Privacy Policy

This Privacy Policy explains how ViharaOS ("we", "us") collects, uses, discloses, and safeguards personal data when you use our property management system and related services (the "Service"). We act as a data processor for the guest and operational data your property entrusts to us, and as a data fiduciary for the account data of your staff.

We are committed to handling personal data responsibly and in accordance with India's Digital Personal Data Protection Act, 2023 (the "DPDP Act") and other applicable laws.

Depending on how the Service is used, we may process the following categories of data:

• Account data — names, email addresses, phone numbers and roles of property staff who use the Service.
• Guest data — guest names, contact details, identity-document references, nationality, stay dates and, for foreign nationals, passport and visa details required for statutory reporting.
• Reservation & financial data — bookings, folios, invoices, GST details and payment references (we do not store full card numbers; payments are handled by PCI-compliant processors).
• Operational data — housekeeping status, room assignments, messages and audit logs.
• Technical data — device, log, and usage information needed to operate, secure and improve the Service.

We use personal data only for clearly defined, lawful purposes connected to running your property. Specifically:

• To provide the Service — creating reservations, managing check-ins and check-outs, billing and reporting.
• To meet legal obligations — generating Form-C foreign-guest filings, police register exports, GST returns and e-invoices on your behalf.
• To secure accounts — authentication, two-factor verification, fraud prevention and audit logging.
• To support you — responding to enquiries and troubleshooting issues you raise.
• To improve the Service — analysing aggregated, de-identified usage trends to make the product better.

We do not sell personal data. We do not use guest data for advertising. Any AI-assisted features (such as demand forecasting or message drafting) operate on your property's own data to benefit your property, and never expose one property's data to another.

Where the Service displays sensitive identifiers, we apply data masking by default — for example, identity-document and passport numbers are shown in masked form and revealed only to authorised roles with the action recorded in the audit log.

We process personal data on the basis of (a) the consent obtained by your property from its guests, (b) the performance of our contract with your property, and (c) compliance with legal obligations such as immigration and tax reporting.

Your property is responsible for obtaining any guest consent required at the point of collection. The Service provides consent-capture and notice tools to help you do this.

Our practices are designed around the principles of the Digital Personal Data Protection Act, 2023:

• Purpose limitation — data is processed only for the purposes described in this policy.
• Data minimisation — we collect only what is needed for hospitality operations and statutory reporting.
• Accuracy — you can correct guest and account data at any time.
• Storage limitation — data is retained only as long as necessary or as required by law (see Retention).
• Security safeguards — technical and organisational measures protect data against unauthorised access.
• Accountability — access to personal data is role-based and recorded in tamper-evident audit logs.

We will assist your property, as a Data Fiduciary, in responding to requests from Data Principals (guests) and to lawful requests from the Data Protection Board of India.

We protect personal data using industry-standard safeguards, including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access control, two-factor authentication for sensitive roles, and continuous audit logging.

Personal data of Indian guests and properties is hosted on infrastructure located in India. Offline desktop clients store data locally in encrypted form and synchronise securely when connectivity is available.

We retain personal data for as long as your property maintains an account and as required to provide the Service. Certain records — such as invoices and statutory filings — are retained for the periods mandated by Indian tax and immigration law.

When data is no longer required, it is securely deleted or irreversibly anonymised.

Subject to applicable law, individuals whose data we process may exercise the following rights:

• Right of access — to know what personal data is held about them.
• Right to correction — to have inaccurate or incomplete data corrected.
• Right to erasure — to have personal data deleted where it is no longer required.
• Right to grievance redressal — to raise a complaint about how data is handled.

Guests should direct requests to the property that collected their data. Properties can fulfil these requests using the tools in the Service, and we will support them as their processor.

We share personal data only as needed to operate the Service: with government portals for mandated filings, with PCI-compliant payment processors, and with infrastructure providers bound by confidentiality and data-protection obligations. We do not share personal data with advertisers or data brokers.

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Grievance Officer at privacy@viharaos.com. We will acknowledge and address verified requests within the timelines required by law.