AKSHO
Privacy policy
Effective 26 June 2026
Who we are
Aksho is operated by Rajdatta Sakharam Sawant, a sole proprietor carrying on business as "Aksho" (Udyam Registration No. UDYAM-MH-31-0061037), with registered office at 982, Gangai, Bhatwadi Road, Kanduli, Kaleli, Kudal, Sindhudurg, Maharashtra 416519, India ("we", "us", "our").
For privacy questions, contact support@aksho.in.
1. The short version
- Aksho is a private workspace for India's photographers and content creators.
- Your studio business records are end-to-end encrypted on your device. We cannot read them. That data is unlocked only with your password or PIN, which we never hold.
- We do hold some account and operational information (like your email, studio name, phone, and login activity) that we can read, because we need it to run the Service.
- We do not sell your data, show you ads, or run advertising trackers.
- Your data is stored in India (Mumbai). Some operational metadata is handled by service providers located outside India (listed in Section 6).
- You have rights over your personal data (Section 11), and a Grievance Officer to contact (Section 12).
2. Scope
This policy applies to personal data we process when you use Aksho (the
web app at app.aksho.in and the Android
application com.tryaksho.app). Aksho is offered in India only.
3. The personal data we process
| Category | Includes | Can we read it? |
|---|---|---|
| Authentication | Email, password (Argon2id hash), MFA secret (encrypted), wrapped encryption-key envelopes | No — hashed / wrapped |
| Account profile | Studio name, name, phone, account status, push token | Yes — to operate your Account |
| Signup request | Name, studio, email, phone while pending approval | Yes |
| Studio business data | Clients, shoots, expenses, vendors, equipment, payments, notes, attachments | No — end-to-end encrypted |
| Friends Network | Connected studios, pending requests (names, emails) | Yes — visible to both parties |
| Shoot assignments | Event date, type, location, free-text "about the client" line, notes, quote | Yes — excludes client identifying details by design |
| Payment & billing | Razorpay customer / subscription IDs, status, billing dates | Yes — references and status only, never card / UPI / bank credentials |
| Crash & technical | Stack traces, device model, OS version, app version | Yes — via crash-reporting provider |
| Authentication logs | Sign-in timestamps and IP addresses | Yes — short retention |
What we do not collect: your browsing history outside
the app, your contacts list, precise GPS location, photos beyond those
you explicitly attach, advertising analytics, or
microphone / camera / calendar access. The Android app declares only the
INTERNET permission.
4. How your end-to-end encryption works
Your studio business data is encrypted on your device using a key that exists only on your device and is protected by your password and your 6-digit PIN. We store only an opaque encrypted envelope. We, and our database provider, can store, replicate, and back up that envelope but cannot decrypt or read its contents without your password or PIN — which we never receive or store.
Two consequences: (a) we cannot recover this data for you if you forget both your password and PIN (or your PIN, if you have enabled PIN-only mode) — so keep them safe and export backups via Reports → Export; and (b) the “we can't read it” promise covers your studio business data, not the operational metadata in Section 3 that we need in readable form to run the Service.
5. Why we process your data, and our legal basis
We process your data to: create and manage your Account; provide the Service and its features (including the Friends Network you choose to use); process payments and activation; send transactional emails and (on Android, with your permission) push notifications; diagnose crashes and keep the Service secure; and comply with law. Under the DPDP Act we rely on your consent and on legitimate uses such as providing the service you have voluntarily signed up for. You can withdraw consent where processing relies on it (Section 11).
6. Sharing and sub-processors
We do not sell, rent, or monetise your data, and we run no advertising or third-party tracking. We share data only with service providers (“sub-processors”) needed to run Aksho:
Supabase Inc.
Database, authentication, edge functions. Encrypted studio-data envelope + readable account metadata. India (Mumbai) for your data; US for the auth control plane.
Razorpay Software Pvt Ltd
Subscription billing and payment processing (UPI Autopay, card autopay). Name, email, phone, subscription state, payment instrument data. India (Bengaluru). Subject to RBI regulation and razorpay.com/privacy.
Vercel Inc.
Static web hosting. Serves the website files only; no studio data flows through it. Global edge.
Resend, Inc.
Transactional email. Recipient email and email content. US (migration to EU / India planned).
Google (Firebase)
Crash reporting (Crashlytics) and push (FCM). Crash diagnostics; push token. Google Cloud (region set by Google).
Expo (650 Industries)
Mobile build pipeline. Source code at build time; app signing keystore. US.
Google Play
Android distribution. Standard install analytics. Per Google.
GoDaddy.com LLC
Domain registrar / email forwarding. Domain WHOIS; forwarded email. US-managed DNS.
We maintain the current sub-processor list at aksho.in/privacy and will give 30 days' notice of material changes by email or in-app.
7. Where your data is stored, and cross-border transfers
Your encrypted studio data is stored on servers in Mumbai, India and does not leave India in normal operation. Some operational metadata, authentication control-plane data, email, crash data, and build artifacts are handled by providers located outside India (Section 6). Such transfers are presently permitted under section 16 of the DPDP Act, which allows transfer except to countries the Central Government may restrict by notification. If you sign in from outside India, a decrypted copy of your data will necessarily reside on the device you use for that session.
8. How long we keep your data
We keep your data while your Account is active. Encrypted studio data, keys, authentication records, and profiles are backed up daily and roll off provider backups within 7–30 days depending on tier. Signup-request records are retained for up to 12 months for audit. Crash reports roll off after 90 days; authentication logs after 7–30 days. On deletion (Section 11) we delete or anonymise your data as described in the Terms.
9. How we protect your data
Beyond end-to-end encryption of studio data, we use: salted Argon2id password hashing; optional multi-factor authentication (TOTP); database row-level security so each user can only access their own rows; HTTPS / TLS in transit; an idle session lock that wipes the in-memory key after 60 minutes; and least-privilege server access. We do not log the contents of your data, keys, passwords, or PINs.
10. Data breach notification
If a personal data breach occurs, we will act in line with section 8(6) of the DPDP Act: we aim to confirm scope within 24 hours, notify affected users and (as required) the Data Protection Board of India promptly, and publish a post-incident summary. Because your studio data is end-to-end encrypted, a server-side breach of that table would expose only unreadable ciphertext; readable metadata tables (e.g. profile and signup data) could, however, be exposed in such an event.
11. Your rights
As a Data Principal under the DPDP Act, you can:
- Access your data — view and export it in-app (Reports → Export to Excel).
- Correct / update — edit any record directly in the app.
- Erase / delete — email support@aksho.in from your registered email; processed within 7 working days.
- Data portability — the Excel export is a machine-readable copy.
- Withdraw consent — e.g. revoke push notification permission, or stop using the Service; uninstalling stops further processing on the device.
- Nominate — nominate someone to exercise your rights in case of death or incapacity (DPDP s.14).
- Grievance / complain — first to our Grievance Officer (Section 12); you may then approach the Data Protection Board of India.
12. Grievance redressal
If you have a concern about how we handle your data, contact our Grievance Officer:
Name: Rajdatta Sakharam Sawant
Email: admin@aksho.in
Address: 982, Gangai, Bhatwadi Road, Kanduli, Kaleli, Kudal, Sindhudurg, Maharashtra 416519, India
We will acknowledge your complaint within 48 hours. If you are not satisfied after exhausting our grievance process, you may approach the Data Protection Board of India as provided under the DPDP Act.
13. Children
Aksho is intended for adult (18+) studio owners and is not directed to children. We do not knowingly create accounts for individuals under 18. If your studio's own records include data about minors (for example, in family or event shoots), you are responsible for that data as its Data Fiduciary, and it remains end-to-end encrypted on our systems.
14. Your clients' data
Much of what you store in Aksho is information about your clients. For that data, you decide why and how it is processed, so under the DPDP Act you are the Data Fiduciary and Aksho is only an encrypted store that cannot read it. You are responsible for collecting and using your clients' data lawfully, including any notice and consent your clients are entitled to.
15. Changes to this policy
We may update this policy. For material changes we will give reasonable notice by email or in-app, and we will update the “Effective” date above.
16. Contact
Rajdatta Sakharam Sawant, trading as Aksho
982, Gangai, Bhatwadi Road, Kanduli, Kaleli, Kudal, Sindhudurg, Maharashtra 416519, India
Email: support@aksho.in