Anonymous tickets are tied only to that email; logged-in tickets attach to your account. Ticket content may be processed by AI for summaries, analysis, and automated replies (see § 5).
We do not intentionally collect “sensitive personal data” as defined in Rule 3 of the SPDI Rules, 2011 (financial details, biometrics, health, sexual orientation, caste, religion). If you submit such data inside a support ticket, we treat it under the heightened safeguards in § 9 of the DPDP Act.
Lawful basis for processing
Consent and "legitimate uses" under §§ 6–7, DPDP Act.Under the DPDP Act, we may process Personal Data only on a lawful basis. We rely on two:
- Consent (§ 6). Clear, specific, informed, and unambiguous — given when you create an account or accept a cookie category. You can withdraw consent at any time via Cookie preferences in the footer (for analytics / ads) or by emailing privacy@gaanabta.com (for everything else); withdrawal is as easy as granting was.
- Certain legitimate uses (§ 7). For example: voluntary sign-up to use the service, security/fraud prevention, compliance with Indian law, responding to a Government request, and emergencies.
Where we rely on consent, we ask separately for each purpose. Refusing a non-essential purpose (e.g. AI training) does not degrade your core search experience.
How we use it
AI matching, account safety, support, legal.The data above powers six things, in this order of weight:
- AI song matching. Your prompt is interpreted (mood, language, scene, lyric meaning) against our song index. We log the result to learn what worked.
- Improving the beta. While Gaana Bta is in beta, your feature usage, playback behaviour, crash / error reports, and the feedback you send us are analysed — anonymised or aggregated wherever feasible — to find bugs, tune performance, and decide what to build next. This is a condition of participating in the beta (see Terms § 3).
- Personal recommendations. Your taste graph (what you tap, what you save) refines the model just for you. Stays on your account.
- Support. If you wrote a ticket, we read and reply — by email for anonymous users (magic-link), in-app for logged-in users. AI assists here: tickets may be automatically summarised, categorised and analysed, and some replies may be drafted or sent by AI (see § 5). You can always escalate to a human by replying.
- Safety & abuse. Rate-limiting, spam detection, banning ToS-violating accounts. We log IPs to defend against abuse.
- Legal compliance. Responding to lawful requests under § 91 CrPC, § 35 of the DPDP Act, and fraud investigations. We push back on anything that looks like overreach.
How the AI works with your data
Prompt → meaning vector → match. Email us to opt out.Our search is an embedding-based meaning matcher. When you type “first crush, college vibe”, we convert your prompt to a meaning vector, score every indexed song against it, and rank by mood / tempo / language / lyric fit.
We have not built our own AI model. Gaana Bta relies on existing third-party AI model providers for embeddings and prompt interpretation. Prompts sent to those providers are anonymised — account identifiers are stripped first — and the providers process them under their own terms as our Data Processors.
But note: prompts are stored on our servers linked to your account. Anonymisation applies to what leaves for the AI provider — on our side, your search prompts and search-job records stay tied to your account for search-credit accounting, your search history, and abuse prevention. They follow the account retention schedule in § 8 and are included in your data export and account deletion.
Your prompts may be used to improve the service — but only in an anonymised, aggregated way. An in-app opt-out toggle is not built yet (it’s on the beta roadmap). Until it ships, email privacy@gaanabta.com from your account email and we will exclude your prompts manually — without any loss of search quality.
Your rights as a Data Principal
Access · correct · erase · nominate · grievance.The DPDP Act, 2023 (§§ 11–14) grants you the following rights. We honour each, free of charge, within the statutory timelines:
A summary of the Personal Data we process and the third parties we have shared it with. Download as JSON from Profile → Data & export.
Edit your email, language preference, display name. Inaccurate or incomplete data — request correction; we act within 7 days.
Delete your account and Personal Data. Some records (tax, fraud, court orders) we must retain by law — we tell you which and for how long.
Nominate another individual to exercise your rights if you die or become incapacitated.
Withdraw any consent at any time. As easy as granting it. Processing already done remains lawful.
Reach our Grievance Officer (see § 12 below) for any complaint. We acknowledge within 24 h and resolve within 15 days.
Anonymous users. If you only used the contact form without an account, email privacy@gaanabta.com from the same address — we’ll find the records and act on your request.
If we don’t resolve it. You may approach the Data Protection Board of India (§ 18, DPDP Act) at dpb.gov.in for adjudication.
How long we keep it
Account: while active. Tickets: 1 year. Logs: 90 days.Different data has different retention rules. We delete by category, on a rolling schedule:
- while account activeAccount info, taste graph, saved tracks
- while account activeSearch prompts & search-job records (tied to your account for credit accounting + history; anonymised before any AI provider sees them)
- + 30 days after deleteRecoverable in case of accident
- 1 yearSupport tickets, conversation history
- 90 daysRequest logs, IP addresses, abuse traces
- 180 daysCommunication records under Rule 4(2)(a), IT Rules 2021 (for Significant Social Media Intermediaries — pre-emptive compliance)
- indefiniteAnonymised aggregate stats (no Personal Data)
Children (DPDP § 9)
Under 18 needs verifiable parental consent in India.Gaana Bta is intended for users aged 13 and older. Under § 9 of the DPDP Act, Personal Data of a child (anyone under 18 in India) may be processed only with the verifiable consent of a parent or lawful guardian.
We will not:
- process a child’s data in a way likely to cause detrimental effect on their well-being;
- knowingly direct tracking, behavioural monitoring, or targeted advertising at children;
- knowingly collect data from anyone under 13.
If you believe a child has signed up without parental consent, email privacy@gaanabta.com — we delete the account within 7 days.
How we protect it
Encrypted at rest + in transit. Least-privilege access.We follow the “reasonable security practices and procedures” standard under § 8(5) of the DPDP Act + Rule 8 of the SPDI Rules 2011 (ISO/IEC 27001-aligned). Specifically:
- Data is encrypted at-rest (AES-256) and in-transit (TLS 1.3).
- Passwords are hashed with bcrypt; we never see plaintext.
- The admin panel hard-locks PII — even super admins cannot see your name, last name, or password (only a masked email).
- Automated security scanning (static analysis, dependency CVE checks, secret detection) runs on every code change. During the beta we do not yet run a formal third-party audit programme or a bug bounty — if you find a vulnerability, please report it to grievance@gaanabta.com.
Breach notification. Under § 8(6) of the DPDP Act, if a personal-data breach occurs we will notify the Data Protection Board of India and the affected Data Principals in the form and manner prescribed by the Board. CERT-In notification under the 6-hour rule (CERT-In Direction 20(3)/2022) is honoured separately.
Grievance Officer (IT Rules 2021)
Acknowledge in 24 h · resolve in 15 days.As required by Rule 3(2)(a) of the IT (Intermediary Guidelines) Rules, 2021 and § 13 of the DPDP Act 2023, we publish the contact details of our Grievance Officer below. The Grievance Officer acknowledges receipt of a complaint within 24 hours and disposes of it within 15 days.
Changes to this policy
We email everyone 30 days before any material change.We may update this policy as we add features or comply with new law. For material changes (anything that affects what we collect, how we use it, or who we share it with), we email every registered user at least 30 days before the change takes effect.
The latest version is always at this URL. Past versions are archived at gaanabta.com/legal/archive.
Contact us about privacy
privacy@gaanabta.com · response within 7 days.For any privacy-specific question, request, or complaint, write to our Data Protection Officer:
New Delhi
India
dpb.gov.in
We reply to every privacy request within 7 days, with a substantive resolution within 30 days (DPDP timeline for grievance redressal under § 13). If we can’t act on your request, we tell you why and what your appeal options are.
This policy is alive.
Tell us if anything’s unclear.
We rewrite this whenever we find a paragraph that sounds like a lawyer wrote it. Spotted one? Let us know — we’ll fix it and credit you in the changelog.