Privacy Policy
How Abhay handles personal data, including biometric templates, attendance records, and parent contact information.
1. Who we are
Abhay is operated by Saundarya Roof Private Limited, a private limited company incorporated under the Companies Act, 2013, having CIN U63119ME2026PTC474233 and its registered office at H.No. 598, Main Road, Adarsh Nagar, Lakhni, Bhandara — 441804, Maharashtra, India. We are a "Data Fiduciary" within the meaning of the Digital Personal Data Protection Act, 2023 ("DPDP Act") in respect of the personal data described in this Policy, and a "Data Processor" acting on behalf of each Workspace Owner in respect of the data they upload to their Workspace.
For any privacy-related question or request, please write to helpdesk@saundaryaroof.homes or contact our Grievance Officer (see section 16 below).
2. What data we collect
- Identity data: name, phone number, photograph (used as an avatar), workspace code, and, for staff and superadmins, a username and password hash.
- Biometric template: a mathematical representation of the user's fingerprint, generated and stored on the ZKTeco K40 Pro (or similar) biometric terminal installed on the Workspace Owner's premises. The raw fingerprint template is not transmitted to or stored on our servers; we only receive the device's reference identifier (enroll ID) when a punch event occurs.
- Movement / attendance data: in-time and out-time stamps generated when a registered user punches at a Workspace device, together with the device serial number and the punch type (entry / exit).
- Leave records: leave requests submitted by parents or students, their reason, dates, attachments (if any) and the warden's approval state.
- Alerts and messages: automated safety alerts (e.g. curfew breaches) and the in-app messages exchanged through the Service.
- Device data: the push-notification subscription endpoint of each user's web browser, used solely to deliver alerts to that browser.
- Account & session data: hashed password, session JSON Web Token, last-active timestamp, IP address used at sign-in, and the user-agent of the signing-in browser. Used for security and for the "Active sessions" feature.
- Communications with us: the content of emails you send to helpdesk@saundaryaroof.homes, retained to enable us to follow up on your request.
3. From whom we collect data
Most personal data in Abhay is uploaded by the Workspace Owner during enrolment of students, wardens, parents and staff. Each Workspace Owner warrants in the Terms of Service that they have obtained valid, informed consent — including parental consent for minors — before uploading any such data. We rely on that warranty.
Where you create your own account (for example, a warden setting their password for the first time), the personal data you enter is collected directly from you.
4. Purpose of processing
- Recording, tabulating and displaying attendance and movement (in / out) of enrolled members.
- Notifying wardens, parents and superadmins of relevant events: in/out punches, curfew breaches, leave requests and safety alerts.
- Managing leave: submission by parents/students, approval by wardens, downstream attendance adjustment.
- Providing dashboards, reports and exports to the Workspace Owner.
- Authenticating users and securing accounts, including detecting unusual sign-ins.
- Communicating with you about the Service, including operational notices, security alerts and policy updates.
- Complying with applicable law and responding to lawful requests from competent authorities.
5. Lawful basis
We process personal data under one or more of the following bases under the DPDP Act:
- Consent (DPDP §6) — given by the data principal (or, for minors, their parent / legal guardian) before enrolment, and recorded by the Workspace Owner.
- Performance of a contract — to provide the Service to the Workspace Owner under our commercial agreement with them.
- Legitimate use for safety / security — limited to the operational purpose of running a hostel, office, factory or college and as permitted under DPDP §7.
6. Where data lives
- Application database: Supabase Inc. (Postgres) in the Asia/Pacific (Mumbai) region (ap-south-1).
- Files (photos, documents, leave attachments): Cloudflare R2, served from Cloudflare's global edge network.
- Transactional email: Resend, used to send password-reset, alert and notification emails.
- Push notifications: the Web Push services operated by Google, Mozilla and Apple, depending on the browser used by the recipient.
- Biometric templates: stored only on the ZKTeco K40 Pro (or similar) device on the Workspace Owner's premises. Never replicated to our servers.
7. Sub-processors
We rely on the following sub-processors to deliver the Service. Each is bound by its own data-protection commitments:
- Supabase Inc. — managed Postgres and authentication infrastructure.
- Cloudflare Inc. — object storage (R2) and content delivery.
- Resend Inc. — transactional email delivery.
- Upstash Inc. — Redis cache for short-lived operational data.
- Vercel Inc. — hosting of the application's server and edge endpoints.
- Web Push providers — Google (FCM/Web Push), Mozilla (autopush), and Apple (APNs) for browser-level notification delivery.
8. Sharing
We do not sell personal data. We disclose personal data only:
- To the Workspace Owner who enrolled the data principal, for the operational purposes described in section 4.
- To our sub-processors listed in section 7, under written contracts limiting their use of the data to operating the Service.
- Where required by law, regulation or a lawful order of a competent authority — in which case we will, where legally permitted, inform the affected data principal.
- To a successor entity, in the event of a merger, acquisition or reorganisation of the Company, under terms that maintain this Policy's protections.
9. Cross-border transfers
Supabase, Cloudflare, Resend, Upstash, Vercel and the Web Push providers may process or store data at facilities outside India. Such transfers are made on the basis of contractual safeguards equivalent to standard contractual clauses, and in compliance with section 16 of the DPDP Act. The Central Government may from time to time notify countries to which personal data may not be transferred; we will comply with any such notification.
10. Retention
- Student, parent, warden and staff records: retained for as long as the relevant Workspace is active and the person remains enrolled.
- Punch logs and attendance records: retained for as long as the Workspace is active.
- Leave records: retained for as long as the Workspace is active.
- Account and session data: retained while the account remains active. Inactive sessions are revoked after 7 days.
- Deletion: when a Workspace, an account or an individual record is deleted, the data is purged from primary stores within seven (7) days and from encrypted backups within ninety (90) days. After purge, only the minimum metadata needed to enforce legal obligations (e.g. tax records of past invoices) is retained.
11. Your rights under the DPDP Act
If you are a data principal under the DPDP Act, you may:
- Access the personal data we hold about you and obtain a summary of how it is being processed.
- Correct or update data that is inaccurate or incomplete.
- Erase data that is no longer necessary for the purpose for which it was collected, subject to legal-retention exceptions.
- Withdraw consent previously given for any specific processing activity. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Grievance redressal — escalate any complaint to our Grievance Officer (section 16).
- Nominate a person to exercise these rights on your behalf in the event of your death or incapacity, in accordance with DPDP Act §14.
12. How to exercise your rights
Send a clear, written request to helpdesk@saundaryaroof.homes from the email address linked to your account (or, where the account uses only a phone number, from any address while quoting the workspace code and phone number used for login). We will verify your identity and respond within thirty (30) days, or sooner where required by law.
Where you are an End User in a Workspace and your request concerns data that the Workspace Owner controls (for example, student records uploaded by a hostel), we may need to redirect the request to the Workspace Owner. We will tell you when we do so.
13. Children's data
Many students enrolled in Abhay are minors. Before any minor's personal data — including a biometric fingerprint, photograph and contact details — is enrolled, the Workspace Owner is required by the Terms of Service to obtain verifiable parental or guardian consent in writing. We do not process the personal data of any child in a manner likely to cause a detrimental effect on their well-being, and we do not engage in tracking, behavioural monitoring or targeted advertising directed at children.
A parent or legal guardian may withdraw consent at any time by writing to the Workspace Owner and copying us at helpdesk@saundaryaroof.homes.
14. Security measures
- All traffic to the Service is served over TLS (HTTPS).
- Passwords are stored only as bcrypt hashes; we cannot read your password.
- Authentication uses signed JSON Web Tokens stored in HTTP-only cookies and rotated on sign-in.
- Database access is gated by row-level security policies that scope every read and write to the requesting Workspace.
- Biometric templates are stored on-device and never transmitted to our servers, as noted above.
- Administrative access to production systems is limited to a small number of named individuals and is audited.
15. Personal-data breach notification
In the event of a personal-data breach that is reasonably likely to cause harm to an affected data principal, we will notify the Data Protection Board of India and each affected data principal without undue delay, and in any case within seventy-two (72) hours of becoming aware of the breach, in the form and manner prescribed under the DPDP Act and any rules made thereunder.
16. Grievance Officer
In accordance with DPDP Act §10 and Rule 5(3) of the Consumer Protection (E-Commerce) Rules, 2020, the Grievance Officer for Abhay is:
If your grievance remains unresolved beyond the timelines above, you may escalate to the Data Protection Board of India once it has been notified by the Central Government.
17. Data Protection Officer
A separate Data Protection Officer is mandated by section 10(1) of the DPDP Act only for entities notified as Significant Data Fiduciaries. Saundarya Roof Private Limited has not been so notified at the date of this Policy. All data-protection matters should be addressed to the Grievance Officer above. If the Company is in future notified as a Significant Data Fiduciary, we will appoint a separate Data Protection Officer and update this Policy accordingly.
18. Cookies and similar technologies
Abhay uses only functional cookies and browser storage — specifically, a workspace-context cookie (abhay_workspace), an authentication cookie (abhay_token) and the service-worker storage required for push notifications and offline support. We do not use third-party analytics, advertising or tracking cookies.
19. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email to Workspace Owners at least thirty (30) days before they take effect, and the "Last updated" date at the top of this page will be revised. The current version of this Policy will always be available at /legal/privacy.