Samay Cyber Pulse — employee internet control app by Samay Invotech
Request a free pilot
B2B DNS Enforcement Platform

Privacy Policy

Samay Cyber Pulse — operated by Samay Invotech Private Limited · Last updated / Effective date: 5 July 2026

Platform
Samay Cyber Pulse
Data Processor
Samay Invotech Pvt. Ltd.
Data Fiduciary
Your Employer (Customer)
Section 01

Introduction

This Privacy Policy explains how Samay Invotech Private Limited ("Samay", "we", "us", or "our") handles personal data in connection with the Samay Cyber Pulse platform, admin portal, mobile applications, and related services (the "Service"). It should be read together with our Terms of Service.

Samay Cyber Pulse is a business-to-business workplace tool. It is used by employers ("Customers") to manage and enforce internet-access policies on the devices of their field workers and employees ("Workers") during assigned shift hours.

This policy is issued in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and rules made under them.

Section 02

Our Role: Who Is Responsible for Your Data

In respect of the personal data of Workers processed through the Service:

  • the Customer (your employer) is the Data Fiduciary — it decides what data is collected, why, and for how long; and
  • Samay is the Data Processor — we process that data only on the documented instructions of the employer, to provide the Service.

Because the employer is the Data Fiduciary, the employer is responsible for establishing a lawful basis under the DPDP Act, for giving Workers any required notice, and for obtaining any required consent. Requests by a Worker to exercise rights over their data are addressed first to the employer; Samay assists the employer in responding (see Your Rights).

For personal data of visitors to our website and of Customer contacts (for example, an admin's name and email), Samay is the Data Fiduciary and processes that data as described in this policy.

Section 03

Data We Collect

We deliberately collect the minimum data needed to operate a DNS-based enforcement service.

Worker Account Data

Provided by the employer: name, work email address, phone number, assigned group, shift schedule, and account status.

Device and Connection Data

From the Worker's enrolled device: device make and model, operating-system version, app version, device network (public IP address), connection/heartbeat timestamps, VPN connection state, and a device identifier used to bind the account to the device.

DNS Enforcement Metadata

The domain names queried by the device (for example, example.com) and whether each query was allowed or blocked, with timestamps. We do not capture the content of web pages, messages, or files.

Application-Detection Metadata (SNI / Signatures)

To keep blocking accurate, during shift hours the app reports observations from the enforced device — the TLS server hostname (SNI) of connections, the application/package that made them, and newly-seen domain names. This is used only to strengthen our service-detection catalogue so that the correct applications and websites are blocked; it does not include page content, messages, or files. This data is stored for a limited period and then deleted (see Data Retention). This collection is carried out under the employer's lawful basis; where an employer operates in a mode that requires individual consent, the app obtains it first and the Worker can withdraw it at any time, without affecting the core DNS-enforcement functionality.

Diagnostic and Crash Data

App diagnostic reports and, via Firebase Crashlytics, crash and error logs (device state, OS version, app version, stack traces) used to detect and fix failures. These are technical diagnostics, not browsing content.

Usage and Performance Analytics

Via Google Analytics, we collect aggregate usage and interaction data on our website and within the app (for example, screens viewed, feature usage, app version, device type, and approximate location derived from IP) to understand how the Service is performing and to improve it. This is not used for advertising or to profile individual Workers.

Push-Notification Token

A Firebase/APNs token used to deliver operational notifications (for example, shift start/end and re-authentication prompts).

Website Data

If you visit samayinvotech.com, we may process basic technical data (IP address, browser type, pages viewed) and any information you submit through contact forms.

What We Do NOT Collect

We do not collect the content of your browsing, the content of your messages or calls, passwords, GPS or precise-location data, photos, files, or keystrokes. The app does not request location permission.

Section 04

How Data Is Used

Worker data is used solely to:

  • enforce the employer's internet-usage policy on the enrolled device during assigned shift hours (outside shift hours, enforcement is suspended);
  • deliver operational notifications to the Worker;
  • generate compliance and diagnostic reports for the employer;
  • detect, prevent, and investigate security issues, tampering, and circumvention;
  • understand how the Service performs and improve it (aggregate usage analytics); and
  • maintain, secure, and improve the Service.

We do not use Worker data for advertising, and we do not sell, rent, or share personal data with any third party for advertising, marketing, or profiling.

Aggregated / de-identified data. We may generate aggregated or de-identified statistics (which do not identify any individual, employer, or device) — for example, the IP addresses of blocked services as network intelligence — to operate, secure, and improve the Service.

Section 05

On-Device Storage and Encryption

Certain data (such as the authentication token, the DNS endpoint, and the active blocklist) is stored locally on the Worker's device in encrypted storage (Android EncryptedSharedPreferences / iOS Keychain-backed secure storage) so the app can enforce policy reliably.

Data in transit is protected using TLS 1.2 or higher and DNS-over-HTTPS. See Security.

Section 06

Sharing and Sub-Processors

We do not sell or disclose personal data to data brokers, advertisers, or any party for profiling. We share data only in the ways below.

Your employer. The employer's authorised IT administrators can access the reports, logs, device information, and settings relating to their own Workers, through the admin portal.

Infrastructure sub-processors. We use a limited set of service providers solely to operate the Service. They process data on our instructions and are not permitted to use it for their own purposes:

Sub-ProcessorPurposeData Involved
Cloud/VPS hosting provider (currently Google Cloud Platform)Hosts each Customer's dedicated server (per-tenant isolation)DNS enforcement metadata, worker profiles, device data
Cloudflare, Inc.Authoritative DNS / name servers, TLS certificates, and upstream DNS resolutionDomain queries (for resolution), connection metadata
Zoho Corporation (ZeptoMail)Transactional email delivery (one-time passcodes and account notifications)Email address, delivery content
Google LLC (Firebase Cloud Messaging & Crashlytics)Push-notification delivery (Android and iOS) and crash/error diagnosticsPush token, crash/diagnostic logs
Google LLC (Google Analytics)Usage and performance analytics (website and app)Usage/interaction events, device type, approximate location from IP
Apple Inc. (Apple Push Notification service)Push-notification delivery to iOS devicesPush token

The mobile app is distributed through Google Play and the Apple App Store; those platforms process download and app-store data under their own privacy policies.

Legal disclosure. We may disclose data where required by law, court order, or a lawful request by a public authority, or to establish, exercise, or defend legal claims.

Business transfer. If Samay is involved in a merger, acquisition, or sale of assets, data may be transferred as part of that transaction, subject to this policy.

We may update our sub-processors as the Service evolves and will reflect changes in this policy.

Section 07

Data Retention

We keep personal data only as long as needed for the purposes above or as required by law:

DataRetention
DNS query logs (on the employer's dedicated server)90 days, then automatically deleted
Diagnostic reports90 days
Application-detection metadata (SNI/signature data)90 days, then automatically deleted
Device registration recordsDuration of employment/engagement + 30 days
Worker account/profile data (name, email, phone)Duration of the employer's engagement; deleted or returned on termination, subject to legal retention
Audit logs1 year (compliance)
Crash/diagnostic logs (Firebase Crashlytics)Per the provider's standard retention (approximately 90 days)

Default 90-day retention. Unless a longer period is required by law (for example, audit logs), the default retention for logs and enforcement data is 90 days, after which the data is deleted automatically. A Customer that requires a longer retention period may request it; longer retention increases storage cost and is subject to separate commercial terms.

On expiry or termination of the Service, we delete or return Customer personal data in accordance with the Terms of Service, except where retention is required by applicable law. As described in the Terms of Service, on non-renewal the Customer's Service environment and its logs are deleted within 30 days, after which no logs are recoverable.

Section 08

Security

We implement reasonable security safeguards designed to protect personal data, including: encryption in transit (TLS 1.2+ and DNS-over-HTTPS); encrypted storage of sensitive values on-device; per-Customer isolation (each employer's data is processed on a dedicated server); signed, authenticated configuration synchronisation; access controls and least-privilege administration; and session/token revocation controls.

No absolute guarantee. While we take these measures, no method of transmission or storage is completely secure. We cannot and do not guarantee that the Service is immune to every possible breach or unauthorised access. Our liability in connection with data processing is subject to the limitations in the Terms of Service.

Section 09

Your Rights Under the DPDP Act

Subject to the DPDP Act, a Data Principal (including a Worker) has the right to: access a summary of their personal data and how it is processed; request correction, completion, or updating; request erasure where retention is no longer necessary; nominate another individual to exercise rights in the event of death or incapacity; and, where processing is based on consent, withdraw that consent.

How to exercise rights. Because your employer is the Data Fiduciary for Worker data, please direct requests to your employer in the first instance. Where a request reaches Samay, we will assist the employer, or act on the employer's instructions, to fulfil it. For website/contact data, you may contact us directly.

Grievance redressal. If you have a concern or complaint about how your personal data is handled, contact our Grievance Officer. We will acknowledge and respond within the timelines prescribed under the DPDP Act (and in any event within 30 days). If you remain unsatisfied, you may escalate to the Data Protection Board of India.

Section 10

Personal Data Breach

Where Samay processes personal data as a Data Processor, on becoming aware of a personal data breach affecting a Customer's data we will notify that Customer (the Data Fiduciary) without undue delay and provide the information reasonably available to help it meet its obligations to notify the Data Protection Board of India and affected Data Principals within the timelines prescribed by law. The Customer, as Data Fiduciary, is responsible for making any legally required notifications to Workers and the Board.

Section 11

Grievance Officer and Contact

Grievance OfficerRenu Handa, Director
Registered OfficeGG-1 Rd, 87A, Vikaspuri, New Delhi 110018, India
CIN · GSTINU62099DL2024PTC435317 · 07ABOCS0946B1ZD
Section 12

Cross-Border Processing

Data residency. For Customers in India, personal data and logs are stored on servers located in India (Google Cloud Platform, asia-south1 region). For Customers outside India, their logs and enforcement data are stored on a dedicated server located in their own country or region. The admin portal used to sign in and manage the Service may be accessible from anywhere, but each Customer's logs remain stored in that Customer's home country/region.

Limited transfers to sub-processors. Certain sub-processors (for example, push-notification, email, and crash-diagnostics/analytics providers, and the app stores) may process limited operational data outside the Customer's home region. Any such transfer is carried out in accordance with Section 16 of the DPDP Act and applicable law. Where a Customer's dedicated server is located outside India, the Customer is responsible for any resulting obligations as Data Fiduciary in that jurisdiction.

Section 13

Children

The Service is a workplace tool intended for use by an employer's adult workforce. It is not directed at children, and we do not knowingly collect the personal data of anyone below the age of 18. If you believe a minor's data has been provided to us, contact the Grievance Officer and we will act with the employer to address it.

Section 14

Cookies and Website Analytics

Our website (samayinvotech.com) and our app use Google Analytics to understand aggregate usage and how the Service is performing. This is used for product analytics only — we do not use it to build advertising profiles or to profile individual Workers. The website may use strictly necessary cookies to operate, and, where required by law, we will seek consent for non-essential cookies/analytics. The app does not use advertising cookies.

Section 15

Changes to This Policy

We may update this policy from time to time. Where changes are material, we will take reasonable steps to notify Customers (for example, by email to the registered contact or by notice within the admin portal) and will update the "Effective Date" above. We encourage you to review this policy periodically.

Section 16

Governing Law

This policy is governed by the laws of India. Subject to the dispute-resolution provisions of the Terms of Service, the courts at New Delhi, India have exclusive jurisdiction over any dispute arising out of or in connection with it.

By using Samay Cyber Pulse, you acknowledge that you have read and understood this Privacy Policy.