Privacy Policy
Effective date: 1 June 2026
Tokans.org (the "Platform"; "we", "our", "us") is committed to protecting your privacy. This Policy explains what personal data we collect, how we use it, and your rights under applicable law, including India's Digital Personal Data Protection Act 2023 (DPDP Act).
1. Data We Collect
Account data: name, email address, and (if you use email/password sign-in) a bcrypt-hashed password. We never store your password in plain text.
OAuth identity data: if you sign in via GitHub or Google, we receive your name, email, and OAuth provider ID. We do not receive your provider password.
Profile and contribution data: role, sub-type, professional context, GitHub URL, website URL, and any contribution information you voluntarily submit to build your Tokan score.
Usage data: onboarding journey path, completed journeys, and anonymised feature-usage signals. We do not use third-party analytics trackers.
Session data: a session token stored as an HttpOnly cookie with a 7-day TTL. We use Upstash (Redis) to store session payloads server-side.
2. How We Use Your Data
- To create and maintain your account and Tokan profile.
- To compute and display your verified Tokan score.
- To match opportunity seekers with employers and founders.
- To send transactional emails (email verification, password reset, platform updates). We use Resend to deliver email.
- To detect and prevent fraud, gaming, and abuse.
We do not sell or rent your personal data, and we do not share it with third parties for marketing purposes.
3. Data Storage and Security
Your data is stored in a managed PostgreSQL database (Neon) and a Redis cache (Upstash), both hosted on infrastructure with encryption at rest and in transit. Access is restricted to the Platform's serverless functions; no human has routine access to your raw data.
Passwords are hashed with bcrypt (cost factor 12). Session tokens are cryptographically random UUIDs generated server-side; the cookie carries only this opaque identifier, and the session payload it refers to is held in Upstash (Redis), not in the cookie.
4. Cookies
We use two cookies:
- tokans_session — HttpOnly, Secure, SameSite=Lax. Stores your session token (7-day TTL, see Session data above). Required for login.
- tokans_csrf — used to protect mutating requests against cross-site request forgery.
We do not use advertising, tracking, or analytics cookies.
5. Third-Party Services
- GitHub / Google OAuth — identity only; governed by their respective privacy policies.
- Neon — PostgreSQL database provider. neon.tech/privacy
- Upstash — Redis session store. See the Upstash privacy policy at upstash.com
- Resend — transactional email. resend.com/privacy
- Vercel — hosting and edge functions. vercel.com/legal/privacy-policy
6. Data Retention
We retain your account and profile data for as long as your account is active. If you request deletion, we will remove your personal data within 30 days, except where retention is required by law. Aggregated, anonymised Tokan score signals may be retained for platform integrity purposes.
7. Your Rights
Under the DPDP Act and applicable law you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request erasure of your data ("right to be forgotten").
- Withdraw consent at any time (which may affect your ability to use the Platform).
- Nominate a person to exercise these rights on your behalf in the event of your death or incapacity.
To exercise any of these rights, email hello@tokans.org. We will respond within 30 days.
8. Children's Privacy
The Platform is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
9. Changes to This Policy
We may update this Policy periodically. Material changes will be communicated by email or a prominent notice on the Platform at least 14 days before they take effect.
10. Contact
For privacy-related questions or to exercise your rights, contact us at hello@tokans.org.