Privacy Policy

1. Sapaad Software Pvt Ltd, a company incorporated under the Companies Act, 2013, and its relevant subsidiaries and affiliates (collectively, "Sapaad," "we," "us," or "our") respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard personal data in compliance with applicable laws.
2. Applicable Laws: This Privacy Policy complies with:
   1. India's Digital Personal Data Protection Act, 2023 (DPDPA) and rules notified thereunder;
   2. Information Technology Act, 2000 and rules thereunder; and
   3. Other applicable data protection laws in jurisdictions where we operate or serve customers.
3. Scope of Application: This Privacy Policy applies to personal data that we collect:
   1. Through our website at www.sapaad.com/in and related websites;
   2. When you register for, access, or use our Service (as defined in our Terms of Service);
   3. Through direct communications with you (email, phone, in-person meetings, etc.);
   4. At events, webinars, demonstrations, and trade shows;
   5. From third-party sources with your consent or as permitted by law; and
   6. Through cookies and similar tracking technologies.

   Personal data collected by Sapaad will be transferred to Sapaad Pte. Ltd. (Singapore) and other Sapaad group entities located outside India for centralized processing, to provide you with the services and other legitimate business needs in accordance with applicable law. Further, your personal data may be shared with authorized data processors appointed by Sapaad strictly for service delivery purposes.

1. "Personal Data" means information that identifies or can reasonably be used to identify an individual, including:
   1. Name, title, gender, date of birth;
   2. Contact details (email address, phone number, postal address);
   3. Identification numbers (passport, national ID, tax ID);
   4. Financial information (bank account, credit card details);
   5. IP address, device identifiers, geolocation data;
   6. Online identifiers (cookies, session IDs);
   7. Employment information (company name, job title);
   8. Transaction history and usage data; and
   9. Any other information defined as "personal data" under applicable laws.
2. "Sensitive Personal Data" (or "Special Category Data") means personal data revealing:
   1. Racial or ethnic origin, political opinions, religious or philosophical beliefs;
   2. Biometric or genetic data processed to uniquely identify an individual;
   3. Health data, including dietary restrictions or food allergies;
   4. Sexual orientation or gender identity; or
   5. Financial account credentials, passwords, PINs.

   We do not intentionally collect Sensitive Personal Data except where strictly necessary for service delivery (e.g., dietary restrictions for meal planning) and only with your explicit consent or as required by law.

3. "Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, transfer, deletion, destruction and other activities as prescribed under applicable laws.

1. Data You Provide Directly: We collect personal data you voluntarily provide when you:
   1. Express Interest in Our Services: Name, title, company name, business address, phone number, email address, job function; Purpose of inquiry or information requested.
   2. Create an Account or Subscribe: Account credentials (username, password); Billing and payment information (credit/debit card details, bank account information, billing address, GSTIN); Company registration details, business licenses (including FSSAI license numbers); Authorized user information for your organization.
   3. Use Our Service: Customer Data uploaded to the Service (including menu items, inventory records, transaction data, customer contact information collected by you); Support requests and communications with our customer service team, preferences and settings within the Service.
   4. Attend Events or Webinars: Registration information (name, title, company, email, phone, country). Badge scan information at sponsored events; Dietary preferences or accessibility requirements.
   5. Participate in Marketing or Surveys: Responses to surveys, questionnaires, or feedback forms; Marketing preferences and communication opt ins.
   6. Register for Online Communities: Username, profile photo, biographical information (occupation, location, social media profiles, areas of expertise and interests).
   7. Visit Our Offices: Visitor registration details (name, email, phone, company, date and time of visit); Non-disclosure agreements (if required); Security footage from CCTV cameras in office premises.
2. When You Visit Our Website: We automatically collect:
   1. Device and browser information: IP address, device type, operating system, browser type and version, screen resolution, language preferences;
   2. Usage data: Pages viewed, links clicked, time spent on pages, referring URLs, search queries, date and time stamps;
   3. Location data: General geographic location derived from IP address.
   When You Use Our Service: We automatically collect:
   1. Service usage data: Features accessed, modules used, frequency of use, actions taken within the Service;
   2. Performance data: Page load times, error logs, system performance metrics;
   3. Device data: Mobile device identifiers, operating system, app version, push notification tokens;
   4. Location data: Geolocation (if you grant permission via mobile app);
   5. Transaction metadata: Transaction times, amounts, payment methods (but not full card numbers or CVV codes).
3. Cookies and Tracking Technologies: We use cookies, web beacons, pixels, JavaScript, and similar technologies to:
   1. Authenticate users and prevent fraud;
   2. Remember preferences and settings;
   3. Analyze website and Service usage;
   4. Deliver personalized content and advertisements;
   5. Measure marketing campaign effectiveness.
   See Section 9 for detailed information on cookies and your choices.
4. Data From Third-Party Sources: We may collect personal data from:
   1. Business contact databases and lead generation services (name, title, company, email, phone);
   2. Social media platforms (LinkedIn, Facebook, Twitter) if you interact with our pages or authorize connections;
   3. Third party service providers integrated with our Service (payment processors, logistics partners, loyalty program providers);
   4. Publicly available sources (company websites, public registries, published directories);
   5. Event sponsors or co-marketing partners with your consent;
   6. Credit reporting agencies (for creditworthiness assessments where permitted).
   We combine this data with information we collect directly to update records, identify prospective customers, personalize marketing, and improve our services.

1. We process personal data only where we have a lawful basis under applicable law:
   1. Consent: You have given free, clear, specific, informed, unconditional consent;
   2. Contract Performance: Processing is necessary to fulfill our contractual obligations to you;
   3. Legal Obligation: Processing is required to comply with applicable laws or regulations;
   4. Legitimate Interests: Processing is necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms or any applicable law; or
   5. Vital Interests: Processing is necessary to protect your vital interests or those of another person.
2. We process personal data for the following purposes:

   Service Delivery and Performance (Contract Performance / Legitimate Interests):

   1. Provide access to and functionality of the Service;
   2. Authenticate users and manage accounts;
   3. Process transactions and maintain billing records;
   4. Deliver customer support and respond to inquiries;
   5. Fulfil orders and service requests;
   6. Enable integrations with Third-Party Services you authorize.

   Legal and Regulatory Compliance (Legal Obligation):

   1. Comply with Indian tax laws (GST invoicing, TDS reporting, FSSAI licensing verification);
   2. Respond to lawful requests from government authorities, courts, or regulators;
   3. Maintain records required by law (including CERT-In log retention for customers);
   4. Report cybersecurity incidents as required by CERT-In;
   5. Comply with anti-money laundering and counter-terrorism financing obligations;
   6. Verify TRAI DLT registration for SMS users in India.

   Security and Fraud Prevention (Legitimate Interests):

   1. Monitor for suspicious activity, unauthorized access, or security threats;
   2. Investigate and respond to security incidents;
   3. Enforce our Terms of Service and other policies;
   4. Protect the rights, property, and safety of Sapaad, our customers, and the public;
   5. Implement access controls and authentication measures.

   Service Improvement and Development (Legitimate Interests):

   1. Analyze usage trends and user behavior;
   2. Identify bugs, errors, and performance issues;
   3. Develop new features, products, and services;
   4. Conduct research and analytics;
   5. Generate anonymized, aggregated statistics (which do not identify individuals).

   Marketing and Communications (Consent / Legitimate Interests):

   1. Send marketing emails, newsletters, and promotional offers (with your consent);
   2. Conduct market research and customer satisfaction surveys;
   3. Display personalized advertisements on our websites and third-party platforms;
   4. Invite you to events, webinars, and product demonstrations;
   5. Share information about product updates and new features.

   For marketing communications, we rely on consent where required by law. You may withdraw consent or opt out at any time (see Section 7).

   Event Management (Contract Performance / Legitimate Interests):

   1. Process registrations and send event-related communications;
   2. Facilitate networking and attendee engagement;
   3. Share attendee information with event sponsors (with your consent via registration or badge scan).

   Business Operations (Legitimate Interests):

   1. Manage vendor and partner relationships;
   2. Assess customer opportunities and business development;
   3. Facilitate corporate transactions (mergers, acquisitions, asset sales);
   4. Maintain internal records and documentation;
   5. Manage office security and visitor access.

   Internal Training and Quality Assurance (Legitimate Interests):

   1. Train staff on product functionality and customer service;
   2. Monitor and improve the quality of customer support;
   3. Conduct internal audits and risk assessments.

1. Within Sapaad Group: We may share personal data among Sapaad Pte. Ltd., Sapaad Software Private Limited, and our affiliates for the purposes described in Section 4, including customer support, technical operations, marketing, and account management.
2. Service Providers and Processors: We share personal data with trusted third-party service providers who assist us in operating our business, including:
   1. IT and cloud infrastructure providers (hosting, storage, backup, disaster recovery);
   2. Payment processors and gateways (Stripe, Razorpay, PayPal, etc.);
   3. Customer support platforms (help desk software, live chat tools);
   4. Marketing and analytics providers (Google Analytics, email marketing platforms, CRM systems);
   5. Security and fraud prevention services;
   6. Professional advisors (lawyers, accountants, auditors, insurers).
   These service providers are contractually obligated to process personal data only as instructed by Sapaad, maintain confidentiality, and implement appropriate security measures.
3. Integration Partners (With Your Authorization): When you activate third-party integrations (payment gateways, logistics providers, loyalty platforms, hardware providers), we share relevant personal data and Customer Data with those partners as necessary to deliver the integration functionality. You authorize such sharing by activating the integration.
4. Event Sponsors and Co-Marketing Partners: If you attend an event or webinar we organize, or download sponsored content, we may share your registration information (name, title, company, email, phone) with event sponsors or content providers. Where required by law, you will be asked to consent via the registration form or by allowing your badge to be scanned. Sponsors' use of your information is governed by their own privacy policies.
5. Business Transfers: If Sapaad is involved in a merger, acquisition, reorganization, asset sale, or bankruptcy, personal data may be transferred to the successor entity. We will use reasonable efforts to notify you (via email or prominent notice on our website) before your personal data is transferred and becomes subject to a different privacy policy.
6. Legal Requirements and Protection of Rights: We may disclose personal data to government authorities, law enforcement, courts, or other third parties when we believe disclosure is:
   1. Required by law, regulation, legal process, or government request;
   2. Necessary to enforce our Terms of Service or other agreements;
   3. Necessary to detect, prevent, or address fraud, security, or technical issues;
   4. Necessary to protect the rights, property, or safety of Sapaad, our customers, or the public, as required or permitted by law.
   We will attempt to notify you of such requests unless prohibited by law or court order.
7. Aggregated and Anonymized Data: We may share aggregated, anonymized, or de-identified data that does not identify individuals (or permit re-identification) with third parties for analytics, research, marketing, and business intelligence purposes. Such data is not considered personal data.
8. With Your Consent: We may share personal data with other third parties when you provide specific consent for such sharing.

1. Cross-Border Transfers: Sapaad operates globally and may transfer personal data across international borders, including to countries that may not provide the same level of data protection as your home jurisdiction.
2. Safeguards for Transfers: When transferring personal data internationally, we implement appropriate safeguards, including:
   1. Standard Contractual Clauses (SCCs) approved by the relevant authorities;
   2. Adequacy decisions recognizing certain jurisdictions as providing adequate protection;
   3. Binding Corporate Rules within the Sapaad group entities;
   4. Consent where required by law;
   5. Compliance with DPDPA requirements for transfers from India, including obtaining your explicit consent and implementing such transfer mechanisms or safeguards as may be prescribed under applicable law.
3. Primary Data Locations: Personal data is primarily stored and processed in:
   1. Singapore;
   2. India;
   3. Cloud infrastructure is provided by third-party service providers (AWS, Google Cloud, Microsoft Azure) with data centres in various locations.
   4. You may contact us at support@sapaad.com to obtain more information about international transfers and the safeguards in place.

1. Rights Under DPDPA: You have the following rights under the DPDPA:
   1. Right to Access: You may request confirmation of whether we process your personal data and obtain a copy of such data in a clear and concise manner, including the identities of all data fiduciaries and data processors with whom we have shared your personal data, together with a description of the personal data so shared subject to applicable laws.
   2. Right to Correction: You may request correction of inaccurate, misleading, incomplete, or outdated personal data.
   3. Right to Erasure: You may request deletion of your personal data where:
      1. It is no longer necessary for the purposes for which it was collected;
      2. You withdraw consent (where processing is based on consent);
      3. Processing is unlawful; or
      4. Erasure is required by law.
      This right is subject to exceptions, including where retention is required by law or necessary for legal claims.
   4. Right to Grievance Redressal: You may lodge a complaint with our Data Protection Officer (DPO) or the Data Protection Board of India if you believe your rights have been violated in accordance with applicable laws.
   5. Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.
2. Exercising Your Rights
   1. To exercise any of the above rights, please contact us at:
      Email: support@sapaad.com
      Phone: 1800 571 7272
   2. We will respond to your request within thirty (30) business days. We may request additional information to verify your identity before processing your request.
3. Marketing Opt-Out: You may opt out of marketing communications at any time by:
   1. Clicking the "unsubscribe" link in any marketing email;
   2. Emailing support@sapaad.com with "OPT OUT" in the subject line;
   3. Updating your communication preferences in your account settings; or
   4. Contacting us using the contact details in Section 7.
   5. Opting out of marketing does not affect transactional or service-related communications (e.g., account notifications, billing statements, security alerts).
4. Cookie Management: See Section 9 for information on managing cookies and tracking technologies.

1. Retention Principles: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.
2. General Retention Periods:
   1. Account and transaction data: Retained for the duration of the customer relationship plus 7 years (or longer if required by applicable tax, accounting, or legal requirements);
   2. Marketing data: Retained until you opt out or withdraw consent, plus up to 2 years for suppression purposes;
   3. Support and communication records: Retained for 5 years, unless a shorter retention period is required by applicable law;
   4. Website analytics and logs: Retained for up to 26 months;
   5. CCTV footage: Retained for 90 days unless required for security investigation or legal proceedings.

   We retain:

   1. System logs, IP addresses, and usage records: Minimum 180 days from the date of generation;
   2. Financial and tax records: 7 years from the end of the relevant financial year (as required under Indian tax laws).
3. Deletion and Anonymization: After the retention period expires, we will:
   1. Securely delete or destroy personal data; or
   2. Anonymize personal data such that it can no longer identify individuals.
4. Legal Holds: We may retain personal data beyond standard retention periods if required for legal proceedings, government investigations, or to defend legal claims.

1. Cookies are small text files placed on your device when you visit a website. They enable the website to recognize your device, remember your preferences, and improve your experience.
2. Types of Cookies We Use:
   1. Essential Cookies (Required): These cookies are strictly necessary for the operation of our website and Service. They include: Session cookies to maintain your login status; Authentication cookies to verify your identity; Security cookies to detect fraud and abuse. You cannot opt out of essential cookies, as they are required for basic functionality.
   2. Functional Cookies (Optional): These cookies enhance functionality and personalization: Remembering your preferences (language, region, display settings); Storing items in your shopping cart; Enabling live chat and customer support features; Analyzing site traffic and usage patterns (e.g., Google Analytics). You may opt out of functional cookies through cookie preference settings.
   3. Analytics and Performance Cookies (Optional): These cookies help us understand how visitors use our website: Google Analytics: Collects anonymized data on page views, navigation paths, time spent on pages, and user demographics. See Google's privacy policy at https://www.google.com/policies/privacy/partners/. We have enabled Google's Restricted Data Processing to limit how Google can use our data. Heatmaps and session recordings: Capture anonymized user interactions to identify usability issues. You may opt out of analytics cookies through cookie preference settings or by installing browser extensions (e.g., Google Analytics Opt-Out Browser Add-on).
   4. Advertising and Targeting Cookies (Optional): These cookies track your activity across websites to deliver personalized ads: Showing Sapaad ads on third-party websites (e.g., Google Ads, Facebook Ads, LinkedIn Ads); Measuring ad campaign effectiveness; Building audience profiles for retargeting. We work with third-party advertising networks that may collect IP addresses, device identifiers, browsing behavior, and other information through cookies and web beacons. We require these partners to process data only as necessary for advertising services and to comply with applicable privacy laws. You may opt out of advertising cookies through: Cookie preference settings on our website; Industry opt-out tools: (1) Network Advertising Initiative: https://optout.networkadvertising.org/ (2) Digital Advertising Alliance: http://optout.aboutads.info/ Platform-specific controls: (1) Google Ads Settings: https://adssettings.google.com/ (2) Facebook Ad Preferences: https://www.facebook.com/ads/preferences/ (3) LinkedIn Advertising Preferences: https://www.linkedin.com/psettings/advertising
3. Other Tracking Technologies
   1. Web Beacons and Pixels: Small transparent images embedded in web pages and emails to track whether content was viewed or links were clicked. Used for email open rates, campaign analytics, and conversion tracking.
   2. Local Storage (HTML5): Allows websites to store data locally in your browser for faster loading and enhanced functionality. You can clear local storage through your browser settings.

   Mobile Device Identifiers: Mobile apps may use device advertising identifiers (Apple IDFA, Google Advertising ID) for analytics and advertising. You can reset or disable these identifiers in your device settings: (i) iOS: Settings > Privacy > Advertising > Reset Advertising Identifier or Limit Ad Tracking (ii) Android: Settings > Google > Ads > Reset advertising ID or Opt out of Ads Personalization

4. Do Not Track (DNT): Some browsers offer "Do Not Track" signals to indicate your preference not to be tracked. However, there is no universal standard for interpreting DNT signals. We do not currently respond to DNT signals, but you can control tracking through cookie settings and opt-out tools described above.
5. Managing Cookie Preferences: You can manage cookie preferences by:
   1. Clicking the "Cookie Preferences" link in the footer of our website;
   2. Adjusting your browser settings to block or delete cookies (note: disabling cookies may limit website functionality);
   3. Using browser extensions or privacy tools (e.g., Ghostery, Privacy Badger).

   Popular browser cookie management:

   1. Chrome: Settings > Privacy and Security > Cookies and other site data
   2. Firefox: Options > Privacy & Security > Cookies and Site Data
   3. Safari: Preferences > Privacy > Manage Website Data
   4. Edge: Settings > Privacy, search, and services > Cookies and site data

1. We implement robust administrative, technical, and physical safeguards to protect personal data against unauthorized access, disclosure, alteration, and destruction, including, as may be appropriate, the following measures:

   Administrative Safeguards:

   1. Data protection policies and procedures;
   2. Privacy and security training for employees;
   3. Designated Data Protection Officer (DPO) and security personnel;
   4. Background checks for employees with access to personal data;
   5. Regular security audits and risk assessments.

   Technical Safeguards:

   1. Encryption of data in transit (TLS/SSL) and at rest (AES-256);
   2. Multi-factor authentication (MFA) for account access;
   3. Access controls and role-based permissions (principle of least privilege);
   4. Intrusion detection and prevention systems (IDS/IPS);
   5. Regular security patching and vulnerability scanning;
   6. Secure software development lifecycle (SDLC) practices;
   7. Data loss prevention (DLP) tools;
   8. Backup and disaster recovery procedures.

   Physical Safeguards:

   1. Secure data center facilities with restricted access;
   2. 24/7 surveillance and monitoring of physical infrastructure;
   3. Environmental controls (fire suppression, temperature regulation).
2. Payment Card Security (PCI DSS Compliance): We comply with the Payment Card Industry Data Security Standard (PCI DSS) for payment processing. We do not store complete credit card numbers, CVV codes, or magnetic stripe data. Payment processing is handled by PCI DSS-compliant third-party processors using encryption and tokenization.
3. CERT-In Compliance (India): We comply with CERT-In directives, including:
   1. Reporting cybersecurity incidents to CERT-In within six hours of noticing such incidents;
   2. Maintaining system logs for at least 180 days;
   3. Implementing security best practices and coordinating with CERT-In on incident response.
4. Limitations of Security: While we employ industry-standard security measures, no system is completely secure. Data transmission over the internet and electronic storage carry inherent risks. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account. For your own protection, do not include sensitive personal data (e.g., passwords, credit card numbers, health information) in emails to us or our staff unless encrypted or transmitted through secure channels.
5. Security Incident Response: In the event of a data breach affecting personal data:
   1. We will investigate promptly and take steps to contain and mitigate the breach;
   2. We will notify affected individuals and relevant authorities including the Data Protection Board of India as required by law;
   3. Notice to affected individuals and the Data Protection Board without undue delay. We will cooperate with regulatory investigations and take corrective actions to prevent recurrence.

1. Our Service is not directed to children under the age of 18 (or the applicable age of majority in your jurisdiction) or to persons with disabilities who are legally unable to provide valid consent. We do not knowingly collect personal data from children under 18 or from persons with disabilities who are legally unable to provide valid consent without verifiable parental or guardian consent.
2. If you are a parent or lawful guardian and believe your child or a person with a disability under your care has provided personal data to us without your consent, please contact us at support@sapaad.com. Upon verification, we will promptly delete such information from our systems.
3. For residents under the age of 18, we require verifiable parental or guardian consent before processing personal data, in accordance with DPDPA requirements.

1. Our website and Service may contain links to third-party websites, applications, and services that are not owned or controlled by Sapaad. This Privacy Policy does not apply to such third-party sites. We are not responsible for the privacy practices or content of third parties.
2. We encourage you to review the privacy policies of any third-party websites or services you visit or use. Third parties may have different data collection, use, and sharing practices than Sapaad.

1. We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. The "Last Updated" date at the top of this policy indicates when it was last revised.
2. If we make material changes that significantly affect how we collect, use, or share personal data, we will:
   1. Post a prominent notice on our website;
   2. Send an email notification to registered users (where we have your email address); and/or
   3. Provide notice through the Service.
3. Continued Use as Acceptance: Your continued use of our website or Service after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using our Service and may request deletion of your personal data (subject to legal retention requirements).

1. For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
   1. Email: support@sapaad.com
   2. Phone: 1800 571 7272
   3. Address: Sapaad Software Pvt Ltd, SCK01, 207, Second Floor, Smart City, Kakkanad, Ernakulam, Kerala 682030 and B4, 65/1389, Express Garden, Elamkulam Road, KALOOR, Ernakulam, Kerala, 682017
2. Grievance Officer: We have appointed a Grievance Officer in accordance with DPDPA requirements to address complaints and grievances related to personal data processing.
   1. Grievance Officer Name: Sikandar Kotwal
   2. Email: legal@sapaad.com
   3. Address: Sapaad Software Pvt Ltd, SCK01, 207, Second Floor, Smart City, Kakkanad, Ernakulam, Kerala 682030 and B4, 65/1389, Express Garden, Elamkulam Road, KALOOR, Ernakulam, Kerala, 682017
   4. The Grievance Officer will acknowledge your complaint within 24 hours and resolve it within 15 days (or such other timeframe as specified under DPDPA rules).
3. Regulatory Authorities: You have the right to lodge a complaint with the relevant data protection authority in your jurisdiction: India: Data Protection Board of India.

By using our Service, you acknowledge that you have read, understood, and agree to this Privacy Policy.