Privacy Policy | Taniyur

[COMPANY NAME]("we", "us") operates the TANIYUR society management platform. This Privacy Policy describes how we collect, use, store, and share digital personal datawhen you use our website, mobile apps, and API services, in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and other applicable laws in India. For a high-level compliance summary, see our DPDP compliance overview. This policy is not legal advice.

1. Who we are

For the purposes of the DPDP Act, we act as a Data Fiduciary when we determine the purpose and means of processing your personal data. You, as an individual to whom such data relates, are the Data Principal.

Legal entity: [COMPANY NAME] · Registered address: [REGISTERED ADDRESS]

1a. Taniyur and your society — who processes what

TANIYUR provides software for residential societies. In practice, personal data is often processed in two related roles:

TANIYUR (platform): We act as Data Fiduciary for processing needed to operate the platform—account creation, authentication, security, hosting, optional AI infrastructure, push delivery, and support—when we determine the purpose and means of that processing.
Your society (management committee / authorised administrators): For many society-specific records—visitor logs, gate decisions, maintenance ledgers, notices, complaints, roster data, and committee communications—the society decides what to record and how long to keep it. The society may act as Data Fiduciary(or equivalent responsible party under applicable law) for those operational datasets, while TANIYUR processes data on the society's instructions as a Data Processor where the law recognises that relationship.

If you are a resident seeking access, correction, or erasure of society-held records (for example a visitor log entry), we may ask you to contact your society administrator first; we will still assist where we are required to act as fiduciary or processor.

2. Scope

This policy applies to:

Visitors to our public website;
Users of marketing contact or demo flows who share email or phone;
Authorised users of the TANIYUR platform (residents, owners, tenants, committee members, security, and staff), including mobile and web clients connected to our API.

3. Personal data we collect

Depending on how you interact with us, we may process:

Identity and profile: name, flat or unit identifiers, role, preferred language, profile photo, and similar account attributes.
Contact: email address, mobile number, and mailing address where provided.
Authentication: Firebase user identifiers, session tokens, and password hashes where applicable.
Operational and society data: visitor pre-approvals and gate logs, complaints and service requests, notices, amenities, rulebooks, parking records, and other data your society records in the platform.
Gate and security: optional visitor photos, vehicle registration details, and plate images when your society enables those features (images may be processed for text extraction and then stored only as permitted by your society).
Financial and transaction metadata: invoice references, ledger entries, and payment IDs from integrated payment providers (full card or bank credentials are handled by certified payment gateways, not stored by us).
Push notifications: device push tokens (e.g. Expo) when you grant notification permission, used to deliver gate approvals and society alerts.
Voice and AI assistant: voice recordings you submit for speech-to-text, chat messages you send to the society AI assistant, and society-scoped context (notices, billing summaries, rule excerpts) used to answer your questions. We do not use your society data to train a global model shared across all societies.
Technical and security: IP address, device and browser type, session identifiers, authentication events, rate-limit counters, and timestamps.
Diagnostics: crash reports and error logs (e.g. via Sentry) to improve reliability.
Analytics (where enabled): aggregated product usage on web or mobile web builds (e.g. Firebase Analytics / GA4), not used to sell your data.
Communications: messages you send via support or in-product channels.

We do not collect device contacts, precise GPS location, or calendar data through the Taniyur mobile app as shipped today.

3a. App permissions (mobile)

The Taniyur mobile app requests device permissions only when a feature needs them. The OS shows the purpose strings below; you may deny non-essential permissions and still use other parts of the app.

Permission	Used for
Microphone	Voice input for society AI assistant and service-request capture (audio sent to configured speech-to-text; not used to train a global cross-society model)
Camera	QR / gate code scan; optional visitor photo at security desk for resident approval
Photos / library	Profile picture, marketplace listings, optional image attachments
Notifications	Gate pre-approvals, society alerts, and inbox (Expo push token stored until logout or rotation)

4. Purposes and legal bases

We process personal data to:

Provide, operate, and improve the TANIYUR platform and website;
Authenticate users, enforce role-based access, and protect security;
Facilitate gate workflows, society billing, compliance processes, and communications you expect from the product;
Deliver optional AI assistant features (Q&A, complaint drafting, voice input) using society-scoped data only;
Send push notifications you have opted into at the OS level;
Respond to enquiries, demos, and support requests;
Comply with law, court orders, or lawful requests by competent authorities;
Defend legal claims and enforce our Terms & Conditions.

We rely on consent where required under the DPDP Act (for example, optional marketing contact, push notifications, camera/microphone access, and certain AI features where your society enables them). We also rely on other permissible grounds—including voluntary provision of data for specified purposes and legitimate uses recognised under the Act—where applicable.

5. Cookies and similar technologies

On our website and society web app we use cookies and similar technologies for session management, authentication, security, and preferences. Where we use analytics cookies on marketing pages, we will describe them and, where required, obtain consent before placing non-essential cookies. You can control cookies through your browser settings; disabling some cookies may limit certain features.

6. Sharing and processors

We may share personal data with trusted Data Processors who assist us under contracts that require them to protect data and process it only on our instructions. Categories include:

Cloud hosting and database (e.g. Supabase / PostgreSQL via Prisma, deployment regions per your instance);
Authentication (Firebase / Google);
Email and messaging (e.g. Resend, Expo push);
Payment gateways (e.g. Razorpay — card and bank details stay with the gateway);
Media storage (e.g. Cloudinary);
Caching and rate limiting (e.g. Redis for security caps and performance — not a primary long-term store of personal data);
AI and speech providers when configured (self-hosted LLM, Google Gemini, OpenAI for embeddings/transcription, or other STT endpoints your deployment uses);
Error monitoring (e.g. Sentry).

We do not sell personal data.

7. Cross-border processing

Some processors may process or store data outside India (for example, cloud regions, OpenAI, Google, or Expo infrastructure). Where personal data is transferred outside India, we comply with the DPDP Act and with Central Government notifications regarding permissible transfers or restrictions, as in force from time to time. Your deployment administrator should confirm which regions and subprocessors apply to your instance.

8. Retention

We retain personal data only for as long as necessary for the purposes above, including statutory, accounting, or dispute-resolution needs, after which we delete or anonymise it in line with internal schedules. Examples:

Account profile data: for the life of the account plus any legal hold;
Security and access logs: typically months, unless investigation requires longer;
Society operational records (visitors, billing): per society instructions and applicable law;
AI assistant inputs: processed per request; not retained as a cross-society training corpus.

9. Security

We implement appropriate technical and organisational measures—including encryption in transit, access control, society-scoped data isolation, rate limiting, and monitoring—to protect personal data against unauthorised access, loss, or alteration. No method of transmission or storage is completely secure; we continually review our practices.

10. Your rights under the DPDP Act

Subject to the DPDP Act and applicable rules, you may have the right to obtain information about processing, seek correction of inaccurate data, request erasure where grounds apply, withdraw consent (where processing is consent-based), nominate another individual as provided under the Act, and use our grievance mechanism. Some requests may need to be routed through your society administrator where data is controlled jointly for society operations.

11. Children's data

The platform is intended for authorised society users. Where processing relates to children as defined under the DPDP Act, verifiable parental or guardian consent or another lawful basis is required before processing, unless a permitted legitimate use applies. Societies should not register minors without appropriate authority.

12. Grievance officer / contact

For privacy requests, corrections, or grievances, contact our Grievance Officer at [GRIEVANCE EMAIL]. We will acknowledge and address grievances in line with the DPDP Act and rules (including prescribed timelines, once applicable to your matter). You may also have the right to approach the Data Protection Board of India as the law permits.

13. Changes

We may update this Privacy Policy from time to time. We will post the revised version with a new "Last updated" date and, where appropriate, provide additional notice.