This Privacy Policy describes how Pramanak ("we", "us", or "our") collects, uses, stores, and shares information about you when you use our website, platform, and messaging services (collectively, the "Service"). By using the Service you agree to the practices described here.
1. Information We Collect
We collect the following categories of information:
- Account information: Name, email address, username, password (hashed), and profile photo when you register.
- Organization data: Organization name, type, branch hierarchy, member lists, and roles.
- Bearer / student / participant data: Names, roll numbers, dates of birth, photos, guardian names, phone numbers, and other fields uploaded for ID card, certificate, or registration generation.
- Phone numbers and contact data: Collected for WhatsApp messaging, SMS, and account verification where applicable.
- WhatsApp message data: Template names, message parameters, delivery status, read receipts, and incoming replies when you use our WhatsApp messaging integration.
- Usage data: IP address, browser type, device information, pages visited, and interaction logs for security and service improvement.
- Cookies and local storage: Session tokens, preferences, and authentication state.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service.
- Generate ID cards, certificates, and other documents requested by your organization.
- Authenticate users and enforce organization and branch-level access controls.
- Send transactional and utility WhatsApp notifications — for example, registration confirmations, photo upload links, and "ID card ready" alerts — to recipients who have been opted in by the controlling organization.
- Respond to your support requests and security inquiries.
- Comply with legal obligations and enforce our Terms of Service.
3. WhatsApp Messaging — Data Handling
Our WhatsApp integration is built on the official WhatsApp Business Platform provided by Meta. When your organization uses this feature:
- Phone numbers: We process recipient phone numbers (in E.164 format) solely to deliver messages requested by the organization. Numbers are never sold, rented, or shared for marketing by third parties.
- Message content: We only send pre-approved message templates that have been reviewed by Meta. Template parameters (e.g., name, student name, card number, upload link) are filled in at send-time and stored with the message record.
- Delivery metadata: We receive webhook events from Meta containing status (sent, delivered, read, failed) and store this metadata to show delivery logs to the sending organization.
- Inbound messages: If a recipient replies to a WhatsApp message, that reply is stored and made available to authorised organization admins for a limited period (see Section 7).
- Data sent to Meta: Recipient phone number, template name, template parameters, and any media URLs you attach. Meta processes this data under its own WhatsApp Business Policy and WhatsApp Privacy Policy.
- Encryption: Access tokens and webhook secrets are encrypted at rest using AES-GCM. Transport to Meta is over HTTPS, and webhook events received from Meta are verified using HMAC-SHA256 signatures.
- Test phone safety registry: We maintain a registry of blocked and test-only phone numbers to prevent accidental delivery of messages to invalid or sensitive numbers.
4. Opt-in and Consent for WhatsApp Messaging
We only send WhatsApp messages to recipients who have provided valid opt-in consent. Consent is typically obtained by the organization operating the account (the "Controller"), for example a school collecting parent phone numbers at enrolment. The Controller is responsible for recording and retaining evidence of opt-in.
Recipients can opt out at any time by replying STOP, UNSUBSCRIBE, or BLOCK to any message, or by contacting the organization directly. Opt-outs are honoured immediately and the phone number is added to a suppression list. See our WhatsApp Messaging Policy for full details.
5. Data Storage and Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- All data in transit is encrypted over TLS 1.2+.
- Passwords are stored as salted bcrypt hashes.
- API access tokens and webhook secrets are encrypted at rest with AES-GCM.
- Database access is restricted to authorized services and personnel.
- JWT-based authentication with server-side session invalidation on password change.
- Organization-level access controls prevent cross-tenant data leakage.
6. Data Sharing
We do not sell, rent, or trade your personal information. We share data only in the following narrow circumstances:
- Within your organization: Data is accessible to users granted access by the organization owner or admin, subject to role-based permissions.
- Service providers: Cloud hosting (AWS), email delivery, and WhatsApp messaging (Meta) providers process data on our behalf under written data-processing terms.
- Legal obligations: We may disclose data when required by law, court order, or to investigate security incidents or fraud.
- Business transfers: If we are acquired or merged, user data may be transferred under the same privacy commitments.
7. Data Retention
We retain data for the following periods:
- Account data: For as long as your account is active, and up to 90 days after deletion to support recovery.
- Organization and bearer data: Controlled by the organization owner and deletable at any time.
- WhatsApp message logs: 180 days by default, then automatically purged; delivery metadata may be retained in aggregate form for analytics.
- Webhook events: 30 days.
- Audit logs: 1 year for security and compliance purposes.
8. Photo and Image Data
Photos uploaded for ID card or certificate generation are stored securely and used solely to produce the requested documents. Access is restricted to authorised members of the organization that uploaded the photo. Photos are deleted when the organization deletes the associated record or when the organization is closed.
9. Your Rights
Subject to applicable law, you have the right to:
- Access and receive a copy of your personal data.
- Request correction of inaccurate or incomplete data.
- Request deletion of your personal data (see the Data Deletion page).
- Withdraw consent for WhatsApp messaging at any time (reply STOP).
- Object to or restrict processing of your data.
- Data portability — export your data in a structured, machine-readable format.
- Lodge a complaint with a data protection authority.
10. Children's Data
Our Service is designed for educational institutions and organizations that process data about minors (e.g., students). Such data is processed on behalf of the organization, which is the data controller and is responsible for obtaining any necessary parental or guardian consent before uploading information about minors to the Service.
11. Cookies
We use essential cookies and browser local storage to maintain your session, remember preferences, and secure the Service. These are strictly necessary for the Service to function and cannot be disabled without affecting core features. We do not use advertising or cross-site tracking cookies.
12. International Transfers
Data may be processed on servers located in India, the European Union, or the United States (including by Meta for WhatsApp message delivery). Where transfers occur across jurisdictions, we rely on appropriate safeguards such as standard contractual clauses.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via the Service and by updating the "Last updated" date at the top of this page. Continued use of the Service after an update constitutes acceptance of the revised policy.
14. Contact Us
For privacy inquiries, data subject requests, or to exercise any of your rights, please contact us: