FISTT

Privacy Policy

Last updated: 8 May 2026

Your privacy matters to us. This Policy explains in clear terms what personal data we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have over it. Please read it carefully.

1. Introduction and Scope

FISTT (“we”, “our”, or “us”) operates a technology platform that connects clients with independent experts for live video, audio, and chat consultations. This Privacy Policy (“Policy”) applies to all personal data we collect and process when you use:

  • The FISTT mobile application for clients (available on iOS and Android);
  • The FISTT Expert mobile application (available on iOS and Android);
  • The Companion Web App at fisttapp.com/talk;
  • The website fisttapp.com.

This Policy applies to all users of the Platform, including clients seeking consultations, experts offering services, and visitors to fisttapp.com.

This Policy is drafted in compliance with the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023 (“DPDP Act”), to the extent applicable and in force.

This Policy forms part of and should be read alongside our Terms & Conditions. Capitalised terms not defined in this Policy have the meanings given in the Terms & Conditions.

2. Identity of the Data Fiduciary

The entity responsible for the collection and processing of your personal data (“data fiduciary” as defined under the DPDP Act) is:

FISTT
Email: support@fisttapp.com
Website: fisttapp.com
Address: India

For privacy-specific enquiries or to exercise your data rights, please contact our Grievance Officer as set out in Section 14.

3. Personal Data We Collect

We collect the following categories of personal data from you:

3.1 Identity and Account Data

  • Full name
  • Email address
  • Mobile phone number
  • Profile photograph (optional but recommended)
  • Date of birth (to verify age eligibility)
  • Securely hashed account password

3.2 Expert Profile Data (Experts only)

  • Professional credentials, qualifications, degrees, and certifications
  • Areas of expertise and professional biography
  • Government-issued identity document (for KYC verification — stored securely, not displayed publicly)
  • Bank account number and IFSC code, or UPI identifier (for processing earnings payouts)
  • Consultation fee per minute and availability schedule

3.3 Session Data

  • Session metadata: start time, end time, duration, and session type (video, audio, or chat)
  • Session Code generated for Companion Web App access
  • In-session text chat messages and any files shared during a Session
  • Post-session ratings and written reviews

3.4 Payment and Financial Data

  • Transaction amounts, currency, and timestamps
  • Razorpay order identifiers and payment reference numbers
  • Wallet balance and transaction history
  • Expert payout records and bank/UPI details

Important: FISTT does not store full payment card numbers, CVV codes, OTPs, or net banking credentials. All payment card and bank transaction data for client payments is processed directly and securely by Razorpay Software Private Limited, a PCI-DSS certified payment aggregator, in accordance with their own privacy policy.

3.5 Device and Technical Data

  • Device type, model, manufacturer, and operating system version
  • FISTT application version
  • Internet Protocol (IP) address
  • Browser type and version (Companion Web App users)
  • Push notification device token
  • Unique device identifiers (as permitted by platform OS policies)

3.6 Usage and Behavioural Data

  • Features used and screens viewed within the Application
  • Expert search queries and filters applied
  • Expert profiles viewed or saved
  • Session history and frequency of Platform use
  • Time spent in the Application

3.7 Communications Data

  • Messages exchanged with FISTT customer support
  • Feedback, bug reports, and survey responses

3.8 Sensitive Personal Data

Under Rule 3 of the SPDI Rules, 2011, certain categories of personal data are classified as “sensitive personal data or information” (SPDI). To the extent that your use of the Platform involves the following categories, FISTT collects and processes them solely with your consent and subject to heightened security measures:

  • Financial information: Expert bank account and UPI details collected for payout processing.
  • Health information: In the event you use the Platform for health or wellness related consultations, information disclosed during such Sessions may constitute health data. FISTT does not actively request health data; any health information shared is done voluntarily by the User during a Session.

FISTT does not collect passwords in plain text, biometric data, or information relating to sexual orientation as SPDI.

4. How We Collect Personal Data

We collect personal data through the following means:

  • Directly from you: When you register an account, complete your profile, book or conduct a Session, make a payment, contact our support team, submit a rating or review, or respond to surveys.
  • Automatically: When you use the Platform, through server logs, session analytics, device identifiers, and similar technical means. This includes data collected through Supabase and LiveKit infrastructure.
  • From third-party authentication providers: If you choose to register or sign in using a third-party account (such as Google or Apple Sign In), we receive basic profile information (name, email address) from that provider, subject to your consent and that provider’s privacy settings.
  • From payment processors: Transaction confirmation data from Razorpay following payment or payout processing.

5. Purposes of Processing and Legal Basis

We process your personal data for the following specific purposes, on the corresponding legal bases:

5.1 Service Delivery (Contract Performance)

  • Creating, verifying, and managing your account;
  • Displaying Expert profiles and enabling Client-Expert matching;
  • Facilitating, connecting, and supporting live Sessions;
  • Processing Client payments through Razorpay;
  • Processing Expert payouts via bank transfer or UPI;
  • Sending transactional notifications (session confirmations, receipts, payout updates);
  • Providing customer support and resolving disputes.

5.2 Safety, Fraud Prevention and Platform Integrity (Legitimate Interests)

  • Verifying Expert identity and professional credentials (KYC);
  • Detecting, investigating, and preventing fraudulent transactions, chargebacks, and abuse of the Platform;
  • Monitoring for violations of our Terms & Conditions and Prohibited Conduct policy;
  • Maintaining audit logs for security and dispute resolution purposes.

5.3 Legal and Regulatory Compliance (Legal Obligation)

  • Retaining financial and payment records as required under the Income Tax Act, 1961 and applicable GST legislation;
  • Responding to lawful requests from courts, law enforcement agencies, and regulatory authorities;
  • Complying with obligations under the IT Act, 2000 and rules made thereunder;
  • Issuing TDS certificates and tax reports to Experts as required by law.

5.4 Platform Improvement (Legitimate Interests)

  • Analysing aggregated and anonymised usage patterns to improve the Platform’s features, performance, and user experience;
  • Conducting internal research and development.

5.5 Marketing and Communications (Consent)

  • Sending promotional offers, product updates, and newsletters to Users who have opted in.

You may withdraw consent to marketing communications at any time by using the unsubscribe link in any marketing email or by updating your notification preferences within the Application. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal.

5.6 Sensitive Personal Data (Explicit Consent)

Where we process sensitive personal data (financial information or health information as described in Section 3.8), we do so only with your explicit prior consent, obtained at the time of data collection, and for the purposes described above.

6. Disclosure and Sharing of Personal Data

We do not sell, rent, or trade your personal data to third parties for their own commercial purposes. We share your personal data only in the following circumstances:

  • Between Platform Users: Your display name and profile photograph are visible to other participants in any Session you join. Expert profiles, including name, professional biography, areas of expertise, consultation fees, and aggregate ratings, are visible to all Client users of the Platform.
  • Sub-processors: We share personal data with third-party service providers who process it on our behalf under binding contractual confidentiality and data protection obligations. See Section 7 for full details.
  • Legal and regulatory requirements: We may disclose personal data where required to do so by applicable law, binding court order, or at the request of a competent law enforcement agency or regulatory authority, including in response to lawful requests under the IT Act, 2000, the Code of Criminal Procedure, 1973, or other applicable Indian legislation. We will, to the extent legally permissible, notify you of such requests.
  • Business transfers: In the event of a proposed or completed merger, acquisition, corporate restructuring, or sale of all or substantially all of FISTT’s assets, your personal data may be disclosed to prospective acquirers and transferred as part of the transaction, subject to confidentiality obligations and, where required by applicable law, prior notice to you.
  • Protection of rights and safety: We may disclose personal data where we reasonably believe disclosure is necessary to protect the safety, rights, or property of any person, to prevent fraud, or to enforce our Terms & Conditions.

7. Third-Party Sub-Processors

We use the following carefully selected sub-processors to operate and deliver the Platform. Each processes personal data only on our documented instructions, under contractual data processing obligations, and only to the extent necessary for their specific function.

LiveKit, Inc. (United States)

Role: Real-time video, audio, and data channel infrastructure for Sessions.
Data processed: Audio and video streams during Sessions; Session connectivity metadata (e.g., connection quality, join/leave events).
Note: Live audio and video streams are transmitted through LiveKit’s infrastructure but are not stored by LiveKit beyond what is necessary for real-time transmission. FISTT does not record Session audio or video.
Transfer safeguard: Contractual data processing agreement incorporating appropriate transfer protections.

Supabase, Inc. (United States)

Role: Cloud database hosting, user authentication, encrypted file storage, and serverless edge function execution.
Data processed: All application data as described in Section 3, except payment card data handled by Razorpay.
Transfer safeguard: Contractual data processing agreement incorporating appropriate transfer protections.

Razorpay Software Private Limited (India)

Role: Payment aggregation and transaction processing for Client payments; payout processing for Expert earnings.
Data processed: Payment transaction data, order identifiers, Client payment method information, and Expert bank/UPI details for payouts.
Regulatory status: Licensed by the Reserve Bank of India as a payment aggregator. Governed by Razorpay’s Privacy Policy for data processed in their capacity as a data controller for payment compliance purposes.

Google LLC / Firebase (United States)

Role: Push notification delivery to mobile devices.
Data processed: Device push notification tokens and notification payload content (e.g., session alerts, support messages).
Transfer safeguard: Contractual data processing agreement incorporating appropriate transfer protections.

Apple Inc. (United States) / Google LLC (United States)

Role: Application distribution through the Apple App Store and Google Play Store.
Data processed: As per their respective privacy policies and app distribution agreements. FISTT does not have direct access to payment data from in-app purchases processed by Apple or Google.

8. Retention of Personal Data

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected and to comply with our legal, regulatory, and contractual obligations. Our standard retention periods are:

  • Account and profile data: Retained for the duration of your active account and for two (2) years following account deletion or permanent suspension, to support fraud prevention, dispute resolution, and regulatory compliance.
  • Session metadata (duration, timestamps, participants): Two (2) years from the date of the Session.
  • In-session chat messages and shared files: Ninety (90) days from the date of the Session, after which they are permanently deleted unless you request earlier deletion or applicable law requires longer retention.
  • Payment and transaction records: Seven (7) years from the date of each transaction, as required for compliance with the Income Tax Act, 1961, applicable GST legislation, and financial audit requirements.
  • Expert KYC documents: For the duration of the Expert’s active account and two (2) years following account termination.
  • Push notification tokens: Until you log out, uninstall the Application, or until one (1) year of account inactivity, whichever occurs first.
  • Customer support communications: Three (3) years from the date of the relevant communication.
  • Server logs and audit logs: Two (2) years.

After the applicable retention period, personal data is securely and permanently deleted or irreversibly anonymised. Anonymised, aggregated data (which can no longer identify any individual) may be retained indefinitely for analytics and research purposes.

9. Security of Personal Data

We implement industry-standard technical and organisational security measures designed to protect your personal data from unauthorised access, use, disclosure, alteration, and destruction. Our security practices include:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS 1.2 or higher);
  • Encryption at rest: Sensitive data stored in our database infrastructure, including KYC documents and financial details, is encrypted at rest;
  • Access controls: Strict role-based access controls ensure that only authorised FISTT personnel with a legitimate business need can access personal data;
  • Authentication: Secure authentication mechanisms including token-based session management;
  • Vendor security: All sub-processors are contractually required to maintain appropriate security standards;
  • Incident response: We maintain documented procedures for identifying, assessing, and responding to personal data breaches.

These measures are maintained in accordance with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Despite these measures, no method of data transmission over the internet or electronic storage system is completely secure. We cannot guarantee absolute security. In the event of a personal data breach that is reasonably likely to cause harm to affected Users, we will notify those Users and the appropriate authorities as required by applicable law, within the timeframes prescribed.

You are responsible for maintaining the confidentiality of your account credentials. Please notify us immediately at support@fisttapp.com if you believe your account has been compromised.

10. Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023, the IT Rules, 2011, and other applicable Indian law, you have the following rights in respect of your personal data. To exercise any of these rights, please contact us at support@fisttapp.com. We will acknowledge your request within seven (7) days and respond within thirty (30) days. We may need to verify your identity before processing your request.

10.1 Right to Access

You have the right to obtain a summary of the personal data we hold about you and a description of the purposes for which it is being processed. You can access and review much of your account data directly within the Application.

10.2 Right to Correction and Completeness

You have the right to request that we correct personal data that is inaccurate, incomplete, or out of date. For most account information (name, email, profile photo), you can make corrections directly within the Application settings.

10.3 Right to Erasure

You have the right to request the erasure of personal data that is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other lawful basis for processing. We will comply with valid erasure requests subject to our legal obligations to retain certain data (see Section 8) and our legitimate interests in fraud prevention. Following a valid deletion request, your personal data will be erased within thirty (30) days, subject to applicable retention obligations.

10.4 Right to Data Portability

You have the right to receive a copy of personal data you have provided to us in a structured, commonly used, and machine-readable format, where technically feasible. You may also request that we transmit that data to another data fiduciary where doing so is technically feasible.

10.5 Right to Withdraw Consent

Where we process your personal data on the basis of your consent (including for marketing communications or for the processing of sensitive personal data), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent to marketing communications within the Application notification settings or by clicking “Unsubscribe” in any marketing email.

10.6 Right to Nominate

Under the DPDP Act, 2023, you may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. To register a nominee, please contact us at support@fisttapp.com.

10.7 Right to Grievance Redressal

You have the right to raise a complaint with our Grievance Officer regarding any aspect of our personal data processing. See Section 14 for contact details. If you are not satisfied with the resolution provided by FISTT, you may escalate your complaint to the Data Protection Board of India (once constituted and operational under the DPDP Act) or such other competent authority as may be prescribed.

11. Cookies and Similar Technologies

11.1 Website and Companion Web App

The FISTT website (fisttapp.com) and Companion Web App (fisttapp.com/talk) use the following technologies:

  • Essential session storage: We use sessionStorage in your browser to store your Session authentication token and Session Code for the duration of your browser session. This data is cleared automatically when you close the browser tab. This is strictly necessary for the Companion Web App to function.
  • Essential cookies: We may set minimal essential cookies required to maintain the security and functionality of your session on the website. These cookies do not track you across websites and are not used for advertising.

We do not use advertising cookies, behavioural tracking cookies, or third-party analytics cookies on our website. We do not serve targeted advertising.

You can control cookie behaviour through your browser settings. Please note that disabling essential cookies may prevent the Companion Web App from functioning correctly.

11.2 Mobile Application

The FISTT mobile Application does not use browser cookies. The Application stores your authentication token and user preferences in secure local device storage (using the operating system’s secure storage APIs). This data remains on your device and is not accessible to other applications.

12. Children's Privacy

The Platform is not directed at or intended for use by children under 13 years of age. We do not knowingly collect or solicit personal data from any person under 13.

If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will take immediate steps to delete that data from our systems and terminate the associated account.

If you are a parent or legal guardian and believe that a child under 13 in your care has provided personal data to FISTT without your consent, please contact us immediately at support@fisttapp.com.

13. Cross-Border Transfers of Personal Data

To deliver the Platform, we use sub-processors including LiveKit, Inc. and Supabase, Inc. which are headquartered in the United States and may store and process personal data on servers located outside India.

By using the Platform, you acknowledge that your personal data may be transferred to and processed in countries other than India. We take steps to ensure that appropriate contractual safeguards and protections are in place for such transfers, consistent with the requirements of applicable Indian data protection law including the DPDP Act, 2023 (as and when the relevant provisions come into force). These safeguards include binding data processing agreements with our sub-processors that require them to protect personal data to a standard consistent with Indian law.

Your financial data for Client transactions is processed by Razorpay, which is India-based and subject to RBI regulations.

14. Grievance Officer and Data Protection Contact

In accordance with the Information Technology Act, 2000, the SPDI Rules, 2011, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, FISTT has designated a Grievance Officer to handle complaints and enquiries relating to the processing of personal data and the operation of this Policy.

Grievance Officer: FISTT Support Team
Designation: Grievance Officer, FISTT
Email: support@fisttapp.com
Address: India
Available: Monday to Friday, 10:00 AM – 6:00 PM IST (excluding public holidays)

FISTT will acknowledge all privacy complaints within thirty-six (36) hours of receipt and will endeavour to resolve them within thirty (30) days.

If you are dissatisfied with our response, you may escalate your complaint to:

  • The Data Protection Board of India, once constituted and operational under the Digital Personal Data Protection Act, 2023;
  • The appropriate consumer forum under the Consumer Protection Act, 2019; or
  • Such other authority having jurisdiction under applicable law.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or the Platform’s features. We will notify you of material changes by:

  • Updating the “Last updated” date at the top of this page;
  • Posting a notice within the Application; and/or
  • Sending an email notification to the address registered with your account, where the changes are significant.

Your continued use of the Platform after the effective date of the revised Policy constitutes your acceptance of the changes. If you do not agree with any changes, you must stop using the Platform and may request account deletion in accordance with your rights under Section 10.3.

We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us at:

FISTT
Email: support@fisttapp.com
Website: fisttapp.com