Privacy Policy
Last updated: May 7, 2026
SapTrack by Insightcore Analytics ("we", "our", "us") is an all-in-one business management platform built for small business owners. From our Android app or any modern web browser, you can manage members, staff, memberships, payments, attendance, leads, and communications — and track how your business is performing through advanced dashboards and reports. This policy explains what data we collect, why, and how we protect it.
1. Roles & Responsibilities
SapTrack operates as a data processor on behalf of business owners. The business owner who signs up is the data controller for the information they upload about their members, leads, and employees, and is responsible for collecting consent from those individuals before adding their data to SapTrack.
2. Information We Collect
- Business owner & app users: Name, phone number, email address, encrypted login credentials, branch assignment, last login timestamp.
- Members: Name, phone number, email, date of birth, gender, address, emergency contact, profile photo, government-issued ID proof image (Aadhaar / PAN / driver's licence — uploaded at the owner's discretion), biometric template ID (for device-based entry), QR code identifier.
- Memberships & payments: Plan details, start/end dates, amount paid, payment method (cash / UPI / card / online), freeze status, renewal history.
- Member attendance: Entry/exit timestamps, entry method (QR, biometric, manual), branch, whether entry was allowed.
- Employees / staff (HR records): Name, phone number, email, designation, monthly salary, joined-on date, profile photo, biometric template ID, branch assignment, active/inactive status, and (optionally) login credentials if app access is enabled.
- Staff attendance: Daily check-in / check-out timestamps and method (QR, biometric, manual) for each employee.
- Staff leaves: Leave date, type (paid / unpaid / sick), reason (free-text — may include health-related details if the employee chooses to provide them), approval status, and the gym user who decided.
- Salary payments: Period covered, amount paid, payment date, mode (cash / UPI / bank / cheque), notes, and the gym user who recorded the payment.
- Leads / enquiries: Walk-in or referred prospect details — name, phone, plan of interest, source (walk-in / referral / social media / website), follow-up date, notes, conversion status.
- Communications & messaging: WhatsApp message templates created by the owner; logs of when WhatsApp messages were sent to a member (recipient phone, timestamp, message type) for the purposes of avoiding duplicate sends.
- Branches: Branch name, address, city, timezone, and (optionally) biometric device connection details (IP address, port, and serial number) for any integrated attendance device.
- Support submissions: Subject, body, and submitter ID for any in-app "Contact Support" tickets, plus the corresponding email if delivered.
- Device tokens: Firebase Cloud Messaging tokens for push notifications.
3. App Permissions
The following permissions apply only to the SapTrack Android app — the web version runs in the browser and does not request device-level permissions beyond what the browser itself controls. On Android, SapTrack requests:
- Camera — used to capture member and staff profile photos, scan member QR codes for entry, and (optionally) photograph government-issued ID proofs at the business owner's discretion. The camera is activated only when the user explicitly taps to take a photo or scan a QR code. SapTrack does not record video or audio in the background.
- Notifications (Android 13+ requires explicit opt-in) — used to send push notifications such as entry alerts, daily expiry summaries, and renewal confirmations to business owners.
We do not request location, contacts, calendar, microphone, or any background data access.
4. Sensitive Personal Data
Some categories of data we store are considered sensitive under India's Digital Personal Data Protection Act, 2023 and similar laws elsewhere:
- Government-issued ID proofs (Aadhaar / PAN / driver's licence images) — only stored when the business owner chooses to upload them per member.
- Biometric template IDs from connected biometric devices.
- Health-related details that may appear in leave reasons.
These are stored in encrypted Supabase Storage buckets behind row-level security, accessible only to the originating business via authenticated requests. We never transfer this data to third parties for marketing, advertising, or any non-operational purpose.
5. How We Use Your Information
- To run the core platform features — member registration, attendance tracking, membership renewals, payments, leads, staff operations, and salary records.
- To send push notifications (entry alerts, expiry reminders, daily summaries) to business owners.
- To send WhatsApp messages (membership expiry warnings, welcome messages, renewal confirmations) — initiated either automatically by the system or manually by the owner from within the app.
- To process the business owner's SapTrack subscription payments via Razorpay.
- To display dashboard analytics, charts, and reports to business owners about their own business performance.
- To deliver in-app support — Contact Support submissions are emailed to our team and stored for record-keeping.
- To improve the platform — we analyse aggregate, anonymised usage patterns. We never analyse individual member or employee records to train AI models or for any non-operational purpose.
6. Third-Party Services
We use the following third-party services that may process your data on our behalf. Each has its own privacy policy and handles data per its terms.
- Supabase — Database hosting, file storage (photos & ID proofs), and authentication infrastructure.
- Firebase (Google) — Push notifications and crash reporting.
- Razorpay — Payment processing for the business owner's SapTrack subscription.
- WhatsApp (Meta) — Messaging delivery, either via the WhatsApp Business API (when the owner has connected it) or via deep-link handoff to the owner's personal WhatsApp account.
- Resend — Outbound email delivery for support correspondence.
- Cloud hosting providers — Our backend runs on commercial cloud infrastructure with industry-standard encryption at rest and in transit.
7. Data Retention
We retain data for as long as the business account is active. When a business owner deletes their account, all associated data — members, memberships, attendance, staff records, salaries, leads, ID proofs, and uploaded images — is permanently removed within 30 days. Backups containing the data are rotated out within 90 days.
Business owners can also delete individual member, employee, lead, or salary records directly from the app at any time, which removes them immediately from active databases.
Financial records — membership purchases, salary payments, and ledger entries — are retained in an anonymised form for the period required by Indian tax law (Income Tax Act Rule 6F: 8 years; CGST Act Section 36: 6 years). After a member or staff member is deleted, only the transaction amount, date, GST breakdown, and payment method are kept; all personally identifying information (name, phone, email, photo) is permanently removed and the counterparty is reduced to an opaque identifier that cannot be linked back to an individual.
8. Data Security
We use industry-standard measures including:
- Encrypted connections for all data in transit.
- Encryption at rest for stored files (photos, ID proofs).
- Passwords are stored using industry-standard one-way hashing — we never keep plaintext passwords.
- Strict database-level tenant isolation so one business cannot see another business's data, even in the event of an application-level bug.
- Authenticated sessions with short expiry and re-issue on login.
- Server-side rate limiting on sensitive endpoints.
9. Your Rights & Account Deletion
If you are an end user (a member, employee, or lead whose data has been uploaded to SapTrack by a business), you have the right to:
- Request access to your personal data held in SapTrack.
- Request correction of inaccurate data.
- Request deletion of your data.
- Withdraw consent for processing.
Because the business owner is the data controller, please first contact the business that added you. If they cannot resolve your request, contact us at support@saptrack.in and we will assist.
Account deletion for business owners. If you are a SapTrack business account holder and wish to permanently delete your entire account — including all member, staff, attendance, payment, lead, and salary records associated with the account — email support@saptrack.in from the email address registered to your account, with the subject "Account Deletion Request". We will verify your identity and complete the deletion within 7 business days. Database backups containing the data are rotated out within 90 days thereafter. You do not need to be logged into the SapTrack app to make this request.
10. Children's Privacy
SapTrack is not intended for use by individuals under the age of 16 as direct users. Business owners may add member records of minors only with verifiable consent from a parent or legal guardian, and remain responsible for that consent.
11. Cross-Border Data Transfer
Some of our infrastructure providers (Supabase, Firebase, Razorpay) may store or process data in regions outside India. By using SapTrack, you consent to this transfer. We select providers that maintain industry-standard security and data-protection practices.
12. Changes to This Policy
We may update this policy from time to time as our features or third-party providers change. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated to business owners via in-app notification or email before they take effect.
13. Contact Us
If you have questions about this privacy policy, contact us at:
Email: support@saptrack.in
For general questions or support requests, see our Contact page.