Samay Cyber Pulse← Back to Portal

Privacy Policy

Last updated: 30 May 2026

1. About This Policy

Samay Cyber Pulse is a B2B DNS-based internet policy enforcement platform operated by Samay Invotech Private Limited. This policy explains how we collect, use, and protect data when the Samay Cyber Pulse mobile application is installed on employee devices by an employer (referred to as “Tenant”).

In relation to worker data, your employer (Tenant) acts as the Data Controller — they decide what data is collected and how it is used. Samay Invotech Private Limited acts as the Data Processor — we process data only on your employer's instructions. Workers should direct data access or erasure requests to their employer in the first instance.

2. Who We Are

3. Data We Collect

When the app is installed and active during designated shift hours, we collect the following categories of data:

DNS query data:

  • Domain names queried by the device (not the content of websites)
  • Whether each query was allowed or blocked by policy
  • Query timestamps

Connection data (when signature collection is enabled by employer):

  • TLS connection hostnames (SNI — the server name from encrypted connection headers, not the content)
  • Application identifiers (Android package names, e.g. com.instagram.android) associated with network requests
  • Connection timestamps and outcomes (allowed/blocked)

Network intelligence data:

  • When a blocked domain is detected, the app queries Google Public DNS (8.8.8.8) to discover IP addresses associated with that domain. These IP addresses are stored on-device and may be reported to Samay Invotech servers for platform-wide enforcement improvement.
  • Discovered IP addresses may be shared across all employers using the Samay Cyber Pulse platform (without identifying which specific worker or employer the discovery came from).

Device information:

  • Device model, manufacturer, and Android version
  • App version number
  • Battery level and VPN connection status
  • Heartbeat signals sent every 15 minutes during active sessions

We do NOT collect:

  • Browsing content, web page content, passwords, or messages
  • Location data (GPS or network-based)
  • Personal communications or file contents
  • Camera, microphone, or contacts
  • Data outside of designated shift hours

4. How We Use Data

Purpose limitation: Data collected through this application is used solely for the purposes listed below. It is not used for advertising, third-party profiling, employee performance assessment beyond policy compliance, or any purpose not listed here.

We use the collected data to:

  • Enforce your employer's internet usage policy during shift hours
  • Block access to services your employer has restricted
  • Provide your IT administrator with compliance reports and block/allow statistics
  • Improve the accuracy of domain and IP blocking lists across the platform (using aggregated, non-identifying network intelligence)
  • Detect and report attempts to bypass the enforcement policy
  • Maintain platform security and audit trails

5. Data Sharing and Third Parties

Your employer (Tenant):

Your employer's IT administrators have access to your DNS query logs, connection statistics, device status, and compliance reports.

Samay Invotech:

We process data on behalf of your employer as a data processor. We will never sell, share, or use worker DNS activity data for advertising or third-party profiling. We do not monetise worker data in any form.

Platform-wide intelligence:

Network intelligence data (IP addresses of blocked services) discovered on your device may be shared across employers using the platform after review by Samay Invotech. This sharing is limited to technical network data and does not include personally identifying information.

IP address handling:

Your device's IP address (source IP) is logged per DNS query on the tenant's dedicated VPS for enforcement and audit purposes. Unlike some consumer DNS services that anonymise IPs within hours, we retain full source IPs for the duration of the DNS query log retention period (90 days) because this is required for B2B enforcement, compliance reporting, and security incident investigation. Source IPs are stored only on your employer's dedicated VPS infrastructure — they are not stored on Samay Invotech's central servers and are not shared outside your employer's organisation.

Third-party infrastructure:

  • When blocked domains are detected, the app queries Google Public DNS (8.8.8.8 / 8.8.4.4) to discover associated IP addresses. This involves sending the blocked domain name to Google's infrastructure. Google's privacy policy applies to these queries: https://policies.google.com/privacy
  • Data is stored on servers in India and/or Google Cloud Platform (GCP) infrastructure.
  • DNS queries are processed via Samay Invotech's tenant VPS infrastructure — no browsing data passes through these servers, only DNS query names and responses.

6. Data Retention

Data TypeDefault RetentionNotes
DNS query logs (per worker, on VPS)90 daysAuto-deleted at expiry
Worker diagnostic reports90 daysAuto-deleted at expiry
Signature bundles (DNS/SNI event data)90 daysAuto-deleted at expiry
Shadow IP discoveries180 daysDeleted when employer account terminates
Device registration recordsDuration of employment + 30 daysDeleted on account termination
Audit logs1 yearRequired for compliance
JWT authentication tokensRevoked immediately on offboardingNo expiry wait

Tenant Administrators may configure shorter retention periods through the portal. Data is deleted automatically at expiry. These are default values.

7. Your Rights (DPDP Act 2023)

Under the Digital Personal Data Protection Act 2023 (India), you have the right to:

  • Right to access: You may request a copy of personal data your employer holds about you. Direct requests to your IT administrator or Tenant Admin.
  • Right to correction: You may request correction of inaccurate personal data held about you.
  • Right to erasure: Upon employment termination, your data is deleted per the retention schedule above. You may request earlier deletion by contacting your employer.
  • Right to withdraw consent: Where data collection is based on your consent (e.g., optional signature collection), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to nominate a representative: You may nominate another person to exercise these rights on your behalf.
  • Right to grievance: You have the right to raise a grievance with Samay Invotech.
  • Right to complain: You may file a complaint with the Data Protection Board of India.

Grievance Officer: Renu Handa, hello@samayinvotech.com (subject line: ‘DPDP Grievance — [your employer name]’)

Note: As this application is deployed under an employment relationship, certain data processing is carried out under legitimate employer interest and may not require separate individual consent. Your employer is the primary data controller for data collected through this application.

To exercise these rights, contact your IT administrator or email hello@samayinvotech.com.

8. Security

All data is encrypted in transit (TLS 1.2+) and at rest. DNS queries are processed via DNS-over-HTTPS (DoH) with per-worker authentication tokens. Device data is stored in encrypted storage.

Sensitive data (authentication tokens, cached network data) is stored in Android EncryptedSharedPreferences using AES-256 encryption. Network intelligence data transmitted to Samay servers uses HMAC-SHA256 signed payloads to prevent tampering.

9. Monitoring Hours and Enforcement Scope

This application enforces your employer's internet policy only during your assigned shift hours as configured in the portal. Outside of shift hours: the VPN tunnel is inactive, DNS enforcement is suspended, no DNS queries are logged, no connection data is collected. The exact shift hours applicable to you are determined by your employer and visible in your assigned group schedule. Workers on attendance-based enforcement are monitored only during clock-in periods. Always-on enforcement (24/7) is only possible if explicitly configured by your employer and is visible in the app's enforcement status indicator.

10. Cross-Border Data Transfers

Data is currently processed on servers located in India (Google Cloud Platform — asia-south1 region). If your employer's VPS is provisioned in a region outside India in the future, data processing may occur outside India. In such cases, Samay Invotech will ensure appropriate contractual safeguards are in place between Samay Invotech and the employer (Tenant) in accordance with applicable data protection law. You will be notified through updates to this policy.

11. Use of Aggregated and Anonymised Data

Samay Invotech may use anonymised, aggregated data that cannot identify individual workers or employers (e.g., ‘percentage of DNS queries blocked platform-wide’, ‘most common blocked categories’) to improve platform reliability, publish research insights, or demonstrate platform effectiveness. This aggregated data contains no personally identifiable information. No individual worker's DNS history, IP address, or device data is included in any aggregated dataset shared externally. We will not share individually identifiable data with any research partner or third party.

12. Changes to This Policy

We may update this policy periodically. The “Last updated” date at the top reflects the most recent revision. Continued use of the application after changes constitutes acceptance.

13. Contact