Privacy Policy

Welcome to Mafimo, a family-first matchmaking and matrimony platform operated by MakeFirstMove ("we," "our," or "us"), a product of APPLANTIC TECHNOLOGY LABS (OPC) PRIVATE LIMITED, a company incorporated under the laws of India and registered with the Ministry of Corporate Affairs. Mafimo is designed to bring families together in the journey of finding a life partner, blending traditional values with modern technology.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you access or use any part of the Mafimo platform, including:

• The Mafimo website (https://mafimo.com and all subdomains)
• The Mafimo mobile applications (Android and iOS)
• Mafimo APIs and backend services
• Any related tools, features, or communications provided by MakeFirstMove in connection with Mafimo

By creating an account, accessing, or using the Mafimo platform in any capacity, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, please do not use the platform.

This policy applies to all users of the platform, including individuals creating profiles, family members participating in the matchmaking process, and visitors browsing the website.

Intended Audience

Mafimo is designed and operated exclusively for individuals of Indian origin, including Indian residents, Non-Resident Indians (NRIs), Persons of Indian Origin (PIOs), and Overseas Citizens of India (OCIs), for the purpose of matrimonial matchmaking within the Indian cultural context. The platform is not directed at the general population of countries outside India. If users of Indian origin access the platform from outside India, the service remains operated from India and subject to the safeguards described in this policy.

This Privacy Policy describes our processing of personal data under Indian law, including the Information Technology Act, 2000 and rules thereunder, and the Digital Personal Data Protection Act, 2023 (DPDPA). Additional jurisdiction-specific disclosures form part of this policy only when they are made visible for a supported market.

To help you understand this Privacy Policy, the following terms are defined as used throughout this document:

• "Personal Data" - Any information that relates to an identified or identifiable individual. This includes your name, email address, phone number, photographs, date of birth, and any other data that can directly or indirectly identify you.
• "Sensitive Personal Data" - As defined under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, this includes: passwords; financial information (bank account, credit/debit card details); physical or mental health conditions; sexual orientation; medical records and history; biometric information; religious or caste-based beliefs; and any other information classified as sensitive under applicable Indian law.
• "Platform" - The Mafimo website, mobile applications, APIs, and all related services, tools, and features operated by MakeFirstMove.
• "User" - Any individual who creates an account on or accesses the Mafimo platform, whether for their own matrimonial search or on behalf of a family member.
• "Family Member" - A person who has been added to a User's family network on the platform. Family Members may have varying levels of access to the User's profile and matchmaking preferences, as configured by the User.
• "Profile" - The collection of information, photographs, preferences, and details a User provides on the platform for the purpose of matchmaking.
• "Verification Data" - Information collected and processed for the purpose of verifying a User's identity, including government-issued identification documents, Aadhaar offline KYC data, email verification tokens, and phone number verification records.
• "Data Fiduciary" - Under the DPDPA 2023, a Data Fiduciary is any person who alone or in conjunction with other persons determines the purpose and means of processing personal data. MakeFirstMove is a Data Fiduciary with respect to the personal data processed through the Mafimo platform.
• "Data Principal" - Under the DPDPA 2023, a Data Principal is the individual to whom the personal data relates. As a user of Mafimo, you are a Data Principal.
• "Data Processor" - A person who processes personal data on behalf of a Data Fiduciary. Our third-party service providers acting under our instructions are Data Processors.
• "Consent Manager" - An entity registered with the Data Protection Board of India that manages consent on behalf of Data Principals, as defined under DPDPA 2023.
• "Significant Data Fiduciary" - A Data Fiduciary designated by the Central Government based on factors including volume and sensitivity of data processed. MakeFirstMove may be classified as a Significant Data Fiduciary given the nature of data processed.
• "Personal Data Breach" - Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data.

We collect several categories of information to provide and improve the Mafimo platform. Below is a detailed breakdown of what we collect:

(a) Account Information

When you register for a Mafimo account, we collect:

• Full legal name
• Date of birth
• Email address
• Phone number (with country code)
• Password (stored in hashed form; we never store plain-text passwords)
• Gender
• Account creation timestamp

(b) Profile Data

To build your matchmaking profile, we collect information you choose to provide, such as:

• Profile photographs and optional family photographs
• Educational qualifications and institutions attended
• Professional information including occupation, employer, and income range
• Lifestyle details such as diet, smoking, and drinking preferences
• Physical attributes including height
• Family background including family type (joint/nuclear), family values, and parental details
• Hobbies, interests, and personal bio
• Languages spoken
• Current city and hometown

(c) Verification Data

To maintain trust and authenticity on the platform, we may collect:

• Aadhaar details through offline verification (XML-based offline eKYC or QR code scanning, not the Aadhaar number itself), including name, father's/guardian's name, date of birth, gender, residential address, and photograph
• Government-issued photo identification (passport, voter ID, driving licence, PAN card)
• Email verification confirmation
• Phone number verification via OTP
• Selfie or live photo for photo verification (if applicable)

Indian Identity Documents Only

Identity verification on Mafimo requires a valid Indian government-issued identity document, such as Aadhaar offline KYC, Indian Passport, PAN Card, Voter ID, or Indian Driving Licence. This requirement reflects the platform's exclusive focus on serving individuals of Indian origin for matrimonial matchmaking. Non-Indian identity documents are not accepted for verification purposes. If you do not hold a valid Indian identity document, you may still use the platform without verified status, but certain features that require identity verification will not be available to you.

(d) Family & Relationship Preferences

To power our matchmaking and compatibility features, we collect:

• Religion, caste, sub-caste, and community details
• Preferred partner criteria (age range, education, profession, location, religion, lifestyle preferences)
• Horoscope and Kundali details (date of birth, time of birth, place of birth) for astrological compatibility matching
• Gotra and Manglik status (if provided)
• Family network relationships and invitations
• Willingness for inter-caste or inter-religion matches

(e) Usage & Device Data

We automatically collect certain technical and usage information, including:

• IP address and approximate geographic location
• Browser type, version, and language settings
• Device type, operating system, and screen resolution
• Pages visited, time spent on each page, and navigation paths
• Search queries and filter selections used during matchmaking
• Timestamps of all significant interactions
• Referral sources (how you found Mafimo)
• App version (for mobile users)

(f) Communication Metadata

Mafimo does not offer in-app messaging or chat. However, we do collect metadata related to platform interactions:

• Profile views - who viewed your profile and when
• Profile shares - when a profile is shared with a family member
• Interest expressions - when you or someone expresses interest in a profile
• Mutual contact discovery records
• Notification delivery and read receipts

We do not collect, store, or have access to the content of any private communications between users conducted outside the platform.

We collect information through the following methods:

Direct Input from You

Most of the information we collect is provided directly by you when you:

• Create and set up your Mafimo account
• Complete or update your matchmaking profile
• Submit verification documents
• Set partner preferences and matchmaking criteria
• Configure your privacy and notification settings
• Contact our support team
• Respond to surveys or feedback requests

Automatic Collection

Certain information is collected automatically when you use the platform:

• Cookies and similar tracking technologies (see Section 7)
• Analytics tools that record usage patterns and platform performance
• Server logs that capture technical details of each request
• Device and browser fingerprinting for security and fraud prevention

Third-Party Verification Services

We work with trusted third-party verification partners to:

• Verify identity documents (Aadhaar offline KYC, government ID checks)
• Validate phone numbers and email addresses
• Detect fraudulent or duplicate accounts

These partners operate under strict data processing agreements and only process data as instructed by us.

Information from Family Members

In keeping with Mafimo's family-first approach, information about you may also be provided by:

• A family member who creates a profile on your behalf (with your knowledge and consent)
• Family members who add details to your family network
• Users who invite you to join the platform as part of their family network

If someone has created a profile on your behalf without your consent, please contact us immediately at protect@mafimo.com so we can take appropriate action.

We process your information for specific, legitimate purposes. Below is a detailed explanation of each purpose and the legal basis on which we rely:

• Account Management - To create, maintain, and administer your account, authenticate your identity, and manage your settings.
  Legal Basis: Contractual necessity - required to provide the service you signed up for.
• Identity Verification - To verify that users are real, of legal age, and who they claim to be, ensuring platform integrity and user safety.
  Legal Basis: Contractual necessity and legitimate interest in maintaining a trustworthy platform.
• Matchmaking Algorithms - To analyse your profile, preferences, and behaviour to suggest compatible matches through our proprietary matchmaking engine.
  Legal Basis: Contractual necessity - this is the core service we provide.
• Family Sharing Features - To enable family members within your network to view, discuss, and collaborate on matchmaking decisions in a controlled, permission-based environment.
  Legal Basis: Consent - you explicitly configure family access settings.
• Mutual Contact Discovery - To identify and surface mutual connections between users, strengthening trust and facilitating introductions through known networks.
  Legal Basis: Legitimate interest in enhancing the matchmaking experience.
• Kundali Compatibility - To compute astrological compatibility scores based on horoscope details you voluntarily provide.
  Legal Basis: Consent - this feature is entirely optional and based on your input.
• Platform Improvement - To analyse usage patterns, conduct research, and improve platform features, performance, and user experience.
  Legal Basis: Legitimate interest in improving our services.
• Fraud Prevention & Safety - To detect, investigate, and prevent fraudulent activity, fake profiles, harassment, and other harmful conduct.
  Legal Basis: Legitimate interest in protecting users and the platform.
• Legal Compliance - To comply with applicable laws, regulations, legal processes, and government requests, including the Information Technology Act, 2000 and related rules.
  Legal Basis: Legal obligation.
• Notifications & Communications - To send you service-related notifications (new matches, profile views, interest expressions), security alerts, and occasional product updates.
  Legal Basis: Contractual necessity for service notifications; consent for marketing communications.

Lawful Basis Summary

Under the DPDPA 2023, we process your personal data on the basis of your consent or for legitimate uses permitted by law. For optional or sensitive profile fields such as religion, caste, health information, Aadhaar verification data, and Kundali details, we rely on your clear and context-specific action at the point of collection or feature use. If additional jurisdiction-specific lawful basis disclosures apply to a supported market, they will appear in the relevant sections of this policy when enabled.

We take the sharing of your personal data seriously. Your information is only shared in the following circumstances:

(a) With Other Users

Certain parts of your profile are visible to other registered and verified users of the platform, based on your privacy settings. You control what information is visible, and you can adjust your visibility preferences at any time. Unverified users may have restricted access to profile details.

(b) With Family Members

If you have added family members to your family network, they may have access to your profile information and matchmaking activity, depending on the permissions you have configured. You remain in control of what your family network can see and can modify these permissions at any time.

(c) With Service Providers

We engage trusted third-party service providers who assist us in operating the platform. These include:

• Cloud hosting and infrastructure providers
• Analytics and performance monitoring services
• Identity verification and KYC partners
• Email and SMS delivery services
• Payment processing providers (if applicable)
• Customer support tools

All service providers are bound by data processing agreements and are only permitted to process your data as instructed by us, for the specific purposes we define.

(d) For Legal Requirements

We may disclose your information if required to do so by law, or if we believe in good faith that such disclosure is necessary to:

• Comply with a legal obligation, court order, or government request
• Protect and defend our rights or property
• Prevent or investigate possible wrongdoing in connection with the platform
• Protect the personal safety of users or the public

(e) Business Transfers

In the event that MakeFirstMove is involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the platform before your data becomes subject to a different privacy policy.

We do NOT sell your personal data. MakeFirstMove has never sold user data and has no intention of doing so. Your personal information is not a commodity - it is entrusted to us for the purpose of helping you and your family find a meaningful life partner.

Mafimo uses cookies and similar tracking technologies to enhance your experience, analyse usage, and maintain security. Here is what we use and why:

Essential Cookies

These cookies are strictly necessary for the platform to function. They enable core features such as:

• User authentication and session management
• Security features (CSRF protection, rate limiting)
• Load balancing and server routing

You cannot opt out of essential cookies, as the platform cannot function without them.

Analytics Cookies

We use analytics cookies to understand how users interact with the platform. This helps us identify popular features, detect usability issues, and improve overall performance. Analytics data is aggregated and does not identify you personally. We may use third-party analytics services such as Google Analytics or similar tools.

Preference Cookies

These cookies remember your choices and settings, such as:

• Language preferences
• Theme settings (light/dark mode)
• Recently viewed profiles or search preferences

Managing Cookies

You can manage your cookie preferences through:

• Your browser settings - most browsers allow you to block or delete cookies
• Any on-site privacy or cookie controls that we make available to you
• Your account settings (for preference cookies)

Please note that disabling certain cookies may affect the functionality of the platform. For example, disabling essential cookies will prevent you from logging in.

Third-Party Analytics

Our third-party analytics partners may set their own cookies on your device. These partners have their own privacy policies governing the use of such cookies. We encourage you to review them. We do not have control over third-party cookies, but we select partners who adhere to industry privacy standards.

We take the security of your personal data very seriously and implement robust technical and organisational measures to protect it.

Where Your Data Is Stored

Your data is primarily stored on secure servers located in India, hosted by reputable cloud infrastructure providers. Our servers are located in data centres that maintain industry-standard physical security controls, including restricted access, surveillance, and environmental protections.

Encryption

• In Transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security), ensuring that your information cannot be intercepted during transfer.
• At Rest: We implement encryption measures appropriate to the sensitivity of the data. Sensitive data categories are encrypted at the application level using AES-256-GCM, including: all Aadhaar verification data (name, address, date of birth, gender, photograph, and verification results), health information, religion/caste data, and financial data. The database itself is encrypted at rest using AWS RDS KMS encryption. Mobile app data is encrypted using AES-256 (Hive encrypted boxes) and platform-specific secure storage (iOS Keychain, Android Keystore).
• Passwords: User passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plain text.

Access Controls

• Access to personal data is restricted to authorised personnel on a strict need-to-know basis
• Administrative access is protected by strong authentication measures
• Access logs are maintained and regularly reviewed
• Role-based access control ensures employees only access data relevant to their function

Regular Audits

We are establishing a comprehensive security assessment programme that includes:

• Vulnerability scans and penetration testing
• Code reviews with security-focused analysis
• Independent security audits
• Compliance reviews against applicable regulations

Details of our security audit schedule are maintained in our internal security documentation and are available upon request to relevant regulatory authorities.

Incident Response

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Report the incident to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of becoming aware of the breach, as required under CERT-In Directions 2022
• Notify the Data Protection Board of India as required under the DPDPA 2023
• Notify any other regulator or authority where applicable law requires us to do so for the affected users or systems
• Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
• Take immediate steps to contain and remediate the breach
• Provide you with information about what happened and what steps you can take

Honest Disclaimer

While we implement and maintain robust security measures, no system connected to the internet can be guaranteed to be 100% secure. We cannot provide an absolute guarantee against unauthorised access, data loss, or breach. However, we are committed to continuously improving our security posture and responding swiftly to any incidents.

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required or permitted by law.

Active Accounts

Your personal data is retained for as long as your Mafimo account remains active. You may update or modify your information at any time through your account settings.

Deleted Accounts

When you request account deletion:

• Your profile is immediately hidden from other users
• Your personal data is permanently deleted from our active systems within 30 days of the deletion request
• During this 30-day period, you may contact us to reverse the deletion and restore your account
• After 30 days, deletion is irreversible

Verification Data

Verification records (such as Aadhaar KYC data and government ID verification logs) may be retained for a longer period as required by regulatory and compliance obligations under Indian law. We retain only the minimum necessary verification data and delete it when the retention obligation expires.

Usage Logs

Technical usage logs (IP addresses, device information, access timestamps) are retained for a maximum of 12 months from the date of collection. After this period, logs are either deleted or fully anonymised.

In compliance with CERT-In Directions 2022, all system logs are retained for a minimum of 180 days within Indian jurisdiction.

Backups

Data that exists in encrypted backup systems will be purged within 180 days of the deletion of the corresponding data from our active systems. Backups are encrypted and access-restricted, and data in backups is not used for any active processing.

Legal Holds

In certain cases, we may be required to retain specific data beyond our standard retention periods due to:

• Ongoing or anticipated legal proceedings
• Regulatory investigations
• Court orders or legal holds
• Compliance with applicable laws

In such cases, the data will be retained only for the duration required and will be deleted promptly thereafter.

Aadhaar Verification Data

Raw Aadhaar offline KYC data (XML files) is deleted immediately after the verification data has been extracted and the verification process is complete. Only the verification outcome and limited demographic information (name, date of birth, gender, masked Aadhaar number showing only the last 4 digits) are retained for the duration of your account. The full 12-digit Aadhaar number is never stored. This is in compliance with the Aadhaar Act, 2016, Section 29.

Under the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other applicable Indian laws, you have the following rights regarding your personal data:

• Right to Access - You have the right to request a copy of the personal data we hold about you. We will provide this information in a structured, commonly used format within a reasonable timeframe.
• Right to Correction - You have the right to request that we correct any inaccurate or incomplete personal data. You can also update most of your information directly through your account settings.
• Right to Deletion - You have the right to request the deletion of your personal data. Upon receiving a valid deletion request, we will delete your data in accordance with our retention policy (see Section 9), subject to any legal obligations that require us to retain certain data.
• Right to Data Portability - You may request a copy of personal data that you have provided to us in a machine-readable format, where technically feasible.
• Right to Restrict Processing - You may ask us to limit specific processing activities while we investigate a concern or verify your instructions.
• Right to Withdraw Consent - Where we process your data based on consent (e.g., Kundali matching, marketing communications), you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
• Right to Lodge a Complaint - If you believe that we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the appropriate regulatory authority or Grievance Officer (see Section 14).
• Right to Nominate - Under the DPDPA 2023, you have the right to nominate another individual who may exercise your rights in the event of your death or incapacity.
• Right to Grievance Redressal - You have the right to file a complaint with the Data Protection Board of India if you believe your data has been processed in violation of the DPDPA 2023.

How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

• Email: protect@mafimo.com
• Subject Line: "Data Rights Request - [Your Full Name]"

We will acknowledge your request within 48 hours and aim to fulfil it within 15 days for grievances under IT Rules 2021, and 30 days for other requests. In complex cases, we may extend this period by an additional 30 days, in which case we will inform you of the extension and the reasons for it.

We may ask you to verify your identity before processing your request to ensure the security of your account.

Mafimo is a matrimony platform intended exclusively for users who are 21 years of age or older. We do not knowingly collect, solicit, or process personal data from anyone under the age of 21.

Our registration process requires users to provide their date of birth, and we take reasonable steps to verify that all users meet the minimum age requirement of 21 years, regardless of gender.

If we become aware that we have inadvertently collected personal data from an individual under 21, we will:

• Immediately deactivate the associated account
• Delete all personal data collected from the minor within 48 hours of discovery
• Notify the individual (or their parent/guardian, if contactable) about the deletion

If you believe that a minor has created an account on Mafimo or that we have collected data from someone under 21, please contact us immediately at protect@mafimo.com so that we can investigate and take appropriate action.

Your personal data is primarily stored and processed on servers located in India. However, in certain limited circumstances, your data may be transferred to or accessed from locations outside India.

This may occur when:

• We use third-party service providers (e.g., cloud infrastructure, analytics, email delivery) whose servers or support teams may be located in other countries
• We need to comply with legal requirements in other jurisdictions
• Our technical or support teams access data from different geographic locations

Safeguards for International Transfers

When your data is transferred outside India, we apply safeguards that are appropriate to the destination, the service provider relationship, and the type of data involved. These safeguards may include:

• Contractual Restrictions: Processors and service providers are required to handle data only for authorised purposes and under our instructions
• Technical Controls: Data is protected in transit and, where appropriate, at rest using encryption and access controls
• Minimisation: We limit transferred data to what is reasonably necessary for the specific purpose
• Operational Review: We assess the access pattern, business need, and security posture relevant to the transfer or remote access activity

If you have questions about where your data is processed or the safeguards in place, please contact us at protect@mafimo.com. Additional jurisdiction-specific transfer disclosures are shown in this policy only when they are enabled for a supported market.

The Mafimo platform may contain links to third-party websites, applications, or services that are not operated or controlled by MakeFirstMove. These may include:

• Social media platforms
• Payment processing services
• App store listings (Google Play Store, Apple App Store)
• External resources or informational websites

This Privacy Policy applies solely to information collected by the Mafimo platform. We are not responsible for the privacy practices, content, or security of any third-party websites or services.

When you click on a third-party link or interact with a third-party service, you are subject to that third party's own terms and privacy policy. We strongly recommend that you review the privacy policy of any third-party website or service before providing any personal information.

The inclusion of a link to a third-party site on Mafimo does not imply endorsement of that site or its practices by MakeFirstMove.

In accordance with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we have appointed a Grievance Officer to address any concerns or complaints regarding the processing of your personal data.

Grievance Officer Details:

• Name: [To be designated prior to public launch]
• Email: protect@mafimo.com
• Phone: +91 98765 43210
• Postal Address: MakeFirstMove, India

How to File a Grievance

If you have any concerns about how your personal data is being collected, used, or processed by Mafimo, you may file a grievance by writing to the Grievance Officer at the contact details above. Please include:

• Your full name and registered email address
• A clear description of your concern or complaint
• Any supporting documentation or evidence
• The resolution you are seeking

The Grievance Officer will:

• Acknowledge your grievance within 24 hours of receipt
• Investigate the matter thoroughly
• Provide a resolution within 15 days of receiving the grievance

If you are not satisfied with the resolution provided by the Grievance Officer, you may escalate the matter to the Grievance Appellate Committee established under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (as amended 2023), the Data Protection Board of India under the DPDPA 2023, or any other authority or forum available to you under applicable law.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We are committed to keeping you informed about how we protect your data.

How We Communicate Changes

When we make changes to this policy, we will notify you through one or more of the following methods:

• An email notification sent to the email address associated with your account
• An in-app notification or banner within the Mafimo platform
• A prominent notice on our website
• An update to the "Effective Date" at the top of this policy

Material Changes

For material changes - those that significantly affect how we collect, use, or share your personal data - we will provide at least 30 days' advance notice before the changes take effect. This gives you time to review the updated policy and make informed decisions about your continued use of the platform.

Your Continued Use

Your continued use of the Mafimo platform after the updated Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree with the revised policy, you should stop using the platform and may request deletion of your account and data.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, we are here to help. You can reach us through the following channels:

• Privacy Inquiries: protect@mafimo.com
• Legal Inquiries: protect@mafimo.com
• General Support: promise@mafimo.com
• Phone: +91 98765 43210

Entity Details:

• Company: MakeFirstMove
• Product: Mafimo
• Country: India

Business Hours:

Our support team is available during Monday to Saturday, 9:00 AM to 6:00 PM IST (Indian Standard Time). Emails received outside business hours will be responded to on the next business day.

For privacy-related requests, we aim to acknowledge all inquiries within 48 hours and provide a substantive response within 30 days.

Thank you for trusting Mafimo with your personal information. We are committed to protecting your privacy and supporting you and your family on the journey to finding a meaningful life partner.

MakeFirstMove is a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA) with respect to all personal data processed through the Mafimo platform.

Consent Requirements

Under the DPDPA 2023, we obtain your consent for the processing of your personal data. Your consent must be free, specific, informed, unconditional, and unambiguous. Consent is collected on a granular basis for each processing purpose, ensuring you understand exactly what you are agreeing to.

You may withdraw your consent at any time through your account settings. Withdrawal of consent is as simple as granting consent. Upon withdrawal, we will cease processing your personal data for the relevant purpose, unless retention is required by law.

Data Deletion

We will delete your personal data when the purpose of processing is fulfilled or when consent is withdrawn, unless retention is required by law. Where data is retained for legal compliance, we will inform you of the specific legal basis and the expected retention period.

Security Safeguards

We are committed to implementing reasonable security safeguards as required under Section 8(4) of the DPDPA 2023 to protect personal data in our possession or under our control, including measures to prevent personal data breaches.

Significant Data Fiduciary Obligations

If designated as a Significant Data Fiduciary by the Central Government, we will undertake the following additional obligations: appoint a Data Protection Officer who is resident in India, conduct periodic Data Protection Impact Assessments to evaluate the impact of our processing activities on Data Principals, and engage independent data auditors to audit our compliance with the DPDPA 2023.

Mafimo supports two offline methods for Aadhaar-based identity verification, both permitted by UIDAI. Both methods require the same explicit consent (aadhaar_kyc) and both validate the UIDAI digital signature before any data is trusted. Both methods extract the same demographic information (name, father's/guardian's name, date of birth, gender, address, and photograph) for verification purposes.

Method 1: Offline eKYC (XML Upload)

You download your Aadhaar offline XML ZIP from the UIDAI resident portal and upload it to the platform. We decrypt the ZIP using the share code you provide, validate the UIDAI digital signature, and extract your demographic data. The raw XML data is deleted immediately after extraction -- we do not retain the source document. The share code is stored securely and used only for ZIP decryption during verification.

Method 2: QR Code Scan

You scan the QR code printed on your physical Aadhaar card (or mAadhaar) using the Mafimo app. The QR code contains UIDAI-signed data with the same demographic fields as the offline XML. Before storage, the scanned QR data is encrypted using AES-256-GCM with your share code used as Additional Authenticated Data (AAD). The resulting encrypted data file is retained for the duration of your active account to allow re-verification if needed. Only you, using your share code, can unlock this data.

What We Store

After verification, we store the following extracted fields in our database. All Aadhaar verification data is encrypted at rest using AES-256-GCM encryption:

• Verification status (verified/not verified) and verification match percentage
• Extracted name and father's/guardian's name
• Extracted date of birth and gender (stored as received from Aadhaar, without modification)
• Full residential address as extracted from the Aadhaar data
• A masked Aadhaar number (last 4 digits only, used for reference)
• The extracted photograph
• Verification match results (how well the extracted data matches your profile information)
• For QR Code Scan only: an encrypted copy of the scanned QR data (AES-256-GCM, encrypted with your share code as AAD), retained for the duration of your active account

What We NEVER Store or Return

• Your full 12-digit Aadhaar number
• Biometric data of any kind
• Virtual ID
• Encrypted mobile number hash from the Aadhaar data
• Encrypted email hash from the Aadhaar data

Address Visibility

Your full Aadhaar address is stored securely in our database but is not exposed to all users. The following access controls apply:

• Profile owner (you, or the family member who manages the profile): Can see the full address as extracted from Aadhaar.
• Other users: See only a masked version of the address showing the district, state, and postal code. House number, street, and locality are replaced with "***".
• Our employees and internal systems: See only the masked version of the address. Full address access is restricted through database-level controls and is not exposed through any internal tool or API.

Consent and Withdrawal

Separate explicit consent (aadhaar_kyc) is required before initiating Aadhaar verification via either method. You may withdraw consent at any time through Settings > Privacy > Consent Management, which will remove your verified status from the platform. Upon withdrawal, all stored Aadhaar data -- including any encrypted QR data file -- is deleted.

Compliance

All Aadhaar data handling complies with the Aadhaar Act, 2016 (Sections 8 and 29), UIDAI regulations governing the use and storage of Aadhaar-related information, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Both verification methods use only the offline verification framework -- no online authentication or connection to CIDR is performed.

Mafimo uses algorithmic matchmaking to suggest compatible profiles based on the information you provide, including your preferences, profile details, and optional features like Kundali compatibility.

Factors Considered by Our Algorithm

Our matchmaking algorithm considers factors such as:

• Partner preferences (age, location, education, profession)
• Lifestyle compatibility
• Family background preferences
• Kundali compatibility (when opted in)

The algorithm does not make binding decisions - it provides suggestions that you and your family evaluate independently. The final decision to express interest or proceed with a match is always yours.

You may request more information about the factors considered by our matchmaking systems or ask us to manually review a reported concern by contacting protect@mafimo.com. Any jurisdiction-specific rights relating to automated decision-making are described in the relevant regional sections of this policy when they are enabled.

We collect your consent at specific points during your use of the Mafimo platform:

• Terms and Privacy Policy acceptance - At registration (required)
• Sensitive personal data processing - Including health and religion/caste data, at profile creation (required for those data categories)
• Aadhaar identity verification (Offline eKYC or QR Code Scan) - Before verification (separate explicit consent)
• Kundali compatibility matching - Before feature use (optional)
• Device contact sync for mutual contacts - Before feature use (optional, user-initiated)
• Marketing communications - Optional, separate opt-in
• Website measurement technologies - Where we present a separate notice or choice for them

Managing Your Consent

You can view and manage your consent preferences at any time through your account Privacy and Security settings. Withdrawing consent is as simple as granting it.

When you withdraw consent for a specific purpose, we will stop processing your data for that purpose. Withdrawal does not affect the lawfulness of processing conducted before withdrawal.

We engage the following categories of third-party service providers to help operate the Mafimo platform:

• Cloud infrastructure providers - Data hosting and storage
• Push notification services - Firebase Cloud Messaging
• Analytics services - Firebase Analytics
• Email and SMS delivery services - For OTP verification and notifications
• Identity verification partners - For Aadhaar offline KYC
• Astrology calculation services - For Kundali compatibility
• Contact form processing - Web3Forms for website contact submissions
• Advertising services - Google AdMob

We require all processors to enter into data processing agreements and to process data only as instructed by us. They are not permitted to use your data for their own purposes. We are in the process of formalising data processing agreements with all service providers.

International Transfers

Where a processor relationship or support workflow involves cross-border access, we apply contractual, technical, and access controls appropriate to the relationship and the type of data involved. Additional jurisdiction-specific transfer disclosures are provided in this policy when they are enabled for a supported market.

Processor List

A detailed list of our processors is maintained internally and is available upon request by emailing protect@mafimo.com.

Our website uses cookies and similar technologies. We categorise them as follows:

• Strictly Necessary Cookies - Always active. Required for authentication, security, and session management. The platform cannot function without these cookies.
• Analytics Cookies - Used to understand usage patterns and improve the platform. Where required for a supported market, we will ask for consent before enabling them.
• Preference Cookies - Remember your settings such as language and theme preferences.

Managing Cookie Preferences

You can manage your cookie preferences through:

• Any on-site privacy or cookie controls that we make available
• Your browser settings

Disabling strictly necessary cookies may prevent you from using core platform features, including logging in and maintaining your session.

For full details, see our standalone Cookie Policy accessible from the website footer.

In the event of a personal data breach, we will take the following steps:

• Report the incident to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of becoming aware, as required under CERT-In Directions 2022.
• Notify the Data Protection Board of India as prescribed under the DPDPA 2023.
• Notify any other regulator or authority where applicable law requires us to do so for the affected users or systems.
• Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Breach Notification Content

Our notification to affected users will include:

• The nature of the breach
• The categories and approximate number of individuals affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach
• Contact details of our privacy team or Grievance Officer

Some web browsers transmit "Do Not Track" (DNT) signals to websites. There is currently no universally accepted standard for how websites should respond to DNT signals.

At present, our website does not respond differently to DNT signals. However, you can manage tracking preferences through your browser settings and any cookie controls we make available on the site.

The following table summarises the primary basis we rely on for key processing activities under Indian law and our product flows: