Privacy and trust
Safeguarding every journey
Learn how Hearth collects and protects your data, and empowers your data decisions, while you explore mindful travel experiences.

Privacy Policy

Last Updated: September 2025
Company: StarKnights Technologies Pvt. Ltd.
Location: Dehradun, Uttarakhand, India
Contact: [email protected]

Hearth (the “Platform”) is operated by StarKnights Technologies Pvt. Ltd. (“StarKnights”, “we”, “us”, “our”). We respect your privacy and are committed to protecting your personal information. This Privacy Policy describes what data we collect, why we collect it, how we use it, how we share it, how we secure it, and the rights available to you under applicable Indian law.

India-centric note: This Privacy Policy is framed primarily under Indian law, including the Information Technology Act, 2000 and rules made thereunder, and acknowledges the Digital Personal Data Protection Act, 2023 as notified and in force from time to time. Where you access the Platform from outside India, you consent to processing in India under this Policy.

1. Definitions

  • “Personal Data” means any data about an individual who is identifiable by or in relation to such data.
  • “Processing” means an operation performed on Personal Data including collection, recording, storage, use, disclosure, or deletion.
  • “Provider” means a business or individual listing stays, food, experiences, or services on Hearth.
  • “Traveler” means an individual browsing or using Hearth to discover such listings.
  • “KYC” means know-your-customer verification performed to validate the identity of Providers.
  • “Payment Gateway” means PhonePe or Razorpay (or any successor/alternative gateway engaged by us).

2. Scope & Applicability

This Policy applies to all users of the Platform (Providers, Travelers, visitors). By accessing or using Hearth, you agree to the practices described here.

3. Identity of Data Fiduciary / Controller

For the purposes of Indian law, StarKnights Technologies Pvt. Ltd. is the entity determining the purposes and means of Processing your Personal Data in connection with Hearth.

4. Contact & Grievance Redressal

  • Primary Contact: [email protected]
  • Postal Address: StarKnights Technologies Pvt. Ltd., Dehradun, Uttarakhand, India
  • Grievance Officer (India): Designated officer reachable at [email protected] (subject to update on the Site as required by law). We endeavor to acknowledge and respond to grievances within a reasonable period in accordance with applicable rules.

5. What We Collect From Travelers

  • Account details you provide (name, email, phone).
  • Content you submit (reviews, feedback).
  • Device/usage data (IP address, browser/OS, pages viewed, timestamps, referrers, error logs).
  • Cookie/local-storage identifiers essential for login session integrity and performance.

6. What We Collect From Providers

  • Account and business contact details (name, email, phone).
  • Listing details (property/service descriptions, photos, amenities, pricing, locations).
  • KYC details for verification (e.g., identity and address proof as permitted by law), limited to what is necessary for verification; may be collected via offline checks and/or e-KYC flows.
  • Operational communications (support tickets, compliance correspondence).

7. What We Do Not Collect or Store

  • We do not store card numbers, CVV, net-banking credentials, UPI PINs, or wallet passwords. Such data is processed directly by PhonePe/Razorpay under their policies and RBI guidelines.
  • We do not currently use third-party advertising trackers or behavioral ad profiles.

8. Sources of Personal Data

  • Directly from you when you sign up, create a listing, or submit a review.
  • Automatically from your device when you interact with the Platform.
  • From our field agents and verification partners during Provider verification.
  • From Payment Gateways in the form of minimal payment status/metadata needed to reconcile subscriptions (no sensitive payment instrument data).

9. Lawful Bases for Processing

We Process Personal Data based on one or more of the following: (a) your consent; (b) contractual necessity (to provide the Platform and subscriptions you request); (c) legal obligation (e.g., KYC/records retention); and/or (d) our legitimate interests (fraud prevention, network and information security, service improvement).

10. Purposes of Use

We use Personal Data to:

  • operate and improve the Platform;
  • create and manage accounts;
  • verify and onboard Providers (including offline and e-KYC checks);
  • render subscription billing and reconciliation via PhonePe/Razorpay;
  • enable secure, single-use reviews (QR/link) and community moderation;
  • communicate service notices, changes, and (with consent) marketing updates;
  • prevent fraud, abuse, and violations of our Terms;
  • comply with applicable law and enforce legal rights.

11. Cookies, Storage & Similar Technologies

We use essential cookies/local-storage for session management, CSRF protection, load balancing, rate-limiting, and preference storage. We do not presently use third-party analytics or advertising cookies. You may disable non-essential storage via your browser; essential storage is required for core functionality.

12. Payments & Subscriptions

  • Provider subscriptions are processed through PhonePe or Razorpay.
  • We receive only limited transaction metadata (status, masked identifiers) necessary to confirm payment, manage renewals, and issue refunds where applicable.
  • Autopay is preferred; manual payments are supported if autopay is unavailable.
  • We do not store or Process sensitive payment instrument details.

13. Provider Verification (KYC) & Field Checks

We may Process identity/address information for Providers to conduct lawful KYC and in-person verification. Such data is used strictly for verification, is access-controlled, and retained only as necessary for compliance and evidencing due diligence.

14. Reviews & Single-Use Links/QR

When you request or use a review link or QR:

  • We generate a single-use token tied to your booking window; tokens expire 21 days from generation to reduce misuse.
  • We Process basic metadata (token issuance time, expiry, listing ID, IP logs) to ensure authenticity and auditability.
  • Review content may be displayed publicly and moderated for policy compliance.

15. Data Minimisation & Accuracy

We strive to collect only what is necessary for stated purposes and encourage you to keep your information accurate and up to date. Providers are responsible for accuracy of listing data submitted to Hearth.

16. Sharing & Disclosures

We may share Personal Data with:

  • Verification personnel/field agents for KYC and quality checks;
  • Payment Gateways (PhonePe/Razorpay) for subscription Processing;
  • Cloud and infrastructure providers (e.g., object storage/CDN, email delivery) under confidentiality and data security obligations;
  • Professional advisers (legal/accounting) under duty of confidentiality;
  • Authorities/regulators/courts when compelled or lawfully required;
  • Successors in case of merger, acquisition, or reorganisation (with continued protection).

We do not sell Personal Data to advertisers.

17. International Data Transfers

Our infrastructure and providers may store or Process data in India or other jurisdictions. Where data moves cross-border, we implement appropriate safeguards and require service providers to maintain materially comparable protections consistent with this Policy and applicable Indian law.

18. Retention

We retain Personal Data only as long as necessary for the purposes stated or as required by law (e.g., KYC/accounting/tax records). Indicatively: account data for the life of the account; logs for a limited operational period; review content while relevant to the listing unless removed under policy.

19. Security Measures

We implement technical and organisational measures, including: TLS/HTTPS in transit; access controls and least-privilege; audit logs; encryption of secrets; periodic vulnerability scans; backups and tested restore procedures; staff confidentiality commitments; and incident response processes.

20. Data Breach Response

On becoming aware of a breach that materially affects your Personal Data, we will take reasonable steps to contain and remediate the incident, notify affected users within a reasonable timeframe, and engage with authorities where legally required.

21. Your Rights

Subject to applicable law, you may:

  • request access to your Personal Data;
  • request correction/updates;
  • request deletion (erasure) of Personal Data no longer necessary;
  • withdraw consent where Processing is based on consent;
  • object to or restrict certain Processing;
  • request a portable copy of your data in a common format.

22. Exercising Your Rights

To exercise rights, contact [email protected] with sufficient details to verify your identity and the nature of your request. We may request additional information solely to authenticate the requester. We will respond within a reasonable time as required by law.

23. Marketing Communications

We do not currently send newsletters. If we commence marketing communications, we will do so in compliance with law and provide clear opt-out mechanisms. Transactional or service-related communications may continue irrespective of marketing preferences.

24. Children’s Data

The Platform is not intended for persons under 18 years. We do not knowingly Process Personal Data of minors. If you believe a minor has provided data, please contact us for prompt deletion.

25. Third-Party Links & Services

The Platform may contain links to third-party sites or services not operated by us. Your interactions with those services are governed by their privacy practices. We are not responsible for their content or data handling.

26. Automated Decision-Making & Profiling

Hearth does not engage in automated decision-making that produces legal or similarly significant effects on individuals. We may use aggregated, de-identified metrics to improve features and relevance without identifying you.

27. Use of Aggregated/Anonymised Data

We may aggregate and anonymise Personal Data to generate statistics, trends, or insights (e.g., popular regions, listing performance). Such data no longer identifies individuals and may be used for analytics or shared publicly.

28. Provider Content & IP

Providers retain ownership of photos and descriptions submitted but grant Hearth a licence to host, display, and promote such content in connection with the Platform. We Process associated metadata for integrity, moderation, and takedown handling.

29. Legal Requests & Enforcement

We may access, preserve, and disclose information if we believe it is reasonably necessary to: (i) comply with law, regulation, legal process, or governmental request; (ii) enforce our Terms; (iii) protect the safety, rights, or property of users, the public, or StarKnights; or (iv) detect, prevent, or address fraud and security issues.

30. Interactions with Payment Gateways

When you pay subscription fees, you are redirected to PhonePe or Razorpay, or their payment interface is embedded in the Platform. Your use of such services is subject to their privacy policies and terms. We receive limited metadata confirming payment status; we do not store your payment credentials.

31. Data Protection by Design & Default

We integrate privacy and security considerations into product design and engineering processes (threat modelling, access reviews, minimal privilege, code reviews, separation of environments, and configuration hardening).

32. Employee & Contractor Obligations

Personnel with access to Personal Data are bound by confidentiality obligations, receive periodic training, and access only what is necessary for their role.

33. Record of Processing Activities

We maintain internal records of Processing activities (categories of data, purposes, sharing, retention) to support accountability and compliance.

34. Changes to this Policy

We may update this Policy to reflect legal, technical, or business developments. If changes are material, we will provide a prominent notice on the Platform. The “Last Updated” date will indicate the latest revision.

35. Business Transfers

If StarKnights is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred as part of that transaction. We will require the transferee to honour this Policy or provide notice with options consistent with law.

36. Governing Law & Jurisdiction

This Policy is governed by the laws of India. Disputes shall be subject to the exclusive jurisdiction of competent courts at Dehradun, Uttarakhand, India, without prejudice to any mandatory rights you may have under applicable law.

37. Effective Date & Versioning

This version is effective as of the “Last Updated” date above. Prior versions may be archived internally for audit and reference.

38. Contact & Complaints

If you have questions, concerns, or complaints about our privacy practices, please contact [email protected]. If you are not satisfied with our response, you may escalate to the appropriate authority under Indian law, as applicable.