1. Introduction
EkaTantra Hospitality Pvt Ltd ("we", "us", "our") operates the EkaTantra platform. This policy explains what personal data we collect, why, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act, 2023 (DPDP).
2. Information we collect
- Account data: name, email, phone number, role, business affiliation.
- Order data: items, addresses, payment metadata (no card data is stored on our servers — payments are processed by gateways).
- Device data: IP address, user agent, browser fingerprint, push subscription endpoint.
- Usage data: pages visited, actions taken, performance telemetry.
- KYC data (when applicable): PAN, Aadhaar reference, GSTIN, bank account.
3. How we use your information
To deliver the service, prevent fraud, comply with statutory obligations (GST, TDS, payroll, audit), improve product quality, send transactional notifications, and — with separate consent — marketing communications.
4. Legal basis (GDPR Article 6)
Contract performance, legitimate interests (security, fraud prevention), legal obligations (tax law, employment law), and your consent (where required).
5. Data sharing
We share data with sub-processors strictly necessary for service delivery — payment gateways (Razorpay, Stripe etc), notification providers (Twilio, SendGrid, FCM), cloud infrastructure (Google Cloud / Firebase). All sub-processors are bound by data processing agreements.
6. Retention
Personal data is retained as long as your account is active or as needed to provide the service. Tax records are retained for 8 years (Indian Income-tax Act). Audit logs are retained for 7 years. After retention, data is anonymized.
7. Your rights
- Access — request a copy of your data via
/api/compliance/data-export. - Erasure — request deletion via
/api/compliance/data-deletion. Statutory financial records may be anonymized but retained as required by law. - Rectification — correct inaccurate data via your profile settings.
- Portability — export your data in JSON format.
- Objection — to direct marketing at any time.
8. Security
We use Firebase Authentication, Firestore security rules, encrypted transport (TLS 1.3), role-based access control, audit logging, and immutable session tracking. Hardware-level encryption at rest is provided by our infrastructure provider.
9. Cookies
We describe the cookies we set and how to control them in the sections below and in your browser settings.
10. Contact
Data Protection Officer — privacy@ekatantra.com