Privacy Policy

How we collect, use, and protect your data

Last Updated: March 2026

Compliant with India's Digital Personal Data Protection Act, 2023 (DPDPA) and IT Act SPDI Rules, 2011

1. Who We Are

OnePlaceHQ is a product of AnnaiLabs, a technology company based in Tamil Nadu, India. We build industry-specific business management software for small and medium businesses.

Data Fiduciary: AnnaiLabs

Contact Email: [email protected]

WhatsApp: +91 8925610640

Registered Address: Tamil Nadu, India

Our Dual Role: When you (a business) use OnePlaceHQ, you are the Data Fiduciary for your customers' data (patients, members, donors, etc.). We act as a Data Processor on your behalf. For your own account and business information, we are the Data Fiduciary.

2. What Data We Collect

A. Your Account Data (We are the Data Fiduciary)

When you sign up and use OnePlaceHQ, we collect:

Data | Purpose | Legal Basis
Phone number | Login, account identity, support | Contract performance
Name, email | Account profile, notifications | Contract performance
Password (hashed) | Account security | Contract performance
Business name, address, GSTIN | Business registration, GST invoicing | Legal obligation (GST Act)
Subscription & payment records | Billing, renewal, receipts | Contract performance

B. Your Customers' Data (You are the Data Fiduciary; We are the Data Processor)

When you use OnePlaceHQ modules to manage your business, you store your customers' data on our platform. The type of data depends on which modules you use:

Billing & Restaurant
Customer name, phone, email, address, GSTIN (if B2B), purchase/order history, payment records, loyalty points
Hospital (Sensitive Personal Data)
Patient name, date of birth, gender, phone, email, address, vitals (BP, pulse, temperature, SpO2, weight, height, BMI), consultation records (SOAP notes), prescriptions (drug names, dosage, frequency), lab orders and results, ABHA ID (Ayushman Bharat Health Account)
Gold Loan / Pawnbroker (Sensitive Personal Data)
Customer name, phone, address, identity proof (Aadhaar/Voter ID/Driving Licence/PAN type and number), photo, pledge details (gold weight, purity, valuation), loan amounts, payment history, guarantor details
Cash Loan / Daily Collection (Sensitive Personal Data)
Customer name, phone, address, identity proof (type and number), photo, loan details, daily collection records, collector GPS coordinates (optional), guarantor name, phone, address, and identity proof
Gym & Fitness
Member name, phone, email, date of birth, gender, photo, emergency contact, height, weight, exercise experience, membership and payment records
Temple / Trust / NGO (Seva)
Patron name, phone, email, address, PAN (for 80G tax receipts), date of birth, anniversary, donation history, volunteer hours, expense records
CRM (Sales Management)
Lead name, phone, email, organisation, designation, deal value, activity history (calls, meetings, notes), pipeline stage, follow-up dates

C. Website Visitor Data

When you visit our website (oneplacehq.com), we collect:

  • Analytics data via Google Analytics 4 (GA4): pages visited, time on page, device type, browser, approximate location (city-level), referral source
  • AI referral tracking: If you arrive from ChatGPT, Perplexity, Claude, or other AI tools, we record the referral source for analytics
  • No personal forms: Our website does not have sign-up forms or collect email/phone through forms. Contact happens via WhatsApp click-to-chat only.

D. Messaging & Communication Data

When WhatsApp or SMS messaging is used through our platform:

  • Recipient phone number and name
  • Message content (text, templates, media URLs)
  • Delivery status (sent, delivered, read, failed)
  • Message timestamps
  • Incoming messages from your customers (via WhatsApp Business API)

E. Files & Documents

Files uploaded or generated by your business:

  • Customer/member photos
  • PDF receipts (donation receipts, payment receipts, invoices)
  • Prescription PDFs and lab reports (hospital module)
  • Expense receipt images

3. Why We Collect & Use Data

We process personal data only for the following specific purposes:

  1. Providing our service - Running your business software, storing your records, generating invoices and receipts
  2. Account management - Login authentication, subscription management, licence verification
  3. Communication - Sending WhatsApp/SMS messages to your customers on your behalf (appointment reminders, payment receipts, donation receipts, etc.)
  4. Legal compliance - GST invoicing, tax record retention (Income Tax Act, GST Act), hospital compliance (NMC, ABDM)
  5. Security & audit - Data access logging (especially for hospital/medical records), fraud prevention, system monitoring
  6. Improving our service - Aggregated, anonymous analytics to understand usage patterns and improve features

We will NEVER sell your data to anyone. We will NEVER use your business data for advertising or marketing to third parties.

4. Sensitive Personal Data (SPDI)

Under the IT Act SPDI Rules, 2011, certain categories of data require additional protection. OnePlaceHQ processes the following Sensitive Personal Data or Information:

SPDI Category | Module | Protection
Passwords | All (user accounts) | Hashed with bcrypt; never stored in plaintext; never returned in API responses
Medical records & history | Hospital | Encrypted; access-logged; consent captured at registration
Physical health conditions | Hospital, Gym | Tenant-isolated; role-based access
Financial information (identity documents) | Cashloan, Pawnbroker, Seva (PAN) | Tenant-isolated; encrypted storage

For all SPDI, we obtain consent at the point of collection and provide mechanisms for review, correction, and withdrawal of consent.

5. Who We Share Data With

We do not sell, rent, or trade your personal data. We share data only with the following service providers (sub-processors) who are essential to delivering our service:

Provider | Purpose | Data Accessed | Location
Neon (PostgreSQL) | Primary database | All application data | United States
Railway | Application hosting | All data in transit | United States
Cloudflare | CDN, DNS, security, file storage (R2) | Traffic data, uploaded files | Global (edge network)
Meta / WhatsApp | WhatsApp Business messaging | Phone numbers, message content | United States
Google Analytics | Website analytics | Anonymised browsing data | United States
Axiom | Error & performance logging | System logs (may contain PII in error context) | United States

We may also disclose data when required by law — for example, in response to a court order, government investigation, or regulatory requirement.

6. Cross-Border Data Transfer

Your data may be transferred to and stored in the United States through our infrastructure providers (Neon, Railway, Cloudflare, Meta, Google). Under DPDPA Section 16, personal data may be transferred to any country not restricted by the Central Government of India. As of March 2026, no countries have been restricted.

We ensure all sub-processors maintain appropriate security safeguards for transferred data, including encryption in transit (TLS 1.2+) and at rest.

7. How We Protect Your Data

We implement reasonable security measures as required by the DPDPA and SPDI Rules:

Encryption

  • All data encrypted in transit (HTTPS/TLS)
  • Database encryption at rest
  • Passwords hashed with bcrypt

Access Control

  • JWT-based authentication (7-day expiry)
  • Role-based access (admin, staff, collector)
  • Module-level permissions

Tenant Isolation

  • PostgreSQL Row-Level Security (RLS)
  • All queries scoped by business ID
  • No cross-tenant data access possible

Monitoring & Recovery

  • Data access audit logging (hospital)
  • Point-in-time recovery (PITR) backups
  • Error monitoring and alerting

8. How Long We Keep Your Data

Data Type | Retention Period | Reason
Account data | Duration of account + 30 days | Allow data export after cancellation
Patient medical records | 7 years after last visit | MCI guidelines, medical practice standards
Financial records (invoices, loans, pledges) | 7 years | Income Tax Act, GST Act record-keeping
Donation records (80G receipts) | 7 years | Income Tax Act compliance
Gym member data | 1 year after membership expiry | Renewal facilitation, then deleted
CRM lead data | Until deal closure + 2 years, or on erasure request | Sales follow-up, then purpose fulfilled
WhatsApp message logs | 90 days (operational) + archived for legal hold | Service delivery and dispute resolution
Audit logs (data access) | 7 years (immutable) | Regulatory compliance, CERT-In, IT Act
Website analytics (GA4) | 26 months (Google default) | Website improvement
Consent records | Indefinite (immutable) | Proof of consent for regulatory audits

After the retention period, data is permanently deleted from all systems, including backups, within 30 days.

9. Your Rights (DPDPA Data Principal Rights)

Under India's DPDPA 2023, you have the following rights as a Data Principal:

1. Right to Access (Section 11)

Request a summary of all personal data we hold about you, the purposes of processing, and who we've shared it with. You can export your data in CSV/PDF format from within the application.

2. Right to Correction (Section 12)

Request correction of any inaccurate, incomplete, or misleading personal data. You can edit most data directly in the application, or contact us for assistance.

3. Right to Erasure (Section 12)

Request deletion of your personal data when it is no longer necessary for the stated purpose. Note: some data must be retained for legal compliance (tax records, medical records, audit logs).

4. Right to Withdraw Consent

Withdraw your consent for data processing at any time. Withdrawal is as easy as giving consent. Note: withdrawing consent may affect our ability to provide services.

5. Right to Grievance Redressal (Section 13)

File a complaint with our Grievance Officer. We will respond within 7 days. If unsatisfied, you may approach the Data Protection Board of India (DPBI).

6. Right to Nominate

Nominate another person to exercise your rights in case of death or incapacity.

To exercise any of these rights, contact our Grievance Officer (details in Section 13 below).

10. WhatsApp & Messaging

OnePlaceHQ integrates with WhatsApp Business API (powered by Meta) to enable your business to send messages to your customers. Here's how messaging data is handled:

  • What is transmitted: Phone numbers, message content (text, images, documents), delivery status metadata
  • Meta's role: Meta acts as a data processor for message transmission. Meta processes message metadata per their own WhatsApp Privacy Policy
  • Opt-in required: Your customers must opt in before receiving non-transactional messages. Transactional messages (appointment reminders, payment receipts) are sent based on the service relationship
  • Opt-out: Recipients can reply STOP at any time to stop receiving messages. We process opt-outs immediately
  • Message storage: Messages are logged in our system for service delivery and dispute resolution (90-day operational retention)

Your responsibility as a business: If your business uses WhatsApp messaging through OnePlaceHQ, you are responsible for obtaining appropriate consent from your customers and complying with TRAI regulations for commercial communications.

11. Cookies & Website Tracking

Our website uses the following tracking technologies:

Technology | Provider | Purpose | Opt-Out
Google Analytics 4 | Google LLC | Website traffic analysis, page performance | GA Opt-out Add-on
Google Fonts | Google LLC | Font rendering (Space Grotesk, DM Sans, Noto Sans Tamil) | N/A (essential for display)
Cloudflare | Cloudflare Inc. | Security, DDoS protection, performance | N/A (essential for security)

We do not use advertising cookies or retargeting pixels. We do not build advertising profiles from your browsing behaviour.

12. Children's Data

OnePlaceHQ is a business management tool intended for use by adults (18+). We do not knowingly collect personal data from children under 18 years of age.

Exception: In the hospital module, patient records may include minors. In such cases, the business (hospital/clinic) is the Data Fiduciary and is responsible for obtaining verifiable parental consent before storing a minor's health data on the platform.

If you believe we have inadvertently collected a child's data without appropriate consent, please contact us immediately and we will delete it.

13. Grievance Officer & Contact

If you have any questions, concerns, or complaints about this Privacy Policy or how we handle your data, please contact our Grievance Officer:

Grievance Officer

Email: [email protected]

Alternate Email: [email protected]

WhatsApp: +91 89256 10640

Response Time: Within 7 days of receiving your request

Languages: Tamil, English

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India (DPBI) as established under the DPDPA 2023.

14. Data Breach Notification

In the event of a personal data breach, we will:

  1. Notify affected business customers within 24 hours of becoming aware of the breach
  2. Notify affected individuals (Data Principals) without unreasonable delay via their registered communication channel
  3. Report to the DPBI within 72 hours with a detailed report of the breach, its scope, and remediation steps
  4. Take immediate remediation steps to contain the breach and prevent further exposure

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make significant changes:

  • We will update the "Last Updated" date at the top of this page
  • For material changes, we will notify you via email or WhatsApp at least 30 days before the changes take effect
  • Continued use of our service after the effective date constitutes acceptance of the updated policy

Effective Date: March 2026

Governing Law: Laws of India. Courts in Chennai, Tamil Nadu have exclusive jurisdiction.
