
Legal

Privacy policy.

How nextdooh — operated by KRYIL INFOTECH PRIVATE LIMITED — collects, uses, and protects your personal data. Written in plain English; binding in legal effect.

Data controller
KRYIL INFOTECH PRIVATE LIMITED
[email protected] · https://kryil.com

Effective: 1 January 2026 · Last updated: 25 May 2026

Contents (16 sections)
  1. Who we are
  2. Scope of this policy
  3. Information we collect
  4. How we use your information
  5. Sharing & disclosure
  6. International transfers
  7. Retention
  8. Security
  9. Your rights
  10. Cookies and similar technologies
  11. Children
  12. Third-party links
  13. Automated decision-making
  14. Changes to this policy
  15. Complaints
  16. Contact us

1. Who we are

This Privacy Policy explains how KRYIL INFOTECH PRIVATE LIMITED ("Kryil", "we", "us", "our") collects, uses, discloses, and protects personal data in connection with the nextdooh digital signage platform (the "Service"). It applies to the website at nextdooh.com, the operator dashboard, the player apps for Android TV / Android / Tizen / webOS / browser kiosks, and any APIs we expose.

Kryil is a private limited company incorporated in India. Our registered office and primary processing location are in India.

2. Scope of this policy

This policy applies to two related groups of data subjects:

(a) Operators — the people and organisations who sign up for a nextdooh account to manage their own signage screens. We act as a data controller for operator account data.

(b) Audiences — the people who pass in front of screens running nextdooh content. We do NOT collect any biometric, facial, or device-identifier data from passers-by, and the player apps shipped by Kryil do not run any audience-measurement SDK by default. If an operator chooses to integrate a third-party analytics overlay, that integration is governed by the operator's own privacy notice, not ours.

3. Information we collect

We collect only the data needed to operate the Service and meet our legal obligations. We collect data in four categories:

| Category | What we collect | Source |
| --- | --- | --- |
| Account data | Email, hashed password, display name, organisation name, contact phone (optional), profile photo (optional), preferred locale | You, at sign-up + in profile settings |
| Billing data | Plan tier, billing region, GST identifier (India), invoices, payment-processor transaction IDs (we do not store full card numbers — those live with the payment processor) | You + payment processor |
| Device data | Device pairing code, device-assigned name, location label, screen orientation, OS + app version, last-seen timestamp, IP address of the device at sync time | The player app, on every sync poll |
| Content + telemetry | Media uploads (images, videos), playlists, layouts, schedules, proof-of-play logs (which file played on which screen at which timestamp), command history | You + the player app |
| Technical logs | Server access logs (IP, user-agent, path, response code, timestamp), error reports, security-event logs (failed logins, account lockouts) | Automatic, server-side |

4. How we use your information

We use personal data for the following purposes, with the legal bases shown next to each. Where a legal basis is shown for the EU/UK only, the same processing in India is permitted under DPDP Act 2023 because it is necessary to deliver the Service you signed up for.

| Purpose | Legal basis (GDPR / UK) |
| --- | --- |
| Authenticate your account + maintain your session | Contract performance (Art. 6(1)(b)) |
| Deliver content from the dashboard to your paired devices | Contract performance (Art. 6(1)(b)) |
| Generate analytics reports (proof-of-play, uptime) for your own screens | Contract performance (Art. 6(1)(b)) |
| Send transactional emails (verification, password reset, billing receipts) | Contract performance (Art. 6(1)(b)) |
| Detect and block abuse, fraud, brute-force login attempts | Legitimate interest (Art. 6(1)(f)) |
| Comply with tax + accounting law (invoice retention, GST returns) | Legal obligation (Art. 6(1)(c)) |
| Respond to support requests you initiate | Contract performance (Art. 6(1)(b)) |
| Send occasional product update emails (you can opt out at any time) | Legitimate interest (Art. 6(1)(f)) |

We do NOT use your data for: profiling, advertising, automated decision-making with legal effect, or training generative-AI models on your media uploads.

5. Sharing & disclosure

We share personal data only with a small number of vetted sub-processors who deliver pieces of the Service on our behalf. Each is bound by a written data-processing agreement and may only act on our documented instructions. Current sub-processors:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Microsoft Azure | Cloud hosting (compute, database, blob storage), application logs | India + EU (Azure regions we deploy to) |
| Resend | Transactional email delivery (primary) | US (Resend operates from US) |
| Microsoft 365 SMTP | Transactional email delivery (fallback) | EU / US (Microsoft regions) |
| Stripe | Payment processing for USD/EUR/GBP transactions | US + EU |

We disclose personal data outside this list only when (a) you have given specific consent, (b) we are required to do so by a court order or other binding legal process from a competent authority, or (c) it is necessary to protect our or a third party's rights, property, or safety. In all such cases we will narrowly scope the disclosure and, where legally permitted, notify you in advance.

We do NOT sell personal data and have never done so.

6. International transfers

Our infrastructure is primarily hosted in India. For customers in the EU/UK, personal data may be transferred to India or to other regions where our sub-processors operate. Where the destination has not received an adequacy decision from the European Commission or the UK ICO, we rely on the European Commission's Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum, as applicable. A copy of the relevant transfer mechanism is available on request to `[email protected]`.

7. Retention

We retain personal data only for as long as needed to deliver the Service and meet our legal obligations. Defaults:

| Data | Retention period |
| --- | --- |
| Account profile + auth credentials | For the lifetime of the account; deleted within 30 days of account closure |
| Media uploads | For the lifetime of the account; deleted on account closure or earlier on request |
| Playback logs / proof-of-play | 12 months rolling; older logs are aggregated and personal-data-stripped |
| Server access logs | 90 days, then purged |
| Billing records (invoices, GST returns) | 8 years from the financial year of issue — required by Indian tax law |
| Customer support tickets | 24 months from last contact, unless deletion requested |

After the retention period, data is either deleted or irreversibly anonymised (so it can no longer be linked to an identifiable person).

8. Security

We apply industry-standard safeguards to protect personal data:

- All web traffic uses HTTPS/TLS 1.2 or later.

- Passwords are stored hashed using bcrypt with per-row salts; we never log or transmit raw passwords.

- Database access requires authenticated, allow-listed connections; backups are encrypted at rest.

- Media blobs are stored in Azure Blob Storage and served via short-lived signed URLs.

- Failed login attempts are rate-limited; suspicious activity triggers an account lockout.

- Internal admin access is restricted to named operators and audit-logged.

No system is invulnerable. If we discover a personal-data breach that is likely to result in risk to your rights, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, in line with GDPR Art. 33–34 and DPDP Act s. 8.

9. Your rights

Subject to local law, you have the following rights over your personal data. To exercise any of them, email `[email protected]` from the email address on your account. We will verify your identity and respond within 30 days (15 days under the DPDP Act, where applicable).

Under GDPR / UK GDPR: access, rectification, erasure, restriction of processing, data portability, objection to processing, the right to withdraw consent at any time, and the right to lodge a complaint with your local supervisory authority.

Under the DPDP Act 2023 (India): access to personal data we process about you, correction, completion, updating, erasure, and the right to nominate another individual to exercise these rights if you are incapacitated or deceased.

Under the CCPA / CPRA (California): the right to know what categories of personal information we collect, the right to delete, the right to correct, the right to opt out of sale or sharing (we do neither), and the right to non-discrimination for exercising these rights.

You may withdraw a previously-given consent at any time without affecting the lawfulness of processing carried out before withdrawal.

10. Cookies and similar technologies

We use a small number of cookies and equivalents (localStorage, sessionStorage). All are strictly necessary to operate the Service — we do not run advertising cookies, third-party trackers, or session-replay tools.

| Cookie / key | Purpose | Lifetime |
| --- | --- | --- |
| access_token (storage) | Your authenticated session token | Until logout |
| nextdooh_locale | Preferred language (en / fr / de / ar) | 1 year |
| theme | Light / dark UI preference (where offered) | 1 year |

You can clear these from your browser at any time. Clearing the session token will log you out.

11. Children

The Service is a B2B platform for operators managing screens; it is not directed at children. We do not knowingly collect personal data from individuals under 18. If you believe a child has provided personal data to us, please contact `[email protected]` and we will delete it.

13. Automated decision-making

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. Account-related decisions (suspension for non-payment, abuse blocks) are always reviewed by a human operator.

14. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of the page reflects the most recent material change. Substantive changes will be announced in-app, by email to your account address, or both. Continued use of the Service after the effective date of an update constitutes acceptance of the revised policy.

15. Complaints

If you believe we have not handled your personal data in accordance with this policy or applicable law, please contact us first at `[email protected]` so we have an opportunity to investigate. If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

- India: the Data Protection Board of India, once constituted under the DPDP Act 2023.

- EU: your local Data Protection Authority. A directory is available at edpb.europa.eu/about-edpb/about-edpb/members_en.

- UK: the Information Commissioner's Office (ICO) at ico.org.uk.

- California: the California Privacy Protection Agency at cppa.ca.gov.

16. Contact us

For any question, request, or complaint about this policy or about how we handle your personal data:

KRYIL INFOTECH PRIVATE LIMITED

Workflow Ranka Junction, 3rd Floor, 224

KR Puram, Bangalore – 560016

Karnataka, India

Email: [email protected]

Web: https://kryil.com

© 2026 KRYIL INFOTECH PRIVATE LIMITED. All rights reserved.