SFL
SmartFacilityLabs
  • Home
  • Features
  • Contact
Request Demo

Privacy Policy

Version 2.0 · Last updated: 12 July 2026 · SmartFacilityLabs Pvt Ltd

This Privacy Policy explains how SmartFacilityLabs Pvt Ltd ("SFL", "we", "our", "us") collects, uses, discloses, stores and protects personal data in connection with the SFL platform — our web applications, our control panel, our Android and iOS mobile applications, and our website at smartfacilitylabs.com (together, the "Platform").

It is written to comply with the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 ("DPDP"), the Information Technology Act, 2000 and the rules made under it, and the Google Play Developer Program Policies.

Please read Section 2 carefully. It explains who is legally responsible for your data, which is different depending on who you are.

1. Who We Are and How to Reach Us

SmartFacilityLabs Pvt Ltd
HSR Layout, Bangalore, Karnataka 560102, India

Grievance Officer (as required under the DPDP Act and the IT Act):
Email: support@smartfacilitylabs.com
Phone: +91-7338662091
We acknowledge every grievance within 72 hours and aim to resolve it within 30 days.

General privacy queries: support@smartfacilitylabs.com

2. Our Role: Who Is Responsible for Your Data

Under the DPDP Act, the entity that decides why and how personal data is processed is the Data Fiduciary. An entity that merely processes data on the Data Fiduciary's instructions is a Data Processor. Our role changes depending on who you are:

2.1 If you are an employee or worker using the SFL app at a site

Your employer — the facility management company, property owner or association that engages you and subscribes to SFL — is the Data Fiduciary. They decide what is collected, why, for how long, and who sees it. They are also responsible for obtaining any consent required under employment law and for telling you what they will do with your data.

SFL acts as a Data Processor. We process your data only on your employer's documented instructions, under a written agreement with them. We do not decide the purposes of that processing, we do not use it for our own purposes, and we do not sell it.

If you want your data corrected or deleted, or you want to know why something is being collected, speak to your employer first. We will support them in responding to you. You may also contact our Grievance Officer, and we will route your request appropriately.

2.2 If you are a website visitor, a prospect, or a client administrator

SFL is the Data Fiduciary. We decide why and how we process your data, and you may exercise all your rights (Section 9) directly with us.

3. Personal Data We Collect

We collect only what the Platform needs to function. We do not collect data for advertising, and we do not build behavioural profiles for marketing.

3.1 Identity and account data

  • Name, mobile number, email address, employee or staff identifier
  • Designation or role, department, and the site(s) you are assigned to
  • Your employer (the FM company or association) and your reporting relationships
  • Login credentials (passwords are stored only as salted cryptographic hashes; we never store or transmit them in plain text)

3.2 Attendance data

  • Check-in and check-out timestamps, shift and roster records, leave and overtime records
  • A photograph of your face ("selfie") captured at check-in and check-out, used to confirm that the person marking attendance is the person recorded — see Section 4
  • The GPS coordinates of your device at the moment of check-in and check-out, and whether that location was inside or outside the site boundary

3.3 Location data

  • Point-in-time location captured when you perform an action in the app: marking attendance, submitting a checklist, completing an inspection or logging a maintenance task. This records where the work was carried out.
  • Continuous background location ("route tracking") — collected only if your employer enables this feature for you, only while you are checked in for a shift, and only after you have given consent in the app. See Section 5, which describes this in full.

3.4 Operational and facility data

  • Checklists, inspection records, audit findings, maintenance and service logs, work orders and complaints, along with the identity of the person who submitted them
  • Photographs and files you upload as evidence of work performed
  • Asset records, meter readings, utility and energy consumption data, and IoT sensor readings
  • Visitor, vendor and staff records imported from third-party systems by your employer

3.5 Communications data

  • Messages you send through the in-app chat, including the text of those messages
  • Voice recordings, where you use the voice messaging feature — see Section 4
  • Support tickets, complaints and correspondence with us
  • Push notification tokens, so we can deliver alerts to your device

3.6 Device and technical data

  • Device model, operating system version, app version and device identifiers
  • IP address, browser type and access timestamps
  • Battery level and network status of the mobile device (used to diagnose gaps in attendance or location data)
  • Application logs and diagnostic data

3.7 Website and marketing data

  • Name, email, phone, company and message when you submit an enquiry or request a demo
  • Pages visited, session duration and interaction data collected via essential and analytics cookies (Section 12)

4. Sensitive Data: Face Images and Voice Recordings

Two categories of data we handle deserve special attention, and we treat them with heightened care.

4.1 Face images (attendance selfies)

What we do: The app captures a photograph of your face when you mark attendance. It is stored against that attendance record and shown to your supervisor so they can confirm attendance was marked by the right person.

What we do not do: Except where expressly stated below, we do not run automated facial recognition, we do not generate a mathematical face template or faceprint, we do not match your face against any database, and we do not use your image to identify you anywhere else.

If your employer enables automated facial recognition attendance (a feature some customers use in place of, or alongside, the selfie), then a mathematical representation of your face is generated and compared against a stored template in order to identify you. This constitutes biometric data. Where this feature is enabled:

  • Your employer must obtain your separate, explicit, written consent before enrolment. We require this of them contractually.
  • You must be told, before enrolment, what is stored, for how long, and how to withdraw.
  • You may withdraw consent at any time, after which the face template is deleted and attendance reverts to another method.
  • Face templates are encrypted at rest and are never shared outside your employer's account.

If you are not sure whether facial recognition is enabled for you, ask your employer, or contact our Grievance Officer and we will tell you.

4.2 Voice recordings

If you use the voice messaging feature in the in-app chat, your recording is converted to text (and, where you have selected a different reading language, translated) so that colleagues who speak other languages can understand you. Processing is carried out by a speech-processing provider under contract to us. Recordings are used only to produce the message you sent, are not used to train any model without a separate agreement, and are retained in accordance with Section 8.

5. Background Location — Field Officer Route Tracking

Some SFL customers enable route tracking for staff who travel between multiple sites during their working day — field officers, auditors, supervisors and area managers. This section is written to be read on its own, and it is the disclosure we present to you in the app before tracking begins.

5.1 What is collected

GPS coordinates (latitude, longitude and accuracy), together with the time of each reading, the battery level of your device, and whether the device was moving. Readings are taken periodically — typically every one to five minutes — while tracking is active.

5.2 Why access to location in the background is required

Field officers keep their phone in a pocket or bag while travelling between sites, with the screen off and the app closed. If the app could only read your location while it was open on screen, the recorded route would have a gap every time you locked your phone, and the feature would not work. Access to location in the background is therefore necessary for this feature to function at all.

5.3 When it runs — and when it does not

  • Tracking starts when you check in for your shift.
  • Tracking stops automatically when you check out, or when the system automatically closes your shift.
  • Tracking does not run outside your working shift. It does not run at night, at weekends, on your days off, or before you have checked in.
  • A permanent notification is displayed on your device for the entire time tracking is active. If that notification is not visible, tracking is not running.

5.4 What is done with it

Your location readings are used to construct a record of your working day: the places you stopped, when you arrived and left, and how long you stayed. Where a stop falls within a site your employer has registered, it is labelled with that site's name. Where it does not, it may be labelled using a mapping service, or left as an unnamed location with coordinates only.

5.5 Who sees it

Your route is visible to authorised managers within your employer's organisation, for operational oversight. You can see your own route in the app. It is not visible to other employers, to other customers of SFL, or to the public.

5.6 Your control

  • You are asked for your consent in the app, in plain language, before tracking begins for the first time. You may decline.
  • You may turn tracking off at any time from the attendance screen, including part-way through a shift.
  • You may revoke the location permission entirely in your device settings.
  • Your attendance continues to work whether tracking is on or off. Declining tracking does not prevent you from checking in, being paid, or using any other part of the app.

If tracking is not recording — because location is switched off, permission has been withdrawn, or your device has stopped the app — the app tells you so on screen, and the gap is shown honestly to your manager as a period with no data. We do not present an incomplete route as though it were complete.

5.7 A note on your employment

Route tracking is a feature your employer chooses to enable. Any question about whether you are required to use it, and any consequence of declining, is a matter between you and your employer under your contract of employment and applicable labour law. SFL does not make that decision and cannot answer it for you. We provide the technical means to decline, and we record honestly when tracking is off.

6. Why We Process Your Data (Purpose and Lawful Basis)

PurposeData usedBasis
Operating the Platform for your employerIdentity, attendance, operationalEmployment / contract, on your employer's instruction
Recording attendance and calculating payAttendance, selfie, punch locationEmployment / legitimate use
Route trackingBackground locationYour consent, given in the app
Facial recognition attendance (where enabled)Biometric face templateYour separate explicit consent
Reporting and analytics for your employerOperational, attendanceEmployer's instruction
Security, fraud prevention, audit trailsDevice, technical, logsLegitimate use / legal obligation
Sales, demos, marketingWebsite enquiry dataYour consent

We do not use your data for any purpose beyond those listed above without telling you first and, where required, obtaining fresh consent.

7. Disclosure and Sharing

We do not sell personal data. We have never sold personal data. We do not share personal data with advertisers or data brokers.

We disclose personal data only as follows:

  • To your employer. Authorised users within your employer's organisation can see your data, according to the permissions your employer configures.
  • To sub-processors who help us run the Platform, under written contracts requiring confidentiality and security equivalent to our own. Our current categories of sub-processor are: cloud hosting and storage (Amazon Web Services), messaging and notification delivery (including WhatsApp Business and Firebase Cloud Messaging), speech and language processing (for the voice chat feature), mapping and geocoding (for naming locations), and AI model providers (for AI-generated summaries and insights). A current list is available on request to support@smartfacilitylabs.com.
  • To legal and regulatory authorities, where required by law, a court order, or a lawful request from a competent authority, or to establish, exercise or defend legal claims.
  • In a corporate transaction (merger, acquisition, restructuring), subject to the acquirer being bound by protections no less protective than this Policy. You will be notified.

7.1 Cross-border transfers

Personal data is primarily stored and processed in India. Some sub-processors — in particular certain AI model providers — process data outside India. Where this occurs, we transfer only what is necessary, under contractual safeguards, and in accordance with Section 16 of the DPDP Act. We do not transfer data to any country that the Central Government has restricted.

8. Retention

We retain personal data only for as long as it is needed for the purpose it was collected for, or for as long as your employer instructs us to, or as required by law — whichever is longer.

  • Attendance and payroll records: retained per your employer's instruction and applicable Indian labour and tax law (typically 3–8 years).
  • Location and route data: retained for the period agreed with your employer. We recommend, and default to, a short retention period.
  • Attendance selfies: retained alongside the attendance record they belong to.
  • Biometric face templates (where facial recognition is enabled): deleted immediately on withdrawal of consent or on the end of your engagement.
  • Voice recordings: retained only as long as needed to deliver the message and any dispute period agreed with your employer.
  • Processing logs: retained for one year, as required under the DPDP Rules.

When your employer's account with us is terminated, we return or delete their data in accordance with our agreement with them.

9. Your Rights

Under the DPDP Act you have the following rights. If SFL is the Data Fiduciary (Section 2.2), exercise them with us directly. If your employer is the Data Fiduciary (Section 2.1), address them to your employer — and if you cannot get a response, contact our Grievance Officer and we will help.

  • Right to access a summary of the personal data we process about you, and the identities of those with whom it has been shared.
  • Right to correction, completion and updating of inaccurate or incomplete data.
  • Right to erasure of your data, unless retention is required by law or for a legitimate specified purpose.
  • Right to withdraw consent at any time, as easily as it was given. Withdrawal does not affect processing already carried out. Withdrawing consent for route tracking or facial recognition does not affect your ability to use the rest of the Platform.
  • Right to grievance redressal — contact our Grievance Officer (Section 1). If you are not satisfied with our response, you may complain to the Data Protection Board of India.
  • Right to nominate another individual to exercise your rights in the event of your death or incapacity.

We will respond to any verified request within 30 days.

10. Security

We implement reasonable security safeguards appropriate to the sensitivity of the data, including:

  • Encryption of data in transit (TLS) and of application payloads (AES-256)
  • Encryption of data at rest, including all photographs and biometric templates
  • Role-based access control, so that users see only the sites and data they are authorised for
  • Logical separation of each customer's data, so that one customer cannot access another's
  • Passwords stored only as salted cryptographic hashes
  • Access logging and audit trails, retained for one year
  • Regular review of access rights, dependencies and infrastructure configuration

No system is perfectly secure, and we do not claim otherwise. In the event of a personal data breach, we will notify the affected individuals and the Data Protection Board of India in the form and within the timelines required by the DPDP Rules, and we will notify CERT-In where required.

11. Children

The Platform is a workplace tool and is not directed at children. We do not knowingly collect personal data of any individual under 18 years of age. If we become aware that we have done so, we will delete it. Where a customer's operations may involve individuals under 18, that customer is responsible for obtaining verifiable parental consent as required under the DPDP Act, and must tell us in advance.

12. Cookies

Our website uses essential cookies necessary for the site to function, and analytics cookies to understand how the site is used. You can control cookies through your browser settings. Our mobile applications do not use advertising identifiers and contain no advertising SDKs.

13. Automated Decision-Making

The Platform generates AI-assisted summaries, reports, alerts and insights from facility and operational data. These are decision-support tools presented to human managers. SFL does not make automated decisions about your employment, pay or discipline. Any such decision is made by your employer, by a person, and any question about it should be raised with them.

14. Changes to This Policy

We may update this Policy. Where a change is material — in particular, where we begin collecting a new category of data or processing it for a new purpose — we will notify affected users in the app or by email, and, where the law requires it, seek fresh consent before the change takes effect. The version number and date at the top of this page always reflect the current version.

15. Contact

SmartFacilityLabs Pvt Ltd
HSR Layout, Bangalore, Karnataka 560102, India
Privacy queries: support@smartfacilitylabs.com
Grievance Officer: support@smartfacilitylabs.com
Phone: +91-7338662091

If you are not satisfied with our response, you have the right to complain to the Data Protection Board of India.

SFL
SmartFacilityLabs

India's most intelligent facility management platform.

Platform
IoT PlatformPredictive MaintenanceAgentic AIESG
Company
FeaturesContact UsClient Login
Legal
Privacy PolicyTerms of Service
© 2026 Smart Facility Labs Pvt Ltd. All rights reserved.
Privacy PolicyTerms of Service