KHOJ — Privacy Policy PUBLIC DOCUMENT · DPDPA 2023 Section 5 Notice Axiomaera Private Limited | CIN: U62011MH2026PTC467707 | DPIIT: DIPP248013 Registered Office: Shop 8, Upper Ground Floor, Amenity Bldg, Ashok Astoria, Gangapur, Nashik, Maharashtra 422222, India Version: 1.0 | Effective Date: May 10, 2026 | Document Owner: Office of the Managing Director, Axiomaera Private Limited
LANGUAGE
This document is published in English. Translations will be made available in Hindi and additional Indian languages on a rolling basis. This document is currently available in English only. The English version shall prevail for all legal purposes. Any discrepancy in a future translated version is unintentional. Axiomaera respects each language and is committed to improving translation accuracy on an ongoing basis. If you notice a translation error, please report it to legal@axiomaera.com. The English version of all legal documents (Terms of Service, Privacy Policy, Data Retention Policy, Grievance Mechanism, and Methodology Disclosure) is freely accessible at khoj.axiomaera.com/legal at all times, in all circumstances, at no charge. For the KHOJ diagnostic report itself (the paid product), the report language is determined at the time of scan and additional language versions are subject to standard service fees.
TABLE OF CONTENTS
2.1 Identity of Data Fiduciary 2.2 Personal Data We Collect 2.3 Personal Data We Do NOT Collect 2.4 Purpose of Processing 2.5 Lawful Basis 2.6 Third-Party Data Sources 2.7 Data Storage and Security 2.8 Data Retention 2.9 Your Rights Under DPDPA 2023 2.10 Children's Data 2.11 Cross-Border Data Transfer 2.12 Cookies and Tracking 2.13 Changes to This Policy 2.14 Contact 2.15 Law Enforcement Access 2.16 Data Breach Notification
2.1 Identity of Data Fiduciary
For the purpose of KHOJ, Axiomaera Private Limited is the Data Fiduciary as defined under Section 2(i) of the Digital Personal Data Protection Act, 2023 ("DPDPA").
| Field | Detail |
|---|---|
| Legal Name | Axiomaera Private Limited |
| CIN | U62011MH2026PTC467707 |
| DPIIT Recognition | DIPP248013 |
| Registered Office | Shop 8, Upper Ground Floor, Amenity Bldg, Ashok Astoria, Gangapur, Nashik, Maharashtra 422222, India |
| Managing Director | Mukund Hemant Mohadikar |
| Founder & Chief Architect | Harshwardhan Mukund Mohadikar |
| Primary Domain | axiomaera.com |
| Service Domain | khoj.axiomaera.com |
| Indian Patent Application No. | 202521070192 |
For the avoidance of doubt, where these Terms refer to "we", "us", or "our", they refer to Axiomaera Private Limited acting in its capacity as Data Fiduciary.
2.2 Personal Data We Collect
We collect the following categories of personal data, only as necessary for the operation of KHOJ: 1. Email address — entered by the User for the purposes of a Scan; 2. Telephone number — entered by the User for the purposes of a Scan, where a phone-vector Scan is requested; 3. OTP verification logs — including the timestamp at which an OTP was sent, the timestamp at which it was verified, and the verification status (success/failure). The OTP value itself is not stored beyond the validity window; 4. Consent record — including the timestamp of consent, the version hash of the consent text shown to the User, the timestamp of consent acceptance, and a hashed (SHA-256) representation of the User's IP address; 5. Scan results — including the breach list returned, the ATI Score computed, and the severity classification. Retained per the Data Retention Policy; 6. Exposed Credentials — these are queried from licensed breach intelligence providers in real time and are not stored. They are rendered into the Report and the raw API response is discarded; 7. Payment information — processed by Razorpay Software Private Limited. Axiomaera does not receive or store full credit/debit card details. Axiomaera receives only the payment confirmation and Razorpay payment identifier; 8. Device and browser metadata — including user-agent string, screen resolution, and language preferences, used for security and fraud prevention only; 9. IP address — stored as a SHA-256 hash, used for security, rate-limiting, and consent logging.
2.3 Personal Data We Do NOT Collect
We do not collect any of the following: 1. Aadhaar number; 2. Permanent Account Number (PAN); 3. Bank account details, beyond the payment confirmation provided by Razorpay; 4. User passwords. KHOJ displays third-party breach data as recovered; we never ask for or store any password belonging to the User; 5. Biometric data; 6. Voter identification, driving licence, or any other government-issued identifier; 7. Geolocation data more granular than country/region/city.
2.4 Purpose of Processing
We process personal data exclusively for the following purposes: 1. Breach exposure diagnostics (primary purpose) — to identify whether the User's email address or telephone number appears in known data breach corpora; 2. OTP identity verification — to confirm that the User initiating the Scan is the lawful owner of the data being scanned; 3. Consent record maintenance — to comply with Section 6(1) of the DPDPA and to evidence the lawfulness of processing; 4. Aggregated, anonymised statistics — for the India Exposure Dashboard, our public statistical product. No personally identifying information is retained at this layer; all subjects and IP addresses are HMAC-SHA256 hashed with a non-rotating pepper, with IP addresses additionally truncated to /24 (IPv4) or /48 (IPv6) before hashing for k-anonymity; 5. Communication — about Scan results and service updates, only with the User's explicit opt-in (the optional retention consent).
2.5 Lawful Basis
The lawful basis for processing personal data through KHOJ is consent, obtained under Section 6(1) of the DPDPA. Consent is collected through two complementary mechanisms: 1. OTP verification — confirming that the person initiating the Scan is the lawful owner of the data being scanned; 2. Explicit affirmative consent — collected through a non-pre-checked checkbox on the consent screen, which is shown to the User after OTP verification and before any Scan is initiated. The consent so collected is: Free — given without coercion, fraud, or undue influence; Specific — limited to the operation of KHOJ as described in this Policy; Informed — preceded by the disclosure required under Section 5 of the DPDPA; Unambiguous — given through a clear affirmative action; Unconditional — not bundled with consent for any unrelated purpose. The User may withdraw consent at any time by writing to privacy@axiomaera.com. Upon withdrawal, all personal data will be deleted in accordance with the Data Retention Policy. The withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal.
2.6 Third-Party Data Sources
KHOJ relies on the following third-party data sources and processors. Each is engaged under a contractual arrangement appropriate to the nature of the engagement. 2.6.1 Have I Been Pwned (HIBP) Operator: Superlative Enterprises Pty Ltd (Australia) Service: Provides breach metadata under the Creative Commons Attribution 4.0 International licence (CC BY 4.0) Subscription: Core 1 commercial API subscription Data accessed: Breach name, breach date, data classes, approximate record count Privacy Policy: https://haveibeenpwned.com/Privacy Compliance posture: Written confirmation of compliance has been obtained from the HIBP team confirming that the described usage is consistent with HIBP's Terms of Use 2.6.2 DeHashed Operator: DeHashed LLC (United States) Service: Credential exposure data via real-time API queries Subscription: Commercial API subscription Data accessed: Exposed credentials including passwords, usernames, hashed passwords, names, telephone numbers, IP addresses Privacy Policy: https://dehashed.com/legal Compliance posture: Engagement is governed by DeHashed's API Terms of Service. Written confirmation of compliance is being sought and will be documented upon receipt. 2.6.3 Bharti Airtel Limited (Airtel) Service: SMS OTP delivery under TRAI Telecom Commercial Communications Customer Preference Regulations, 2018 Axiomaera Registration: TRAI-registered Principal Entity (Registration No. 1001825059978445085, valid until April 23, 2027) Data accessed: Telephone numbers transmitted solely for the purpose of OTP delivery Compliance posture: Standard telecom service contract; SMS delivery via DLT-approved templates 2.6.4 Razorpay Software Private Limited Service: Payment processing for Paid Tier transactions Data accessed: Card data is collected directly by Razorpay; Axiomaera receives only payment status and Razorpay payment identifier Privacy Policy: https://razorpay.com/privacy Compliance posture: Razorpay is a Reserve Bank of India authorised payment aggregator 2.6.5 Resend (email delivery) Service: Transactional email delivery (OTP and reports) Data accessed: Recipient email address; email body content (OTP code or report link) Compliance posture: SPF/DKIM/DMARC authenticated delivery from Axiomaera-controlled domain 2.6.6 Amazon Web Services (AWS) Service: Hosting and storage infrastructure Region: ap-south-1 (Mumbai) Compliance posture: All personal data is processed and stored within Indian jurisdiction
2.7 Data Storage and Security
1. Location: All personal data is processed and stored on AWS infrastructure in the ap-south-1 region (Mumbai, India). No personal data leaves Indian jurisdiction in stored form; 2. Encryption at rest: AES-256 for all storage volumes; 3. Encryption in transit: TLS 1.2 or higher for all network connections, including connections to third-party APIs; 4. Access controls: Role-based access control with the principle of least privilege; multi-factor authentication mandatory for all administrative accounts; 5. Audit logging: All access to systems handling personal data is logged and reviewed; 6. Security headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Cross-Origin policies are applied to all responses; 7. Rate limiting: Per-IP and per-identifier rate limits to prevent abuse; 8. Periodic security review: Internal and external security audits conducted at minimum on an annual basis.
2.8 Data Retention
Please refer to the KHOJ Data Retention & Deletion Policy for the complete retention schedule. In summary: Scan results are retained for a maximum of 24 hours, then automatically and permanently deleted; Raw API responses from third-party providers are discarded immediately after Report generation; Anonymised aggregate analytics data (containing no personal data within the meaning of Section 2(t) of the DPDPA) is retained indefinitely; Consent logs are retained for 3 years to evidence DPDPA compliance.
2.9 Your Rights Under DPDPA 2023
As a Data Principal under DPDPA 2023, you have the following rights: 1. Right to Access (Section 11) — You may request a summary of personal data processed about you by KHOJ; 2. Right to Correction and Erasure (Section 12) — You may request correction or deletion of all personal data held about you. We will honour such requests within the period prescribed under the DPDP Rules, 2025 (currently up to 90 days). We will endeavour to resolve simple deletion requests within 72 hours where operationally feasible, save for data we are legally required to retain (such as payment records under tax law or consent logs to evidence DPDPA compliance, which are retained in pseudonymised form); 3. Right to Grievance Redressal (Section 13) — You may file a grievance with our Grievance Officer. We will acknowledge within 48 hours and resolve within 90 days, as prescribed under the DPDP Rules, 2025. If unsatisfied, you may approach the Data Protection Board of India (DPBI), as and when constituted by the Central Government under Section 18 of the DPDPA; 4. Right to Nominate (Section 14) — You may nominate a person to exercise your rights under DPDPA in the event of your death or incapacity. To exercise any of these rights, please email privacy@axiomaera.com with the subject line: DPDPA Rights Request — [Your Email/Phone]. We may require additional verification before acting on a request, to protect against identity fraud.
2.10 Children's Data
1. KHOJ is not intended for individuals under 18 (eighteen) years of age. 2. We do not knowingly collect personal data from children. If we become aware that a Scan was initiated by an individual under 18, we will delete all associated data immediately, save for what is required to evidence the deletion. 3. KHOJ requires all Users to be 18 years of age or older. Axiomaera has not been notified as a class of Data Fiduciary exempted under Section 9 read with the Fourth Schedule to the DPDP Rules, 2025, and therefore the full protections of Section 9 of the DPDPA apply. 4. KHOJ does not engage in tracking, behavioural monitoring, or targeted advertising directed at children. This is consistent with DPDPA Section 9(3).
2.11 Cross-Border Data Transfer
KHOJ queries external APIs for breach intelligence: HIBP is operated from Australia DeHashed is operated from the United States The query (containing the User's email address or telephone number) is transmitted to these providers via TLS-encrypted API calls for the sole purpose of retrieving breach data. These providers do not store the User's query on Axiomaera's behalf — these are real-time API lookups, not data outsourcing arrangements. Your email address or telephone number is transmitted to HIBP and DeHashed servers via encrypted API calls for the sole purpose of retrieving breach/credential data. These providers do not retain your query on our behalf. Axiomaera has obtained written confirmation from HIBP regarding compliance with their terms. All Scan results — once returned — are processed and stored exclusively within Indian jurisdiction (AWS Mumbai). In the event the Central Government, by notification under Section 16 of the DPDPA, restricts transfer of personal data to Australia or the United States, Axiomaera will modify the operation of KHOJ to remain in compliance.
2.12 Cookies and Tracking
1. KHOJ uses essential cookies only — these are required for session management and the OTP flow. 2. KHOJ does not use advertising cookies, third-party trackers, or analytics cookies that identify individuals. 3. Should we introduce any non-essential analytics in the future, we will obtain explicit consent first. 4. The proprietary anonymous analytics layer described in Section 2.4(4) operates server-side, with HMAC-SHA256 hashing and IP truncation; it does not employ client-side cookies for identification.
2.13 Changes to This Policy
1. We may update this Policy from time to time. Material changes will be notified to registered Users by email and via prominent notice on khoj.axiomaera.com. 2. The notice period for material changes is 30 (thirty) days. Continued use after the notice period constitutes acceptance. 3. Where a change relates to a new lawful basis or a material change in third-party providers, fresh consent will be obtained.
2.14 Contact
| Purpose | |
|---|---|
| Data protection / privacy | privacy@axiomaera.com |
| Grievance Officer | grievance@axiomaera.com |
| Legal | legal@axiomaera.com |
| Security | security@axiomaera.com |
| Abuse | abuse@axiomaera.com |
Grievance Officer: Mukund Hemant Mohadikar, Managing Director Registered Office: Axiomaera Private Limited, Shop 8, Upper Ground Floor, Amenity Bldg, Ashok Astoria, Gangapur, Nashik, Maharashtra 422222, India.
2.15 Law Enforcement Access
Axiomaera may disclose personal data to law enforcement authorities or judicial bodies if: 1. Required by an order of a court of competent jurisdiction; 2. Required under applicable Indian law, including the Information Technology Act, 2000 and the Bharatiya Nagarik Suraksha Sanhita, 2023; 3. Necessary to prevent a crime or to protect the safety of any person; 4. Required under the CERT-In Directions, 2022. We will notify the affected Data Principal of any such disclosure unless prohibited by law from doing so. Where law-enforcement requests are received, Axiomaera will assess the request for legal validity, scope, and proportionality before complying, and will preserve User data only for so long as is required by the request.
2.16 Data Breach Notification
In the event of a personal data breach affecting KHOJ: 1. CERT-In notification: within 6 (six) hours, as required under the CERT-In Directions, 2022; 2. Data Protection Board of India notification: notification to the Data Protection Board of India (DPBI), as and when constituted by the Central Government under Section 18 of the DPDPA, in the manner and within the timelines required under Section 8(6) of the DPDPA; 3. Affected Data Principal notification: within 72 (seventy-two) hours, via the email address on file. The notice will provide: The nature of the breach The categories of personal data affected The likely consequences The measures taken or proposed to be taken Recommended protective actions for the Data Principal Contact information for further inquiries. For our internal Incident Response Plan, please refer to the KHOJ Incident Response Plan (internal document).
End of Privacy Policy.
By using KHOJ, you acknowledge that you have read and understood this Privacy Policy.