Privacy Policy
Last updated: April 5, 2026
Effective date: April 29, 2026 · Version: 2026-04-29-v1
Ganakys Codilla Apps OPC Pvt. Ltd. ("Ganakys", "we", "us", "our") is the Data Fiduciary for personal data we process about you. This policy describes what we collect, why we collect it, how long we keep it, and the rights you have under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025.
> This policy is published in DRAFT form and is reviewed by Indian counsel before it is made binding on the first paying client engagement. Material revisions bump the version above and re-prompt your consent.
1. Who we are
Data Fiduciary: Ganakys Codilla Apps OPC Pvt. Ltd., a One Person Company incorporated under the Companies Act, 2013. Registered office: TC 6/1608-6, Flat A2, Rose Apartment, Neerazhi Lane, Ulloor, Thiruvananthapuram, Kerala 695011, India. Grievance Officer: Snehalatha Ganaky, Director — reachable at grievance@ganakys.com (see /grievance for details and escalation path).
2. Personal data we process
Depending on how you interact with us, we process some or all of the following:
- Identity data — name, email, phone, company name, country.
- KYC documentation (only if you onboard as a paying client) — PAN, GSTIN, address proof, bank account details. Stored encrypted at rest; access restricted to operators who need it for invoicing or refunds.
- Project data — information you provide when submitting a BOT request or while we run an engagement for you.
- Payment metadata — invoice numbers, payment references, UTRs, refund records. Card details themselves are processed by Razorpay; we never receive or store full card numbers.
- Technical data — IP address (hashed for the consent log), user agent, request timestamps, audit-log entries for security-sensitive actions.
- Cookies and consent — see Section 8.
We do not knowingly collect personal data of children under 18. The Ganakys platform is a B2B service intended for adult founders and operators.
3. Why we process your data, and on what lawful basis
Under the DPDP Act, every processing activity has a lawful basis. Ours are:
- Consent (Section 6) — for non-essential cookies, marketing communications, and any optional features you explicitly opt into.
- Legitimate use under Section 7(a) — performance of services you have requested (e.g. running an engagement, issuing invoices, providing portal access).
- Legitimate use under Section 7(b) — compliance with our legal obligations under the Companies Act, Income Tax Act, CGST Act, Prevention of Money Laundering Act and DPDP Act.
- Legitimate use under Section 7(g) — protection from fraud, abuse, network attack, and operational misuse.
We do not process your personal data for purposes you did not contract for, and we do not sell or rent your personal data.
4. Sub-processors
We rely on a small number of vetted sub-processors to provide the service. The full, current list — including the categories of personal data they receive, their region, and a link to their privacy policy — is published at /sub-processors and updated when sub-processors change.
5. Retention
We retain personal data only as long as the lawful basis for processing applies. After that, data is deleted or irreversibly anonymized. Specifically:
- Tax invoices and supporting documents — 8 years from end of the relevant financial year (Income Tax Act, Section 44AA + Rule 6F).
- GST records — 6 years from the last action on the record (CGST Act, Section 36).
- Companies Act records — 8 years (Section 128).
- Audit logs — 1 year hot, 6 years cold.
- KYC documentation — for the duration of the engagement plus 5 years after closure or as required by law.
- All other personal data — for the duration of the engagement plus 30 days, after which it is purged unless a statutory retention applies.
- Consent records — for the duration of the consent plus 7 years (proof of lawful processing).
If you exercise your right to erasure (see Section 7), data covered by a statutory retention is anonymized rather than deleted, and the rest is removed.
6. Security
We apply layered safeguards consistent with DPDP Section 8(5):
- TLS 1.2+ in transit; HSTS enforced.
- Authentication via salted password hashes; mandatory two-factor authentication on the client portal.
- Column-level encryption for sensitive identifiers (PAN, GSTIN, bank account).
- Strict role-based access for operators; every sensitive read or mutation is audit-logged.
- Cloudflare Web Application Firewall and DDoS mitigation in front of all hosts.
- Self-hosted antivirus scanning of all client uploads.
- Daily database integrity backups, retained per the schedule above.
No system can guarantee absolute security; we monitor for breaches and notify you and the Data Protection Board of India in line with Section 8(6) if a notifiable breach occurs.
7. Your rights as a Data Principal
Under DPDP Sections 11–14 you have the right to:
- Access — receive a summary of the personal data we process about you and the purposes of that processing.
- Correction and completion — have inaccurate or incomplete data corrected.
- Erasure — have your personal data deleted, subject to statutory retention noted in Section 5.
- Nominee — nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
- Grievance redressal — raise a complaint with our Grievance Officer if your rights are not honoured.
You can exercise all of the above from inside the client portal at /me/privacy (once you are logged in), or by emailing grievance@ganakys.com. We respond within 30 days as required by the DPDP Rules, 2025.
If you are not satisfied with our response, you may escalate to the Data Protection Board of India as constituted under the DPDP Act.
8. Cookies and tracking
We use only essential cookies by default. With your consent (recorded the first time you visit, and changeable at any time from the "Cookie preferences" link in the footer), we may also enable analytics or marketing cookies. We do not currently use any third-party advertising or cross-site tracking technology.
A complete description of cookie categories, retention, and how to withdraw consent is presented in the consent banner the first time you visit the site.
9. Cross-border transfers
Some sub-processors (Cloudflare, Let's Encrypt, GitHub) operate globally. Cross-border transfers, where they occur, are made consistent with Section 16 of the DPDP Act and are limited to jurisdictions not restricted by the Central Government. The list of jurisdictions and sub-processors is at /sub-processors.
10. Changes to this policy
We may update this policy. Material changes bump the version number above and re-prompt your consent on next visit. Earlier versions remain available on request.
11. Contact
For any privacy question, write to grievance@ganakys.com or to the registered address in Section 1. The Grievance Officer responds within 7 business days for grievances and within 30 days for rights requests.