1. Introduction
This Privacy Policy describes how TimeBomb, operated by Aravind Labs ("we", "us", "our"), collects, uses, and protects your personal information when you use our Service. We are committed to protecting your privacy and ensuring the security of your data.
2. Data We Collect
We collect the following categories of personal data:
- Account Information: Email address, name, and profile picture, obtained through Google Sign-In.
- Letter Content: The text of letters you write and seal. This content is encrypted with AES-256-GCM before storage. Even the TimeBomb team cannot read your letter content.
- Usage Data: Session identifiers (stored in cookies) for authentication purposes.
- Payment Data: Transaction records processed through Razorpay. We do not store your payment card details; these are handled entirely by Razorpay.
3. How We Use Your Data
Your data is used exclusively for the following purposes:
- To authenticate you and provide access to the Service
- To store and deliver your sealed letters at the designated unlock date
- To process payments and verify your subscription status
- To maintain the security and integrity of the Service
We do not use your data for advertising, profiling, analytics beyond basic service operation, or any purpose unrelated to the core functionality of TimeBomb.
4. Encryption
All letter content is encrypted using AES-256-GCM (Advanced Encryption Standard in Galois/Counter Mode) before being stored in our database. This means:
- Your letter content is unreadable in our database without the encryption key
- The TimeBomb team cannot read, access, or analyse the content of your letters
- Each letter is encrypted with a unique initialisation vector (IV) for additional security
5. Third-Party Data Sharing
We do not share your personal data with any third parties, with the following exceptions:
- Razorpay: Our payment processor. When you make a payment, your name and email are shared with Razorpay solely for the purpose of processing the transaction. Razorpay's privacy policy governs their handling of your data.
- Google: We use Google Sign-In for authentication. Your interaction with Google is governed by Google's Privacy Policy.
- Legal Requirements: We may disclose data if required to do so by law or in response to a valid legal order from a competent authority.
6. Cookies
TimeBomb uses the following cookies:
- tb_session: A session identifier for tracking your letters. This is an HTTP-only cookie with a long expiration period.
- tb_auth: A JSON Web Token (JWT) for authentication. This is set upon signing in with Google and expires after 1 year.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies.
7. Data Retention
Your data is retained as follows:
- Letters: Stored until the unlock date plus 1 year, after which you may request deletion.
- Account Information: Retained for as long as your account is active.
- Payment Records: Retained as required by applicable financial regulations.
8. Account Deletion
You may request complete account deletion by emailing us at aravind@replx.in. Upon verification of your identity, we will permanently delete:
- Your user account and profile information
- All sealed and unsealed letters associated with your account
- All payment records (subject to legal retention requirements)
This action is irreversible. Deleted data cannot be recovered.
9. Data Security
We implement the following security measures to protect your data:
- AES-256-GCM encryption for all letter content
- HTTPS encryption for all data in transit
- HTTP-only, secure cookies, so that session cookies cannot be read by scripts injected through cross-site scripting attacks and are only sent over HTTPS
- Rate limiting to prevent abuse
- Regular database backups
10. Digital Personal Data Protection Act (DPDP Act), 2023
In compliance with the Digital Personal Data Protection Act, 2023 of India:
- We process your personal data only for the specific purposes outlined in this Policy, with your consent obtained at the time of account creation.
- You have the right to access, correct, and request deletion of your personal data.
- You have the right to withdraw consent at any time by requesting account deletion.
- You have the right to nominate another individual to exercise your data rights in the event of your death or incapacity.
- We will notify you and the Data Protection Board of India in the event of a personal data breach, as required by the Act.
- Grievances related to data processing may be directed to our contact email below.
11. Children's Privacy
TimeBomb is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If you become aware that a child under 13 has provided us with personal data, please contact us and we will take steps to delete such information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Service. Your continued use of TimeBomb after any changes constitutes your acceptance of the updated Policy.
13. Contact
For privacy-related inquiries, data access requests, or complaints, please contact:
aravind@replx.in