This Privacy Policy applies to WorkSync, operated by Chandra Mohan Dhakad (Sole Proprietorship), trading as WorkSync, with registered address at Indore, Madhya Pradesh — 452001, India.
Under India's Digital Personal Data Protection Act, 2023 (the "DPDP Act"), we act as the Data Fiduciary for your personal data. This means we decide the purposes and means of processing your personal data.
For any question about this policy, contact our Grievance Officer at the email address in Section 9.
| Category | Examples | Who it applies to |
|---|---|---|
| Identity & contact | Name, mobile number, email, firm name, date of birth, gender | All users |
| Business identifiers | GST number, PAN number, MSME registration, PF registration, ESI registration, company registration number | Sub-contractors, companies, project teams |
| Address & location | Registered address, GST address, city, state, approximate geo-location for "Nearby Projects" discovery | All users |
| Professional info | Years of experience, trade specialisations, annual turnover band, project types, states of operation, past work orders | Sub-contractors |
| Documents | Aadhaar (number only if provided — we do not require it), PAN card image, GST certificate, MSME certificate, work order PDFs, completion certificates, insurance policies, drawings | Users who upload |
| Commercial data | Requirements floated, quotations submitted, rates, awards, ratings, evaluations | All business users |
| Account credentials | Password (stored hashed with bcrypt, never plaintext), OTP verification history | All users |
Under the DPDP Act, we process your personal data based on consent that you provide when you register and tick the consent checkbox. For certain limited cases we rely on legitimate use (such as security, fraud prevention, and compliance with law).
When you register, you see a clear notice listing the specific purposes below. Ticking the consent box means you agree to processing for those purposes. You can withdraw this consent at any time (see Section 8).
Specific purposes for which we process your personal data:
We use your personal data only for the purposes listed in Section 3. We do not use your data for automated decision-making that has a significant effect on you without human review. We do not use your data for advertising or profiling for third parties.
We display limited information (firm name, trade, city, verified-badge status) in the searchable contractor directory so that project managers and companies can find you. Your contact details remain hidden until you explicitly approve sharing them with a specific company.
We share your personal data only in these limited situations:
| Recipient | What is shared | Why |
|---|---|---|
| Other platform users (companies, project managers, SCs) | Profile info you have marked as public; rates in quotations you submit to a specific requirement | Core platform matching and tendering workflow |
| Payment gateway (e.g., Razorpay, Cashfree) | Name, email, mobile for billing | Subscription payment processing |
| Cloud infrastructure providers (Supabase, Vercel, Cloudflare) | All data necessary to host the service | Running the platform. See Section 11 on location. |
| Communication providers (SMS, WhatsApp Business, email service) | Mobile number, email, notification content | Sending OTPs and platform notifications |
| Government authorities | Whatever is specifically requested under valid legal process | Compliance with law |
We never sell your personal data. We never share it for third-party marketing.
Your personal data is stored on servers managed by our infrastructure providers. The primary database is hosted with Supabase. File uploads are stored in Supabase Storage. Some backups and logs may be stored in other regions for redundancy.
Retention schedule:
| Data type | How long we keep it |
|---|---|
| Active account data | As long as your account is active |
| After account deletion — transaction records (awards, quotations, work orders) | 7 years (for tax, audit, and dispute resolution — as required by Indian law) |
| After account deletion — profile data, search keywords, uploaded documents | Deleted within 180 days of deletion request (with immediate soft-delete from platform) |
| Server logs (IP, access records) | 12 months |
| OTP verification records | 30 days |
You can request deletion earlier by writing to our Grievance Officer. We will confirm within 7 days and delete within 30 days, unless retention is required by law.
We use industry-standard safeguards:
Breach notification: If a personal data breach occurs, we will notify affected users and the Data Protection Board of India within 72 hours of becoming aware, in line with DPDP Rules 2025.
No system is 100% secure. If you discover a vulnerability, please report it to security@worksyncapp.com.
Under the DPDP Act, you have the following rights. To exercise any of them, write to our Grievance Officer (Section 9).
We respond to rights requests within 15 working days.
Grievance Officer: Chandra Mohan Dhakad
Designation: Grievance Officer, WorkSync
Email: grievance@worksyncapp.com
Postal address: Indore, Madhya Pradesh — 452001, India
Response commitment: We acknowledge grievances within 48 hours and resolve within 15 days, extendable to 30 days for complex cases.
WorkSync is a business-to-business construction procurement platform not intended for anyone under 18. We do not knowingly collect data from minors. If you believe we have inadvertently collected such data, contact the Grievance Officer for immediate deletion.
Our primary hosting providers maintain data centres in multiple regions. Some of your personal data may be processed on servers located outside India. We rely on the provider's contractual commitments and security certifications (SOC 2, ISO 27001) to ensure adequate protection.
The Indian Government may notify specific categories of data that must remain in India. We comply with all such notifications as and when issued.
We may update this policy as the platform evolves or laws change. Material changes will be communicated by email, SMS, or an in-app banner at least 7 days before taking effect. The "Last updated" date at the top always shows the current version date.