Plain English Summary: We collect only what we need to run your ERP account. Your data is stored securely in India (Mumbai, AWS ap-south-1). We do not sell, rent, or share your data with advertisers. You own your data at all times. You may request access, correction, or deletion at any time. This platform is a B2B SaaS service. Disputes go to the Data Protection Board of India after our internal grievance process.
This Privacy Policy ("Policy") describes how Servyn AI, a sole proprietorship owned and operated by Rahul Birwadkar, trading as Servyn AI, with its principal place of business at 4A B.D.D. Chawl, Naigaon, Dadar, Mumbai – 400014, Maharashtra, India ("we", "us", "our") collects, uses, stores, shares, and protects personal data.
This Policy applies to all personal data processed through:
This Policy applies to: company administrators, managers, HR personnel, accountants, field technicians, and any individual accessing the platform under a company subscription, as well as website visitors and trial users.
This Policy complies with:
Note for PWA / APK users: The Servyn AI mobile experience is delivered as a Progressive Web App (PWA) or an Android APK. It functions like a native app but operates through the browser engine. All data practices described in this Policy apply equally to the PWA and APK versions.
Under the DPDPA 2023, Servyn AI is a Data Fiduciary — the entity that determines the purpose and means of processing your personal data.
In relation to the personal data of your customers and employees that you enter into the platform, you (the subscribing business) are also a Data Fiduciary, and Servyn AI acts as your Data Processor. This dual relationship is governed by our Data Processing Agreement (see Section 12).
| Role | Entity | Responsibility |
|---|---|---|
| Data Fiduciary (for platform account data) | Servyn AI (Rahul Birwadkar) | Determines purpose and means of processing your account, billing, and usage data |
| Data Processor (for your business data) | Servyn AI (Rahul Birwadkar) | Processes customer records, employee data, and financial records on your instructions |
| Data Fiduciary (for your employee/customer data) | You (the subscribing company) | Responsible for obtaining lawful consent from your employees and customers before entering their data into the platform |

| Term | Meaning |
|---|---|
| Personal Data | Any data about an individual who is identifiable by or in relation to such data (DPDPA 2023 S.2(t)) |
| Sensitive Personal Data (SPDI) | Passwords; financial information (bank account, card details); physical, physiological, and mental health condition; sexual orientation; medical records; biometric data; and any detail relating to the above as defined under SPDI Rules 2011 |
| Data Principal | The individual to whom the personal data relates (DPDPA 2023 S.2(j)) |
| Data Fiduciary | Any person who determines the purpose and means of processing personal data (DPDPA 2023 S.2(i)) |
| Data Processor | Any person who processes personal data on behalf of a Data Fiduciary (DPDPA 2023 S.2(k)) |
| Processing | Wholly or partly automated operations on personal data including collection, recording, storage, use, disclosure, sharing, transfer, or deletion |
| Consent | Free, specific, informed, unconditional, and unambiguous indication of agreement (DPDPA 2023 S.6) |
| Platform | The Servyn AI web application, PWA, and Android APK collectively |
We collect the following categories of personal data:
The following categories of data collected through Servyn AI qualify as Sensitive Personal Data or Information (SPDI) under Rule 3 of the SPDI Rules, 2011, and attract heightened protection obligations:
| Data Type | Why It Is SPDI | How We Protect It |
|---|---|---|
| Aadhaar numbers | Government identity number — Rule 3(iii) of SPDI Rules; Aadhaar Act 2016 restrictions apply | Encrypted at rest (AES-256); displayed masked (XXXX-XXXX-1234); access restricted to company admin only |
| PAN numbers | Tax identity — financial information under Rule 3(ii) | Encrypted at rest; access restricted to company admin; not logged in audit trails |
| Bank account numbers & IFSC | Financial information under Rule 3(ii) | Encrypted at rest; masked in UI; never transmitted in plain text |
| Salary & payroll data | Financial information under Rule 3(ii) | Role-based access control — only admin and HR roles can view payroll; field technicians cannot access salary data of colleagues |
| Passwords | Passwords under Rule 3(i) | Stored as bcrypt hash only — never plain text, never logged |
⚠️ Aadhaar data — legal restriction: Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, private entities are prohibited from collecting, using, or storing Aadhaar numbers unless specifically permitted by law. You must ensure you have a legitimate legal basis before entering Aadhaar numbers of your employees into the platform. Servyn AI stores this data only on your instruction as your Data Processor and is not responsible for unlawful collection by you.
For all SPDI, we comply with Rule 5 of the SPDI Rules, which requires:
The Servyn AI mobile experience is delivered as a Progressive Web App (PWA) and an Android APK. The following device-level data may be accessed:
| Permission / Feature | Data Accessed | Purpose | Can You Refuse? |
|---|---|---|---|
| Camera | Photographs taken by the technician (job site photos, completion photos) | Attaching evidence photos to job records | Yes — camera is optional; photos can be uploaded from gallery instead |
| Storage / Files | Read/write access to download or upload documents and photos | Uploading customer documents, downloading invoices | Yes — storage access is needed only for file upload/download features |
| Notifications (Push) | Device push notification token (if push notifications are enabled in future) | Job alerts, schedule reminders — not currently active | Yes — notifications are opt-in only |
| Offline / Service Worker | Cached job records and pending sync queue stored in IndexedDB on device | Offline functionality — allows technicians to update jobs without internet | Yes — offline mode is optional but reduces functionality |
| Device Info | Browser/OS version, screen size, device type (not device identifier) | Technical support, compatibility testing | Automatic — collected via browser headers; no device ID stored |
Servyn AI does not access: GPS location, contacts, microphone, call logs, SMS, or any other device sensor not listed above.
PWA vs native app: Because Servyn AI is a PWA/APK built on web technology, it does not access device APIs beyond what the browser permits. It is not distributed via Google Play Store and therefore Google's data safety form requirements do not apply unless a Play Store listing is created in the future.
We do not purchase, obtain, or receive personal data from data brokers, marketing lists, or any third party not listed in Section 12.
Under DPDPA 2023 S.4 and S.7, we process personal data only when:
| Data Category | Lawful Basis | Applicable Section |
|---|---|---|
| Account registration data | Consent (explicit agreement to Terms and Privacy Policy at signup) | DPDPA 2023 S.6 |
| Subscription and billing data | Contractual necessity (performance of subscription contract) | DPDPA 2023 S.7(a) |
| Employee payroll, Aadhaar, PAN | Legitimate use — compliance with Indian labour and tax law (IT Act, EPF Act, ESIC Act) | DPDPA 2023 S.7(b)(ii) |
| Job/service records entered by company | Contractual necessity — core ERP function | DPDPA 2023 S.7(a) |
| Technical/usage logs | Legitimate interest — platform security and performance | DPDPA 2023 S.7(f) |
| Marketing communications | Consent (separate opt-in) | DPDPA 2023 S.6 |
| Financial/GST records | Legal obligation (CGST Act 2017, Income Tax Act 1961) | DPDPA 2023 S.7(c) |
Under DPDPA 2023 S.6, consent must be free, specific, informed, unconditional, and unambiguous. We implement consent as follows:
You may withdraw consent at any time by:
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal may result in inability to use certain platform features.
⚠️ Your obligation as Data Fiduciary: When you enter personal data of your employees or customers into the platform, you are responsible for obtaining valid consent from those individuals as required by DPDPA 2023. Servyn AI processes that data as your Data Processor and is not responsible for your failure to obtain consent from your employees or customers.
Under DPDPA 2023 S.8(3), personal data may only be used for the specified purpose for which it was collected. We do not use your data for any purpose beyond those stated below:
We never use your data for: advertising to third parties, profiling for sale, training AI models on your business data, or any purpose not listed above.
Under DPDPA 2023 S.8(1), we only engage Data Processors who provide sufficient guarantees regarding data protection. Our current Data Processors are:
| Processor | Role | Data Shared | Location | DPA Status |
|---|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage (primary infrastructure) | All platform data including SPDI | AWS ap-south-1, Mumbai, India | DPA signed (supabase.com/legal/dpa) |
| Google LLC (Gmail / Workspace) | Business email communications | Name, email, message content of support communications | Google servers (may be outside India) | Google Workspace Business Terms apply |
| Meta Platforms (WhatsApp Business) | Customer communication channel | Name, phone number of contacts who initiate WhatsApp contact | Meta servers (global) | WhatsApp Business Policy applies |
| Payment Gateway (TBD) | Subscription payment processing | Billing name, amount — card data is never stored by Servyn AI | India (RBI-regulated) | DPA to be signed before integration |
We do not share your personal data with any other third party without your explicit consent, except as required by Indian law.
We do not sell, rent, or trade your personal data to any third party for commercial purposes.
By accepting our Terms of Service, you enter into a Data Processing Agreement with Servyn AI. Under this agreement, Servyn AI as your Data Processor agrees to:
The primary database is hosted on AWS ap-south-1 (Mumbai, India) via Supabase. Your ERP data does not leave India.
The following limited cross-border transfers may occur:
Under DPDPA 2023 S.16, the central government may notify certain countries/territories to which data transfer is restricted. We will update this section if any such notification affects our operations.
We implement the following security measures as required under Rule 8 of the SPDI Rules 2011 and DPDPA 2023 S.8(5):
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a breach, we will follow the notification procedure in Section 15.
In the event of a personal data breach as defined under DPDPA 2023 S.8(6):
The breach notification will include: the nature of the data affected, the likely consequences, the measures taken, and the contact details of our Grievance Officer.
We retain personal data only for as long as necessary for the stated purpose, as required under DPDPA 2023 S.8(7):
| Data Type | Retention Period | Legal Basis for Retention |
|---|---|---|
| Active subscription data (all ERP records) | Duration of active subscription + 30 days post-cancellation | Contractual necessity |
| Trial account data | 7 days from trial end | Consent |
| GST/tax invoice records | 5 years minimum from financial year end | CGST Act 2017 — legal obligation (overrides deletion request) |
| Income tax related records | 7 years from relevant assessment year | Income Tax Act 1961 — legal obligation |
| Payroll records (if under Companies Act) | 8 years | Companies Act 2013 — legal obligation |
| Support communications | 12 months | Legitimate interest |
| Audit/security logs | 90 days rolling | Legitimate interest — security |
| Database backups | 30-day rolling cycle | Legitimate interest — disaster recovery |
⚠️ Important — Financial record legal hold: Even after subscription cancellation and data deletion, Servyn AI may be required to retain financial transaction records (invoices, payment records) for 5–8 years as required by Indian tax and company law. These records will be retained in a minimal, secure archive and used only for legal compliance purposes. We will notify you of any such retention.
Under DPDPA 2023 Chapter III, you have the following rights:
| Right | What It Means | How to Exercise | Response Time |
|---|---|---|---|
| Right to Access (S.11) | Obtain a summary of your personal data being processed and the processing activities | Email with subject "Data Access Request" | 30 days |
| Right to Correction (S.12) | Correct inaccurate or misleading personal data; complete incomplete data | Email with subject "Data Correction Request" | 10 business days |
| Right to Erasure (S.12) | Delete your personal data when the purpose is fulfilled or consent is withdrawn (subject to legal retention obligations) | Email with subject "Data Deletion Request" | 10 business days |
| Right to Grievance Redressal (S.13) | Have grievances addressed by the Grievance Officer within a reasonable time | Email Grievance Officer — see Section 25 | 30 days |
| Right to Nominate (S.14) | Nominate another individual to exercise rights on your behalf in the event of death or incapacity | Email with subject "Nomination Request" | 10 business days |
| Right to Withdraw Consent | Withdraw consent at any time (see Section 9) | Email or account settings | Immediate |
To exercise any of the above rights, contact: founder@servynai.in
We may ask you to verify your identity before processing any rights request.
Servyn AI is a multi-tenant SaaS platform. Each subscribing company ("tenant") has a completely isolated data environment.
If you are an employee using the platform under your employer's subscription:
Servyn AI is a business-to-business (B2B) ERP platform intended for use by adults in a professional capacity. We do not knowingly collect personal data from individuals under the age of 18.
If you believe a minor has inadvertently provided personal data through the platform, please contact founder@servynai.in immediately and we will delete such data promptly.
Under DPDPA 2023 S.9, processing of personal data of children requires verifiable parental consent and is subject to additional restrictions. We do not process children's data in the ordinary course of business.
We may send you product updates, feature announcements, and occasional promotional communications only if you have explicitly opted in during registration or at any other time.
The web application and PWA use the following storage mechanisms:
| Mechanism | Name / Type | Purpose | Duration |
|---|---|---|---|
| Cookie | auth_token | Encrypted session token (JWT) — keeps you logged in; httpOnly, cannot be read by JavaScript | 8 hours (standard) / 30 days (Remember Me) |
| Cookie | active_company | Identifies which company account is active in multi-tenant context; httpOnly | Session |
| Cookie | csrf_token | CSRF attack prevention token | Session |
| IndexedDB (PWA) | offline_jobs_cache | Caches job records for offline access on the device; cleared on logout | Until logout or data sync |
| Service Worker Cache | App shell assets | Caches app UI for offline loading | Until PWA is uninstalled or cache cleared |
We do not use advertising cookies, analytics cookies, or any third-party tracking cookies. See our separate Cookie Policy for full details.
Under DPDPA 2023 Section 13, if you have exhausted the internal grievance redressal process described in Section 25 and are not satisfied with our response, you have the right to file a complaint with the Data Protection Board of India (DPBI).
Data Protection Board of India (DPBI)
Website: www.dataprivacy.gov.in (once operational)
The DPBI will be established and complaints will be accepted once the Government of India notifies the relevant rules under DPDPA 2023.
The process for filing a complaint with the DPBI is:
You may also approach the Adjudicating Officer under the IT Act 2000 for claims relating to cybersecurity or unauthorised access to your data.
This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of India. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts at Mumbai, Maharashtra, India, subject to the arbitration provisions in our Terms of Service.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. When we make material changes:
We recommend reviewing this Policy periodically. The DPDPA 2023 implementation rules are still being notified by the Government of India; we will update this Policy as required when those rules come into effect.
In accordance with Rule 5(9) of the SPDI Rules 2011 and DPDPA 2023 S.13, Servyn AI has designated a Grievance Officer to address any complaints or concerns regarding the processing of personal data.
Name: Rahul Birwadkar
Designation: Founder & Sole Proprietor, Servyn AI
📍 4A B.D.D. Chawl, Naigaon, Dadar, Mumbai – 400014, Maharashtra, India
Response time: Grievances will be acknowledged within 3 business days and resolved within 30 days of receipt.
Please include the following in your grievance: your name, email address registered with Servyn AI, description of the issue, and any supporting documentation.