Shield
Sign in

Legal

DPDP Disclosure

Last updated: 2026-04-15

This disclosure is published pursuant to the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the rules framed thereunder. It sets out, in plain language, what personal data Shield processes about you (the Data Principal) and your child, for what purpose, for how long, and how you may exercise your rights.

1. Data Fiduciary

Rostan Technologies Pvt. Ltd. is the Data Fiduciary. Registered office: Sector 62, Noida, UP 201301, India.

2. Data Principal

The parent or lawful guardian who creates the Shield account is the Data Principal for their own personal data and acts as the verifiable lawful guardian for the child whose device is protected by Shield.

3. Categories of personal data processed

  • Authentication tokens (session cookies, refresh tokens).
  • Parent email address.
  • Child profile — name or nickname, date of birth, avatar image.
  • Device identifiers — install ID, OS version.
  • DNS query summaries — aggregated by category only; full URLs are never stored.
  • Approximate location — only when the parent enables the Real-Time Location feature (LOCATION_REAL_TIME).
  • FCM push notification tokens (parent device only).

4. Purposes of processing

Delivery of the parental-control service, safety alerts, billing, fraud prevention, and compliance with Indian law.

5. Retention windows

  • activity_daily_aggregates— 365 days.
  • raw activity_events— 90 days (partitioned tables, auto-dropped).
  • location pings— 30 days default (parent-extendable up to 180 days).
  • audit logs— 24 hours hot, 365 days cold.
  • deleted accounts— 30-day grace period, then cryptographic erasure.

6. Consent withdrawal and erasure

Under §6(4) and §12 of the DPDP Act you may withdraw consent and request erasure at any time. Shield provides self-service controls:

  • Export your data (DATA_EXPORT): generate a machine-readable archive of everything we hold from /settings/account Export my data.
  • Delete your account (DATA_DELETION): trigger account deletion from /settings/account Delete account. Deletion is irreversible after the 30-day grace period.

Withdrawing consent does not affect the lawfulness of processing that occurred prior to withdrawal.

7. Children’s data — §9

Shield processes the personal data of children exclusively under verifiable parental consent. We do not track the child for behavioural advertising, we do not profile the child for any purpose detrimental to their well-being, and we do not permit targeted advertising directed at the child.

8. Grievance Officer

Grievance Officer: Virender Kumar, grievance@shield.makewish.ai, Sector 62, Noida, UP 201301, India. Response SLA: 30 days per DPDP §13.

9. Contact

You may contact us about this disclosure at: privacy@shield.makewish.ai.