Privacy Policy

ProofChain Private Limited ("ProofChain", "we", "us", or "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, who can read it, and what rights you have over it.

This policy applies to all ProofChain products: ProofScript, ProofBooks, ProofSound, ProofTrain, ProofSchool, ProofLegal, and ProofVerify. ProofSchool has additional school-specific provisions covering minor data and parental consent (see Section 19 and the dedicated ProofSchool Privacy Policy). ProofTrain has product-specific provisions in Section 9.

The headline promise: your creative work — your screenplays, manuscripts, audio, legal documents, and training programs — is yours. We don't sell it, share it, mine it, or use it to train any AI model. Nobody at ProofChain reads it unless you ask us to, and even then only with a logged, time-limited access request tied to your support request.

• Account Information: Name and email address, collected via Firebase Authentication when you create an account. For industry users (producers, publishers): company name, role, and verification details where applicable.
• Payment Information: Processed securely by Razorpay. We do not store credit card numbers, UPI handles, or payment card details on our servers. We retain payment confirmations, order metadata, GST invoices, and subscription state.
• Usage Data: Basic usage patterns to operate and improve the service — which features you use, timestamps of your actions, error events, and aggregate volumetrics. No advertising, behavioural profiling, or third-party analytics.
• Support Communications: Content of emails, support tickets, and in-app messages when you contact us. We keep these long enough to resolve the issue and respond to follow-ups.
• ScriptPad Content: When you use ScriptPad (our screenwriting editor), your full screenplay text, scene metadata (type, color, omit markers), and version-history snapshots are stored in our Firestore database in Mumbai (asia-south1). This data is encrypted at rest (Google Cloud AES-256) and in transit (TLS 1.2+). Section 3 below explains exactly who can read it.
• Protected work metadata: Title, genre, language, AI scores, hash, blockchain timestamps, TSA tokens, and watermarked-certificate references for every work you protect on ProofScript, ProofBooks, ProofSound, ProofLegal, and ProofTrain.
• AI analysis outputs: Scores, insights, Cinema DNA, Literary DNA, market positioning, pitch decks, and similar derived results. The underlying file is not retained — see Section 4.
• Diagnostic data: Error reports (Sentry), uptime telemetry (Better Stack), and infrastructure logs. Diagnostic events exclude screenplay, manuscript, audio, legal-document, and training content — they capture only error context and request metadata.

This section addresses the question writers, authors, and creators ask most: can anyone at ProofChain read my work?

The default state is no access.

• ProofChain engineers and staff cannot read ScriptPad screenplays, uploaded manuscripts, audio submissions, legal documents, or training content in the ordinary course of operating the service.
• Access happens only on a logged, time-limited basis when (a) you raise a support ticket that genuinely requires us to inspect your content, and (b) you give explicit written consent in the same support thread. We will not open your content without that consent. If you decline, we will diagnose with metadata-only information.
• All ProofChain personnel are bound by written confidentiality obligations. Creative content is treated as Confidential Information, accessed strictly on a need-to-know basis, and may not be copied, indexed, sampled, summarised, quoted, or used to train any model.
• Access events are recorded in an audit log including who accessed, when, for how long, and which support ticket authorised the access. You may request your own access-log history at any time by emailing privacy@proofchain.in.
• Firestore Security Rules enforce per-user isolation. Even with database access, an engineer cannot read another user's document without the audit-logged elevated access described above.
• ScriptPad currently has no multi-user collaboration. Your drafts are visible only to your own account until you explicitly export them, publish them to your public profile, list them on the marketplace, or initiate a protect/analyse action.

Purpose limitation. We process ScriptPad and other creative content solely to provide the editor, save your work, generate your version history, and execute actions you explicitly trigger. We do not data-mine, profile, derive analytics from, or train any AI model on your creative text.

When you explicitly trigger an AI-powered action — ProofIntelligence analysis, ProofTrain analysis, ProofTrain design, Training Analysis, ProofScript Lab, ProofBooks Lab, Adaptation, or AI Chat — your submitted text is sent to third-party AI providers (Anthropic, OpenAI) via encrypted connection (HTTPS/TLS) for processing.

How your data is handled by AI providers:

• AI providers do not use your content for model training.
• API data may be retained for a short safety-monitoring window — up to 7 days by Anthropic and up to 30 days by OpenAI — after which it is permanently deleted.
• No human at any AI provider reads your content unless it is flagged for abuse review under the provider's policy.
• Providers receive only the text you submitted. They do not receive your name, email, account ID, payment information, or any identifier that could be joined back to your ProofChain account.
• For timestamping, only the SHA-256 hash is transmitted — your file stays on your device. For AI analysis, your file is uploaded to Cloud Storage for text extraction and processing. Both the original file and extracted text are deleted immediately after analysis is complete. Only the analysis results are stored in your account.

Analysis results (scores, Cinema DNA, insights), Training Analysis results, viral-tool results (roast text, cast suggestions, predictions, DNA matches, OTT scores), and AI Chat conversation history are stored in our Firestore database in Mumbai (asia-south1) and associated with your account.

Certain data you create on ProofChain is publicly visible by design. You control whether and when this is the case.

• Viral-tool results shared via generated links are viewable by anyone with the link.
• Analysis showcase cards (if you opt to share them) are publicly visible on the showcase page.
• Public writer/author/artist profiles display your name, portfolio of protected works, AI analysis scores, and protection history. You can control per-section visibility via privacy settings (public / industry-only / private).
• Leaderboard rankings (based on analysis scores) are publicly visible.
• Marketplace listings show your work's metadata (title, genre, language, AI scores) to logged-in users.
• Public trainer profiles on ProofTrain (if you opt in) show your name, verified status, training analyses, and gig history.

You can change your profile visibility and marketplace listing status at any time. Shared viral-tool result links cannot be revoked once generated, but the underlying analysis can be deleted from your account.

When you list a protected work on the marketplace:

• Work metadata (title, genre, language, budget tier, AI analysis scores) is visible to all logged-in users.
• For timestamping, only the hash is stored — your file stays on your device. For AI analysis, the file is processed on our servers but not retained after analysis.
• Industry professionals may request time-limited read access; you approve or decline each request individually.
• Read-access requests and their status are logged for both parties.

When you participate in competitions or gigs:

• Your submission metadata (title, genre, protected-work reference) is visible to competition organisers and gig posters.
• AI analysis scores may be shared with organisers as part of competition evaluation.
• Winner announcements may include your display name and submission title.
• Gig proposals and communications are stored and visible to both parties.

When you use our referral program, we store your referral code, the accounts referred by you, and reward status. Referred users can see the name of the person who referred them. Referral earnings and redemption history are visible only to you.

ProofTrain is the trainer-and-L&D arm of ProofChain. It is hosted at prooftrain.in and is governed by this Privacy Policy.

• Training designs and analyses you submit (programme outlines, lesson plans, learning outcomes) are processed by third-party AI providers (Anthropic, OpenAI) under the conditions in Section 4. Your submitted text is not retained by providers beyond their safety-monitoring windows.
• Trainer profiles are private by default. You opt in to a public profile; once opted in, your name, verified status, training analyses, design scores, and gig history are visible to logged-in ProofTrain users.
• Verified-trainer status is a Premium-tier capability. The credentials you submit for verification (LinkedIn, certifications, portfolio URLs) are reviewed by ProofChain staff under the access-controls in Section 3 and retained as proof of verification.
• Opportunities (gigs) posted by L&D teams are visible to all logged-in trainers. Your proposal submissions are visible only to the posting L&D team.
• Feedback campaigns collect anonymous learner feedback on trainer-led programmes. Learner responses do not include direct identifiers; aggregate results are visible to the trainer and the commissioning L&D team.
• Credit packs and Premium subscription are processed by Razorpay. ProofTrain stores order metadata, credit balances, redemption history, and subscription state. Card / UPI details never reach our servers.

Privacy is fundamental to our service. Here is what we explicitly do not collect:

• Your files (timestamping): For timestamp protection, files are hashed locally on your device using SHA-256. Only the hash — a 64-character string — is transmitted. We never see or store your actual file. Note: For AI analysis (a separate opt-in service), your file is uploaded for processing — see Section 4 for details.
• Third-party analytics: We do not use Google Analytics, Facebook Pixel, Mixpanel, Amplitude, or any third-party behavioural-tracking tools.
• Location data: We do not collect precise geolocation information.
• Device identifiers: We do not track device fingerprints or advertising identifiers.
• Biometric / Aadhaar / health data: Never collected.

We use the following sub-processors to operate ProofChain. Each is bound by a contract that restricts use of personal data to the purposes below.

• Firebase / Google Cloud: Authentication, Firestore database, Cloud Storage, hosting, Cloud Functions. Data resides in asia-south1 (Mumbai). Subject to Google's Privacy Policy.
• Razorpay: Payment processing for one-time orders and subscriptions (UPI, cards, netbanking, wallets). PCI-DSS compliant; we never see card / UPI details. Subject to Razorpay's Privacy Policy.
• Anthropic (Claude): AI analysis, scoring, and report generation. Your submitted text is sent for inference and not used for model training. Retained up to 7 days for safety monitoring per Anthropic's Privacy Policy.
• OpenAI: AI chat and supplementary lightweight inference. Your submitted text is sent for inference and not used for model training. Retained up to 30 days for safety monitoring per OpenAI's Privacy Policy.
• Resend: Transactional email delivery (account verification, payment receipts, password resets, report-ready notifications) and marketing email (only with your explicit opt-in). Subject to Resend's Privacy Policy.
• Sentry: Error monitoring and performance telemetry on our web apps and API. Diagnostic events only; creative content and PII are filtered out at the client and server before being sent. Subject to Sentry's Privacy Policy.
• Better Stack: Uptime monitoring and status-page hosting. No customer data passes through.
• OpenTimestamps + RFC 3161 TSA: Blockchain timestamping and dual-layer certified timestamps. Only cryptographic hashes are submitted — no personal data is ever stored on the blockchain or with the TSA.

A current sub-processor list is maintained and updated as additions occur. We will give 30 days' notice (via the Last Updated date on this page and, for material additions that touch personal data, by email to registered users) before adding a sub-processor with access to personal data.

All account data, ScriptPad content, protected-work metadata, analysis results, and audit logs are stored and processed in Google Cloud's asia-south1 (Mumbai) region. The data does not leave India for storage.

When you explicitly trigger an AI-powered action, the submitted text is transmitted to Anthropic and OpenAI servers located outside India for inference (typically in the United States). These transfers are made under contractual safeguards (no model training, short retention, no human review absent abuse flagging) and comply with Section 16 of the Digital Personal Data Protection Act 2023 — the processing countries are not on any restricted list notified by the Central Government of India as of the Last Updated date.

• To provide and maintain our timestamp verification, AI analysis, marketplace, and discovery services.
• To process payments, subscriptions, and credit packs.
• To communicate service updates and respond to support requests.
• To send marketing emails — only with your explicit consent.
• To comply with legal obligations (tax, audit, lawful requests).

We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not engage in any form of cross-context behavioural advertising.

If you create an account or use our paid services, we may occasionally email you about related product features, improvements, tips, and promotional offers. You can unsubscribe at any time using the link at the bottom of every marketing email.

We do not sell, rent, or share your email address with third parties. Marketing emails are sent only by us, only about ProofChain products, and only as long as you remain subscribed.

If you have not yet engaged with our paid services, we will only send you marketing emails if you explicitly opted in at signup or via a consent campaign.

Per-product topics (ProofScript, ProofBooks, ProofSound, ProofLegal, ProofTrain) can be independently subscribed to or unsubscribed from via the Resend preference centre linked in every marketing email.

• Account data is retained while your account is active.
• Blockchain timestamps are permanent and cannot be deleted. This is by design — the immutability of your timestamp is the core value of our service.
• You may delete your account at any time from your account settings. Upon deletion, all analysis results, AI chat history, ScriptPad drafts, and associated personal data are permanently removed within 30 days. Blockchain timestamps cannot be deleted.
• ScriptPad drafts you soft-delete enter a 30-day trash window. After 30 days, the draft and all snapshots are permanently removed.
• Analysis deletion — when you delete an analysis, the entire result is permanently removed from our database. Only a minimal audit log entry is retained (recording that a deletion occurred, with the analysis ID, tier, and timestamp — no analysis content).
• Encrypted backups of our Firestore database are maintained by Google Cloud as point-in-time-recovery snapshots for up to 7 days for disaster-recovery purposes. Backups are encrypted and not accessible to ProofChain engineers in the ordinary course of operation. A draft you permanently delete is also purged from any active backup within the 7-day window.
• Billing records (invoices, payment confirmations) are retained for 8 years to meet tax and audit obligations under Indian law.
• System logs are retained for up to 90 days for debugging and security purposes.

We use only essential cookies required for Firebase Authentication to keep you signed in securely.

No advertising, tracking, or third-party cookies are used across any ProofChain product.

You have the following rights regarding your personal data under the Digital Personal Data Protection Act 2023:

• Access: You can request a copy of the personal data we hold about you.
• Correction: You can update your profile information at any time through your account settings, or request correction by email.
• Erasure: You can delete your account and personal data at any time through account settings. Some data (billing records, blockchain timestamps) is retained as described in Section 15.
• Portability: You can export your ScriptPad drafts as PDF or Fountain, your analyses as PDF, and request a portable export of account data.
• Nomination: You may nominate another individual to exercise these rights on your behalf (e.g. in case of incapacity).
• Grievance: Escalate to the Grievance Officer (Section 20) or the Grievance Appellate Committee notified under the IT Rules 2021 (as amended in 2022).

To exercise any of these rights, email privacy@proofchain.in. We respond within 30 days as required by the DPDP Act.

If we become aware of a personal-data breach that materially affects your data, we will:

• Notify you in writing within 72 hours of discovery, with available facts on scope, cause, and remediation in progress.
• Notify the Data Protection Board of India as required by the Digital Personal Data Protection Act 2023.
• Cooperate with any onward notifications required by law.
• Publish a post-incident summary on our status page once forensic facts are confirmed.

Most ProofChain products (ProofScript, ProofBooks, ProofSound, ProofLegal, ProofTrain, ProofVerify) are not directed at individuals under 18 years of age. For those products, we do not knowingly collect personal data from children, and if we become aware that we have, we will promptly delete the information.

ProofSchool is the exception. ProofSchool is a B2B teacher-assessment platform that collects anonymous feedback responses from students, including students under 18 (Children under the Digital Personal Data Protection Act 2023). For ProofSchool:

• The school is the Data Fiduciary; ProofChain is the Data Processor, operating only on the school's documented instructions.
• Verifiable parental consent is captured (digital signature on the response form, or paper-slip-home consent attested by the school) and recorded with token, hashed IP, terms version, and timestamp before any minor response is processed.
• Student responses are anonymous — we do not collect student names, identifiers, or other direct identifiers in the response data.
• A parent may revoke consent at any time by emailing privacy@proofchain.in, triggering erasure of responses attributable to that consent token within 30 days.
• Detailed ProofSchool-specific terms are published at proofschool.in/privacy and operationalised in a per-school Data Processing Addendum signed at subscription start.

• All data is encrypted in transit using TLS 1.2+.
• Firestore and Cloud Storage data is encrypted at rest by Google Cloud (AES-256).
• Firebase Authentication provides secure access control with session expiry.
• Engineer access to your data is restricted to the audit-logged, ticket-authorised path described in Section 3.
• Firestore Security Rules enforce per-user isolation; an engineer cannot read another user's document without the audit-logged elevated access described in Section 3.
• Cloud Functions secrets are managed via Google Secret Manager; no API key is ever embedded in client-side code.
• For timestamping, files are processed locally on your device and only the hash is transmitted. For AI analysis, files are uploaded via encrypted connection for processing and are not retained after analysis.
• All account data and analysis results are stored in Google Cloud's Mumbai (asia-south1) region. For AI analysis, submitted text is processed by Anthropic and OpenAI servers outside India and is subject to their respective retention policies.
• Regular security reviews, dependency upgrades, and vulnerability monitoring are performed.

Under the Digital Personal Data Protection Act 2023, we designate the following contact for all data-protection and grievance matters:

Aravinth Raj S.C.
Data Protection Officer & Grievance Officer, ProofChain Private Limited
India
privacy@proofchain.in · legal@proofchain.in

We acknowledge data-principal requests and grievances within 24 hours and resolve them within 15 days as required by the IT Rules 2021. If you are not satisfied with our response, you may escalate to the Grievance Appellate Committee notified under the IT Rules 2021 (as amended in October 2022) or the Data Protection Board of India established under the DPDP Act 2023.

We may update this privacy policy from time to time. Material changes (categories of data processed, retention periods, cross-border transfer, sub-processor additions affecting personal data) will be communicated via email to registered users with at least 30 days' notice. Other changes take effect on publication. The "Last Updated" date at the top of this page is the authoritative effective date.