SMART24x7 RESPONSE SERVICES PRIVATE LIMITED
GLOBAL PRIVACY POLICY & DATA PROTECTION FRAMEWORK
Version: 3.0 (ISO 27001:2022 Compliant)
Effective Date: March 31, 2026
Supersedes: All previous versions
Classification: Public
1. INTRODUCTION AND ORGANIZATIONAL COMMITMENT
Smart24x7 Response Services Pvt. Ltd. (“Smart24x7,” “we,” “us,” or “our”) operates as a premier Software as a Service (SaaS) provider specializing in Transport, Facility, and Security Management. We recognize that the data we handle—including real-time location and emergency contact information—is highly sensitive.
This Privacy Policy (the “Policy”) is designed to meet the requirements of ISO/IEC 27001:2022 Annex A Control 5.34 and ISO/IEC 27701. Our commitment is to ensure the Confidentiality, Integrity, and Availability (CIA) of Personally Identifiable Information (PII) through a robust Information Security Management System (ISMS).
2. SCOPE AND APPLICABILITY
This Policy applies to all PII collected, processed, stored, or transmitted by Smart24x7 via:
- The Smart24x7 Website (https://smart24x7.com, https://tms.smart24x7.com).
- The Smart24x7 Mobile Application (iOS and Android).
- Our SaaS backend infrastructure and APIs.
- Offline interactions related to safety and emergency response services.
Scope Note: This policy covers users acting as “Data Principals” (individuals) and “Data Controllers” (corporate clients using our platform for employee transport/safety).
3. ROLES AND GOVERNANCE (ISO 27701 ALIGNMENT)
Smart24x7 operates in two capacities depending on the service context:
- As a PII Controller: When you interact directly with our website or download our app as an individual user.
- As a PII Processor: When we provide services to your employer (e.g., Employee Transport Management). In this case, your employer is the Controller, and we process data solely based on their documented instructions and our Data Processing Agreement (DPA).
4. THE INFORMATION WE COLLECT
In compliance with the principle of Data Minimization (ISO 27001:2022 Control 8.10), we only collect data that is strictly necessary for the performance of our services.
4.1. Personal Identity Information
- Registration Data: Name, email address, mobile number, employee ID (if corporate), and profile picture.
- Authentication Data: Passwords (stored as salted hashes), biometric tokens (stored locally on your device), and MFA logs.
4.2. Sensitive Real-Time Data
- Precise Geolocation: We collect GPS, Wi-Fi, and cellular tower signals to provide live cab tracking, geofencing for employee safety, and SOS response.
- Background Location: If enabled, the app tracks location in the background to ensure safety during commutes, even when the app is minimized.
4.3. Emergency & Contact Data
- Emergency Contacts: With explicit consent, we access your contact list to allow you to nominate individuals who should be notified in an emergency.
- Voice/Audio: During a triggered SOS event, the app may record audio to assist emergency responders in assessing the situation.
4.4. Automated Technical Data
- Device Metadata: IP address, IMEI/UDID, device model, operating system version, and app crash logs.
- Audit Logs: Timestamps of logins, feature access, and data modifications to ensure system integrity.
5. LEGAL BASIS FOR PROCESSING
We process PII under the following legal frameworks:
- Consent: Where you have given clear permission (e.g., allowing location access).
- Contractual Necessity: To provide the transport or security services you or your employer have subscribed to.
- Vital Interests: During emergency SOS situations where processing location data is essential to protect life.
- Legitimate Interests: For security monitoring, fraud prevention, and system optimization.
6. DATA RETENTION AND SECURE DISPOSAL (CONTROL 8.10)
Smart24x7 maintains a formal Data Retention Schedule. We do not keep PII longer than is necessary for the purposes for which it was collected.
- Account Data: Retained for the duration of the active subscription plus 180 days post-termination to facilitate data recovery requests.
- Location History: Detailed breadcrumb trails are archived after 30 days and permanently deleted after 90 days, unless a legal hold is in place (e.g., for an accident investigation).
- SOS Records: Retained for 2 years as part of safety audit requirements.
- Secure Disposal: When the retention period expires, data is securely erased using industry-standard media sanitization methods (e.g., those described in NIST SP 800-88) to ensure it cannot be reconstructed.
7. INFORMATION SECURITY CONTROLS (ISO 27001:2022)
We implement “Defense in Depth” through the following technical and organizational measures:
7.1. Encryption (Control 8.24)
- In-Transit: All data between the app, website, and our servers is encrypted using TLS 1.2 or 1.3 with strong cipher suites.
- At-Rest: Sensitive data in our databases (e.g., PII and location logs) is encrypted using AES-256.
7.2. Access Control (Control 5.15 – 5.18)
- We enforce the Principle of Least Privilege. Only authorized personnel with a “need-to-know” can access PII.
- Internal access requires Multi-Factor Authentication (MFA) and is logged in a centralized Security Information and Event Management (SIEM) system.
7.3. Vulnerability Management (Control 8.8)
- We conduct bi-annual Vulnerability Assessment and Penetration Testing (VAPT) by independent third-party auditors.
- Continuous automated scanning is performed on our code repositories and cloud infrastructure.
7.4. Physical Security
- Our infrastructure is hosted in Tier-IV data centers (e.g., AWS/Azure) that maintain their own ISO 27001, SOC 2, and PCI-DSS certifications.
8. SHARING AND THIRD-PARTY DISCLOSURES
Smart24x7 does not sell, rent, or trade your PII. Data is only shared with:
- Service Providers: Sub-processors who provide hosting, SMS alerts, or map services (e.g., Google Maps API). All sub-processors undergo a Third-Party Risk Assessment (TPRA).
- Emergency Services: Police, medical responders, or corporate security teams during an SOS event.
- Legal Authorities: When required by a valid court order or to comply with statutory regulations (e.g., CERT-In directions).
9. INTERNATIONAL DATA TRANSFERS
If your data is transferred outside your country of residence (e.g., to a global cloud region), we ensure compliance through:
- Standard Contractual Clauses (SCCs).
- Data Residency: For Indian users, we prioritize storage within local data centers in compliance with the DPDP Act.
10. PRIVACY BY DESIGN (CONTROL 8.25)
Our Software Development Life Cycle (SDLC) includes:
- Default Settings: Privacy-invasive features (like continuous tracking) are “Off” by default unless required for the core service.
- Data Minimization: We strip unnecessary metadata from logs before analysis.
- Impact Assessments: We conduct Data Protection Impact Assessments (DPIA) for all new high-risk features.
11. USER RIGHTS (DATA PRINCIPAL RIGHTS)
In accordance with global privacy standards, you have the following rights:
- Right to Information: To know what data is being collected and why.
- Right to Correction: To update inaccurate or incomplete PII.
- Right to Erasure: To request the deletion of your account and associated data.
- Right to Portability: To receive your data in a structured format (e.g., CSV or JSON).
- Right to Object: To opt out of marketing communications or specific processing activities.
12. INCIDENT MANAGEMENT AND BREACH NOTIFICATION (CONTROL 5.7)
Smart24x7 has a formal Incident Response Plan.
- In the event of a data breach involving PII, we will notify the Data Protection Board or relevant supervisory authority within 72 hours of discovery.
- If the breach poses a high risk to you, we will notify you directly via email or app notification without undue delay.
13. DATA PROTECTION OFFICER (DPO) & GRIEVANCE REDRESSAL
We have appointed a Data Protection Officer to oversee our privacy framework and ensure compliance with ISO 27701 and the DPDP Act.
Contact Details for DPO:
- Designation: Data Protection Officer
- Organization: Smart24x7 Response Services Pvt. Ltd.
- Address: 10, Gulmohar Marg, DLF City, Phase-2, Gurugram, Haryana, India, 122002.
- Email: dpo@smart24x7.com
- Grievance Timeline: We acknowledge all privacy-related queries within 48 hours and aim for full resolution within 30 days.
14. COOKIE POLICY AND TRACKING
Our website uses cookies categorized into:
- Essential: Necessary for site security and login.
- Analytical: To help us understand user behavior (anonymized).
- Preference: To remember your language or region.
Users can manage cookie preferences via their browser settings.
15. AMENDMENTS TO THIS POLICY
This policy is reviewed annually or whenever there is a significant change in our processing activities or the regulatory landscape.
- Notice of Change: We will notify users of “Material Changes” (e.g., a change in the categories of data collected) via email or a prominent banner in the application 30 days before the change takes effect.
16. ACCEPTANCE
By using the Smart24x7 platform, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and processing of your data as described herein.