Privacy Policy

Last Updated: March 21, 2026

This Privacy Policy ("Policy") explains how Tiona, a sole proprietorship operated by Devi Preetham Kumar Adimulam, having its registered address at Sierra - I - 701, Rajapushpa Atria, Kokapet, Hyderabad, Telangana - 500075, India ("we," "us," "our," or "Tiona"), collects, uses, stores, shares, and protects your personal data when you use the Tiona mobile application and related services (collectively, the "Service").

Tiona provides two applications:

  • Tiona Business App - a business management tool for tailors, boutique owners, and garment professionals.
  • Tiona Customer App - a companion app for end customers to track orders, make payments, communicate with their tailor, view portfolios, and book meetings.

This Policy applies to all users of both applications and covers all data collected through the apps, our website at tiona.fit, and any associated backend services.

This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 ("IT Act"), the IT (Reasonable Security Practices and Procedures and SPDI) Rules, 2011, and the Consumer Protection Act, 2019.

Under the DPDP Act, you are a Data Principal. Tiona acts as a Data Fiduciary. Where we process data on behalf of Business Users, we also act as a Data Processor.

By using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Policy.

1. Information We Collect

Personal Information (Business Users):

  • Full name, phone number, email address
  • Address, city, state, pincode
  • Business name, business type, owner name, business logo
  • Instagram handle, WhatsApp number
  • UPI payment details (PhonePe, Google Pay, Paytm IDs)
  • GPS coordinates (latitude/longitude)
  • Profile photos

Personal Information (Customer Users):

  • Full name, phone number, email address
  • Address, city, state, pincode
  • Profile photos

Customer Data (Entered by Business Users):

  • Customer name, phone, email, address
  • Tags and categories (e.g., VIP, Wedding, Corporate)
  • Notes, preferences, preferred language, source
  • Relationship status (active, inactive, lead)
  • Body measurements: chest, waist, hips, shoulder width, arm length, inseam, neck, height, weight, and category-specific measurements
  • Customer photos

Order and Payment Data:

  • Order numbers, garment types, quantities, prices, due dates, status history
  • Fabric details, style notes, reference images
  • Payment amounts, methods, transaction IDs, notes, refund details
  • Razorpay subscription data

Communication Data:

  • Text messages, images, voice recordings, documents shared in chat
  • Meeting invites, payment requests, order update notifications
  • Read receipts and delivery status

Device and Technical Data:

  • Device tokens (FCM, Apple VoIP PushKit)
  • Platform (iOS/Android), app version, IP address
  • Network metadata (STUN/TURN), crash reports (Sentry)
  • Usage analytics (Firebase), local cached data, speech recognition transcripts

2. How We Use Your Information

Service Delivery:

  • Authenticating your identity via OTP-based phone login
  • Displaying your business profile to Customer Users
  • Enabling customer record management, order tracking, and payment recording
  • Enabling real-time messaging and VoIP calling
  • Delivering push notifications for messages, order updates, payment reminders, and meetings
  • Providing offline access and data synchronization

AI-Powered Features:

  • Extracting body measurements from photographs
  • Generating contextual reply suggestions
  • Providing design suggestions and virtual try-on
  • Creating AI-generated portfolio descriptions

Payment Processing:

  • Processing subscription payments through Razorpay
  • Generating payment requests with UPI deep links
  • Maintaining financial records and payment analytics

Analytics and Improvement:

  • Analyzing aggregate usage patterns
  • Bug resolution through Sentry crash reports
  • Monitoring app performance and feature adoption

Safety and Compliance:

  • Detecting and preventing fraud and unauthorized access
  • Enforcing our Terms of Service
  • Complying with legal obligations and maintaining audit logs

Location-Based Services:

  • Auto-filling addresses and enabling nearby business discovery
  • Displaying business location on maps

3. Legal Basis for Processing

Under the DPDP Act, 2023, we process your personal data on the following lawful bases:

Consent: You provide consent when you create an account, grant device permissions, opt into AI features, or enable contact import. You may withdraw consent at any time.

Contractual Necessity: Processing necessary for the performance of our contract with you, including account creation, core features, subscription payments, and essential notifications.

Legitimate Interest: Crash reporting, aggregate analytics, security measures, and fraud detection, balanced against your rights as a Data Principal.

Legal Obligation: Maintaining financial records under Indian tax and accounting laws, responding to lawful government requests, and data breach notification obligations.

4. Data Sharing and Third-Party Services

We do not sell your personal data. We share your data with the following third-party service providers for specific and limited purposes:

  • Supabase (Supabase Inc.) — Backend infrastructure: database, authentication, file storage, real-time sync. Servers in Singapore and United States.
  • Firebase Analytics (Google LLC) — Usage analytics. Servers in United States.
  • Firebase Cloud Messaging (Google LLC) — Push notification delivery. Servers in United States.
  • Razorpay Software Pvt. Ltd. — Subscription payment processing. Servers in India.
  • Google Gemini AI (Google LLC) — AI-powered features. Servers in United States.
  • Google Maps Platform (Google LLC) — Map display and geocoding. Servers in United States.
  • Twilio Inc. — SMS and WhatsApp notification delivery. Servers in United States.
  • MSG91 (Walkover Web Solutions Pvt. Ltd.) — OTP delivery. Servers in India.
  • Sentry (Functional Software Inc.) — Error monitoring and crash reporting. Servers in United States.
  • Apple APNs / PushKit (Apple Inc.) — iOS push and VoIP notifications. Servers in United States.
  • Google STUN/TURN (Google LLC) — WebRTC call connectivity. Global infrastructure.

We may also share data with law enforcement when required by law, to protect rights and safety, or in connection with a merger or acquisition.

5. AI-Powered Features and Data Processing

Technology Provider: Tiona's AI features are powered by Google Gemini (Google LLC). When you use AI features, data is transmitted to and processed on Google's servers, which may be located outside India.

Data Sent to Google Gemini:

  • AI Measurement Extraction: Body photographs for analyzing body proportions.
  • AI Reply Suggestions: Conversation text snippets for generating replies.
  • AI Design Suggestions: Design/garment images for analysis.
  • Virtual Try-On: Design images and body reference data.
  • Portfolio Description Generator: Portfolio metadata and images.

Google's Data Handling: Under Google's API terms, API input data is not used to train Google's models. Google may retain inputs for up to 30 days for abuse monitoring. Data is encrypted in transit (TLS 1.2+) and at rest.

Biometric-Adjacent Data: Body photographs may be considered biometric-adjacent as they reveal physical characteristics. These are used solely for extracting numerical measurements, not for biometric identification or facial recognition. You can delete these photographs at any time.

Accuracy Disclaimer: AI-generated outputs are estimates only and may contain inaccuracies. Always verify AI-extracted measurements manually.

Opt-In Nature: All AI features are strictly opt-in. No data is sent to AI services passively or in the background.

6. Device Permissions

Tiona requests the following device permissions, each only when you use the associated feature:

  • Camera: Capturing customer photos, profile photos, reference images, AI measurement scanning.
  • Microphone: Voice messages, voice-to-text input, VoIP calling.
  • Contacts: Customer import from device contacts (accessed only on explicit action).
  • Location (GPS): Address auto-fill and business discovery (accessed only when feature is used).
  • Photo Library / Storage: Selecting images from gallery for messages, orders, portfolio, profile.
  • Speech Recognition: On-device speech-to-text conversion (audio processed locally, not sent to our servers).
  • Push Notifications: Order updates, payment reminders, new messages, meeting alerts, VoIP call alerts.

Denying a permission disables only the specific features that require it. Core app functionality remains available without any permissions granted.

7. Data Security

We implement the following measures in accordance with reasonable security practices under the IT Rules 2011:

Encryption:

  • In transit: All data encrypted using TLS 1.2 or higher. API communications use HTTPS exclusively.
  • At rest: Database uses AES-256 encryption. File storage is encrypted on Supabase Storage.
  • Local storage: Sensitive cached data stored on the device's encrypted storage partition.

Access Controls:

  • Row Level Security (RLS) ensures users can only access their own data.
  • Phone-based OTP authentication with session token management and regular rotation.
  • All API endpoints require valid authentication tokens and are rate limited.
  • Production data access restricted to authorized personnel with audit logging.

Infrastructure Security: SOC 2 Type II compliant hosting, network isolation, firewall rules, intrusion detection, and regular security updates.

Incident Response: Immediate containment, notification to affected users and the Data Protection Board within 72 hours, root cause analysis, and remediation.

8. Data Retention

We retain your data for the following periods:

  • Account data (name, phone, email, profile): Duration of account + 90 days after deletion request.
  • Customer records (entered by Business Users): Duration of Business User account + 90 days.
  • Body measurements: Duration of account + 90 days.
  • Order data: 7 years from order completion (Indian tax compliance).
  • Payment and financial records: 7 years from transaction date.
  • Chat messages and media: Duration of account + 90 days.
  • Voice recordings: Duration of account + 90 days.
  • Uploaded photos and images: Duration of account + 90 days.
  • Firebase Analytics data: 14 months (Google default).
  • Sentry crash reports: 90 days.
  • Push notification tokens: Until token refresh or account deletion.
  • AI processing inputs: Not retained by Tiona after processing; Google retains up to 30 days.
  • Subscription and billing records: 7 years.
  • Audit logs: 3 years.

After the retention period, data is permanently deleted or irreversibly anonymized within 30 days.

9. Cross-Border Data Transfers

Your personal data is processed and stored on servers located outside India, primarily in Singapore and the United States:

  • All account and application data: Singapore / United States (Supabase)
  • Analytics data: United States (Firebase Analytics)
  • Notification data: United States (Firebase Cloud Messaging, Apple APNs)
  • AI processing data: United States (Google Gemini)
  • Error and crash data: United States (Sentry)
  • Communication delivery data: United States (Twilio)
  • Payment data: India (Razorpay)
  • OTP data: India (MSG91)

Legal Basis: Cross-border transfers are conducted in accordance with Section 16 of the DPDP Act, 2023. We transfer data only to countries and entities not restricted by the Central Government. Appropriate contractual safeguards including data processing agreements with standard contractual clauses are in place with all international service providers.

10. Your Rights as a Data Principal

Under the DPDP Act, 2023, you have the following rights:

Right to Access: Obtain a summary of personal data we hold about you. Contact support@tiona.fit. Acknowledgment within 72 hours; the requested information is provided within 7 working days.

Right to Correction and Erasure: Request correction of inaccurate data, completion of incomplete data, or erasure of unnecessary data. You can edit most data directly in the app. Response within 7 working days.

Right to Consent Withdrawal: Withdraw consent at any time by revoking device permissions, disabling specific features, requesting account deletion, or contacting us. Withdrawal does not affect prior lawful processing.

Right to Grievance Redressal: Have your grievances addressed in a timely manner (see Section 17).

Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.

Data Portability: We will provide your data in JSON or CSV format upon request within 14 working days.

11. Data Breach Notification

In the event of a personal data breach:

Notification to the Data Protection Board: Within 72 hours of becoming aware of a qualifying breach.

Notification to Affected Users: Without unreasonable delay and no later than 72 hours, through push notification, email, SMS, or in-app banner.

Content of Notification: Nature of the breach, categories and approximate number of affected users, likely consequences, measures taken or proposed, and contact details.

Breach Response:

  • Immediately contain the breach and secure affected systems
  • Assess the scope, severity, and impact
  • Notify the Data Protection Board and affected users
  • Conduct thorough investigation and root cause analysis
  • Implement remediation measures
  • Maintain a documented record of the breach

12. Children's Data

Tiona is intended for users who are 18 years of age or older. We do not knowingly collect personal data from individuals under 18.

If we discover that we have collected data from a child, we will promptly delete such data and terminate the associated account.

If the Central Government designates Tiona as requiring verifiable parental consent under the DPDP Act, we will implement appropriate age verification and parental consent mechanisms.

If you believe a child under 18 has provided personal data to us, please contact us immediately at support@tiona.fit.

We do not engage in tracking, behavioural monitoring, or targeted advertising directed at children.

13. Sensitive Personal Data or Information (SPDI)

Under the IT (SPDI) Rules, 2011, the following data is classified as Sensitive Personal Data or Information:

Financial Information:

  • UPI payment identifiers (PhonePe, Google Pay, Paytm IDs)
  • Payment transaction details and history
  • Bank account or card details processed through Razorpay

Biometric and Physical Data:

  • Body measurements (chest, waist, hips, shoulder width, arm length, inseam, neck, height, weight)
  • Body photographs used for AI measurement extraction

SPDI Handling Practices:

  • Collected only with your informed, explicit consent
  • Used only for the specific purpose collected
  • Not retained longer than necessary
  • You may withdraw consent at any time
  • Security practices commensurate with ISO/IEC 27001 standards
  • Not disclosed to third parties without your consent, except as required by law

14. Business User vs. Customer User Data Roles

Tiona as Data Fiduciary: Tiona is the Data Fiduciary for all Business User data (account, profile, business information, subscription), all Customer User data collected directly by Tiona, and device/technical/analytics data of all users.

Tiona as Data Processor: When Business Users enter customer data into Tiona, the Business User is the Data Fiduciary and Tiona is the Data Processor. Business Users are responsible for ensuring they have a lawful basis to enter customer data and should inform their customers about the use of Tiona.

Customer User App: When a Customer User creates an account and links to a Business User, Tiona is the Data Fiduciary for account data while the Business User remains the Data Fiduciary for the business-customer relationship data.

Business User Obligations: Business Users are responsible for obtaining consent, not entering data of minors without parental consent, complying with the DPDP Act as Data Fiduciaries, and responding to customer data requests in a timely manner.

15. Account Deletion

How to Delete: Open the app, go to Settings, tap Account, then Delete Account, and confirm.

What Happens:

  • Immediate (within 24 hours): Account deactivated, logged out of all devices, profile hidden.
  • Within 30 days: All personal data permanently deleted from active systems.
  • Retained after deletion: Financial records (7 years), transaction audit logs (3 years), anonymized aggregate data.
  • Third-party data: We instruct all processors to delete your data per their retention schedules.
  • Local data: Uninstalling the app deletes locally cached data.

Impact on Business Users: All customer records, orders, payments, and messages will be permanently deleted. Linked Customer Users will lose access. Active subscriptions will be cancelled without refund.

Impact on Customer Users: Profile and communication history will be deleted. Business Users may retain independent records of your orders and measurements.

16. Changes to This Policy

We may update this Privacy Policy from time to time.

Material Changes: At least 30 days' advance notice through in-app notification, email, and a prominent notice within the app.

Minor Changes: We will update the "Last Updated" date.

Your continued use after the notice period constitutes acceptance. If you do not agree, discontinue use and delete your account. Previous versions are available upon request.

17. Grievance Redressal

How to File: Email support@tiona.fit with subject "Privacy Grievance" or use the in-app support feature.

Please include your full name, registered phone number or email, a detailed description of your concern, supporting documents, and the resolution you are seeking.

Response Timelines:

  • Acknowledgment: Within 72 hours
  • Initial assessment and response: Within 7 working days
  • Final resolution: Within 30 days

18. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

  • Email: support@tiona.fit
  • Website: https://tiona.fit
  • In-App: Settings > Help & Support > Contact Us
  • Address: Sierra - I - 701, Rajapushpa Atria, Kokapet, Hyderabad, Telangana - 500075, India

We aim to respond to all inquiries within 72 hours.

By using Tiona, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, processing, and transfer of your personal data as described herein.

19. Regulatory Compliance

This Policy complies with:

DPDP Act, 2023: Clear notice about data collection (Sections 1-2), informed consent (Section 3), lawful processing (Sections 2-3), security safeguards (Section 7), Data Principal rights (Section 10), breach notification (Section 11), cross-border transfers (Section 9), grievance redressal (Section 17), and children's data restrictions (Section 12).

Information Technology Act, 2000: Reasonable security practices for personal data protection, lawful interception requirements, and intermediary obligations.

IT (SPDI) Rules, 2011: Published privacy policy (Rule 4), disclosed SPDI types (Section 13), consent before SPDI collection (Rule 5), option to withdraw consent (Section 10), reasonable security practices (Section 7), and grievance timeline compliance (Section 17).

Consumer Protection Act, 2019: No deceptive data collection practices, clear information about data practices, and respect for consumer rights.

We monitor developments in Indian data protection law and will update this Policy as necessary. In the event of conflict between this Policy and applicable law, the applicable law shall prevail.