Privacy Policy

How Axhy collects, uses, and protects personal data under India's DPDPA 2023, EU GDPR, and California's CCPA.

This policy explains what personal data Axhy collects, why we collect it, how we store it, and what rights you have over it. We have written it in plain language because we believe you deserve to understand it. This policy is compliant with India's Digital Personal Data Protection Act 2023 (DPDPA) and incorporates provisions for EU GDPR and US CCPA where applicable.

Note: Axhy is currently in pre-launch. This policy will be updated as our legal registration completes and as DPDPA rules are progressively notified by the Government of India.

1. Who We Are

Axhy is a B2B facility-management SaaS platform that helps facility management companies in India manage worker scheduling, verify site visits through GPS and photographs, and generate proof-of-work reports. The platform consists of an admin web portal at axhy.app and a mobile app for field workers.

Legal name: Axhy
Operated by: Akshay (sole founder, Karnataka, India) [Registered address to be filled by Akshay]
Domain: axhy.app
Grievance contact: grievance@axhy.app

For data protection purposes, Axhy acts as the Data Fiduciary under DPDPA 2023 (and Data Controller under GDPR) for all personal data processed through the platform. Customer companies (facility management firms) are independent Data Fiduciaries for their own workers' data within their tenant account.

2. Data We Collect

We only collect data that is directly necessary to operate the platform and fulfil our contractual obligations to customer companies. We do not collect payment card details (billing is handled manually), browsing history outside the platform, or sensitive personal data such as biometrics, religion, caste, or health information.

Category A — Admin users (company managers, supervisors)

  • Full name — provided at account creation by the company
  • Work email address — used as login identifier
  • Hashed password — stored as bcrypt hash (cost factor 12); the plaintext password is never stored
  • Audit log entries — timestamped record of all actions taken in the portal (assignment creation, worker edits, report exports, etc.) retained for compliance

Category B — Field workers (mobile app users)

  • Full name — entered by the employer when the worker account is created
  • Mobile phone number — used as login identifier; OTP sent via SMS
  • Skills list — work skills assigned by the employer (e.g., “deep clean”, “glass facade”)
  • Home GPS coordinates (lat/lng) — optionally provided by employer for route planning; stored at rest
  • Aadhaar hash — a one-way hash of the worker's Aadhaar number for identity verification; the raw Aadhaar number is never stored
  • GPS location trails — captured during active assignments to verify presence at the correct site
  • Before and after photographs — photos of work areas taken by the worker as proof of work; stored in Cloudflare R2
  • Work timestamps — check-in time, check-out time, duration, and per-task completion timestamps
  • Device metadata — device model, OS version, app version, used for debugging and support only

Category C — Site and operational data

  • Site address — physical address of the facility
  • Site GPS coordinates — used for geo-fence verification of worker check-ins
  • Site contact name and phone number — the on-site contact person provided by the customer company
  • Zone configuration — internal zone/floor layout for assignment mapping

3. Why We Collect It — Purpose of Processing

  • Admin email + password hash — Authentication and account security. Legal basis: Contract performance.
  • Worker phone + name — Identity, OTP login, assignment routing. Legal basis: Contract performance; employer consent.
  • Worker skills — Matching workers to appropriate assignments. Legal basis: Legitimate interest; contract.
  • Home GPS coordinates — Route planning (proximity-based scheduling). Legal basis: Employer consent; legitimate interest.
  • Aadhaar hash — Identity de-duplication; fraud prevention. Legal basis: Employer consent; legitimate interest.
  • GPS location trails — Verify physical presence at assigned site. Legal basis: Contract performance.
  • Before/after photos — AI-assisted proof-of-work verification. Legal basis: Contract performance.
  • Work timestamps — Payroll support, SLA verification, anomaly detection. Legal basis: Contract; legal obligation (labour compliance).
  • AdminAuditLog — Security, compliance, dispute resolution. Legal basis: Legal obligation; legitimate interest.
  • Site address + GPS — Geo-fencing, assignment dispatch. Legal basis: Contract performance.

Workers are informed of data collection by their employer as part of onboarding. Axhy requires customer companies to provide such notice to their workers as a contractual condition of using the platform.

4. Data Processors (Sub-processors)

We use the following third-party service providers to operate the platform. Each processor is bound by a data processing agreement or equivalent contractual terms.

  • Neon — Managed PostgreSQL: primary application database storing all structured data. Handles all platform data. Region: Singapore (ap-southeast-1).
  • Cloudflare R2 — Object storage: stores all before/after work photographs. Handles work photos. Region: Cloudflare global network.
  • Railway — Application hosting: runs the Fastify backend API and Next.js admin portal. Handles all data in transit through API. Region: Singapore (ap-southeast-1).
  • Upstash — Redis: ephemeral session tokens, rate-limiting counters, and job queues. Handles session tokens (expire automatically). Region: Singapore (ap-southeast-1).
  • MSG91 — SMS delivery: sends OTP codes to workers during mobile login. Handles worker phone number + OTP only. Region: India.
  • Anthropic — AI assistant API: powers the in-platform AI assistant for admin queries and the photo-based quality analysis. Handles work photos and anonymised query context (not linked to worker names). Region: United States.

We do not sell or rent personal data to any third party. Data shared with the processors above is strictly limited to what is necessary for the stated purpose.

5. International Transfer of Data

All primary application data (database, API, session layer) is hosted in the Singapore (ap-southeast-1) region. Singapore is a recognised hub with strong data protection laws under the Personal Data Protection Act (PDPA) 2012, and Axhy's hosting contracts include standard contractual safeguards.

Two processors involve cross-border transfers outside Singapore:

  • MSG91 (India) — phone numbers are transmitted to MSG91's India-based infrastructure solely to dispatch OTP SMS messages.
  • Anthropic (United States) — work photos and anonymised query context are sent to Anthropic's API for AI analysis. Photos are not stored by Anthropic beyond the duration of a single API call, per Anthropic's enterprise data handling commitments.

Under DPDPA 2023, cross-border transfers are permissible to countries notified by the Central Government as having adequate data protection standards, or subject to standard contractual safeguards. We monitor the Government of India's notifications and will update our transfer mechanisms accordingly. For EU-based customers, these transfers rely on Standard Contractual Clauses (SCCs) as permitted by GDPR Article 46.

[Akshay to confirm: once DPDPA cross-border transfer rules are notified, update the legal basis cited in this section accordingly]

6. Retention Periods

  • Work photos (before/after) — 3 years. Reason: Client SLA disputes, AI model training.
  • AdminAuditLog — 7 years. Reason: Labour law and tax compliance.
  • AssignmentEvent records — 7 years. Reason: Labour law compliance, payroll audit trail.
  • Visits and assignments (core records) — Lifetime of contract + 2 years post-termination. Reason: Operational continuity; post-termination dispute window.
  • Worker PII (name, phone, home GPS) — Until deletion request + 30-day waiting period, then anonymised. Reason: DPDPA right to erasure; fraud-check window.
  • Admin account PII — Until account deletion or contract termination + 30 days. Reason: Active service delivery.
  • Session tokens (Redis) — 8 hours (admin) / 30 days (worker). Reason: JWT expiry; automatically purged.
  • Deletion requests — 30-day waiting period, then anonymisation executed. Reason: Allows fraud reversal window before destruction.

When a worker is anonymised, their name and phone number are replaced with pseudonymous identifiers. Work records (timestamps, GPS trails, AI scores) are retained in anonymised form to preserve historical analytics integrity.

7. Your Rights Under DPDPA 2023 and GDPR

Depending on your location and applicable law, you have the following rights over your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure (right to be forgotten) — request anonymisation of your personal identifiers; subject to the 30-day waiting period and the retention obligations described above
  • Right to data portability — request your data in a machine-readable format (CSV / JSON export)
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal
  • Right to grievance redressal (DPDPA 2023, Section 13) — lodge a complaint with the Axhy Grievance Officer, who must respond within 30 days
  • Right to complain to the Data Protection Board — if your grievance is not resolved satisfactorily, you may approach the Data Protection Board of India once it is constituted

[Akshay to confirm: GDPR rights (Articles 15–22) apply to EU-based data subjects. CCPA rights apply to California residents. Add explicit flags if you expand to those markets.]

8. How to Exercise Your Rights

Send a written request to our Grievance Officer at grievance@axhy.app. Please include:

  • Your full name and the phone number or email address on your account
  • A description of the right you wish to exercise (access, erasure, portability, etc.)
  • Any additional context that helps us locate your records

We will acknowledge your request within 7 business days and provide a substantive response within 30 days. If we need more time (complex or multiple requests), we will notify you of the extension before the 30-day deadline.

Worker requests may need to be routed through the employer company in certain circumstances where data access is governed by the employment relationship.

9. Grievance Officer

Akshay
Founder & Grievance Officer, Axhy

Email: grievance@axhy.app
Address: [Registered address to be filled by Akshay], Karnataka, India

Response time: within 30 days of receiving a written complaint, as mandated under DPDPA 2023, Section 13.

10. Cookies and Tracking

The Axhy admin portal uses only essential cookies and browser storage required for authentication, security, and session management. Specifically:

  • Session / JWT token — stored in an httpOnly, Secure, SameSite=Strict cookie; expires after 8 hours for admin users
  • CSRF token — double-submit cookie pattern; stored in a Secure, SameSite=Strict cookie
  • Cookie consent preference — stored in localStorage for 1 year; records which cookie categories you accepted

We do not use any third-party analytics cookies, advertising cookies, or tracking pixels at this time. If we add analytics in future, we will update this policy and request fresh consent via the cookie consent banner.

The platform honours the browser's Do-Not-Track signal — if DNT is enabled, no optional analytics are activated even if you have previously accepted them.

11. Security Measures

Axhy applies the following technical and organisational security measures:

  • Encryption in transit — all connections use TLS 1.3 minimum; HTTP is redirected to HTTPS
  • Encryption at rest — database and object storage are encrypted at rest by Neon and Cloudflare respectively
  • Password hashing — admin passwords are hashed with bcrypt (cost factor 12); plaintext passwords are never stored or logged
  • JWT expiry — admin tokens expire after 8 hours; worker tokens expire after 30 days; refresh requires re-authentication
  • Least-privilege access — each service has a narrowly scoped database role; SUPER_ADMIN actions are separately gated and audit-logged
  • Rate limiting — all API endpoints are rate-limited via Upstash Redis to protect against brute-force and abuse
  • Audit logging — all admin actions are logged with timestamp, user ID, IP address, and action type
  • Aadhaar data handling — Aadhaar numbers are hashed using a one-way cryptographic function before storage; the raw number is discarded immediately after hashing

To report a security vulnerability, email security@axhy.app. We will acknowledge all reports within 48 hours.

12. Changes to This Policy

We may update this Privacy Policy as the platform evolves, as DPDPA rules are progressively notified, or as we expand to new markets. We will update the “Last updated” date at the bottom of this page whenever we make changes.

For material changes — meaning changes that significantly affect how we handle your data — we will send an email notification to all registered admin users at least 14 days before the change takes effect. Continued use of the platform after that date constitutes acceptance.

13. Contact

General support: support@axhy.app
Privacy / grievance: grievance@axhy.app
Security: security@axhy.app

Karnataka, India · [Registered address to be filled by Akshay]