Samay Cyber Pulse — operated by Samay Invotech Private Limited · Last updated / Effective date: 5 July 2026
This Privacy Policy explains how Samay Invotech Private Limited ("Samay", "we", "us", or "our") handles personal data in connection with the Samay Cyber Pulse platform, admin portal, mobile applications, and related services (the "Service"). It should be read together with our Terms of Service.
Samay Cyber Pulse is a business-to-business workplace tool. It is used by employers ("Customers") to manage and enforce internet-access policies on the devices of their field workers and employees ("Workers") during assigned shift hours.
This policy is issued in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and rules made under them.
In respect of the personal data of Workers processed through the Service:
Because the employer is the Data Fiduciary, the employer is responsible for establishing a lawful basis under the DPDP Act, for giving Workers any required notice, and for obtaining any required consent. Requests by a Worker to exercise rights over their data are addressed first to the employer; Samay assists the employer in responding (see Your Rights).
For personal data of visitors to our website and of Customer contacts (for example, an admin's name and email), Samay is the Data Fiduciary and processes that data as described in this policy.
We deliberately collect the minimum data needed to operate a DNS-based enforcement service.
Provided by the employer: name, work email address, phone number, assigned group, shift schedule, and account status.
From the Worker's enrolled device: device make and model, operating-system version, app version, device network (public IP address), connection/heartbeat timestamps, VPN connection state, and a device identifier used to bind the account to the device.
The domain names queried by the device (for example, example.com) and whether each query was allowed or blocked, with timestamps. We do not capture the content of web pages, messages, or files.
To keep blocking accurate, during shift hours the app reports observations from the enforced device — the TLS server hostname (SNI) of connections, the application/package that made them, and newly-seen domain names. This is used only to strengthen our service-detection catalogue so that the correct applications and websites are blocked; it does not include page content, messages, or files. This data is stored for a limited period and then deleted (see Data Retention). This collection is carried out under the employer's lawful basis; where an employer operates in a mode that requires individual consent, the app obtains it first and the Worker can withdraw it at any time, without affecting the core DNS-enforcement functionality.
App diagnostic reports and, via Firebase Crashlytics, crash and error logs (device state, OS version, app version, stack traces) used to detect and fix failures. These are technical diagnostics, not browsing content.
Via Google Analytics, we collect aggregate usage and interaction data on our website and within the app (for example, screens viewed, feature usage, app version, device type, and approximate location derived from IP) to understand how the Service is performing and to improve it. This is not used for advertising or to profile individual Workers.
A Firebase/APNs token used to deliver operational notifications (for example, shift start/end and re-authentication prompts).
If you visit samayinvotech.com, we may process basic technical data (IP address, browser type, pages viewed) and any information you submit through contact forms.
We do not collect the content of your browsing, the content of your messages or calls, passwords, GPS or precise-location data, photos, files, or keystrokes. The app does not request location permission.
Worker data is used solely to:
We do not use Worker data for advertising, and we do not sell, rent, or share personal data with any third party for advertising, marketing, or profiling.
Aggregated / de-identified data. We may generate aggregated or de-identified statistics (which do not identify any individual, employer, or device) — for example, the IP addresses of blocked services as network intelligence — to operate, secure, and improve the Service.
Certain data (such as the authentication token, the DNS endpoint, and the active blocklist) is stored locally on the Worker's device in encrypted storage (Android EncryptedSharedPreferences / iOS Keychain-backed secure storage) so the app can enforce policy reliably.
Data in transit is protected using TLS 1.2 or higher and DNS-over-HTTPS. See Security.
We keep personal data only as long as needed for the purposes above or as required by law:
| Data | Retention |
|---|---|
| DNS query logs (on the employer's dedicated server) | 90 days, then automatically deleted |
| Diagnostic reports | 90 days |
| Application-detection metadata (SNI/signature data) | 90 days, then automatically deleted |
| Device registration records | Duration of employment/engagement + 30 days |
| Worker account/profile data (name, email, phone) | Duration of the employer's engagement; deleted or returned on termination, subject to legal retention |
| Audit logs | 1 year (compliance) |
| Crash/diagnostic logs (Firebase Crashlytics) | Per the provider's standard retention (approximately 90 days) |
Default 90-day retention. Unless a longer period is required by law (for example, audit logs), the default retention for logs and enforcement data is 90 days, after which the data is deleted automatically. A Customer that requires a longer retention period may request it; longer retention increases storage cost and is subject to separate commercial terms.
On expiry or termination of the Service, we delete or return Customer personal data in accordance with the Terms of Service, except where retention is required by applicable law. As described in the Terms of Service, on non-renewal the Customer's Service environment and its logs are deleted within 30 days, after which no logs are recoverable.
We implement reasonable security safeguards designed to protect personal data, including: encryption in transit (TLS 1.2+ and DNS-over-HTTPS); encrypted storage of sensitive values on-device; per-Customer isolation (each employer's data is processed on a dedicated server); signed, authenticated configuration synchronisation; access controls and least-privilege administration; and session/token revocation controls.
No absolute guarantee. While we take these measures, no method of transmission or storage is completely secure. We cannot and do not guarantee that the Service is immune to every possible breach or unauthorised access. Our liability in connection with data processing is subject to the limitations in the Terms of Service.
Subject to the DPDP Act, a Data Principal (including a Worker) has the right to: access a summary of their personal data and how it is processed; request correction, completion, or updating; request erasure where retention is no longer necessary; nominate another individual to exercise rights in the event of death or incapacity; and, where processing is based on consent, withdraw that consent.
How to exercise rights. Because your employer is the Data Fiduciary for Worker data, please direct requests to your employer in the first instance. Where a request reaches Samay, we will assist the employer, or act on the employer's instructions, to fulfil it. For website/contact data, you may contact us directly.
Grievance redressal. If you have a concern or complaint about how your personal data is handled, contact our Grievance Officer. We will acknowledge and respond within the timelines prescribed under the DPDP Act (and in any event within 30 days). If you remain unsatisfied, you may escalate to the Data Protection Board of India.
Where Samay processes personal data as a Data Processor, on becoming aware of a personal data breach affecting a Customer's data we will notify that Customer (the Data Fiduciary) without undue delay and provide the information reasonably available to help it meet its obligations to notify the Data Protection Board of India and affected Data Principals within the timelines prescribed by law. The Customer, as Data Fiduciary, is responsible for making any legally required notifications to Workers and the Board.
Data residency. For Customers in India, personal data and logs are stored on servers located in India (Google Cloud Platform, asia-south1 region). For Customers outside India, their logs and enforcement data are stored on a dedicated server located in their own country or region. The admin portal used to sign in and manage the Service may be accessible from anywhere, but each Customer's logs remain stored in that Customer's home country/region.
Limited transfers to sub-processors. Certain sub-processors (for example, push-notification, email, and crash-diagnostics/analytics providers, and the app stores) may process limited operational data outside the Customer's home region. Any such transfer is carried out in accordance with Section 16 of the DPDP Act and applicable law. Where a Customer's dedicated server is located outside India, the Customer is responsible for any resulting obligations as Data Fiduciary in that jurisdiction.
The Service is a workplace tool intended for use by an employer's adult workforce. It is not directed at children, and we do not knowingly collect the personal data of anyone below the age of 18. If you believe a minor's data has been provided to us, contact the Grievance Officer and we will act with the employer to address it.
We may update this policy from time to time. Where changes are material, we will take reasonable steps to notify Customers (for example, by email to the registered contact or by notice within the admin portal) and will update the "Effective Date" above. We encourage you to review this policy periodically.
This policy is governed by the laws of India. Subject to the dispute-resolution provisions of the Terms of Service, the courts at New Delhi, India have exclusive jurisdiction over any dispute arising out of or in connection with it.
By using Samay Cyber Pulse, you acknowledge that you have read and understood this Privacy Policy.