Privacy Policy

The Service is operated by Suraj Wadje, a sole proprietor in India, who is the “data fiduciary” under India's Digital Personal Data Protection Act, 2023 (“DPDP Act”) for personal data processed through this Service.

Contact for any privacy question, complaint, or rights request: support@inrok.in.

This Policy applies to the inrok.in marketing site, the dashboard at app.inrok.in, and the zrok controller we operate on infrastructure inside India.

• Account data — email address, display name, password hash (Argon2id). Used to authenticate you, recover access, and send transactional email about your account.
• Service data — Tunnel names, configurations, zrok account tokens and metadata. Used to operate Tunnels on your behalf.
• Usage data — bandwidth bytes per Tunnel and per Account, request counts, monthly cycle markers. Used to enforce the 100 GiB beta cap and to size the Service.
• Operational logs — IP address, user agent, timestamps, API request paths and response status. Used for security investigation, audit, and SOC 2 controls.
• Audit log — immutable record of account mutations and authentication events. Used for security review and to satisfy regulatory record-keeping requirements.
• Email engagement metadata — delivery, bounce, and complaint status returned by our email provider. Used to maintain deliverability of transactional mail.

We do not inspect, store, or analyse the payload of traffic passing through your Tunnels. The Service routes packets; it does not perform deep packet inspection, content scanning, or advertising profiling. Only the operational metadata listed above is retained.

We process your personal data on the basis of (a) your consent at signup and via the cookie banner where applicable, and (b) contractual necessity to deliver the Service you have requested. Some processing — security logging, abuse defence, fraud prevention — is performed on the legitimate-interest grounds permitted by §7 of the DPDP Act.

We share personal data with a small number of subprocessors that provide infrastructure for the Service. Each is contractually bound to confidentiality and to processing data only on our instructions.

• Google Cloud Platform (GCP) — Cloud Run hosts the dashboard and Cloud SQL hosts the SaaS database, both in the GCP Mumbai region. Primary data residency: India.
• Cloudflare (free tier) — CDN and DDoS protection for inrok.in and app.inrok.in. Traffic through user Tunnels does NOT route through Cloudflare.
• ZeptoMail (Zoho) — transactional email delivery (signup verification, password reset, account notifications). Receives email address and display name only.
• zrok controller and frontends — operated by us on Indian VPS infrastructure on top of the OpenZiti network. No additional third-party processor for tunnel traffic.
• Microsoft Clarity (Microsoft Corporation) — behavioural analytics on the marketing site: heatmaps, anonymized session recordings, click and scroll telemetry. Processed on Microsoft Azure infrastructure (global). Only loaded when you accept analytics on the cookie banner. Subject to the Microsoft privacy statement and the Clarity terms of use.

Razorpay will be added as a payment processor when paid plans launch in a future release; this Policy will be updated before any billing data is collected.

• Account data — retained while your Account is active; deleted within 30 days of Account deletion (a 30-day soft-delete window allows you to recover an accidentally deleted Account).
• Service and usage data — retained for 90 days after collection (sufficient for monthly-cycle reconciliation and recent-history debugging), then deleted.
• Operational logs — retained for 90 days for security investigation; longer retention only on legal hold.
• Audit log — retained indefinitely (immutable, required for SOC 2 controls). On Account deletion, user identifiers are redacted (your userId becomes deleted-<id>) so the audit trail remains valid without retaining your personal identifiers.
• Email engagement metadata — retained for 30 days, then summarized to aggregate bounce / complaint counts.

• Access and correction (§11) — request a copy of the personal data we hold about you or ask us to correct inaccuracies. Email support@inrok.in; we respond within 30 days.
• Erasure (§11) — request deletion of your Account and personal data. Email support@inrok.in. A self-service deletion flow is in development.
• Data portability — request an export of your Account data. We provide a JSON + CSV bundle on request. A self-service export flow is in development.
• Withdraw consent — delete your Account to withdraw consent for Account-level processing, or revisit the cookie banner via the “Cookie preferences” link in the footer to revoke consent for analytics cookies.
• Grievance redressal — email support@inrok.in. If your concern is not resolved within 30 days, you may escalate to the Data Protection Board of India under §27 of the DPDP Act.

Essential cookies (no consent required)

• A session cookie on app.inrok.in — httpOnly, secure, SameSite=Lax — required to keep you signed in. We cannot deliver the Service without it.
• inrok_cookie_consent on inrok.in — a first-party cookie storing your banner choice for 365 days, so we do not re-prompt you on every page.

Analytics cookies (consent-gated)

Microsoft Clarity sets two cookies on the marketing site only if you click Accept analytics on the cookie banner:

• _clck — persistent (about one year), correlates your visits so Clarity can compute aggregate heatmaps without re-counting the same browser.
• _clsk — session (about one day), groups events into a single browsing session.

Selecting Reject — essential only suppresses Clarity entirely. You can change your choice at any time via the Cookie preferences link in the footer.

No advertising cookies

We do not run ad networks, retargeting pixels, or third-party marketing trackers.

Primary data is hosted in GCP Mumbai (India). Cloudflare, ZeptoMail, and Microsoft Clarity may process metadata through global infrastructure (Cloudflare's edge network, Zoho's hosting region, Microsoft Azure). Each is subject to their respective data-processing agreements. As of the “Last updated” date above, none of these processors is listed on the Government of India's restricted-country list under §16 of the DPDP Act.

The Service is not directed at users under 18 years of age. If we learn that we have collected personal data from a person under 18, we will delete it.

• Passwords are hashed with Argon2id.
• All connections to the Service use TLS 1.2 or higher.
• Sensitive fields (for example, your stored zrok account token) are encrypted at rest with AES-256-GCM.
• Authentication, account mutation, and security events are recorded in an immutable audit log.
• We follow SOC 2 controls as a building block toward formal certification once the Service exits beta.

Material changes will be communicated by email or in-product notice; minor edits are reflected here with the “Last updated” date above. The commit history of the file apps/marketing/src/app/privacy/page.tsx in our public repository is the audit trail of every change.

Privacy questions, rights requests, complaints: support@inrok.in.