Last updated: May 29, 2026 · Effective: May 29, 2026

Privacy Policy

KhetiGPT (“KhetiGPT”, “we”, “us”, “our”) is an AI-assisted advisory service for Indian farmers, accessed primarily through WhatsApp and via our website at www.khetigpt.com (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have over it.

This Policy is published in compliance with the Information Technology Act, 2000 and the rules thereunder (including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011), and with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) as and when its provisions come into force. By accessing or using the Service you confirm that you have read and understood this Policy.

1. Who we are & how to contact us

The Service is operated by Cravings IT Pvt Ltd, a company incorporated under the Companies Act, 2013 and having its registered office in Pune, Maharashtra, India (referred to in this Policy as “Cravings IT” or “KhetiGPT”). For any privacy-related question, complaint, or request to exercise your rights, please contact our Grievance Officer / Data Protection point of contact at:

• Email: privacy@khetigpt.com
• WhatsApp: send the word privacy to our verified business number

We will acknowledge complaints within 48 hours and resolve them within 15 days (or such shorter period as required by applicable law).

2. Personal data we collect

We collect only what is necessary to deliver the Service.

2.1 You provide directly

• Sign-up form data: mobile number (mandatory), preferred language, state, district, role (farmer / FPO / partner / other), and optionally your name and primary crop.
• WhatsApp messages: the text, images (e.g. soil test reports, crop photos), and voice notes you send to our business number.
• Web chat: messages you type into our website chat interface.

2.2 Automatically collected

• Technical data: IP address (used for rate-limiting and abuse prevention; truncated/hashed in long-term logs), user-agent, request timestamps, error traces.
• WhatsApp metadata: message IDs, delivery status, timestamps received from the WhatsApp Business Platform.
• Cookies & analytics: a language-preference cookie set by our website, and (if you accept) Google Analytics 4 (GA4) cookies for aggregate traffic measurement. No cross-site advertising cookies are used.

2.3 We do not intentionally collect

• Financial account numbers, UPI IDs, credit/debit card details.
• Aadhaar, PAN, voter-ID, or other government identifiers (please do not send these — if received we delete on detection).
• Caste, religion, political opinion, biometric data, health data beyond what is incidentally visible in a photo you choose to share.
• Data of children under 18 (see Section 9).

3. Why we use your data (purposes & legal basis)

We process personal data for the following purposes:

• Delivering the advisory: understanding your query, fetching relevant weather / mandi / scheme information, and sending you a response. Legal basis: performance of the service you requested (and your consent for sensitive inputs such as photos and voice notes).
• Localisation: sending responses in your chosen language and surfacing location-relevant prices and weather.
• Safety & abuse prevention: moderating content, applying rate limits, blocking automated abuse, complying with WhatsApp Business policy.
• Service improvement: aggregated and de-identified analytics (intent mix, response quality, latency). We do not use your personal messages to train third-party large language models for general purposes.
• Legal compliance: responding to lawful requests from courts or government authorities, and complying with tax, accounting, and consumer-protection laws.

4. Third-party processors & sub-processors

To run the Service we rely on the following categories of sub-processors, each bound by a written data-processing agreement (where applicable). Some of them may process data outside India.

• WhatsApp Business Platform (Meta Platforms, Inc.) — message transport. Subject to Meta's own privacy terms.
• OpenAI, L.L.C. — language model inference for generating responses. We send only the user message plus necessary context; the OpenAI API is configured with data-retention and no-training defaults appropriate for business use.
• OpenWeather Ltd. — weather data lookup by district/coordinates. No identifying information is sent.
• Government of India Open Data Platform (data.gov.in / Agmarknet) — public mandi-price lookup. No identifying information is sent.
• Sentry (Functional Software, Inc.) — error and performance monitoring. PII (phone numbers, names, message text) is scrubbed by our server before transmission.
• Google LLC (Google Analytics 4) — aggregate web traffic only, with IP anonymisation.
• Upsun / Platform.sh SAS — cloud hosting (primary region: US, with deployment to Asia available).

The current full list of sub-processors is available on request to privacy@khetigpt.com. Where data leaves India, we rely on appropriate contractual safeguards.

5. How long we keep your data

• Profile data (phone, language, state, district, crop): for as long as your account is active, plus 24 months thereafter, unless you request earlier deletion.
• Conversation history: 24 months from the date of the message, after which it is either deleted or fully anonymised.
• Uploaded photos / voice notes: 90 days, then deleted from storage. Extracted text/insights may be retained with the conversation record.
• Error logs: 30 days. PII is scrubbed at collection.
• Audit and security logs: up to 12 months for fraud-prevention and legal-defence purposes.

We may retain data for longer where required by law or to enforce our agreements.

6. How we protect your data

• HTTPS/TLS everywhere; HSTS enforced.
• WhatsApp webhook payloads are validated via HMAC signature against our app secret.
• Admin access requires a username + strong password and short-lived JWT tokens.
• Secrets and API keys are stored as environment variables / encrypted runtime overrides, never in source code.
• Per-IP and per-phone rate limiting on public endpoints.
• Uploaded files are verified by magic-byte inspection (JPEG / PNG / PDF only) before processing.
• Logs and error reports are scrubbed of phone numbers, e-mails, and tokens before storage.
• Strict Content Security Policy and other security headers on all web responses.

No system is perfectly secure. If you become aware of any vulnerability please report it to security@khetigpt.com.

7. Your rights

Subject to applicable law (including the DPDP Act when in force) you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or out-of-date data.
• Erase your data, subject to legal retention requirements.
• Withdraw consent at any time (this will stop future processing but does not undo past lawful processing).
• Object to certain processing and request restriction.
• Lodge a complaint with the Data Protection Board of India (once constituted) or with us via the contact details in Section 1.

To exercise any of these rights, write to privacy@khetigpt.com from the e-mail address (or WhatsApp number) associated with your account. We will verify your identity before acting on the request. We respond within 30 days.

8. Cookies

Our website uses a small number of first-party cookies (e.g. for language preference) and, where you consent, third-party analytics cookies (GA4). Blocking cookies will not break the Service but may reset your preferences.

9. Children

The Service is intended for users 18 years or older. We do not knowingly collect data of children. If you believe a child has used the Service, please contact us and we will delete the relevant data promptly.

10. International transfers

Some sub-processors (notably OpenAI, Sentry, Google, Meta and Upsun) process data outside India. We rely on contractual and technical safeguards (standard contractual clauses where applicable, IP anonymisation, PII scrubbing) and select providers with mature security and privacy programs.

11. Automated decisions & AI disclaimer

KhetiGPT generates responses using artificial intelligence. While we take reasonable care, responses may contain errors, omissions, or out-of-date information. Advisories are informational only and are not a substitute for professional agronomic, veterinary, legal, medical, or financial advice. Please refer to our Terms of Service for the full disclaimer and limitation of liability.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified through the Service (a WhatsApp message and / or a banner on the website) at least 7 days before they take effect. The current version and effective date are always shown at the top of this page.

13. Governing law & jurisdiction

This Policy and any dispute arising out of it shall be governed by the laws of India. Subject to the dispute-resolution clause in our Terms of Service, the courts at Pune, Maharashtra shall have exclusive jurisdiction.

14. Language

This Policy is published in English. Translations may be provided in regional languages for convenience; in case of conflict, the English version shall prevail.

If anything in this Policy is unclear, write to us at privacy@khetigpt.com and we'll explain in plain language.