
Privacy Policy

Last updated: 15 March 2026

Kodspot ("we", "us", "our") operates the Kodspot Housekeeping platform at app.kodspot.in. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act) of India.

1. Data We Collect

We collect the following categories of personal data:

  • Account Data: Name, email address, phone number, and role (Admin/Supervisor) — provided during account creation by your organization administrator.
  • Authentication Data: Password (stored as a one-way bcrypt hash — we never store plain-text passwords).
  • Operational Data: Cleaning records, photographs of cleaned locations, timestamps, shift information, and worker assignments.
  • Guest Complaint Data: Name and phone number (optional, provided voluntarily when submitting a complaint via QR code scan), issue type, and description.
  • Technical Data: IP address, browser type, and device information — collected automatically for security and rate-limiting purposes.
  • Organization Data: Organization name, type, address, phone, and email — provided by the Super Admin.
  • Sensitive Personal Data (IT Rules 2011, Rule 3): Aadhaar number, blood group, date of birth, and gender, collected optionally for worker records by the organization administrator. These fields are encrypted at rest using AES-256-GCM and stored only when provided.

2. Purpose of Data Collection

We process your personal data for the following lawful purposes:

  • Providing and operating the housekeeping management platform.
  • Authenticating users and managing access control.
  • Recording and tracking cleaning operations and facility maintenance.
  • Generating analytics and performance reports for organization administrators.
  • Processing and routing guest complaints to appropriate staff.
  • Ensuring platform security, preventing abuse, and enforcing rate limits.
  • Maintaining audit logs for accountability and compliance.

3. Legal Basis for Processing (DPDP Act 2023)

We process personal data based on:

  • Consent: Guest complaint submissions are voluntary. Organization administrators consent on behalf of their staff during onboarding.
  • Legitimate Use: Processing necessary for performing the contract between Kodspot and the subscribing organization.
  • Compliance: Processing required to comply with applicable laws.

4. Data Storage and Security

  • All data is stored on servers located in India (Google Cloud Platform, Mumbai region).
  • Data is encrypted in transit using TLS 1.2+ (HTTPS enforced via HSTS).
  • Sensitive personal data (Aadhaar number, blood group) is encrypted at rest using AES-256-GCM with a server-side encryption key.
  • Passwords are hashed using bcrypt with a cost factor of 12. Passwords must contain at least 8 characters, including uppercase, lowercase, and a digit.
  • Photographs are stored in Cloudflare R2 (encrypted at rest) and automatically deleted after 7 days.
  • Database access is restricted to the application server only; no public database access is permitted.
  • All authentication tokens expire after 24 hours. Changing your password immediately invalidates all existing sessions.
  • We implement rate limiting, input validation, and output encoding to prevent common attacks.

5. Data Retention

  • Cleaning photographs: Automatically deleted after 7 days.
  • Cleaning records and audit logs: Retained for the duration of the organization's subscription, plus 90 days after termination.
  • User accounts: Retained until the organization administrator deactivates or deletes them, or the organization subscription ends.
  • Guest complaint data: Retained for 180 days, then automatically anonymized — guest name and phone number are permanently deleted from the database. The complaint record (issue type, description, resolution) is retained without identifying information.

6. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. Data may be shared with:

  • Your Organization: Administrators and supervisors within your organization can access data relevant to their role.
  • Infrastructure Providers: Google Cloud Platform (hosting), Cloudflare (CDN/storage), and Amazon Web Services (email delivery) — all bound by their respective data processing agreements.
  • Law Enforcement: When required by a valid court order or legal obligation under Indian law.

7. Your Rights (DPDP Act 2023)

As a Data Principal, you have the right to:

  • Access: Request a summary of the personal data we hold about you.
  • Data Portability: Export your personal data in a machine-readable format (JSON) via the platform's data export feature.
  • Correction: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data (subject to legal and contractual retention requirements).
  • Grievance Redressal: File a complaint with our Grievance Officer (see Section 11).
  • Nomination: Nominate another individual to exercise your rights in case of your death or incapacity.

To exercise your rights, contact us at the email provided in Section 11. We will respond within 30 days.

8. Consent

We collect personal data based on the following consent mechanisms:

  • Organizational consent: When an organization subscribes to Kodspot, the administrator consents on behalf of the organization and its staff for data necessary to operate the platform.
  • Guest consent: When a guest provides their name or phone number via the complaint form, they must explicitly check a consent checkbox before submission, acknowledging our Privacy Policy.
  • Sensitive data consent: Worker sensitive data (Aadhaar number, blood group) is collected only when voluntarily provided by the organization administrator. Collection is optional and not required for platform functionality.

9. Data Breach Notification

In the event of a personal data breach that is likely to cause harm to Data Principals:

  • We will notify the Data Protection Board of India without unreasonable delay, and no later than 72 hours after becoming aware of the breach.
  • Affected Data Principals (users or organizations) will be notified via email and/or platform notification as soon as practicable.
  • The notification will include: nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.
  • We maintain an internal breach register documenting all incidents, their assessment, and remediation actions.

10. Cookies and Local Storage

We use sessionStorage (browser tab-level) to store your authentication token during a session. This data is automatically cleared when you close the browser tab. We do not use third-party tracking cookies or analytics scripts.

11. Children's Data

Kodspot is a workplace productivity tool and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.

12. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the Grievance Officer for Kodspot is:

  • Name: Kishan
  • Email: privacy@kodspot.in
  • Response Time: Within 30 days of receipt of complaint.

If you are unsatisfied with our response, you may file a complaint with the Data Protection Board of India as established under the DPDP Act, 2023.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the platform. The "Last updated" date at the top will reflect the latest revision.

14. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka.