Last Updated: 28 May 2026 | Effective Date: 28 May 2026
Legal Framework: This Privacy Policy is prepared in compliance with the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Digital Personal Data Protection Act, 2023 ("DPDP Act"), and any amendments thereto. This policy also meets the data disclosure requirements of the Google Play Store.
This Privacy Policy explains how Narevek Technologies ("Narevek", "we", "us", "our") collects, processes, stores, shares, and safeguards personal data when you use our mobile applications, website, and related services (collectively, "Services"). Please read this policy carefully before using our Services.
1. Scope and Applicability
This Privacy Policy applies to all products and services offered under the Narevek brand:
- Narevek CRM
- Narevek Inventory Management
- Narevek Point of Sale (POS)
- Narevek HRMS (Human Resource Management System)
- Narevek Attendance & Leave Management
- Narevek Library Management
- Narevek Visitor Management
- Narevek Manufacturing Execution System (MES)
- Estore HUB
- Narevek School Management
By downloading, installing, registering for, or using any Narevek application or website, you ("Data Principal" under the DPDP Act, 2023, or "Provider of Information" under the SPDI Rules, 2011) acknowledge that you have read, understood, and consent to the data practices described in this Policy. If you do not agree to this Privacy Policy, please do not use our Services.
2. Data Fiduciary / Controller
Under the Digital Personal Data Protection Act, 2023, Narevek Technologies is the Data Fiduciary — the entity that determines the purpose and means of processing your personal data.
3. Information We Collect
We collect only the information necessary to provide and improve our Services. Data collection is governed by the principle of data minimisation.
3.1 Information You Provide Directly
a) Account & Registration Data
- Full name, email address, mobile number, and password (stored as a one-way bcrypt hash — we never have access to your plain-text password).
- Business / organisation name, GSTIN (optional), industry type, employee count, and business address.
- Profile photograph (optional, uploaded at your discretion).
b) Business Data You Enter into Our Applications
As a B2B multi-tenant platform, the business data you enter is your data. You retain ownership. Categories include:
- CRM: Customer and prospect names, mobile numbers, email addresses, company names, deal values, quotations, invoices, follow-up notes, and lead stage history.
- Inventory: Product names, SKUs, stock quantities, purchase orders, and supplier contact details.
- POS: Sales transactions, item details, customer billing information, and daily reports.
- HRMS / Attendance: Employee names, designation, department, salary details, attendance logs, leave records. Government-issued IDs such as Aadhaar and PAN, if entered by an authorised company administrator, are classified as SPDI (see Section 5).
- School Management: Student names, parent/guardian names and contact details, admission records, fee payment history, and academic performance data.
- Library Management: Member names, book issue/return records.
- Visitor Management: Visitor names, contact numbers, host names, visit purpose, entry/exit timestamps, and optional visitor photographs.
c) Payment Information
Subscription payments are processed by RBI-authorised third-party payment gateways. We receive only transaction status confirmation and a masked payment identifier (last 4 digits of card, or UPI ID). We do not store, transmit, or have access to your full card number, CVV, PIN, or UPI credentials at any time.
d) Communications
Messages, support requests, bug reports, feature suggestions, or any other communications you send to us via email, in-app chat, or contact forms.
3.2 Information Collected Automatically
- Device Information: Device model, operating system version, and a unique device identifier used exclusively for Firebase Cloud Messaging (FCM) push notification delivery.
- Usage Analytics: Screens visited, features accessed, session duration, button interactions, and app performance metrics — collected in anonymised, aggregated form to improve product quality.
- Crash and Diagnostic Reports: Stack traces and error logs sent automatically via Firebase Crashlytics when the app encounters an error. These do not contain business data.
- Website Log Data: When you visit narevek.com — IP address, browser type and version, referring URL, pages visited, and access timestamps.
3.3 Information from Third Parties
- Firebase / Google: We receive aggregated, anonymised analytics and crash event data from Firebase services (Crashlytics, Analytics, Performance Monitoring) to monitor app health.
- Payment Gateways: Transaction status, amount, and masked payment instrument details from our authorised payment processing partners.
4. App Permissions (Android)
Our Android applications request device permissions only when required for a specific feature. Optional permissions are never accessed without your explicit, in-context action. You may revoke any permission at any time via Device Settings > Apps > [Narevek App] > Permissions.
| Permission |
Purpose |
Type |
| INTERNET |
Sync data securely with Narevek servers (HTTPS) |
Mandatory |
| CAMERA |
Scan barcodes / QR codes for inventory; capture visitor photographs in Visitor Management app |
Optional |
| READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE |
Import data files (CSV) and export reports (PDF) to/from device storage |
Optional |
| ACCESS_FINE_LOCATION / ACCESS_COARSE_LOCATION |
Geo-tagged attendance check-ins — used only when this feature is explicitly enabled by the company administrator |
Optional |
| POST_NOTIFICATIONS |
Deliver business alerts: new lead assigned, quotation approved, task reminders, attendance alerts |
Optional |
| READ_CONTACTS |
Bulk-import device contacts into Narevek CRM — triggered only when the user explicitly initiates a contact import action |
Optional |
| RECEIVE_BOOT_COMPLETED |
Re-register the FCM push notification token after a device restart so notifications resume automatically |
Optional |
We do not use any device permission for advertising, tracking, profiling, or any purpose beyond what is stated above.
5. Sensitive Personal Data or Information (SPDI)
Under Rule 3 of the SPDI Rules, 2011, the following categories are classified as Sensitive Personal Data or Information and are subject to heightened protection:
- Passwords — Stored as irreversible bcrypt hashes. Never accessible in plain text to anyone, including Narevek staff.
- Financial Information — Bank account details or payment card information (where entered by users in HRMS for salary processing).
- Health / Medical Information — Medical leave reasons, health conditions entered by employers in HRMS.
- Biometric Data — Fingerprint or face data used for attendance (where applicable and only with employee consent).
- Government-Issued IDs — Aadhaar numbers, PAN numbers entered by authorised company administrators in HRMS.
We handle SPDI as follows:
- Collected only with the explicit prior written consent of the individual concerned, obtained before collection.
- Used exclusively for the specific purpose for which it was collected.
- Never sold, traded, or disclosed to third parties except as strictly required by law or necessary to provide the service (e.g., payroll processing with a payment gateway).
- Stored with additional access controls and encryption at rest.
- Retention limited to the minimum period required by law or business necessity.
We do not collect SPDI relating to sexual orientation, political affiliation, or religious beliefs.
6. Consent
In accordance with the DPDP Act, 2023 (Section 6) and SPDI Rules, 2011 (Rule 5), we obtain consent before collecting personal data:
- Account Registration: By creating an account and accepting this Privacy Policy and our Terms & Conditions, you provide informed, free, specific, and unambiguous consent to the data processing activities described herein.
- SPDI: Explicit prior consent is obtained at the time of collection of each SPDI category, with a clear statement of the purpose.
- Runtime Permissions: Optional Android permissions (camera, location, contacts) are requested at the point of first use of the relevant feature, consistent with Android's runtime permission model. The app continues to function without optional permissions.
- Marketing Communications: Consent is sought separately. You may opt out at any time via the unsubscribe link in any email or by contacting us.
Withdrawal of Consent: You may withdraw consent at any time by emailing us at hello@narevek.com with the subject "Withdraw Consent". Withdrawal does not affect the lawfulness of processing prior to withdrawal. It may affect your ability to use certain features or the Services as a whole, and we will inform you of any such impact before acting on your withdrawal.
7. How We Use Your Information
We process your personal data for the following lawful purposes. We process data only to the extent necessary for each purpose.
- Service Delivery: To create, maintain, and operate your Narevek account and company workspace, and to deliver all features of the subscribed applications.
- Authentication & Account Security: To verify your identity, authenticate logins, and protect your account from unauthorised access.
- Push Notifications: To deliver business-critical alerts (new leads, quotation approvals, attendance alerts, task reminders) via Firebase Cloud Messaging, when you have granted notification permissions.
- Billing & Payments: To process subscription payments, send billing receipts, manage renewals, and handle refund requests through our authorised payment gateway partners.
- Customer Support: To respond to your queries, resolve complaints, diagnose technical issues, and improve our support processes.
- Product Improvement & Analytics: To analyse anonymised, aggregated usage patterns, fix bugs, monitor performance, and develop new features.
- Security & Fraud Prevention: To detect, investigate, and prevent unauthorised access, fraudulent activity, and violations of our Terms & Conditions.
- Legal Compliance: To comply with obligations under the IT Act, 2000, DPDP Act, 2023, GST Act, and other applicable Indian laws and regulations.
- Product Communications: To inform you of new features, updates, maintenance windows, and policy changes (you may opt out of non-essential communications).
We do not use your personal data for automated decision-making that produces significant legal effects, or for behavioural advertising.
8. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data to any third party. We share your information only in the following circumstances:
8.1 Authorised Service Providers (Data Processors)
We engage the following categories of processors who access your data solely to perform services on our behalf and under our instructions:
- Cloud Infrastructure Provider: Our application servers and databases are hosted on a cloud infrastructure. Data is stored in India wherever feasible.
- Firebase / Google LLC: FCM device tokens are sent to Firebase for push notification delivery. Crash event data and anonymised app performance metrics are sent to Firebase Crashlytics and Performance Monitoring. Governed by Google's Privacy Policy and the Google Cloud Data Processing Addendum.
- Payment Gateway Partners: RBI-authorised payment processors receive transaction details solely for the purpose of processing your subscription payments.
- Transactional Email Providers: Used exclusively for sending account-related emails (activation, password reset, billing receipts). These providers do not receive business data.
All processors are bound by written data processing agreements requiring them to: (a) process data only as instructed; (b) maintain confidentiality; (c) implement appropriate security measures; and (d) not engage sub-processors without our approval.
8.2 Legal Obligations
We may disclose personal data if required to do so by a court order, judicial process, government directive, or lawful demand from an authorised authority in India under the IT Act, 2000, Code of Criminal Procedure, or any other applicable law. We will, to the extent permitted by law, notify you of such disclosure.
8.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our business assets, your data may be transferred to the successor entity. The successor will remain bound by this Privacy Policy, and we will notify you of any such transfer with reasonable advance notice.
8.4 Aggregated and Anonymised Data
We may publish aggregated, anonymised industry insights (e.g., "70% of Narevek CRM users close deals within 14 days") that cannot be used to identify any individual or company. No personal or business-identifiable data is shared in this form.
8.5 With Your Consent
We may share personal data with third parties in any other circumstance with your prior explicit consent.
9. Multi-Tenancy and Data Isolation
Narevek operates a strictly isolated multi-tenant architecture. Every company that registers on Narevek is assigned a unique company_id. All business data — customers, leads, employees, inventory, transactions, documents — is partitioned by company_id at the database level. This means:
- No user from Company A can ever view, query, modify, or delete data belonging to Company B.
- Every API endpoint enforces
company_id validation on the server side, regardless of client-side input.
- Narevek staff access production data only when required for support, under strict access control and audit logging.
10. Push Notifications
We use Firebase Cloud Messaging (FCM) to send push notifications. When you grant notification permission, your Android device's FCM token is stored in our database linked to your user account. This token is used exclusively to deliver business-relevant notifications to your device. We do not use FCM tokens for advertising or share them with third parties outside of Firebase.
FCM tokens are immediately deleted when you:
- Disable notifications in Narevek CRM Settings > Notifications, or
- Revoke the POST_NOTIFICATIONS permission on your device, or
- Log out from or deactivate your account.
11. Cookies and Analytics
Website (narevek.com):
- Essential Cookies: Used for session management, CSRF protection, and basic site functionality. These cannot be disabled as they are strictly necessary for the website to operate.
- Analytics: We may use a privacy-respecting, anonymised web analytics tool to understand page traffic patterns and improve the website. No personally identifiable information is collected via analytics cookies.
Mobile Applications: Our mobile apps do not use browser cookies. Usage analytics within the apps are collected via Firebase Analytics in a fully anonymised and aggregated form.
12. Data Retention
We retain personal data only for as long as necessary for the stated purpose or as required by law.
- Active Accounts: Personal and business data is retained for the duration of your active subscription.
- Post-Cancellation: After you cancel your subscription, data is retained for a grace period of 90 days during which you may request a full data export. After 90 days, data is permanently deleted or irreversibly anonymised.
- Account Deletion Request: Upon a verified deletion request, personal data is deleted within 30 days of confirmation, subject to legal retention obligations.
- Legal / Regulatory Hold: Certain data may be retained for longer periods as required by Indian law — for example, GST transaction records (minimum 6 years), financial records under applicable accounting law.
- FCM Tokens: Deleted immediately upon logout, account closure, or permission revocation.
- Crash / Diagnostic Data: Retained for up to 12 months for debugging purposes and then purged.
- Support Records: Retained for 2 years to maintain quality assurance and for potential dispute resolution.
13. Data Security
In compliance with Section 43A of the IT Act, 2000 and Rule 8 of the SPDI Rules, 2011, we implement the following reasonable security practices and procedures:
- Encryption in Transit: All communication between the Narevek app and our servers is encrypted using TLS 1.2 or higher (HTTPS). Plain HTTP is not permitted.
- Encryption at Rest: Sensitive fields including password hashes, authentication tokens, and SPDI are encrypted at rest using industry-standard algorithms.
- Password Hashing: Passwords are hashed using bcrypt with a work factor of 12. We are technically incapable of recovering your original password.
- JWT Authentication: All API calls are authenticated using short-lived JSON Web Tokens (JWT) with defined expiry periods to minimise the risk from token interception.
- Access Controls: Production server and database access is restricted to authorised personnel using multi-factor authentication. Access is logged and reviewed.
- Data Isolation: Multi-tenant data isolation is enforced at both the application logic level and the database query level.
- Vulnerability Management: We conduct regular security assessments of our application code, infrastructure, and third-party dependencies.
- Incident Response: We maintain a documented data breach incident response procedure including containment, investigation, notification, and post-incident review.
While we take every reasonable precaution, no data transmission or storage system is 100% immune to security risks. You are encouraged to use a strong, unique password and to report any suspected vulnerability to hello@narevek.com immediately.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, Narevek will:
- Notify affected users without undue delay, and in any event within 72 hours of becoming aware of the breach (to the extent reasonably practicable).
- Notify the relevant data protection authority as required under the DPDP Act, 2023 or any applicable law once the relevant provisions are in force.
- The notification will include: the nature of the breach, categories and approximate number of individuals affected, likely consequences, and the measures taken or proposed to address the breach.
15. Your Rights as Data Principal
Under the DPDP Act, 2023 (Chapter III) and the SPDI Rules, 2011, you have the following rights with respect to your personal data:
- Right to Access Information (Section 11, DPDP Act): You have the right to obtain a summary of the personal data we hold about you, the processing activities carried out with it, and the identities of Data Processors to whom it has been disclosed.
- Right to Correction and Erasure (Section 12, DPDP Act): You may request that we correct inaccurate, incomplete, or outdated personal data. You may also request erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
- Right to Grievance Redressal (Section 13, DPDP Act): You have the right to raise a grievance with our designated Grievance Officer (see Section 20).
- Right to Nominate (Section 14, DPDP Act): You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.
- Right to Withdraw Consent: As described in Section 6, you may withdraw consent at any time.
- Right to Data Portability: You may request an export of your account and business data in a standard machine-readable format (CSV / JSON).
- Right to Opt Out of Marketing: You may unsubscribe from non-essential marketing communications at any time via the unsubscribe link in any email or by contacting us.
To exercise any of these rights, please email us at hello@narevek.com with the subject line "Data Principal Rights Request". We will acknowledge your request within 48 hours and fulfil it within 30 days, in accordance with the DPDP Act, 2023 and SPDI Rules, 2011.
We may need to verify your identity before processing the request to prevent fraudulent or unauthorised access to another person's data.
16. Children's Privacy
Narevek's business applications are designed for use by adults (18 years and above) in a professional capacity. We do not knowingly collect personal data from individuals under 18 years of age for account registration or individual use.
The Narevek School Management application is intended to be operated by educational institutions. Student and parent data entered into the School Management app is under the custody and responsibility of the institution (which acts as an independent Data Fiduciary or Data Processor under the DPDP Act). Institutions are responsible for obtaining all necessary parental/guardian consents required under applicable law before entering student data.
If you believe we have inadvertently collected personal data from a minor, please contact us immediately at hello@narevek.com and we will delete it promptly.
17. Third-Party Links and Services
Our applications and website may contain links to or integrations with third-party services, including payment gateways, WhatsApp Business API, and Google services. These third-party services operate under their own privacy policies, which we encourage you to review. Narevek is not responsible for the privacy practices, content, or availability of any third-party service. Your interactions with third-party services are at your own risk and are not governed by this Privacy Policy.
18. Cross-Border Data Transfers
Your personal data is primarily stored and processed within India. Certain service providers (such as Firebase / Google LLC) may process data in data centres located outside India. Such transfers are made only where:
- The third-party processor maintains data protection standards equivalent to or exceeding those required under Indian law.
- Appropriate contractual safeguards (including data processing agreements) are in place.
- The transfer is consistent with the requirements of the DPDP Act, 2023, including any government-notified restrictions on cross-border data transfers.
19. Changes to This Privacy Policy
We review and update this Privacy Policy periodically to reflect changes in our business practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify active users via in-app notification and/or email at least 14 days before the updated Policy takes effect.
- Where required by the DPDP Act, 2023, obtain fresh consent for any new or materially different processing activity.
Your continued use of our Services after the effective date of the revised Policy constitutes your acceptance of the changes. If you do not agree to the revised Policy, you must stop using the Services and request account closure.
20. Grievance Redressal
Designated Grievance Officer
In compliance with Rule 5(9) of the Information Technology (SPDI) Rules, 2011 and the Digital Personal Data Protection Act, 2023, Narevek Technologies has designated the following Grievance Officer to address concerns related to the processing of personal data:
- Name: Naresh Babu Krishnappa
- Designation: Founder & CEO, Narevek Technologies
- Email: hello@narevek.com
- Contact Form: narevek.com/contact
- Acknowledgement: Within 48 hours of receipt of complaint.
- Resolution: Within 30 days of receipt, as required by Rule 5(9) of the SPDI Rules, 2011.
You may raise a grievance regarding the processing of your personal data, exercise of your data rights, or any suspected privacy violation. If your grievance is not resolved to your satisfaction within 30 days, you may escalate it to the Data Protection Board of India (once constituted and operational under the DPDP Act, 2023) or approach the competent courts in India.
21. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or our data practices:
This Privacy Policy applies to all products under the Narevek brand: Narevek CRM, Inventory Management, POS, Library Management, Visitor Management, HRMS, Manufacturing Execution System (MES), Attendance & Leave Management, Estore HUB, and School Management. By using any Narevek product, you acknowledge and accept this Policy in full.