Privacy Policy

1. Scope and who we are

This Privacy Policy ("Policy") is issued by Smart Neta ("Smart Neta", "we", "us" or "our"), an election technology provider headquartered in Bangalore, India, with a presence in Sydney, Australia. It applies to:

• Visitors to smartneta.com and any related sub-domains;
• Individuals who contact us, request a demo, or otherwise interact with our sales and support teams;
• Authorised users of our mobile applications, including party administrators, campaign managers, booth coordinators and field workers ("App Users"); and
• Party members, supporters and voters whose personal data is recorded in our apps by our client political parties ("Data Subjects").

By using our website or apps, you acknowledge that you have read and understood this Policy.

2. Definitions

We use the following terms with the meanings assigned to them by the DPDP Act, 2023:

• Personal Data means any data about an individual who is identifiable by or in relation to such data.
• Processing means any operation performed on Personal Data — collection, recording, organisation, storage, use, disclosure, erasure or destruction.
• Data Principal means the individual to whom the Personal Data relates.
• Data Fiduciary means the person who, alone or together with others, determines the purpose and means of processing Personal Data.
• Data Processor means a person who processes Personal Data on behalf of a Data Fiduciary.
• Consent Manager means a person registered with the Data Protection Board of India who enables Data Principals to give, manage, review and withdraw consent.

3. Our role: Data Fiduciary vs. Data Processor

Smart Neta acts in two distinct capacities, and it is important to understand which applies to a given dataset:

3.1 We act as a Data Fiduciary

When you visit our website, fill in a contact or demo request form, email us, or otherwise correspond with us directly, Smart Neta is the Data Fiduciary. We decide why and how your Personal Data is processed, and this Policy governs that processing.

3.2 We act as a Data Processor

When a political party or its authorised agents (our "Clients") use our mobile apps to record information about members, supporters or voters, the Client is the Data Fiduciary for that information and Smart Neta is a Data Processor acting only on the Client's documented instructions. The Client is responsible for providing notices, obtaining consent, responding to Data Principal requests, and determining retention periods for such data. Data Principals in this category should contact the Client political party in the first instance; we will assist the Client as required.

4. Personal data we collect

4.1 Data you provide directly (website and sales)

• Contact form submissions: full name, email address, phone number, organisation / party affiliation, state, election timeline, package of interest, message content.
• Correspondence: content of emails, calls and meetings initiated with our sales or support teams.
• Careers: any information you provide if you apply for a role with us.

4.2 Data collected automatically on the website

• IP address, approximate location derived from IP, device type, browser, operating system, language, referring URL, pages visited, time spent, clicks and scroll depth.
• Cookies and similar technologies (see Section 8).

4.3 Data collected through the mobile apps

When Clients use our apps, the following categories of data may be recorded on their behalf:

• App User (party worker) data: name, phone number, booth / constituency assignment, role, login credentials, device identifier, app version, crash logs.
• Member / supporter / voter data (entered by party workers): name, gender, age or date of birth, address, voter ID / EPIC number, phone number (where provided), household information, language, survey and sentiment responses, issues raised, membership status, OTP verification records, consent captures.
• Location data: GPS coordinates, geo-tagged visit logs, check-in / check-out times, movement within an assigned booth area — collected only while the App User is on an active field task and where the Client has enabled this functionality.
• Media: optional photographs, voice notes or documents captured by the App User as proof-of-visit or supporting evidence.

4.4 Categories we do not knowingly collect

We do not design our products to collect biometric data, caste or religion (except to the extent already present in publicly released electoral rolls and provided to us by a Client), health information, sexual orientation, or financial account credentials. If you believe such data has been submitted to us in error, please contact our Grievance Officer so we can delete it.

5. Purposes of processing

We process Personal Data only for the purposes listed below:

• To respond to enquiries, schedule demos and fulfil sales contracts.
• To operate, maintain, secure and improve the Smart Neta website and mobile apps.
• To provide services to our Clients under contract, including authentication, field-force management, voter analytics, war-room dashboards and election-day GOTV coordination.
• To comply with legal obligations, enforce our terms and protect the rights, property and safety of Smart Neta, our Clients and the public.
• To send service communications (e.g. incident notices, policy updates). We do not send marketing emails without separate opt-in consent.

We do not use Personal Data for political profiling or micro-targeting of individuals outside the contractual scope agreed with our Client, and we do not sell Personal Data.

6. Consent and legal basis

Our lawful grounds for processing under the DPDP Act are:

• Consent of the Data Principal — for website form submissions, marketing communications and any non-essential cookies.
• Certain legitimate uses as permitted under Section 7 of the DPDP Act — for example, to fulfil an obligation under law, to respond to a medical emergency, or for employment-related purposes.
• Processor instructions — when we process data on documented instructions from a Client Data Fiduciary, the lawful basis rests with the Client, who is required to have obtained valid consent or to be relying on a legitimate use.

You may withdraw consent at any time (see Section 12). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7. Mobile app permissions

Our apps request the minimum device permissions needed to function. Permissions are requested at the point of first use and can be changed at any time in your device settings:

• Location (Foreground and, where enabled by the Client, Background): to geo-tag canvassing visits, record polling-booth attendance and verify field presence. Background location is used only while an active field task is in progress.
• Camera: to scan voter ID cards, upload proof-of-visit photos or capture supporting documents.
• Microphone: to record optional voice notes during survey capture.
• Storage / Photos: to attach documents or save offline data for areas with poor connectivity.
• Phone / SMS: to dial a contact directly from the app or to read OTPs during login.
• Notifications: to alert App Users to tasks, targets and command-centre messages.

8. Cookies and analytics

Our website uses cookies and similar technologies:

• Strictly necessary cookies — required for security, session management and anti-spam. These cannot be switched off.
• Analytics cookies — e.g. Google Analytics, to understand aggregate usage. We use IP-anonymisation where supported.
• Preference cookies — to remember display and language choices.

You can control cookies through your browser settings and, where available, through our cookie banner. Blocking analytics cookies will not affect core functionality.

9. Sharing and disclosure

We share Personal Data only as described below:

• With Clients: all data entered by App Users is made available to the contracting Client political party, whose authorised officials can access it through dashboards and command-centre interfaces.
• With sub-processors: vetted hosting, cloud storage, email-delivery, SMS/OTP, analytics, CRM and customer-support providers who process data strictly on our instructions and under confidentiality obligations.
• With professional advisors: lawyers, auditors, bankers and insurers under duties of confidentiality.
• Where legally required: in response to a lawful request from a competent authority, a court order, or to comply with Indian law, including the DPDP Act and directions of the Data Protection Board of India.
• Corporate transactions: in connection with a merger, acquisition or restructuring, with continuity of protection.

We do not sell or rent Personal Data.

10. Data retention

• Website enquiries: retained for up to 24 months after last contact, after which they are deleted or anonymised, unless a longer period is required by law.
• Client engagement data (as Processor): retained for the duration of the Client contract and for a reasonable wind-down period thereafter, after which data is returned to the Client or deleted in line with Client instructions and Section 8(7) of the DPDP Act.
• Server logs: retained for up to 12 months for security and incident investigation.
• Back-ups: held in encrypted form and overwritten on a rolling schedule.

11. Security measures

We maintain reasonable security safeguards as required under Section 8(5) of the DPDP Act, including:

• Encryption of data in transit (TLS) and of sensitive data at rest.
• Role-based access controls and least-privilege principles.
• Multi-factor authentication for administrative interfaces.
• Regular vulnerability scanning, patching and third-party penetration testing.
• Secure software development practices and code review.
• Logging, monitoring and incident-response procedures.
• Personnel training, background checks and confidentiality agreements.
• Our information security programme is aligned with ISO 27001 principles and ISO 9001 quality management.

In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in accordance with the DPDP Act and any rules made thereunder.

12. Your rights under the DPDP Act

Subject to verification of your identity and applicable exceptions, you may:

• Access a summary of Personal Data being processed and the processing activities.
• Correct, complete, update or erase your Personal Data.
• Withdraw consent previously given to us.
• Nominate another individual to exercise your rights in the event of death or incapacity.
• Raise a grievance with our Grievance Officer (see Section 16).

If you are a member, supporter or voter whose data was entered into our apps by a political party, please contact that party directly in the first instance, as they are the Data Fiduciary for your data. If you are unable to identify or reach the relevant party, write to us and we will route the request appropriately.

If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India.

13. Children's data

Our services are not directed at children under 18. We do not knowingly collect Personal Data from a child or a person with disability without verifiable parental or lawful-guardian consent. We do not undertake tracking, behavioural monitoring or targeted advertising directed at children. If you believe a child's data has been shared with us without proper consent, contact our Grievance Officer for prompt deletion.

14. Cross-border transfers

Our primary processing infrastructure is located in India. We may, to a limited extent, transfer Personal Data outside India to sub-processors (for example, for email delivery or crash reporting) only to countries that are not restricted by the Central Government under Section 16 of the DPDP Act, and under contractual safeguards equivalent to this Policy.

15. Changes to this policy

We may update this Policy from time to time. The "Last Updated" date at the top will reflect the latest revision. Material changes will be notified through a prominent notice on the website or in the apps, and, where required, by direct communication. Continued use after the effective date of a change constitutes acceptance of the revised Policy.

16. Grievance Officer and contact

In accordance with Section 8(10) of the DPDP Act and Rule 3(11) of the Information Technology (Intermediary Guidelines) Rules, 2021, we have appointed a Grievance Officer to address any concerns regarding this Policy or our handling of Personal Data:

For general queries, you can also reach us at Info@smartneta.com or via our Contact page.