1 · Roles under §2(i) and §2(k)
Kryil Infotech is the Data Fiduciary for operator-account data. For media that operators upload, the operator is the Data Fiduciary and Kryil Infotech is the Data Processor. Statements on this page refer to the Fiduciary role unless noted.
2 · Lawful purpose and notice (§5, §6)
Operators sign up via a notice that itemises the personal data collected, the specific purpose, and contact details for the Data Protection Officer. The notice is available in English; Hindi and regional-language versions are issued on request prior to consent.
3 · Personal data categories
- Operator email, name, mobile — service delivery; account lifetime + 18 months.
- Payment metadata (UPI handle, last 4 of card) — subscription billing; 8-year tax-law retention.
- GST identifier (commercial customers) — statutory invoice issuance; 8 years.
- Access logs (IP, UA, route) — security under §10(2)(b) safeguards; 30 days.
- Audit trail of admin actions — accountability under §8; 12 months.
4 · Rights of data principals (§11–§14)
Write to [email protected] to exercise any of:
- §11 — right to information about processing.
- §12 — correction and erasure; completed within 30 days, backups age out within a further 30 days.
- §13 — grievance redressal; first-tier response within 7 working days, escalation to Grievance Officer within an additional 14 days.
- §14 — right to nominate; operators may nominate a person to exercise rights on incapacity.
5 · Reasonable security safeguards (§8(5))
- TLS 1.2+ in transit; AES-256 at rest for PostgreSQL and object storage.
- Bcrypt password hashing (cost 12); email-code MFA on every superadmin login and on sensitive privilege-escalation operations. TOTP-based MFA is on the roadmap.
- RBAC; access reviewed on each role change and at minimum annually.
- Dependency vulnerability scanning on every build; an independent penetration test is scheduled before the FY 2027 independent audit and remediation is tracked to closure.
- Tamper-evident audit logs covering admin and authentication events.
- Backup encryption + geographically segregated cold storage. Restore drills run on a documented schedule; cadence and last-drill date are available on request.
6 · Cross-border transfer (§16)
Default deployment for Indian operators is Microsoft Azure South India (Chennai). Data is not transferred outside India for the standard service. Transactional email sub-processors (Resend, SendGrid) are US-based; only the recipient address and message body are transmitted. Operators concerned about cross-border data residency can opt out of marketing email; transactional email is essential to service delivery.
7 · Significant Data Fiduciary status (§10)
- Appointed Data Protection Officer.
- Documented Data Protection Impact Assessment, updated annually.
- Independent audit on an annual cadence (scheduled for FY 2027).
8 · Breach reporting (§8(6))
Personal-data breaches are reported to the Data Protection Board of India and to affected principals as soon as the impact is assessed, in any case within 72 hours of confirmed detection. A documented incident-response runbook governs detection, containment, communication, and post-mortem.
Grievance Officer & Data Protection Officer
Grievance Officer: [email protected]
Data Protection Officer: [email protected]
Postal address: Kryil Infotech Pvt. Ltd., Workflow Ranka Junction, 3rd Floor, 224, KR Puram, Bangalore – 560016, Karnataka, India.