Privacy Policy
Last Updated: May 2026
Your Privacy Matters: spotin is committed to protecting your personal information. This policy explains what data we collect, how we use it, and your rights under the Digital Personal Data Protection Act, 2023 and applicable Indian law.
1. Information We Collect
1.1 Information You Provide
Booking Information: When making bookings, we collect your name, email address, phone number, booking dates and times, studio preferences, and special requirements.
Payment Information: Payment details are processed through our secure payment gateway (Razorpay). spotin does not store complete card numbers or CVV data on our servers.
Communications: Messages sent to us via the contact form, WhatsApp, or email.
1.2 Information Collected Automatically
Usage Data: Pages visited, time spent, search queries, booking patterns, device type, browser, operating system, and approximate location via IP address.
Cookies: We use cookies to enhance your experience and analyse website traffic. Essential cookies are always active. Analytics cookies (Google Analytics) are only activated upon your explicit consent via our cookie banner. You can withdraw consent at any time.
1.3 What We Do Not Collect
- We do not collect social media login data — spotin has no third-party social login
- We do not store complete payment card details on our servers
- We do not knowingly collect data from users under 18 years of age
2. How We Use Your Information
2.1 Core Services
- Processing and managing your bookings
- Sending booking confirmations via WhatsApp and email
- Facilitating payments and processing refunds
- Providing customer support and resolving disputes
2.2 Platform Improvement
- Analysing usage patterns to improve our platform (only with your cookie consent)
- Testing new features and monitoring platform performance
2.3 Marketing & Communication
We may send promotional offers and studio announcements only if you have opted in. You can opt out at any time by contacting us at [email protected] or via the unsubscribe link in any marketing email.
2.4 Legal & Safety
- Preventing fraud and unauthorised access
- Enforcing our Terms and Conditions
- Complying with legal obligations including GST, TDS, and tax filing requirements
3. How We Share Your Information
3.1 With Studio Partners
When you make a booking, we share your name, phone number, and email with the booked studio solely to enable them to fulfil your booking. Studios are contractually required to keep this information confidential, use it only for the booked session, and handle it in compliance with applicable law.
3.2 With Service Providers
We share data with the following trusted service providers who help us operate our platform:
- Payment Processing: Razorpay (for secure payment processing)
- Cloud Infrastructure: Google Cloud (Sheets API, Apps Script, Cloudflare Pages)
- Notifications: WhatsApp Cloud API (Meta) for booking confirmations
- Analytics: Google Analytics GA4 (only with your cookie consent)
3.3 Legal Requirements
We may disclose your information if required by law, court order, or government authority, or to protect the rights and safety of spotin, our partners, or our users.
3.4 What We Do Not Do
- We do NOT sell your personal data to third parties
- We do NOT share your data with advertisers
- We do NOT rent or lease customer data
4. Data Security
4.1 Security Measures
- SSL/TLS encryption for all data transmission (HTTPS enforced via HSTS)
- Encrypted storage of sensitive information
- Content Security Policy (CSP) and security headers on all pages
- Access controls limiting who can view customer data
- Razorpay's PCI-DSS compliant payment processing
4.2 Data Breach Protocol
In the event of a data breach affecting your personal information, spotin will notify affected users and relevant authorities as soon as practicable and without undue delay, as required under the Digital Personal Data Protection Act, 2023. We will take immediate steps to secure affected systems and provide guidance on protecting your data.
5. Your Data Rights (DPDP Act 2023)
5.1 Right to Access
You have the right to access all personal data we hold about you and to receive a summary of processing activities.
5.2 Right to Correction
You may request correction of inaccurate or incomplete personal data by contacting [email protected].
5.3 Right to Erasure
You may request deletion of your personal data. Please note: we must retain financial and booking records for 7 years under Indian tax laws. Anonymised analytical data may be retained after deletion.
5.4 Right to Withdraw Consent
You may withdraw consent for marketing communications, analytics cookies, or any consent-based processing at any time. Withdrawal does not affect processing carried out before withdrawal.
5.5 Right to Nominate
Under DPDP Act 2023, you may nominate another individual to exercise your data rights on your behalf in the event of death or incapacity. Contact our Grievance Officer to register a nomination.
6. Data Retention
- Booking Records & Financial Data: 7 years from date of booking (Income Tax Act, 1961 and GST Act compliance)
- Inactive Accounts: Account profile deleted after 3 years of inactivity. Note: booking records associated with the account are retained separately for the 7-year period regardless of account deletion, in an anonymised or archived form as required by law
- Marketing Data: Deleted immediately upon opt-out request
- Support Tickets: 2 years for quality assurance
- Partner Customer Data: Partners must not retain customer data beyond what is necessary for the specific booking under DPDP Act 2023
When your account is deleted, your booking records are retained in a minimised form (booking ID, transaction amount, dates) for legal and tax compliance purposes, but your personal identifiers are removed to the extent permitted by applicable law.
7. Children's Privacy
spotin is intended for users who are 18 years of age or older. We do not knowingly collect personal information from persons under 18 years of age. If we discover we have collected data from a minor, we will delete it immediately. If you believe a minor has provided us data, contact [email protected] immediately.
8. Video Surveillance at Studios
Many partner studios have CCTV cameras for security. When booking, you will be informed if the studio has video surveillance. Studios are required to display clear signage, use cameras only for security (not to monitor creative work), and comply with the IT Act, 2000. Studios may not share recordings with third parties without your consent or valid legal authority.
9. Data Transfers
Primary customer data is stored on servers in India via Google's Indian data infrastructure. Some service providers including Google Analytics and Cloudflare may process operational or analytical data on servers outside India. These providers maintain data protection standards equivalent to Indian law requirements. All cross-border transfers comply with applicable Indian regulations.
10. Cookies & Consent Management
We use two categories of cookies:
- Essential Cookies: Required for basic platform functions (booking session, preferences). Cannot be disabled as they are necessary for the service.
- Analytics Cookies: Google Analytics GA4 — only activated with your explicit consent via our cookie banner. Declining disables GA4 tracking completely (GA4 disabled via JavaScript).
Consent Management under DPDP Act 2023:
- Consent is obtained via explicit checkboxes at the point of data collection (booking form, contact form, partner form)
- Consent records are maintained for compliance purposes
- Separate consent is obtained for: (a) booking fulfilment, (b) marketing communications, and (c) analytics cookies
- Withdrawing consent is as easy as giving it — email [email protected] or use the unsubscribe link in any marketing email
- Withdrawal of consent for analytics is available at any time via the cookie banner which can be re-accessed at the bottom of any page
WhatsApp Communications: By providing your phone number at booking, you consent to receiving booking confirmations and service notifications via WhatsApp. You may opt out of WhatsApp notifications by contacting [email protected].
11. Legal Compliance
This Privacy Policy is drafted in compliance with:
- Digital Personal Data Protection Act, 2023
- Information Technology Act, 2000
- IT (Reasonable Security Practices and Procedures) Rules, 2011
- Consumer Protection Act, 2019
- Consumer Protection (E-Commerce) Rules, 2020
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. For significant changes, we will notify you via email and post a notice on our website for 30 days. The "Last Updated" date at the top indicates the most recent revision. Continued use of spotin after changes constitutes acceptance of the updated policy.
13. Contact & Grievance Redressal
For privacy-related questions, requests, or complaints:
Email: [email protected] (Subject: "Privacy Request – [Your Name]")
Grievance & Data Protection Officer: Mayank Srivastav, Chief Operating Officer (COO)
WhatsApp: +91 87964 98297 (Subject: "DPO – Privacy Matter")
Address: 032, Tower H, Spaze Privvy, Sector 93, Gurugram – 122505, Haryana
We will acknowledge complaints within 48 hours and aim to resolve them within 30 days. Unresolved complaints may be escalated to the Data Protection Board of India.
Your Rights Summary: You have the right to access, correct, erase, and port your data under the DPDP Act 2023. You can opt out of marketing and analytics at any time. We never sell your personal data. For any privacy concern, contact Mayank Srivastav (COO) at +91 87964 98297.