Plain English Summary: We collect only what we need to operate your account and provide the Servyn AI ERP service. Your data is stored securely in India. We do not sell, rent, or share your data with advertisers. You own your data. You can request access, correction, or deletion at any time. This policy complies with the DPDP Act 2023 and IT Rules 2011.
This Privacy Policy ("Policy") describes how Servyn AI ("we", "us", "our") collects, uses, stores, shares, and protects personal data through the Servyn AI web application, accessible at servynai.in and its subdomains ("Platform").
This Policy applies to:
By registering for, accessing, or using the Platform, you acknowledge that you have read, understood, and agreed to this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.
This Policy must be read alongside our Terms of Service, Cookie Policy, and Data Retention Policy.
This Policy complies with:
Under the DPDP Act 2023, Servyn AI is the Data Fiduciary — the entity that determines the purpose and means of processing personal data collected through the Platform.
Address: 4A B.D.D. Chawl, Naigaon, Dadar, Mumbai – 400014, Maharashtra, India
Email: founder@servynai.in
Phone: +91 97684 46498
Website: servynai.in
As a Data Fiduciary, Servyn AI's obligations include:
Your employer (the company subscribing to Servyn AI) is also a Data Fiduciary in respect of the employment and operational data they enter about their employees and customers. Both Servyn AI and your employer have independent obligations under applicable law.
| Term | Meaning |
|---|---|
| Personal Data | Any data about an individual who is identifiable by or in relation to such data (DPDP Act 2023, Section 2(t)) |
| Sensitive Personal Data (SPDI) | Passwords, financial data, health data, biometric data, and other categories listed under IT Rules 2011, Rule 3 |
| Data Fiduciary | An entity that alone or in conjunction with others determines the purpose and means of processing personal data — Servyn AI (DPDP Act 2023, Section 2(i)) |
| Data Principal | The individual to whom personal data relates — you, the user (DPDP Act 2023, Section 2(j)) |
| Data Processor | An entity that processes personal data on behalf of the Data Fiduciary, as per its instructions (DPDP Act 2023, Section 2(k)) |
| Processing | Any operation performed on personal data — collection, recording, storage, alteration, retrieval, use, sharing, transmission, or deletion |
| Consent | A free, specific, informed, unconditional, and unambiguous indication of agreement to processing (DPDP Act 2023, Section 6) |
| Platform | The Servyn AI web application accessible at servynai.in and its subdomains |
| Customer / Company | The business entity that has subscribed to the Servyn AI platform |
| User | Any individual accessing the Platform under a Customer's account |
| Customer Data | All operational data (jobs, invoices, customers, employees) entered into the Platform by or on behalf of a Customer |

| Data | Examples | Who Provides It |
|---|---|---|
| Identity data | Full name, email address, phone number | You or your employer |
| Credentials | Password (stored as bcrypt hash only — never in plain text) | You |
| Role & access data | User role (admin, manager, technician, etc.), permissions | Your company administrator |
| Company data | Business name, address, GSTIN, logo, company slug | Company administrator |

| Data Category | Examples |
|---|---|
| Job & service records | Job orders, work orders, site visit logs, job photos, service reports |
| Customer records | Client names, contact persons, addresses, GSTIN, phone numbers, emails |
| Vendor records | Vendor names, contact details, GSTIN, payment terms |
| Invoice & financial records | Invoice numbers, amounts, payment records, refunds, payables |
| Employee records | Employee codes, designations, departments, attendance, salary, bank account details (entered by employer) |
| Inventory records | Item names, stock levels, transaction history |
| AMC & maintenance records | Contract details, scheduled maintenance dates, service history |

| Data | Purpose |
|---|---|
| IP address | Security monitoring, IP whitelist enforcement, fraud prevention |
| Browser type & version | Compatibility, debugging |
| Device type & OS | Responsive design, compatibility |
| Session data | Login/logout timestamps, session duration, pages visited |
| Audit logs | Actions performed within the Platform (create, edit, delete events) |
| Error logs | Server-side errors encountered during use |
What we do NOT collect: Payment card or bank account details (payments handled by third-party gateways where applicable), biometric data, health or medical data, location data, browsing history outside our Platform, or data from social media profiles.
Under the Information Technology (SPDI) Rules 2011, Rule 3, the following categories are classified as Sensitive Personal Data or Information (SPDI) and attract heightened protection obligations:
| SPDI Category | Does Servyn AI Collect This? | If Yes — How Protected |
|---|---|---|
| Passwords | ✅ Yes (account passwords) | Hashed using bcrypt (cost factor 12) — never stored in plain text, never logged, never transmitted in readable form |
| Financial information (bank accounts, cards) | ⚠️ Partial — bank account details of employees entered by employers for payroll | Stored encrypted at rest; accessible only to company admin with appropriate role; not shared with any third party |
| Physical / physiological health data | ❌ No | N/A |
| Sexual orientation | ❌ No | N/A |
| Medical records or history | ❌ No | N/A |
| Biometric data | ❌ No | N/A |
| Caste or tribe | ❌ No | N/A |
For employee bank account details entered by employers for payroll purposes:
As required under SPDI Rules 2011, Rule 5, we will not collect SPDI without prior written consent. This consent is embedded in the employee onboarding process managed by the company administrator.
Under the DPDP Act 2023 and SPDI Rules 2011, every act of processing personal data requires a lawful basis. The following table documents our lawful basis for each significant processing activity:
| Processing Activity | Lawful Basis | Explanation |
|---|---|---|
| Creating and managing user accounts | Contract performance | Necessary to provide access to the subscribed service |
| Authenticating identity at login | Contract performance | Essential for secure service delivery |
| Providing ERP features (jobs, invoices, HR, inventory) | Contract performance | Core contracted service |
| Storing company operational data | Contract performance | The entire purpose of the ERP platform |
| Sending system and transactional notifications | Contract performance | Necessary for service delivery and account management |
| Processing employee payroll data | Contract performance + Consent | Contract with employer; consent of employee obtained by employer |
| Security monitoring, IP whitelisting, fraud detection | Legitimate interest | Protecting the Platform and all users from unauthorised access |
| Maintaining audit logs of user actions | Legitimate interest | Accountability, debugging, dispute resolution |
| Improving Platform features and UX | Legitimate interest | Improving service quality; no personal data used for profiling |
| Responding to support requests | Legitimate interest + Contract | Providing contracted support services |
| Retaining records for compliance | Legal obligation | GST Act, Companies Act, IT Act requirements |
| Enforcing Terms of Service | Legitimate interest | Protecting platform integrity and other users |
| Sharing data with Data Processors | Contract performance | Necessary to operate technical infrastructure |
You may withdraw consent for consent-based processing at any time by:
⚠️ Withdrawing consent for processing activities that are necessary for the performance of the subscription contract (such as account management, authentication, and data storage) will render the Platform inaccessible. If you are an employee, please consult your employer before withdrawing consent.
We do not send marketing emails, promotional messages, or newsletters without explicit opt-in consent. Transactional emails (account alerts, password changes, subscription notices) do not require separate consent as they are part of the contracted service.
Under the DPDP Act 2023, personal data must be used only for the specific, stated purpose for which it was collected. We commit to the following purpose limitations:
| Purpose | Data Used |
|---|---|
| Creating, verifying, and managing your account | Name, email, password, company, role |
| Providing all ERP features (jobs, invoices, HR, payroll, inventory, reports) | All operational data you enter |
| Sending transactional emails (login alerts, subscription notices, trial expiry warnings) | Email address, company name |
| Enforcing role-based access control (RBAC) | User role, company ID, permissions |
| Enforcing IP whitelisting (if configured by your admin) | IP address at login |
| Two-factor authentication (if enabled by your admin) | Email, 2FA secret (stored encrypted) |
| Security monitoring and fraud prevention | IP address, session data, login logs |
| Providing customer support | Name, email, issue description, account context |
| Diagnosing and fixing bugs and errors | Error logs, session data, browser info |
| Generating anonymised usage statistics for internal product improvement | Aggregated, anonymised usage data only |
| Complying with Indian law (GST, IT Act, court orders) | As required by the applicable law |
We do not use your data for: advertising, behavioural profiling, resale to third parties, building credit scores, or any purpose not listed above.
We use a minimal number of strictly necessary cookies. We do not use advertising, analytics, or third-party tracking cookies. For complete details, please see our Cookie Policy.
| Cookie / Token | Type | Purpose | Duration | httpOnly |
|---|---|---|---|---|
| token_[companyslug] | Essential / Authentication | Stores your encrypted, company-scoped JWT session token. Prevents cross-company session bleed in multi-tenant architecture. Set as httpOnly — not accessible by JavaScript. | 8 hours (standard) / 30 days (Remember Me selected) | ✅ Yes |
| active_company | Essential / Session | Records which company account is currently active. Used by middleware to load the correct company-scoped token. Essential for multi-tenant security. | 8 hours / 30 days (matches auth token) | ❌ No (must be readable by middleware JS) |
| csrf_token | Essential / Security | Prevents Cross-Site Request Forgery (CSRF) attacks. Ensures actions originate from your authenticated browser session. | Session | ❌ No (must be readable to be sent with requests) |
All cookies are first-party (set by Servyn AI only). We set zero third-party cookies. Clearing cookies will log you out of the Platform.
We share data only with the following Data Processors — entities that process data on our behalf under strict contractual obligations. We do not sell, rent, or share personal data with any party for their own commercial purposes.
| Processor | Role | Data Shared | Location | Safeguards |
|---|---|---|---|---|
| Supabase | PostgreSQL database hosting and management | All Platform data — accounts, jobs, invoices, employee records, logs | AWS ap-south-1 (Mumbai, India) ✅ | Data Processing Agreement; encryption at rest and in transit; SOC 2 Type II |
| Vercel | Next.js application hosting, edge network, API routing | API requests (auth tokens, query parameters, response data) — in transit only; no persistent storage on Vercel | Global CDN edge (data in transit); primary compute: US-East | TLS 1.3; SOC 2 Type II; Data Processing Addendum; no persistent customer data stored |
| Cloudinary | Media storage and delivery (job photos, company logos, documents) | Media files uploaded through the Platform | Global CDN (media cached globally for performance) | Data Processing Agreement; encryption at rest; access controlled via signed URLs |
All our Data Processors are contractually required to:
Our primary database is hosted in India (AWS ap-south-1, Mumbai). However, certain Data Processors operate infrastructure outside India:
Where data is processed outside India, we ensure:
As the Government of India notifies additional cross-border transfer rules under the DPDP Act 2023, we will update our practices accordingly and notify customers of any material changes.
We implement a defence-in-depth security architecture across all layers of the Platform:
companyId scoping on every query. One company cannot access another's data.
⚠️ Despite our best efforts, no internet-based system can guarantee absolute security. In the event of a breach, we will act promptly as described in Section 15. You can strengthen your own security by using a strong, unique password and enabling 2FA if your admin offers it.
In the event of a personal data breach that is likely to result in harm to affected individuals, we will:
To report a suspected security incident: founder@servynai.in — Subject: "Security Incident Report".
We retain personal data only for as long as is necessary for the purpose it was collected, or as required by law. For complete details, see our Data Retention & Deletion Policy.
| Data Category | Retention Period | Deletion Trigger |
|---|---|---|
| Account & operational data | Duration of active subscription | Permanently deleted 30 days after subscription ends |
| Employee HR & payroll records | Duration of active subscription | 30 days after subscription ends |
| Trial account data | Duration of trial (up to 7 days) | 7 days after trial end (3-day advance warning sent) |
| Session & login audit logs | 90 days | Automatic rolling deletion after 90 days |
| Support communications | 12 months | Automatic purge after 12 months |
| Server error logs | 30 days | Automatic rolling deletion |
| Database backups | 30-day rolling cycle | Automatically overwritten on 30-day cycle |
| Financial records (invoices, payments) | As required by GST Act / Companies Act | After applicable statutory period |
After the applicable retention period, data is permanently and irreversibly deleted from all active systems. Deleted data is excluded from all subsequent backups and will be purged from existing backups within the 30-day rotation cycle.
Data Export: You may request a full export of your company data at any time during the active subscription or within 30 days post-cancellation. Email founder@servynai.in — subject: "Data Export Request". We will deliver the export within 5 business days.
Under the Digital Personal Data Protection Act 2023, you have the following rights:
| Right | What It Means | How to Exercise | Our Response Time |
|---|---|---|---|
| Right to Access (Section 11, DPDP Act) | Obtain a summary of personal data we hold about you and the processing activities performed on it | Email founder@servynai.in — Subject: "Data Access Request" | 30 days |
| Right to Correction & Completeness (Section 12, DPDP Act) | Request correction of inaccurate, incomplete, or outdated personal data about you | Email founder@servynai.in or update via your account settings or company admin | 30 days |
| Right to Erasure (Section 12, DPDP Act) | Request deletion of personal data no longer necessary for the purpose it was collected, subject to legal obligations | Email founder@servynai.in — Subject: "Data Deletion Request" | 30 days |
| Right to Grievance Redressal (Section 13, DPDP Act) | Lodge a complaint with our Grievance Officer if you believe your data rights are being violated | Contact Grievance Officer — see Section 24 | 30 days |
| Right to Nominate (Section 14, DPDP Act) | Nominate another individual to exercise your data rights in the event of your death or incapacity | Email founder@servynai.in with nomination details and proof of relationship | 30 days |
| Right to Withdraw Consent (Section 6(4), DPDP Act) | Withdraw consent for consent-based processing at any time without affecting the lawfulness of processing before withdrawal | Email founder@servynai.in — Subject: "Consent Withdrawal" | 7 days |
All requests will receive an acknowledgement within 3 business days and a full response within 30 days. Complex requests may take up to 60 days with prior notification. If you are not satisfied with our response, you may escalate to the Data Protection Board of India.
The Servyn AI Platform uses a multi-tenant architecture where multiple companies (tenants) operate on the same platform with complete data isolation. Key principles:
The Servyn AI Platform is intended exclusively for use by adults (18 years and above) in a professional business capacity. It is not directed at, designed for, or intended to be used by individuals under 18.
Under the DPDP Act 2023, children are defined as individuals below 18 years of age, and processing of their personal data requires verifiable parental consent and is subject to additional restrictions. Servyn AI does not knowingly collect or process personal data of children.
If we become aware that a minor has been given access to the Platform, we will:
Company administrators are responsible for ensuring that accounts are created only for adult employees. Creating an account for a minor is a violation of our Terms of Service.
The Platform may contain links to external websites or integrate with third-party services in limited contexts. These include:
Servyn AI is not responsible for the privacy practices, content, security, or data collection of any third-party website or service. When you follow an external link, you leave the Servyn AI environment and that third party's own privacy policy governs your interaction.
We strongly recommend reviewing the privacy policy of any external service before providing personal data to it.
Servyn AI sends the following categories of communications:
| Type | Requires Opt-In? | Examples |
|---|---|---|
| Transactional / Service emails | ❌ No — part of service contract | Account creation, password change, subscription renewal, trial expiry, data deletion warnings |
| Support communications | ❌ No — in response to your request | Replies to support tickets, follow-up on reported issues |
| Product update notifications | ⚠️ Opt-out available | New feature announcements, policy updates, downtime notices |
| Marketing / promotional emails | ✅ Yes — explicit opt-in required | Promotional offers, partner announcements (not currently sent) |
To opt out of product update notifications, email founder@servynai.in — Subject: "Unsubscribe from Product Updates". Note: you cannot opt out of transactional emails as these are essential to managing your account and subscription.
This Privacy Policy is governed by and construed in accordance with the laws of India, including:
Any dispute, claim, or controversy arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in Mumbai, Maharashtra, India.
Before initiating any legal proceedings, you agree to first raise a grievance with our Grievance Officer (Section 24) and allow a 30-day resolution period.
We may update this Privacy Policy from time to time. Our approach to changes:
Continued use of the Platform after the effective date of a material change constitutes acceptance of the updated Policy. If you do not accept the changes, you must discontinue use and contact us to request data deletion.
As required under the Digital Personal Data Protection Act 2023 (Section 13) and the Information Technology (SPDI) Rules 2011 (Rule 5(9)), Servyn AI has designated a Grievance Officer for data-related concerns.
Name: Rahul Birwadkar
Designation: Founder & Grievance Officer
Organisation: Servyn AI
Address: 4A B.D.D. Chawl, Naigaon, Dadar, Mumbai – 400014, Maharashtra, India
Email: founder@servynai.in
Phone: +91 97684 46498
Response Time: Acknowledgement within 3 business days; resolution within 30 days
Hours: Monday to Saturday, 10:00 AM – 6:00 PM IST
When submitting a grievance, please include your full name, registered email, company name, a clear description of your concern, and any supporting documents. All grievances are treated confidentially.
If you are not satisfied with the Grievance Officer's resolution, you may escalate your complaint to the Data Protection Board of India once constituted under the DPDP Act 2023.
For any privacy-related questions, requests, or concerns:
💬 WhatsApp: +91 97684 46498
📍 4A B.D.D. Chawl, Naigaon, Dadar, Mumbai – 400014, Maharashtra, India
⏰ Monday – Saturday, 10:00 AM – 6:00 PM IST