Privacy Policy

We collect the minimum data needed to run checks and deliver reports. We delete check results after 7 days. We don't sell your data. We only search publicly available databases and other public records that anyone can access. India-specific court and MCA sources will be activated only when the India check orchestrator launches. If information about someone isn't in those public sources, we won't find it. But having verified information from public records is better than going in with none.

In this document, “Safi,” “we,” and “us” mean the company that operates getsafi.ai. Full company details are at the end of this page. Under the Digital Personal Data Protection Act, 2023 (DPDP Act), Safi is a “Data Fiduciary” and determines the purpose and means of processing your personal data. Our Data Protection Officer can be reached at privacy@getsafi.ai.

This section serves as the privacy notice required under Section 5 of the DPDP Act, 2023 and Rule 3 of the DPDP Rules, 2025.

We collect your phone number to verify your identity via OTP. If you use Sign in with Apple, we also collect the email address Apple provides, including a private relay address if you choose one. Your payment information is handled by our payment processor (we never see or store your card or UPI details). When you run a check, we collect the name and phone number of the person you're checking, your use case selection, and any optional details you provide (company name, social handle, city, etc.). We also collect standard technical data (device type, pages visited, error logs, install ID, APNs push token, product interaction, performance data, and crash and diagnostic data) to keep Safi running smoothly and understand product usage by cohort. On iOS, we store your notification permission state and when it changed so safety reminders work reliably and so we can measure opt-in friction. During Go sessions you start, Safi may collect precise location so arrivals, route drift, and safety alerts can work. If you choose to add Lookouts from your address book, Safi reads contact names and numbers for that picker. Aggregate analytics are anonymised where possible. Some feature-use counters, such as checks by use case, Go sessions, SOS triggers, watchlist activity, invite activity, and voice-call kinds, remain tied to your account so we can support account history, abuse prevention, and product reliability. Those account-level counters are personal data and are included in account exports.

If you save people in Safi, we store the profile details you choose to add, including names, phone numbers, social handles, photos, and encrypted notes. If you dictate a note, the temporary audio is sent to ElevenLabs for transcription; we save the resulting note only if you keep it, and we do not store the audio file ourselves.

We use this data to provide the Safi service, process payments, improve how Safi works, communicate with you about your checks, and prevent fraud and abuse. All processing is based on your consent.

Public records about the person you check

When you run a check, we search publicly available records configured for the live market and check flow. For India launch, planned sources include eCourts India, the Ministry of Corporate Affairs, phone directory sources, sanctions and watchlist databases, and publicly available social media profiles and news articles; those India-specific sources remain launch-gated until the India orchestrator is registered.

Your personal data (phone number, check history) is processed based on your consent. Some official or self-published public information may fall within Section 3(c) of the DPDP Act, including information published by authorised government agencies or made publicly available by the individual themselves. We treat that as a source-by-source assessment, not a blanket exemption. Where a source falls outside that carve-out, we rely on consent, minimisation, 7-day deletion, and legal review before using it.

By accepting our Terms of Service and running a check, you give us consent to process your personal data for the purposes described above. Your consent is freely given (you can use the free check without payment), specific (limited to the stated purposes), informed (this notice describes exactly what we collect and why), and clear (you actively accept the Terms of Service before your first check).

You can withdraw consent at any time by emailing privacy@getsafi.ai or deleting your account. Withdrawal does not affect the legality of processing done before withdrawal. If you withdraw consent, we will delete your personal data within 30 days (except where retention is required by law).

Yes, for a few specific things. When you give us your phone number, you agree to receive text messages (SMS), WhatsApp messages, and voice calls from us for:

• One-time verification codes when you sign in.
• Safety alerts and check-ins during a Go session (our “Watch Over Me” feature), sent to you and to the safety contacts you have added.
• Voice calls from Aya, our safety voice, when a Go session safety trigger fires (you held SOS without sliding to cancel, you tapped uneasy, you went off your planned route, your check-in ran late) or when you ask Aya to call you back to debrief a session.
• Voice calls from Aya to your squad if a safety call to you ends with us not reaching you. We call squad members one at a time, in your set order, until someone commits to checking on you.
• Alerts about new findings on people you have added to your watchlist.
• Operational notifications about your account, for example payment receipts or expiry reminders.

Message and call frequency varies based on how you use Safi. Standard message and data rates from your carrier may apply. We do not send marketing or promotional messages.

In India, messages are sent primarily via WhatsApp Business. SMS is used as a fallback when WhatsApp delivery fails. To stop receiving messages, reply STOP to any SMS or WhatsApp message from us. You can also register your number on India's Do Not Disturb registry, the National Customer Preference Register, at nccptrai.gov.in.

To get help, reply HELP or email hello@getsafi.ai. Stopping messages will also stop the safety alerts above, so we recommend keeping them on while you are an active Safi user. You can also disable Aya voice calls in your account settings; safety triggers fall back to SMS-only alerts when Aya is off.

Our current providers are Twilio (SMS, WhatsApp connectivity, and voice telephony), the WhatsApp Business API via Twilio (WhatsApp messaging), ElevenLabs (Aya's voice synthesis and live transcription), Sentry (crash reporting), and PostHog (product analytics).

Your mobile phone number will not be shared with third parties or affiliates for marketing or promotional purposes. We share it only with the carriers and infrastructure providers named above strictly as needed to deliver the messages you have opted in to receive.

Aya is the voice we use to check on you. When something on your phone signals you might need help (you held SOS without sliding to cancel, you tapped uneasy, you went off your planned route, your check-in ran late), Aya calls you to make sure you're okay before we alert your squad. You can also tap “Talk to Aya about it” after a session to debrief out loud.

When Aya calls, here's what we keep:

• The transcript of the conversation, encrypted, for 30 days. After that, it's gone automatically.
• A short record of the call (when she called, how long it lasted, what she concluded). We keep this for as long as your account is active so you can see your safety history.
• For “Talk to Aya about it” reflection calls only, Aya generates 3 first-person notes from the call (“your notes from tonight”). They're yours alone, never shared with your squad. You can edit or delete them any time.

What we don't keep: the audio. Aya runs on ElevenLabs, who handle her voice and the live transcription. We don't ask them to record the audio, and we don't store it on our side either.

What you can do:

• Read every transcript via Account → Privacy receipts.
• Delete a transcript early. We clear the transcript and any notes immediately.
• Share a transcript with someone you choose, via a one-time link that expires in 24 hours. You can redact lines before you share, and revoke the link any time.
• Disable Aya in your account settings. Voice triggers fall back to SMS-only safety alerts.

Under the DPDP Act, you give us specific consent for voice features the first time Aya would call you. The consent prompt explains what Aya does, what we keep, and how to disable it. You can withdraw consent any time in your account settings, and we will stop placing voice calls to you (safety triggers fall back to SMS).

After the call ends, the post-call transcript may run through Anthropic (Claude) so we can tell whether you sounded fine or whether your squad needs to step in. Anthropic processes transcript text only, not the audio. Production enablement requires our DPA evidence file to confirm the active retention and transfer terms for Safi's organisation.

We work with a small number of trusted service providers and public-record data sources to process payments, deliver messages, generate reports, track errors, and understand how people use Safi. Those include Stripe and Apple for payments, Twilio for messaging and voice, ElevenLabs for Aya voice, Anthropic for report generation and transcript evaluation, Sentry for crash reporting, and PostHog for product analytics. Each provider only receives the minimum data needed for its role, and processors are required to protect your data under their contract or published terms, including DPDP Act obligations where they apply.

• Supabase provides database hosting, authentication, storage, and account sessions.
• Stripe processes web payments while India checkout remains Stripe-first; Razorpay will be added only after its provider integration and legal review are complete. Apple processes in-app purchases on iOS.
• Twilio delivers SMS, WhatsApp, and voice connectivity. ElevenLabs powers Aya voice and transcription.
• Anthropic processes report generation, OSINT reasoning, claim verification, and voice transcript evaluation.
• PostHog provides product analytics. Sentry provides crash and error reporting.
• People Data Labs and IPQS support identity resolution, phone validation, and fraud checks when those sources are used by a market-specific check flow.
• Serper supports public web search used by the OSINT pipeline.
• CourtListener, Offenders.io, the Federal Bureau of Prisons, and FBI public records support US public-record checks when a US check flow is used.
• Google Maps Platform and Mapbox support places, routing, maps, and Go-session location surfaces.

We do not sell, rent, trade, or otherwise monetise your personal data. We do not share your data with data brokers or advertisers.

As a Data Principal, you have the right to access your personal data (Section 11), request corrections (Section 12), request erasure (Section 12), withdraw consent (Section 6), file a grievance (Section 13), and nominate someone to exercise your rights on your behalf (Section 14). While not required by law, we will provide a summary of your data in a structured format upon request. To exercise any of these rights, email privacy@getsafi.ai. We will verify your identity via OTP and respond within 30 days.

If someone believes they have been checked on Safi, they can contact us at privacy@getsafi.ai. We will verify their identity and, if data exists within the 7-day window, provide a summary of what publicly available information we found. If data has already been deleted, we will confirm that. We will never reveal who checked them, how many times, or which use case was selected.

Report details are automatically deleted after 7 days. In rare cases involving legal disputes, data may be retained for up to 30 days. Basic check history (what you checked and when) is kept while your account is active. Your account data (phone number) is kept while your account is active and deleted within 30 days of account closure. Reports you save on Premium stay until you remove the save or delete your account. Payment records are retained as required by law (typically 7 years). Product analytics events are kept for 90 days unless they are account-level counters included in your user record for service, reliability, or abuse-prevention purposes.

Under Rule 8 of the DPDP Rules, 2025, if you do not use Safi for 1 year, we will notify you before erasing your account data. We are implementing this requirement ahead of the full compliance deadline.

Your data is encrypted in transit and at rest (AES-256), protected by row-level database security, and accessible only to essential systems. Check results are automatically deleted after 7 days. Voice call transcripts are encrypted at rest and automatically deleted after 30 days.

If we experience a personal data breach that affects your data, we will notify the Data Protection Board of India as soon as practicable and notify you via WhatsApp, SMS, or email with details of the breach and the steps to take. Under the DPDP Act and Rules, all breaches must be reported regardless of severity.

Safi is operated from the UAE. Your data may be processed in the UAE, the United States, and other countries where our database, payment, messaging, analytics, AI, maps, and public-record source providers operate. This includes providers such as Supabase, Stripe, Twilio, Anthropic, ElevenLabs, PostHog, Sentry, PDL, IPQS, Serper, Google, and Mapbox when they are used for the relevant feature or market. Under Section 16 of the DPDP Act, personal data may be transferred outside India except to countries specifically restricted by the Central Government. We rely on provider DPAs, contractual safeguards, public-record source terms, and data-minimisation controls for these transfers.

We use essential cookies to keep Safi working (authentication and session management) and optional analytics cookies to understand usage patterns. You can opt out of analytics cookies when you first visit or from this page at any time. We don't use advertising or third-party tracking cookies.

Safi is not for anyone under 18. We do not knowingly collect or process personal data of children as defined under the DPDP Act. If we learn that a user is under 18, we will terminate their account and delete all associated data.

Grievance Officer: The Data Protection Officer
Email: grievance@getsafi.ai

We will acknowledge your complaint within 24 hours and provide a resolution within 30 days. If you are not satisfied, you may file a complaint with the Data Protection Board of India.

We may update this policy from time to time at our sole discretion. Non-material changes (clarifications, formatting, updated contact information, new sub-processor disclosures where the data category is unchanged) take effect immediately upon being posted on this page.

For material changes affecting how we collect, use, share, or retain your personal data, we will notify you through reasonable means (such as WhatsApp or in-app notice) before they take effect, as required by the Digital Personal Data Protection Act, 2023 and other applicable Indian laws. Your continued use of Safi after changes are posted constitutes acceptance of the updated policy. If you don't agree to a material change, your remedy is to stop using Safi and request erasure of your personal data under Section 12 of the DPDP Act.

If any provision of this policy is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary, and the remaining provisions will remain in full force and effect.

Safi is operated by Safi Technologies L.L.C-FZ, a limited liability company (free zone) registered in Meydan Free Zone, Dubai, United Arab Emirates (license 2647207.01). Our registered office is at Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, United Arab Emirates.

Privacy and data rights: privacy@getsafi.ai
Grievances: grievance@getsafi.ai
General questions: hello@getsafi.ai