Privacy policy.

fursat OS is operated by Fursat Farms Private Limited, a company incorporated in India and registered at Siliguri, West Bengal. CIN U55101WB2023PTC266520. GSTIN 19AAFCF7211E1ZU. We are the data fiduciary for personal data of our direct users (chain admins and operators). For guest data flowing through the platform on behalf of a chain customer, we act as the data processor; the chain is the data fiduciary.

Contact for any privacy question or DPDP request: hi@fursat.fun. Our named grievance officer and the response window required under DPDP §13 are in Section 8 below.

Account data: name, email, phone, employer (hospitality chain), authentication identifiers from Clerk, and the role you hold in your organization.

Property and inventory data: property names, room types, rates, photos, amenities, FAQs, descriptions, third-party listing identifiers (Google Place ID, OTA property IDs, social page handles), and content you choose to publish to those platforms.

Operational data passing through: inbound and outbound WhatsApp messages, voice call audio and transcripts, email content (when email channels are connected), reviews and replies (when review sources are connected), and the metadata around these (timestamps, guest phone, channel of origin, sentiment tags, AI-suggested drafts).

Billing data: the payment-method tokens that Cashfree or Stripe return to us. We never see your full card number or UPI VPA in plain form.

Operational telemetry: server-side request logs, error traces, and aggregate usage counters. We do not rely on third-party advertising trackers.

To deliver the platform: route messages and calls, generate AI drafts, push availability to OTAs, materialize prices, surface reviews.

To bill you and meet our tax obligations: GST invoicing, Cashfree mandate management.

To support you: respond to questions, investigate incidents, fix bugs.

To improve the product: anonymous or aggregated analytics. We do not train AI models on your tenant data without an explicit, written opt-in.

Primary application data sits in MongoDB Atlas in Mumbai (ap-south-1). The application itself runs on Vercel functions pinned to the Mumbai (bom1) region. Some sub-processors listed below operate from outside India (notably Retell, Cartesia, Anthropic, Google, Clerk). Where data leaves India, we rely on contractual safeguards and the cross-border transfer mechanism permitted under the DPDP Act.

We use the following third parties to run fursat OS. The list is current as of the effective date and will be updated as we add or remove vendors.

Voice call recordings: ninety days, then automatic deletion, unless you ask us to retain longer or shorter.

WhatsApp / email / review threads: kept for the life of your subscription so your team has history. On termination, exported and deleted within thirty days unless retention is required by law.

GST and billing records: as required under Indian tax law (currently eight years from the end of the financial year).

CCTV event clips (Stage F, when enabled): thirty days by default, configurable per chain within DPDP-compliant limits. Ambient frames never leave the property; only event clips are uploaded.

If you are a user of fursat OS, the DPDP Act gives you the right to:

• Access the personal data we hold about you and a summary of how we have used it.
• Correct, complete, or update inaccurate data.
• Withdraw consent for processing that relies on consent. Withdrawal will not affect lawfulness of processing before withdrawal.
• Request erasure of your personal data, subject to legal retention obligations such as GST records. We will action erasure within seven days unless legally required to retain.
• Nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
• Lodge a grievance with our Grievance Officer (Section 8), and if unresolved, escalate to the Data Protection Board of India.

To exercise any of these rights, write to hi@fursat.funwith subject "DPDP Request". To help us identify you in our records, include your registered email, mobile number, or chain account name plus a brief description of the request. We will acknowledge within seven working days.

If you are a guest of one of our chain customers, the chain is the data fiduciary. Send your request to them. We will support the chain in fulfilling it.

We have appointed a named grievance officer who is the single point of contact for any complaint about how your personal data is handled by fursat OS.

Grievance Officer: Yogesh Bansal · hi@fursat.fun · WhatsApp +91 79084 38456.

We will acknowledge any grievance within seven working days and resolve it within thirty days, as required by DPDP §13. If you are not satisfied with the resolution, you can escalate to the Data Protection Board of India.

We encrypt data in transit (TLS 1.2+) and at rest. We isolate every chain's data behind a tenant-scope guard that fails closed on missing context. We rotate secrets, restrict admin access to a minimum set of authorized engineers, log privileged actions, and conduct regular dependency audits. No system is perfect; in the event of a personal data breach affecting your data we will notify you and the Data Protection Board of India within seventy-two hours, as DPDP §8(6) requires.

We use a small number of first-party cookies for authentication and to remember your sidebar preference. We do not use third-party advertising cookies. If we ever add analytics that involves third-party trackers, we will surface a consent banner and update this policy first.

AI features (voice answering, message parsing, review drafting, vision events, pricing suggestions) call large language model providers listed in the sub-processor table above. Inputs are sent to the provider for the duration of the call and are subject to that provider's zero-retention or enterprise-retention terms, which we negotiate where available.

We do not use your tenant data to train third-party AI models. We do not permit our sub-processors to use it to train their models without an explicit opt-in from you.

fursat OS is not intended for use by children. Where a chain customer's guest record relates to a minor, the chain remains responsible for ensuring appropriate consent from parents or guardians as required by DPDP.

We will post changes here. For material changes, we will notify the primary admin on each chain account and the user's registered email address. Continued use after the change date constitutes acceptance.