Privacy Policy

Last Updated: 01 December 2025
Effective Date: 15 December 2025
Version: 1.0


1. Who We Are

Welcome to Thodar, a job management platform designed for small businesses in India.

This Privacy Policy explains how Indraveen Technologies ("we", "us", "our", or "Company") collects, uses, stores, and protects your personal data when you use our Progressive Web Application and website (collectively, the "Service").

Company Details:

  • Legal Name: Indraveen Technologies
  • Registered Address: G1, Block No 7 & 13, Sumeru City, IAF Road, Selaiyur, Chennai - 600073, Tamil Nadu, India
  • GSTIN: 33AJXPM3656L1ZH
  • Contact Email: support@indraveentech.in
  • Privacy Email: support@indraveentech.in

This Privacy Policy is drafted in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA) and applies to all users of Thodar within India and internationally.


2. Important: Understanding Data Roles

2.1 When You Use Thodar for Your Business

You are the Data Fiduciary for your customer data. We are the Data Processor acting on your behalf.

This means:

  • You control what customer data you collect (names, phone numbers, addresses, etc.).
  • You are responsible for obtaining valid consent from your customers.
  • You must handle data subject requests (access, deletion, correction) from your customers.
  • We process this data solely based on your instructions through the app.

Your Obligations:

  • Obtain proper consent before entering customer data into Thodar.
  • Inform your customers that their data is stored and processed by Thodar.
  • Handle customer complaints and data requests directly.
  • Comply with DPDPA 2023 in your capacity as Data Fiduciary.

Our Obligations:

  • Process your customer data only as instructed by you.
  • Implement security measures to protect the data.
  • Not use customer data for our own purposes.
  • Assist you with data subject requests when technically feasible.

2.2 When We Collect Your Business Account Data

We are the Data Fiduciary for your account information. You are the Data Principal (the person whose data we process).

This applies to:

  • Your name, email, phone number.
  • Your business details (shop name, address, GSTIN).
  • Your usage data, billing information, and app activity.

For this data, we are responsible for DPDPA compliance, and you have rights under Sections 3 and 6 of this policy.

2.3 Indemnification

You agree to indemnify and hold Indraveen Technologies harmless from any claims, damages, losses, or legal actions arising from:

  • Your failure to obtain proper consent from your customers.
  • Your misuse of customer data entered into Thodar.
  • Your violation of DPDPA 2023 or other applicable laws.
  • Unauthorized access to customer data due to your failure to secure your account.

We are not liable for how you collect, use, or share your customer data outside of Thodar's intended functionality.


3. Information We Collect

3.1 Account & Authentication Data

What we collect:

  • Full name
  • Email address
  • Phone number (for account recovery)
  • Password (stored as a hashed value using bcrypt - we never see your plain password)
  • Google account information (if you sign in with Google OAuth)

Why we collect it:

  • To create and manage your account.
  • To authenticate your login (via email/password or Google OAuth).
  • To send critical account notifications (password resets, security alerts).

Important: Your email address is your login credential and cannot be removed or opted out of while your account is active. If you wish to stop receiving emails, you must delete your account (see Section 5.3).

Legal basis: Performance of contract (DPDPA 2023, Section 7).

3.2 Business Profile Data

What we collect:

  • Business name, address, and phone number.
  • Business email (optional).
  • WhatsApp number (optional - for future integrations).
  • GSTIN (optional - for GST invoicing).
  • Tax regime preference (GST/Composition/None).
  • State code (for tax calculations).

Why we collect it:

  • To generate legally compliant invoices.
  • To customize the app for your business type.
  • To enable multi-location business management.

Legal basis: Performance of contract (DPDPA 2023, Section 7).

3.3 Customer Records (You Control This Data)

What you enter into Thodar:

  • Your customers' names, phone numbers, emails (optional), postal addresses (optional), WhatsApp numbers (optional).
  • Your customers' GSTIN (if B2B transactions).
  • Your customers' communication preferences.

Important: We process this data on your behalf. You are responsible for obtaining consent from your customers before entering their data into Thodar.

Why we process it:

  • To enable you to track jobs and services.
  • To generate invoices addressed to your customers.
  • To allow you to send service updates (when you choose to).

Legal basis: Processing on behalf of Data Fiduciary (you) - DPDPA 2023.

3.4 Job & Service Data

What we collect:

  • Job descriptions and service notes.
  • Photos of devices/vehicles (stored in Cloudflare R2).
  • Pricing, invoice details, and payment records.
  • Job status history (received → repaired → delivered).

Why we collect it:

  • To help you manage repair/service workflows.
  • To generate invoices and payment receipts.
  • To provide service tracking for your customers.

Legal basis: Performance of contract (DPDPA 2023, Section 7).

3.5 Device & Usage Data

What we automatically collect:

  • Device type, browser type/version, OS.
  • Screen resolution (to optimize PWA layout).
  • App usage patterns (feature usage, error logs).

What we DO NOT collect:

  • GPS location data.
  • IP addresses (not logged or stored).
  • Browsing history outside Thodar.
  • Contact lists or other phone data.

Legal basis: Legitimate interests (DPDPA 2023, Section 7).

3.6 Cookies & Local Storage

What we use:

  • Better Auth Session Cookie: Essential cookie to keep you logged in (even offline). Contains an encrypted session token and expires when you log out or after 30 days of inactivity.
  • IndexedDB Storage: Your app stores data locally on your device using browser IndexedDB for offline functionality. This data is not encrypted at rest by the app (see Section 8.2 for security recommendations).

Cookie Banner: We do not require a cookie consent banner because we only use essential cookies necessary for the Service to function.

3.7 Payment Information

What we collect:

  • Subscription plan, billing cycle, payment status.
  • Razorpay Customer ID and Subscription ID.

What we DO NOT collect or store:

  • Credit card numbers, CVV codes, expiry dates, or bank account details.

Why: All payment processing is handled securely by Razorpay (PCI-DSS compliant). We never see or store your payment card details.


4. How We Use Your Data

We use your personal data only for the following purposes:

4.1 Service Delivery

  • Create and manage your account.
  • Enable offline-first job management.
  • Sync data across your devices.
  • Generate GST-compliant invoices.
  • Process subscription payments.
  • Provide customer support.

4.2 Communication

  • Send transactional emails (invoice generated, subscription expiring, password reset).
  • Send important service updates (maintenance, security, policy changes).
  • Send promotional emails about new features or offers (only if you opt in).

4.3 Legal Compliance

  • Maintain transaction records for 7 years (as required by the Indian Income Tax Act and GST laws).
  • Respond to lawful requests from authorities.
  • Enforce our Terms of Service.

4.4 Analytics & Improvement (Future)

We may implement analytics and error tracking tools in the future (e.g., Sentry, Pino, OpenTelemetry). If we add these tools, we will update this Privacy Policy, notify you, and implement a cookie consent banner if required.

We will NEVER sell your data to third parties, use your data for advertising, or share data with marketers.


5. Your Rights Under DPDPA 2023

As a Data Principal, you have the following rights:

5.1 Right to Access

Request a summary of personal data we process about you, details of third parties, or a copy of your data in JSON format.

  • How to exercise: Go to Settings → Export Data, or email support@indraveentech.in

5.2 Right to Correction

Request correction of inaccurate or incomplete personal data.

  • How to exercise: Edit your profile in Settings → Account, or email support@indraveentech.in

5.3 Right to Erasure (Right to be Forgotten)

Request deletion of your account and personal data. We will delete your account within 30 days.

  • Note: We retain transaction history for 7 years to comply with Indian tax laws. Personal identifiers will be anonymized after this period.
  • How to exercise: Email support@indraveentech.in with subject "Account Deletion Request".

5.4 Right to Data Portability

Export your business data (customers, jobs, invoices) in JSON format anytime to take to another provider.

  • How to exercise: Go to Settings → Backup → Export Data.

5.5 Right to Withdraw Consent

You can withdraw consent for marketing emails or optional features at any time.

5.6 Right to Nominate

You may nominate another person to exercise your rights in the event of your death or incapacity (as per DPDPA 2023, Section 9).

  • How to nominate: Email support@indraveentech.in with nominee details.

6. Grievance Redressal & Complaints

6.1 Grievance Officer

If you have any concerns about how we handle your personal data, contact our Grievance Officer:

  • Name: Data Protection Officer, Indraveen Technologies
  • Email: support@indraveentech.in
  • Response Time: We will acknowledge your grievance within 7 working days and provide a resolution within 90 days.

6.2 Complaint to Data Protection Board

If you are not satisfied with our response, you have the right to file a complaint with the Data Protection Board of India via their official portal (once operational).


7. Data Sharing & Third-Party Services

We share your data only with essential service providers required to operate Thodar. We do not sell, rent, or trade your data.

7.1 Service Providers

  • Payment Gateway: Razorpay (India). PCI-DSS Level 1 compliant.
  • Cloud Hosting & Database: Neon Database, Railway (Singapore/India). SOC 2 Type II compliant.
  • File Storage: Cloudflare R2 (Global). Encrypted at rest.
  • Email Service: Resend (US/India). GDPR/SOC 2 compliant.
  • Authentication: Google OAuth (Global).

7.2 International Data Transfers

Your data may be stored and processed on servers located in Singapore and globally. We ensure that international transfers comply with DPDPA 2023 cross-border data transfer requirements.


8. Data Security & Storage

8.1 Security Measures We Implement

  • Encryption in Transit: TLS 1.3 (HTTPS).
  • Password Security: Hashed using bcrypt.
  • Database Security: Encryption at rest (AES-256).
  • Backups: Encrypted backups stored in Cloudflare R2.

8.2 Offline-First Architecture & Device Security (Critical)

Thodar is an offline-first Progressive Web App.

  • A significant portion of your data is stored locally on your device using IndexedDB.
  • This local data is not encrypted at rest by the Thodar app.
  • If someone gains physical access to your unlocked device, they may be able to view locally stored data.

Your Responsibility:

  • Use a strong PIN, password, or biometric lock on your device.
  • Enable device-level encryption.
  • Do not leave your device unlocked in public places.

9. Data Retention Policy

9.1 While Your Account is Active

  • Account & Business Data: Retained indefinitely.
  • Job Photos: 90 days (auto-deleted).
  • Invoice PDFs: 180 days (can be regenerated).

9.2 After Account Deletion

  • Grace Period: 30 days to cancel deletion.
  • Anonymization: After 30 days, identifiers are removed.
  • Tax Compliance: Transaction history is retained for 7 years (Indian Income Tax Act & GST Act), then permanently deleted.

10. Data Breach Notification

In the event of a personal data breach, we will:

  1. Notify the Data Protection Board of India and affected users within 72 hours (or as prescribed by law).
  2. Assess the impact and take immediate containment measures.
  3. Notify you via email or in-app notification with details of the breach and protective steps you can take.

11. Children's Privacy

Thodar is intended for business owners aged 18 years or older. We do not knowingly collect personal data from minors. If discovered, such accounts will be deleted immediately.


12. Marketing Communications & Opt-Out

  • Transactional Emails: Mandatory (invoices, security, resets). You cannot opt out unless you delete your account.
  • Promotional Emails: Optional. You can opt out via the "Unsubscribe" link or App Settings.

13. Changes to This Privacy Policy

We may update this policy to reflect legal or product changes.

  • Material Changes: We will notify you via email at least 30 days in advance.
  • Minor Changes: We will update the "Last Updated" date.

Continued use of Thodar constitutes acceptance of the updated policy.


14. Governing Law & Jurisdiction

This Privacy Policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts in Chennai, Tamil Nadu, India.


15. Contact Us

For questions or Data Subject Rights Requests, please contact:

Data Protection Officer
Indraveen Technologies
G1, Block No 7 & 13, Sumeru City, IAF Road, Selaiyur, Chennai - 600073, Tamil Nadu, India

Email: support@indraveentech.in

Please contact support@indraveentech.in for any clarifications.