Envitra logoenvitra

Privacy Policy

We believe privacy is a right, not a feature. This policy explains exactly how Envitra collects, uses, and protects your personal information — written in plain language.

Last Updated: June 2026

01

Information We Collect

When you use the Envitra platform, we collect different categories of personal data depending on how you interact with us:

A. Information You Provide Directly

  • Account data: Name, email address, password (hashed), phone number
  • Profile data: Job title, company name, bio, profile photo, social media links, website URLs
  • Order data: Shipping address, card design preferences, order history
  • Payment data: Transaction identifiers (we do not store raw card numbers — all payment data is handled by Razorpay)
  • Communications: Support messages, feedback, or emails you send us

B. Information Collected Automatically

  • Device & browser data: IP address, browser type, operating system, device type
  • Usage analytics: Pages visited, time on site, dashboard interactions
  • NFC / QR tap data: Timestamp, approximate location (city-level), device type of the person tapping your card (see Section 5)
  • Cookies & local storage: Session tokens, preference settings, consent flags (see Section 6)

C. Information from Third Parties

  • Courier partners: Delivery status and recipient confirmation shared by our logistics partners for order fulfilment
02

How We Use Your Information

We use the data we collect for the following purposes:

  • Service delivery: Creating and maintaining your digital profile, fulfilling NFC card orders, and enabling NFC/QR tap functionality
  • Account management: Authentication, security, password recovery, and session management
  • Analytics & insights: Providing you with tap count statistics, visitor demographics, and profile performance data via your dashboard
  • Order fulfilment: Processing payments, dispatching cards, and providing delivery updates
  • Communication: Sending order confirmations, shipping updates, product announcements, and support responses
  • Legal compliance: Meeting our obligations under Indian law including GST compliance and responding to lawful requests from authorities
  • Product improvement: Analysing aggregate usage patterns to improve platform features and user experience (using anonymised data only)
  • Fraud prevention: Detecting and preventing fraudulent orders, account takeovers, and abuse of our platform
No Selling of Data
Envitra does not sell, rent, or trade your personal data to any third party for their own marketing purposes. Full stop.
03

Legal Basis for Processing

Envitra processes your personal data in compliance with the Digital Personal Data Protection (DPDP) Act 2023 and the Information Technology Act 2000 and its rules. Our legal bases for processing are:

  • Consent: For optional features such as marketing communications and cookies. You may withdraw consent at any time.
  • Contractual necessity: To fulfil your order for NFC cards and deliver the core digital profile service you registered for.
  • Legal obligation: To comply with applicable Indian laws including GST filing, fraud prevention, and responding to lawful government requests.
  • Legitimate interests: For platform security, fraud detection, and aggregate analytics — where our interests do not override your rights.
04

Data Sharing & Third Parties

We share your personal data with a limited set of trusted third parties only as necessary to operate our service:

Razorpay

Payment processing — they receive your transaction data to process payments.

Privacy Policy →

Supabase

Backend infrastructure — our database, file storage, and authentication are hosted on Supabase (AWS ap-south-1 region).

Privacy Policy →

Courier Partners

Order fulfilment — your name, phone, and shipping address are shared with our courier partners (Shiprocket/Delhivery) for delivery.

We may also disclose your information where required by law — for example, in response to a court order, summons, or lawful request from a government authority in India.

05

NFC Card & Tap Data

When someone taps your Envitra NFC card or scans your QR code to view your profile, we automatically collect limited technical data to power your analytics dashboard:

  • Timestamp of the tap/scan
  • Device type and operating system (e.g., "Android", "iPhone")
  • Approximate city-level location derived from IP address (not GPS — precise location is never collected)
  • Referral source (NFC tap vs. QR scan vs. direct link)
No Personal Data of Tappers
We do not collect the name, email, phone number, or any personally identifying information of people who tap your NFC card or scan your QR code — unless they choose to interact with a contact form you have set up on your profile.

Tap analytics are accessible only to the cardholder (you) through your dashboard and are not shared with any third parties.

06

Cookies & Tracking

Envitra uses cookies and similar tracking technologies on our website and dashboard for the following purposes:

TypePurposeConsent Required
EssentialAuthentication session tokens, security, CSRF protectionNo (required)
FunctionalRemembering your theme preference (dark/light mode)No
AnalyticsAggregate page view and feature usage statistics (anonymised)Yes

You can manage your cookie preferences at any time by clicking "Decline All" in the cookie consent banner or by clearing your browser cookies. Note that disabling essential cookies will affect your ability to log in and use the platform.

07

Data Retention

We retain your personal data for different periods depending on the type of data and the purpose for which it was collected:

  • Account data: Retained for as long as your account is active, plus 30 days after deletion for recovery purposes.
  • Order & transaction records: Retained for 7 years as required under the Companies Act 2013 and GST regulations.
  • Tap analytics data: Retained for 24 months from the date of collection, after which it is aggregated and anonymised.
  • Support communications: Retained for 2 years after the resolution of the support request.
  • Marketing consent records: Retained until you withdraw consent or delete your account.

Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.

08

Data Security

Envitra implements industry-standard security measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS)
  • Encryption at rest: Sensitive data is encrypted at rest in our database infrastructure
  • Password security: Passwords are hashed using bcrypt and are never stored in plaintext
  • Access controls: Strict role-based access controls limit employee access to personal data
  • Supabase Row-Level Security: Database access is restricted at the row level — you can only access your own data
  • Regular security reviews: We conduct periodic security assessments of our infrastructure
No Guarantee
While we take extensive precautions, no method of electronic storage or transmission is 100% secure. In the unlikely event of a data breach affecting your personal data, we will notify you within 72 hours as required by applicable Indian law.
09

Your Rights

Under the Digital Personal Data Protection (DPDP) Act 2023 and other applicable Indian law, you have the following rights with respect to your personal data:

Right to Access

Request a copy of all personal data we hold about you.

Right to Correction

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data, subject to legal retention requirements.

Right to Data Portability

Request your profile data in a machine-readable format (CSV or JSON).

Right to Withdraw Consent

Withdraw your consent for optional processing (e.g. marketing emails) at any time.

Right to Raise Grievances

File a complaint with our Grievance Officer (see Section 13) or with the Data Protection Board of India once operational.

To exercise any of these rights, contact us at support@envitra.in. We will respond within 30 days of receiving your request.

10

Children's Privacy

The Envitra Service is intended for use by individuals who are at least 18 years of age. We do not knowingly collect, store, or process personal data of children under 18.

If you believe that a child under 18 has provided personal data to Envitra without parental consent, please contact us immediately at support@envitra.in and we will promptly investigate and delete the relevant data.

11

Cross-Border Data Transfers

Envitra's primary infrastructure is hosted in India (Supabase on AWS ap-south-1, Mumbai). Some of our third-party service providers may process data outside of India (for example, Razorpay's global infrastructure).

When your data is transferred outside India, we ensure adequate safeguards are in place through:

  • Contractual data processing agreements with all sub-processors
  • Use of providers who comply with applicable international data protection standards
  • Limiting cross-border transfers to the minimum necessary for service delivery

As the DPDP Act 2023 notification framework for cross-border transfers is finalised by the Government of India, we will update our practices accordingly to ensure ongoing compliance.

12

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our data practices or applicable law. When we make significant changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send an email notification to your registered email address
  • Display a prominent notice on our website and dashboard

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of changes constitutes your acknowledgement of the updated policy.

13

Contact & Grievance Officer

In accordance with the Information Technology Act 2000 and its rules, and the Digital Personal Data Protection Act 2023, Envitra has appointed a Grievance Officer to address complaints and queries related to the processing of your personal data.

Grievance Officer / Data Protection Contact

support@envitra.in

Envitra Technologies Pvt. Ltd., India — Response within 5 business days

General Support

support@envitra.in

For account issues, order queries, and general questions. Response within 2–3 business days.

Registered Office

Envitra Technologies Pvt. Ltd.

India

You also have the right to lodge a complaint with the Data Protection Board of India once it becomes operational under the DPDP Act 2023, if you believe your data rights have been violated.