Privacy

Privacy Policy

StaqOn (“StaqOn”, the “Service”, “we”, “us”) is a team-communication product operated by VistarKriya Marketings Private Limited (“VMPL”, the “Company”), a company incorporated under the laws of India. This Privacy Policy explains what personal data we collect when you use StaqOn at staqon.one and the StaqOn mobile app, why we collect it, how we store and protect it, and the rights you have under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and other applicable Indian law.

StaqOn is a workplace messaging and collaboration tool. We do not run a lending, loan, DSA, credit-bureau, or financial-services business through StaqOn, and we never share your StaqOn data with banks, NBFCs, lenders, credit bureaus, or lead-generation partners.

1. Who is the Data Fiduciary

For personal data you provide to StaqOn as an individual user, VistarKriya Marketings Private Limited is the Data Fiduciary. Where your organisation (a workspace owner/admin) invites you and manages a workspace, that organisation controls the content and membership of its workspace; VMPL processes that data to provide the Service. Our contact and grievance details are in Section 11.

2. Information we collect

a) Account & identity. Your full name, email address, and (if you provide them) mobile number, profile photo (avatar), date of birth, country/state, and timezone. StaqOn uses passwordless sign-in — a 6-digit MPIN plus a one-time password (OTP) sent to your email. We do not store account passwords or any card/payment details. If you sign in with Google, we receive your basic Google account identifier and email.

b) Workspace & team data. The workspaces and teams you belong to, your role (owner, admin, member, guest), display name, title, and online/last-active status.

c) Messages & content. The messages, replies, reactions, mentions, announcements, reminders, worklist items and read receipts you create. Files, images and voice notes you upload are stored on our content-delivery provider (see Section 4).

d) Device & technical data. Push-notification tokens (via Firebase Cloud Messaging) and basic device type/info so we can deliver notifications; session information including IP address, browser/app user-agent, device label and login source; and timestamps of activity.

e) Communications infrastructure. To send transactional email (OTPs, invitations, notifications) we use an email provider, or an SMTP server that you or your workspace configure. Any SMTP credentials you enter are stored encrypted.

f) Usage & logs. Audit logs of important actions and, if you use the developer API, API request logs — used for security, troubleshooting and abuse prevention.

3. Why we use your data

We do not use your messages or files to serve advertising, and we do not sell your personal data.

4. Where your data is stored (and our sub-processors)

Your account and message data is stored on our managed servers. Files, images and voice notes you upload are stored and served through BunnyCDN (Bunny.net), our content-delivery provider. We share the minimum necessary data with a small set of infrastructure sub-processors purely to run the Service:

These providers process data only to perform their function for us. We do not share your data with banks, NBFCs, lenders, credit bureaus, financial partners, lead buyers, or advertisers. We may disclose data if required by law, a valid court order, or a lawful government request.

5. Data retention

We keep your personal data for as long as your account and workspace membership are active and as needed to provide the Service. When you delete your account (see our Data Deletion policy), we delete or irreversibly anonymise your personal data within 30 days, except where we must retain limited records to comply with law, resolve disputes, or enforce our terms. Messages you posted in a shared workspace may remain visible to that workspace unless the workspace or its owner also deletes them.

6. Your rights under the DPDP Act

Subject to applicable law, you have the right to:

To exercise any of these rights, contact our Grievance Officer (Section 11) or follow the Data Deletion process. We will respond within the timelines required by law and may verify your identity first.

7. Security

We protect your data with encryption in transit (HTTPS/TLS), hashed MPINs, encrypted storage of SMTP credentials, access controls and audit logging. No method of transmission or storage is completely secure, but we work to protect your information and to notify you and the authorities of a reportable breach as required by law.

8. Children

StaqOn is intended for use by people aged 18 and over, in a workplace or organisational context. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version here with a new “Last updated” date, and where required we will notify you.

10. Governing law

This Privacy Policy is governed by the laws of India. Subject to any applicable dispute-resolution terms in our Terms of Service, the courts at Dehradun, Uttarakhand shall have exclusive jurisdiction.

11. Grievance Officer & contact