1. Who we are
Vicholan (“we”, “us”, “our”) is the data controller for the personal information we collect through our website and verification services. We are based in Ontario, Canada and serve clients primarily in Canada and India.
For all privacy questions, contact our Privacy Officer at privacy@vicholan.com. We respond within 30 days.
2. The personal information we collect
From parents who engage us
- Name, phone number, email address, city
- Information about your child whose match is being verified
- Information about the prospective match: name, contact details, workplace, claimed background, photos, and bio-data you choose to share
- Payment details (processed by Stripe — we never store card numbers or CVV codes)
- Communications with us via email, WhatsApp, or our website
- Voice notes submitted through our intake process (if you choose to record one)
From the prospective match
- Identity confirmation at the time of meeting
- Their written consent record (name, timestamp, IP address, and agreement)
- Our representative's observations from the in-person meeting — recorded in the report we deliver to the engaging family
Automatically, from website visitors
- Browser type, device type, operating system
- IP address (stored in hashed form only, never plain text)
- Pages visited, time spent, referring page
- Cookies and similar technologies — see our Cookie Policy for details
3. How we use this information
We use personal information to:
- Provide the verification service you have engaged us for
- Communicate with you about your case status, scheduling, and report delivery
- Contact the prospective match to explain our role and obtain their consent
- Process payments and prevent fraud
- Send transactional emails — booking confirmations, status updates, report notifications. We do not send marketing emails unless you have explicitly opted in.
- Improve our service through anonymised usage analytics
- Comply with legal and regulatory obligations
- Defend against legal claims if necessary
We do not sell, rent, or trade your personal information to any third party for their own use.
4. Legal basis for processing
For users in Canada — PIPEDA
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), we process personal information with your knowledge and consent, for the purposes stated in this policy. You consent at the point of engaging our service. Withdrawal of consent may affect our ability to provide the service.
For users in India — DPDP Act, 2023
Under the Digital Personal Data Protection Act, 2023, we process your personal data as a Data Fiduciary on the basis of:
- Consent — freely given, specific, and informed consent at the point of engagement
- Legitimate use — where necessary to provide the service you have contracted us for
- Legal obligation — where required by applicable law
5. The match's consent
We will not meet the prospective match without their explicit written consent. Before any in-person meeting, we contact the match, explain our role clearly, and obtain their digital signature on a consent form.
The consent record captures:
- The identity of the engaging family (first name and city only)
- The scope of our observations — what we will and will not do
- What information will appear in the report and who will receive it
- Their right to withdraw consent before the meeting takes place
- Their option to request a copy of the final report
Consent records are stored permanently as immutable records and cannot be edited after signing. They form part of our legal compliance documentation.
7. Where your information is stored
Our primary database is hosted by Supabase on infrastructure in North America. File attachments (bio-data PDFs, voice notes) are stored in Supabase Storage. Payment data is processed and stored by Stripe on its global infrastructure.
By using our service, you acknowledge that your information may be processed and stored in Canada and the United States, where data protection laws may differ from those in your home country. We take steps to ensure that any cross-border transfer of data is handled with appropriate safeguards.
8. How long we keep your information
We retain personal information for as long as your case is active, plus 24 months after case closure. This retention period covers our legal, accounting, and dispute-resolution obligations.
After this period, we delete or permanently anonymise personal information. Aggregated and anonymised data — from which no individual can be identified — may be retained indefinitely for analytics and service improvement.
Consent records are retained permanently as immutable legal records. Payment records are retained for 7 years per Canadian accounting requirements.
You may request earlier deletion under Section 10, subject to our legal retention obligations.
9. How we protect your information
- All data is encrypted in transit using HTTPS (TLS 1.2+)
- Database content is encrypted at rest
- File access is controlled through short-lived signed URLs (1-hour expiry) — direct file links cannot be shared or bookmarked
- Payment data is handled exclusively by PCI-DSS compliant providers
- Database access is role-controlled — our systems enforce row-level security so each user can only access their own records
- IP addresses are stored only in hashed form and cannot be reverse-engineered
- We review security practices regularly
No system is perfectly secure. In the event of a data breach that affects your personal information, we will notify you and the relevant regulators as required by applicable law, without undue delay.
10. Your rights
You have the following rights regarding your personal information. To exercise any of them, email privacy@vicholan.com. We respond within 30 days.
Under PIPEDA (Canada)
- Access: request a summary of the personal information we hold about you
- Correction: request that we correct inaccurate or incomplete information
- Withdrawal of consent: withdraw consent for future processing at any time (note: this may end our ability to continue the service)
- Complaint: lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca)
Under the DPDP Act, 2023 (India)
As a Data Principal, you have the right to:
- Access: obtain a summary of your personal data and the processing activities we carry out
- Correction and erasure: request that we correct inaccurate data or erase data we no longer have a lawful reason to retain
- Grievance redressal: raise a grievance with us; we respond within 30 days
- Nominate: nominate another person to exercise these rights on your behalf in the event of your death or incapacity
- Complaint: lodge a complaint with the Data Protection Board of India, once operational
Right to deletion
You may request deletion of your personal data at any time. We will action requests within 30 days, subject to our legal obligation to retain certain records (payment logs, consent records). We will tell you clearly what we can and cannot delete and why.
A deletion request form is also available in your account settings once you are signed in.
12. Children's privacy
Our service is not directed at children under 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information about a child, please contact us at privacy@vicholan.com and we will delete it promptly.
13. International users
Our service is primarily designed for users in Canada and India. If you access our site from another jurisdiction, you do so at your own initiative and are responsible for compliance with local laws.
For users in the European Economic Area: although we do not actively market to EU residents, if you use our service, GDPR-equivalent rights apply to your personal data. Contact us at privacy@vicholan.com to exercise those rights.
14. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated by email to active clients at least 30 days before they take effect. The date at the top of this page shows when the policy was last updated.
15. Contact
Privacy Officer: privacy@vicholan.com
General support: support@vicholan.com
Company: Vicholan, Ontario, Canada
We respond to all privacy requests within 30 days. If your request is complex, or you have made numerous requests, we may extend this by up to 60 days; we will notify you if this is the case.