Privacy Policy

How we protect your data with military-grade encryption, on-premise deployment, and full DPDPA 2023 compliance.

Last Updated: April 2026
📋
SECTION 01
Introduction

MMG Infotech Pvt Ltd ("MMG", "we", "us", "our") is committed to protecting the privacy and security of all data processed through our software products, including DRISHTI, MMG VPN, MMG CyberShield, Digital Malkhana, NMB-Niwas, MMG AI School, RetinAI, MMGPlus, and MMG License Portal.

This Privacy Policy describes what data we collect, how we store it, and the measures we take to ensure its confidentiality and integrity. Given that our primary clients are government agencies and law enforcement departments, we maintain the highest standards of data security and privacy.

Governing Law: This policy is governed by the laws of India, including the Digital Personal Data Protection Act (DPDPA), 2023, Information Technology Act, 2000, and CERT-In directives.
📊
SECTION 02
What Data We Collect

The data collected depends on the specific MMG product deployed at your organization. Data is collected solely for the operational purpose of the software and is never used for advertising, profiling, or sale to third parties.

  • DRISHTI / PRAGYA 2.0: Case records (FIR, diary, charge-sheets), accused/witness personal information, court proceedings, officer details, station configurations, AI interaction logs.
  • NIVARAN: Complainant name, phone, address, complaint details, resolution history, satisfaction ratings, WhatsApp interaction logs.
  • MMG VPN: Connection timestamps, device fingerprint hashes, bandwidth usage, IDS event logs. No traffic content is ever logged or inspected.
  • Digital Malkhana: Evidence descriptions, photographs, chain-of-custody records, disposal orders, court exhibit references.
  • NMB-Niwas: Resident name, flat number, phone, email, maintenance payment records, complaint details.
  • Authentication Data (all products): Username, hashed password (bcrypt, 12 rounds), TOTP secrets, login timestamps, device identifiers, session tokens.
PII Redaction: Before any external AI call (Gemini, Claude), all Personally Identifiable Information is automatically redacted using our 9-pattern detection system — Aadhaar, PAN, phone, email, bank account, IFSC, vehicle number, passport, and PIN code. No PII ever leaves the server.
🔐
SECTION 03
How Data is Stored & Encrypted

All MMG software is deployed on-premise on the client's own servers, behind their firewall. No data is stored on MMG-owned servers or cloud infrastructure.

  • Encryption at Rest: AES-256-CBC field-level encryption for all PII fields (Aadhaar, phone, address). Database-level encryption using PostgreSQL/MSSQL Transparent Data Encryption (TDE).
  • Encryption in Transit: TLS 1.3 for all HTTP traffic. WireGuard (ChaCha20-Poly1305) for VPN tunnels. API requests are signed with HMAC-SHA256 and accepted only within a 2-minute timestamp window.
  • Key Management: Machine-bound AES-256-GCM vault with PBKDF2 (100,000 iterations). RSA-2048 key pairs for API response signing. Keys never leave the deployment server.
  • Backups: Automated nightly database backups at 2:00 AM with AES-256 encryption. Backup files stored on the same on-premise server. 30-day retention with automatic rotation.
  • Audit Logs: Tamper-proof hash-chain audit logs. Every data access, modification, and deletion is recorded with user ID, timestamp, IP address, and action hash. Immutable — cannot be edited or deleted even by administrators.
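
The hash-chain audit log named in the last item, sketched as an added example (not MMG's code). The record fields follow the policy; the SHA-256 linking scheme, the genesis value, the function names and the sample entries are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry

def entry_hash(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical JSON form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, user_id, timestamp, ip, action):
    """Append a record linked to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"user_id": user_id, "timestamp": timestamp, "ip": ip, "action": action}
    log.append({"record": record, "prev_hash": prev_hash,
                "hash": entry_hash(prev_hash, record)})

def verify(log, expected_head=None):
    """Return the index of the first broken entry, len(log) if only the head
    hash differs from expected_head, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:
            return i  # link broken: an earlier entry was removed or reordered
        if entry_hash(prev_hash, entry["record"]) != entry["hash"]:
            return i  # record content no longer matches its stored hash
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)  # tail truncated, extended, or whole chain recomputed
    return None

def sample_log():
    """Constructed sample entries (not real data)."""
    log = []
    append(log, "officer17", "2026-04-01T09:00:00Z", "10.0.0.5", "VIEW case/1001")
    append(log, "officer17", "2026-04-01T09:02:10Z", "10.0.0.5", "UPDATE case/1001")
    append(log, "admin01", "2026-04-01T09:05:42Z", "10.0.0.9", "DELETE attachment/77")
    return log
```

The chain by itself exposes edits and removals of interior entries; noticing a truncated tail or a fully recomputed chain requires comparing against a head hash recorded outside the log, which is what `expected_head` stands for.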
🚫
SECTION 04
Data Sharing — None
Zero Data Sharing Policy: Police data, case records, evidence data, and all sensitive information processed by MMG software never leaves the client's server. Period.
  • No cloud transmission: All deployments are on-premise. No data is sent to MMG servers, cloud providers, or any third party.
  • No analytics collection: We do not collect usage analytics, telemetry, or behavioral data from deployed software.
  • No third-party sharing: We do not sell, rent, license, or share any data with advertisers, data brokers, or any external entity.
  • AI calls are PII-free: When external AI services (Google Gemini) are used for features like Kalandra generation, all PII is stripped before the API call and re-inserted locally after the response.
  • Ollama fallback: For environments requiring 100% air-gapped operation, on-premise Ollama AI models are available, ensuring zero external network calls.
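
The redact-then-reinsert round trip described under PII Redaction and in the AI-call item above, as an added example (not MMG's code). It covers five of the nine listed categories; the regular expressions, the placeholder format, the function names and the sample text are assumptions.

```python
import re

# Assumed patterns for five of the nine categories the policy lists.
PATTERNS = [
    ("EMAIL",   re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("AADHAAR", re.compile(r"(?<!\d)\d{4}[ -]?\d{4}[ -]?\d{4}(?!\d)")),
    ("PHONE",   re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{9}(?!\d)")),
    ("PAN",     re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")),
    ("IFSC",    re.compile(r"\b[A-Z]{4}0[A-Z0-9]{6}\b")),
]
TOKEN = re.compile(r"\[\[[A-Z]+_\d+\]\]")

# Constructed sample text; none of these values belong to a real person.
SAMPLE = ("Complainant Ravi (ravi.k@example.com, +91 9876543210, "
          "Aadhaar 2345 6789 0123, PAN ABCDE1234F) paid via SBIN0001234.")

def redact(text):
    """Replace each PII match with a stable placeholder; return (text, vault)."""
    vault, seen, counts = {}, {}, {}   # vault stays on the local server
    for label, pattern in PATTERNS:
        def swap(match, label=label):
            value = match.group(0)
            if value not in seen:      # repeated values share one placeholder
                counts[label] = counts.get(label, 0) + 1
                seen[value] = f"[[{label}_{counts[label]}]]"
                vault[seen[value]] = value
            return seen[value]
        text = pattern.sub(swap, text)
    return text, vault

def reinsert(text, vault):
    """Restore originals in the response; unknown placeholders are left as-is."""
    return TOKEN.sub(lambda m: vault.get(m.group(0), m.group(0)), text)

def residual_pii(text):
    """Labels of patterns that still match; check this before the outbound call."""
    return [label for label, pattern in PATTERNS if pattern.search(text)]
```

Calling `residual_pii` on the outbound text and refusing to send when it returns anything turns the redaction into an enforced gate rather than a best-effort filter.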
⚖️
SECTION 05
DPDPA 2023 Compliance

MMG Infotech is fully compliant with the Digital Personal Data Protection Act (DPDPA), 2023 of India. Our compliance measures include:

  • Lawful Purpose: All data is processed solely for the lawful purpose of law enforcement, public safety, grievance management, or the specific operational purpose of the deployed software.
  • Data Minimization: We collect only the data necessary for the software to function. No extraneous data is collected or retained.
  • Consent Management: Where applicable (NIVARAN citizen portal, NMB-Niwas), explicit consent is obtained before collecting personal data, with a clear explanation of the purpose.
  • Data Localization: 100% data localization. All data resides on Indian soil, on government/client servers, within Indian jurisdiction. No cross-border data transfer.
  • Data Fiduciary Obligations: The deploying organization (police department, government agency) acts as the Data Fiduciary. MMG acts as the Data Processor, processing data only as instructed by the Fiduciary.
  • Breach Notification: In the event of a data breach, we commit to notifying the Data Fiduciary and CERT-In within 6 hours, as required by CERT-In directives.
  • Grievance Redressal: A designated Data Protection Officer is available for privacy-related queries and grievances.
🗄️
SECTION 06
Data Retention

Data retention periods are determined by the deploying organization (Data Fiduciary), in accordance with applicable laws and departmental policies.

  • Case records (DRISHTI): Retained as per the Indian Evidence Act and departmental record retention rules. Typically 15-30 years for criminal cases.
  • Grievance records (NIVARAN): Retained for a minimum of 3 years after resolution, or as per departmental policy.
  • Audit logs: Retained for a minimum of 365 days. Hash-chain integrity ensures no tampering.
  • VPN connection logs: Retained for 365 days as per CERT-In directives. No traffic content is logged.
  • Authentication logs: Retained for 180 days (login attempts, session history, device records).
  • Backups: 30-day rolling retention with AES-256 encryption. Older backups are securely destroyed.

When data reaches end-of-life, it is securely erased using cryptographic erasure (destroying the encryption key), rendering the data permanently irrecoverable.

👤
SECTION 07
Your Rights

Under the DPDPA 2023, data principals (individuals whose data is processed) have the following rights, subject to applicable exemptions for law enforcement:

  • Right to Access: You may request information about what personal data of yours is being processed and the purpose of such processing.
  • Right to Correction: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data, subject to legal retention obligations and law enforcement exemptions.
  • Right to Grievance Redressal: You may raise a grievance regarding the processing of your personal data with our Data Protection Officer.
  • Right to Nominate: You may nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
Law Enforcement Exemption: Under Section 17(2) of DPDPA 2023, certain rights may be restricted when data processing is necessary for the prevention, detection, investigation, or prosecution of offences. This applies to data processed within DRISHTI and Digital Malkhana for law enforcement purposes.
🛡️
SECTION 08
Security Measures
  • VAPT Grade A Certified: All products undergo regular Vulnerability Assessment and Penetration Testing, scoring 89%+ on OWASP Top 10.
  • 14-Role RBAC: Granular role-based access control from SUPER_ADMIN to VIEWER, with 2-person approval for critical actions.
  • Login Security: Account lockout after 5 failed attempts. CAPTCHA on login. Device fingerprinting. Session timeout at 30 minutes of inactivity.
  • Network Security: On-premise deployment behind government firewalls. IIS + ARR reverse proxy. PM2 cluster mode. No public-facing database ports.
  • Incident Response: Documented incident response plan with 6-hour breach notification to CERT-In. Automated alerts for suspicious activity patterns.
  • Code Security: All code is scanned with MMG CyberShield (our own VAPT tool) before every deployment. SAST + DAST + dependency scanning.
📧
SECTION 09
Contact for Privacy Queries

For any privacy-related queries, data access requests, or grievances, please contact our Data Protection Officer:

Data Protection Officer
MMG Infotech Pvt Ltd
A-4, F-2, First Floor, Swaroop Park, Lajpat Nagar
Sahibabad, Ghaziabad, Uttar Pradesh 201005, India

Phone: +91 97160 70908
Email: privacy@mmginfotech.com
General: info@mmginfotech.com
Director: gaurav@mmginfotech.com

Response Time: We acknowledge all privacy queries within 48 hours and provide a substantive response within 7 working days.