Privacy Policy

Your Privacy is Our Architecture

Version 1.0 | Effective April 29, 2026 | Last Updated April 29, 2026 | Suraksha Technologies Pvt Ltd

Section 01

Our Privacy Promise

At DooTX, privacy is not a feature we added after the fact — it is the foundation on which every technical decision has been made. We built DooTX because we believe that private conversation is a fundamental human right, and that technology should protect that right by design, not by policy alone.

This Privacy Policy explains exactly what information we collect, why we collect it, what we do with it, and — equally important — what we are technically incapable of doing with it. We believe in complete transparency.

Our Five Core Promises to You
  • We cannot read your messages. Your messages are encrypted on your device before they ever reach our servers. This is a mathematical guarantee.
  • We do not sell your data. Not to advertisers. Not to data brokers. Not to anyone. Ever.
  • We do not show you ads. DooTX is a messaging tool, not an advertising platform. Your attention is not our product.
  • Your messages exist only on your device. No message content is stored on DooTX servers.
  • Post-quantum encryption protects your future privacy. Our CRYSTALS-Kyber768 encryption (a post-quantum key encapsulation algorithm standardised by NIST, designed to resist attacks from both classical and quantum computers) is mathematically resistant to quantum attacks.

These are not aspirational statements. Each promise is enforced by the technical architecture of DooTX.

Section 02

Information We Collect

We collect the minimum amount of information necessary to provide a functioning, secure messaging service.

2.1 Account Information

Data | Why We Collect It | Stored?
Mobile phone number | Your unique identity on the network. | Yes
Registration timestamp | To verify when your account was created. | Yes
Device type | To serve the correct version of the app. | Yes

2.2 Cryptographic Keys

DooTX's KAVACH encryption system uses a public-private key architecture. We store only your public keys.

KAVACH is DooTX's proprietary post-quantum encryption layer combining CRYSTALS-Kyber768, CRYSTALS-Dilithium3, and AES-256-GCM. Developed at Indus University.

Key Type | Purpose | Server Status
Kyber768 public key | Allows others to encrypt messages for you | Stored
Dilithium3 public key | Verifies messages came from you | Stored
Your private keys | Used to decrypt and sign messages | Never leaves device

2.3 Message Metadata (Minimal)

We collect a very limited set of metadata about messages. This is the operational minimum required to deliver messages reliably.

Metadata | Purpose | Duration
Message delivery status (delivered / pending) | So the sender knows if their message reached the recipient | Deleted after delivery
Message timestamp | To sort messages chronologically in your inbox | Stored locally on your device only
Online / offline status | To decide whether to queue a message or deliver it immediately | Real-time, not persistently stored

We never store message content. The content of your messages — text, images, files, voice notes — is encrypted on your device and, if temporarily in transit through our servers (offline queue), is stored only as opaque encrypted ciphertext that we cannot read. It is deleted immediately upon delivery.

2.4 Technical Data

Data | Purpose
Firebase Cloud Messaging (FCM) token | A token issued by Google that allows us to send you a notification ping when you receive a message. The ping contains no message content.
App version number | To ensure compatibility and prompt you to update when needed.
Connection timestamps | To detect suspicious activity and protect against account takeover.

2.5 What We Do NOT Collect

Strictly Zero Access
  • Message content — ever, under any circumstance.
  • Your contact list — we never read your phone's address book.
  • Location data — no GPS, cell-tower, or IP-based tracking.
  • Photos or media files — zero access to your gallery.
  • Browsing history — DooTX has no access to your web browsing activity.
  • Device identifiers — we do not collect IMEI, advertising IDs, or hardware serial numbers beyond what is listed above.
  • Biometric data — face, fingerprint, or any other biometric identifiers.

Section 03

How We Use Your Information

The information we collect is used solely to operate DooTX as a secure messaging service. Here is every use:

  • Account authentication via OTP. Your phone number is used to send a one-time password (OTP) to verify your identity during registration and login. This is the only time your phone number is shared with a third-party OTP delivery service.
  • Delivering encrypted messages. When you send a message, we route the encrypted ciphertext from your device to the recipient's device. We act as a secure relay — we cannot read what we are relaying.
  • Sending push notification pings. When you receive a message, your device receives a notification. This notification is content-free — it carries no message text, no sender name in the payload we control, and no media. It simply instructs your app to connect and retrieve your encrypted messages.
  • Maintaining server connection. We use connection data to keep your session alive and deliver messages in real time when you are online.
  • Detecting and preventing abuse. We use account-level metadata (not message content) to detect patterns of abuse such as spam, harassment, or attempts to compromise other users' accounts.
  • Improving the service. Aggregate, anonymised metrics (e.g., "how many active users today") help us understand how DooTX is being used and improve reliability. This does not involve reading message content or profiling individual users.

Important Note

DooTX will never use your data for advertising targeting, selling to third parties, profiling you for commercial purposes, or any purpose beyond what is described in this section. If we ever wish to use your data for a new purpose, we will update this Privacy Policy and notify you at least 30 days in advance.

Section 04

How Your Messages Are Protected

4.1 End-to-End Encryption (E2EE)

End-to-end encryption means that your message is locked on your device before it is sent, and can only be unlocked on your recipient's device. The message travels through DooTX's servers in a locked state that we cannot open. Think of it like sending a locked box through a postal service — the postal workers handle the box but have no key to open it.

E2EE means that messages are encrypted on the sender's device and can only be decrypted by the intended recipient's device. Nobody in between — including the service provider — can read the message.

4.2 Post-Quantum Cryptography

Standard encryption systems (including those used by many popular messaging apps) are vulnerable to a future threat: powerful quantum computers. If a sufficiently powerful quantum computer were built, it could break the mathematical problems that today's encryption relies on. This is not a problem today, but it is a credible future risk.

DooTX addresses this threat proactively using CRYSTALS-Kyber768 for key exchange — a post-quantum algorithm that has been standardised by the US National Institute of Standards and Technology (NIST) specifically because it is resistant to quantum computer attacks. Even if an adversary records your encrypted traffic today and waits for quantum computers to become available, your messages are protected against that future threat.

Message signatures are protected by CRYSTALS-Dilithium3, ensuring that messages cannot be forged even by a quantum-capable attacker.

The KAVACH System

DooTX uses KAVACH — a proprietary post-quantum encryption layer combining Kyber768 (key exchange), Dilithium3 (digital signatures), AES-256-GCM (message encryption), and X25519 (hybrid key exchange) into a unified protocol that provides defence-grade security for everyday messaging.

4.3 Local Storage Encryption

Your messages are not only encrypted in transit — they are also encrypted at rest on your own device. DooTX uses SQLCipher to encrypt the local message database, and your encryption keys are bound to your device's secure hardware using the Android Keystore. This means that even if someone physically obtained your device, they cannot read your messages without your device's biometric or PIN authentication.

4.4 Zero-Knowledge Architecture

DooTX operates on a zero-knowledge architecture. We genuinely do not have access to the information you entrust to the service. We do not possess the keys needed to decrypt data. This means:

  • Our servers store only encrypted ciphertext.
  • We do not possess the private keys needed to decrypt your messages.
  • Even our own engineers cannot read your messages because the plaintext does not exist on our systems.

Legal Requests Guarantee

Even if our servers were seized by any government, law enforcement authority, or third party, they would find only encrypted ciphertext that is mathematically impossible to decrypt without your private keys — keys which exist only on your personal device and which we have never possessed.

If we receive a lawful court order demanding the content of your messages, the honest and complete answer is: we do not have it. Not because we deleted it. Not because we are resisting the order. Because the content never existed on our servers in decryptable form.

We can only provide the account-level metadata described in Section 2.1 — your phone number, registration date, and device type.

Section 05

Data Sharing

We do not sell, rent, trade, or share your personal data with third parties for commercial purposes. Below is a complete account of every situation in which your data may be shared with any external party.

5.1 Service Providers

Provider | Data Shared | Purpose
Google Firebase (FCM) | Your FCM device token | To deliver push notification pings to your device. These pings contain no message content. Firebase receives a token — not your phone number, message content, or identity.
OTP Provider | Your phone number, temporarily during registration/login | To send you a one-time password for identity verification. Your number is used solely for OTP delivery and is not retained by the provider for any other purpose under our agreement with them.

We have no relationships with advertising networks, data brokers, analytics platforms that profile users, or any other party that receives your data for commercial purposes.

5.2 Legal Disclosures

DooTX is an Indian company and is subject to Indian law, including the Information Technology Act 2000 and the Digital Personal Data Protection Act 2023. If we receive a lawfully issued court order or government directive requiring us to disclose user data, we will comply to the extent legally required.

Legal Orders Boundary

What we can provide: Account registration data — your phone number, registration date, and device type. Nothing more.

What we cannot provide: Message content. We do not have it. Your messages are end-to-end encrypted and we possess no decryption keys. Message metadata stored locally on your device is also outside our reach.

We will notify affected users of legal demands to the extent permitted by law, and we will challenge overbroad or unlawful demands.

5.3 Business Transfers

If Suraksha Technologies Private Limited is involved in a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. In such an event, we will provide notice via the app and this Privacy Policy, and the acquiring entity will be required to honour the commitments made in this policy or obtain your fresh consent for any changes.

Section 06

Data Retention

We retain your data for the minimum time necessary. Here is exactly how long each type of data is kept:

Data Type | Retention Period
Message content | Not stored on servers at all. If temporarily queued for an offline recipient, deleted immediately upon delivery confirmation.
Offline message queue | Maximum 30 days. If a recipient does not come online within 30 days, the encrypted message is permanently deleted from our servers. The sender is notified of non-delivery.
Your public cryptographic keys | Retained for as long as your account is active. Deleted permanently when you delete your account.
Account registration data (phone number, timestamps) | Retained for the life of your account, plus a short window (up to 90 days) after account deletion for fraud prevention purposes.
FCM token | Updated each time you open the app. Previous tokens are overwritten, not accumulated.
Connection timestamps | Retained for a maximum of 90 days for security and abuse detection purposes, then automatically deleted.

Deleting Your Account

You can delete your DooTX account at any time from within the app (Settings → Account → Delete Account). When you delete your account:

  • Your phone number is removed from our active user database.
  • All your public cryptographic keys are deleted from our servers.
  • Any queued (undelivered) encrypted messages addressed to you are permanently deleted.
  • Your account deletion is permanent and irreversible. We cannot restore a deleted account.

Messages you have already sent to others, which have been delivered to their devices, remain on their devices subject to their own deletion choices. We have no control over or access to messages that have been delivered to recipient devices.

Section 07

Your Rights Under Indian Law

DooTX is operated by Suraksha Technologies Private Limited, an Indian company. The Digital Personal Data Protection Act 2023 (DPDP Act) grants you the following rights as a data principal (i.e., the person whose data is being processed).

Your Rights as an Indian User
  • Right to Access. You have the right to know what personal data we hold about you and how it is being processed. You can request a summary of your data at any time.
  • Right to Correction. If the personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct it.
  • Right to Erasure. You have the right to request deletion of your personal data. You can exercise this right by deleting your account in the app, or by contacting us at legal@dootx.in.
  • Right to Grievance Redressal. If you believe your data rights have been violated, you have the right to file a complaint with our Grievance Officer (details in Section 11) and, if unsatisfied, with the Data Protection Board of India.
  • Right to Withdraw Consent. Where we process your data based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to Nominate. You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.

To exercise any of these rights, please contact our Grievance Officer at legal@dootx.in. We will respond within 30 days as required by the DPDP Act.

Section 08

Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction covered by the General Data Protection Regulation (GDPR) or equivalent legislation, the following rights apply to you.

Data Controller: Suraksha Technologies Private Limited, Ahmedabad, Gujarat, India — is the data controller for personal data processed by DooTX.

Your GDPR Rights
  • Right of Access (Article 15). You may request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16). You may request correction of inaccurate personal data.
  • Right to Erasure / "Right to be Forgotten" (Article 17). You may request deletion of your personal data, subject to certain legal exceptions.
  • Right to Restriction of Processing (Article 18). You may request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability (Article 20). You have the right to receive your personal data in a structured, machine-readable format.
  • Right to Object (Article 21). You may object to processing of your data based on legitimate interests.
  • Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection authority.

Our lawful basis for processing your data is:

  • Contract performance — processing necessary to provide the DooTX messaging service you have registered for.
  • Legitimate interests — security, fraud prevention, and abuse detection.
  • Legal obligation — compliance with applicable law.

To exercise your GDPR rights, email legal@dootx.in. We will respond within 30 days.

Section 09

Children's Privacy

DooTX is not intended for use by children under the age of 13 years. We do not knowingly collect personal data from children under 13.

If you are a parent or guardian and you believe your child under the age of 13 has registered for DooTX or provided us with personal data, please contact us immediately at support@dootx.in. We will promptly investigate and, if confirmed, delete the account and all associated data.

By using DooTX, you represent that you are at least 13 years of age. Users in certain jurisdictions may be subject to higher age requirements under local law (for example, 16 years in some EU member states). It is the responsibility of the user to comply with applicable local age requirements.

For Parents

If you discover your child has created a DooTX account, contact us at support@dootx.in with the registered phone number. We will remove the account within 48 hours of verification.

Section 10

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or the features of DooTX. When we make changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Send an in-app notification informing you that the Privacy Policy has been updated.
  • For material changes — changes that meaningfully affect how we collect or use your data — provide at least 30 days' advance notice before the changes take effect, allowing you time to review and, if you disagree, delete your account before the new policy applies.

Your continued use of DooTX after the effective date of an updated policy constitutes your acceptance of the updated policy. If you do not agree with any changes, you may delete your account at any time before the new policy takes effect.

We encourage you to review this Privacy Policy periodically. All previous versions will be archived and available upon request.

Section 11

Contact Us

We are committed to resolving any questions about this Privacy Policy transparently.

Grievance Officer

Alay
Role: Founder, CEO, Director & Grievance Officer, Suraksha Technologies Pvt Ltd
Address: Ahmedabad, Gujarat