Data Protection Policy

Last updated: 13 April 2026

Quick summary: Deskr is built with India's Digital Personal Data Protection Act, 2023 (DPDP Act) in mind. We act as a data processor for the Operator (your coworking space), who is the data fiduciary.

1. Scope

This policy describes how personal data (name, email, phone number, ID proofs, payment data, location data, etc.) is collected, stored, transferred, and deleted across the Deskr platform.

2. Lawful basis

  • Consent — for marketing communications, optional analytics.
  • Contract — for processing bookings, invoices, and member accounts.
  • Legitimate interest — for fraud prevention, security audits, debugging.
  • Legal obligation — for tax records, KYC, or court orders.

3. Storage & encryption

  • All data stored in Indian data centres (AWS Mumbai / Hetzner equivalents).
  • Encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Passwords hashed with bcrypt; OTPs are short-lived and never logged.
  • Database backups encrypted and rotated daily for 30 days.

4. Access controls

  • Role-based access (root_admin, super_admin, company_admin, building_manager, staff, member).
  • All admin actions written to an immutable activity log.
  • Two-factor authentication available on all admin accounts.

5. Cross-border transfers

We do not transfer personal data outside India unless legally required (e.g. for a payment gateway partner whose servers may be in another jurisdiction). All such partners are GDPR/DPDP-aware.

6. Data subject rights

  • Right to access & portability — request a JSON export of your data.
  • Right to correction & erasure — via your member profile or by emailing us.
  • Right to grievance redressal — write to our DPO at dpo@deskr.in.

7. Breach notification

In the unlikely event of a personal-data breach, we will notify affected Operators within 72 hours and the Data Protection Board of India as required.

8. Sub-processors

We use these sub-processors. Each is bound by a DPA:

  • AWS / Hetzner — hosting
  • Razorpay — payment processing
  • Meta WhatsApp Business — transactional messaging
  • Twilio / MSG91 — SMS OTP
  • SES / Resend — transactional email

9. Contact

For any data-protection question, write to our DPO at dpo@deskr.in or hello@deskr.in.