Privacy Policy

Truffaire Private Limited is an Indian private limited company incorporated under the Companies Act, 2013, with its principal place of business in Bengaluru, Karnataka, India. Truffaire Private Limited is the Data Fiduciary as defined under the DPDP Act, 2023 for all personal data processed through the ARCORAplatform.

For all privacy-related enquiries or to exercise your rights, contact us at: one@truffaire.in

We process your personal data for the following purposes:

• Providing the ARCORA diagnostic service — running AI-assisted crop analysis on your uploaded images
• Account creation, authentication, and session management
• Processing payments, allocating credits, and managing your subscription plan
• Generating, storing, and displaying diagnosis reports in your dashboard and history
• Improving the accuracy and reliability of our diagnostic engine using anonymised and aggregated data
• Sending transactional communications (payment confirmation, service alerts) — not marketing without consent
• Complying with applicable laws, resolving disputes, and enforcing our Terms of Service
• Preventing fraud, unauthorised access, and abuse of the platform

We do not use your crop images or personal data to train third-party AI models without your explicit consent. Diagnostic queries are processed by our AI infrastructure under data processing agreements that prohibit use of API inputs for model training.

Under the DPDP Act, 2023, we process your personal data on the following grounds:

• Consent — you provide consent at account registration and by submitting data for diagnosis
• Contractual necessity — processing required to deliver the Service you have purchased
• Legitimate interests — fraud prevention, service security, and platform analytics (balanced against your rights)
• Legal obligation — compliance with applicable Indian statutes and regulatory requirements

To operate the Service, we work with carefully selected third-party technology providers for functions including user authentication, cloud database and file storage, AI-powered analysis, payment processing, and web hosting. Each provider is engaged only to the extent necessary to deliver their specific function, and all are bound by written data processing agreements that restrict their use of your data to the contracted purpose.

We share only the minimum data necessary for each function — for example, payment processors receive transaction identifiers but never your diagnostic data, and our AI infrastructure receives agronomic inputs but not your billing information.

We do not sell, rent, or trade your personal data to any third party for commercial or marketing purposes. We may disclose data to law enforcement or regulatory authorities when required by valid legal process under Indian law.

• Account data — retained for the duration of your account and for 3 years after deletion for legal compliance
• Diagnosis reports and crop images — retained for the full history window (Cooperative and Alliance plans) or 30 days (Scout Pack), and deleted upon account deletion
• Payment records — retained for 8 years as required under Indian accounting and tax laws
• Usage logs — retained for 90 days for security and debugging, then deleted
• Communications — retained for 2 years from last contact

You may request deletion of your account and associated personal data at any time by emailing one@truffaire.in. Certain data may be retained longer where required by law or for legitimate dispute resolution purposes.

We implement industry-standard technical and organisational measures to protect your personal data, including:

• TLS/HTTPS encryption for all data in transit
• Encryption at rest for database records and stored files via our cloud infrastructure
• Role-based access controls limiting internal access to personal data
• Secure, short-lived session tokens for authentication
• Payment data handled exclusively by PCI-DSS compliant infrastructure — we never store card data

No method of transmission or storage is 100% secure. While we take all reasonable precautions, we cannot guarantee absolute security. In the event of a data breach that poses risk to your rights, we will notify affected users and the relevant authority in accordance with applicable law.

Under the DPDP Act, 2023 and applicable Indian law, you have the following rights with respect to your personal data:

• Right to access — request a copy of the personal data we hold about you
• Right to correction — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your personal data, subject to legal retention obligations
• Right to withdraw consent — withdraw consent at any time without affecting prior processing
• Right to grievance redressal — lodge a complaint with our grievance officer or the Data Protection Board of India

To exercise any of these rights, email us at one@truffaire.in with the subject line "Data Rights Request". We will respond within 30 days. If you are not satisfied with our response, you may escalate to the Data Protection Board of India once it is operationally constituted.

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately and we will delete such data promptly.

We use strictly necessary cookies and session tokens required for authentication and service functionality. We do not use advertising cookies, cross-site tracking, or third-party analytics that profile individual behaviour. Your browser settings may be used to control cookie acceptance, though disabling cookies may impair platform functionality.

Some of our technology service providers may process data in jurisdictions outside India, including the United States. We rely on contractual protections — data processing agreements incorporating standard contractual clauses — to ensure your data receives a level of protection consistent with Indian data protection standards. By using the Service, you acknowledge and consent to these transfers.

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify registered users by email. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

In accordance with the Information Technology Act, 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the following person is designated as the Grievance Officer for the Service: