Ellora EPC Pvt Ltd

Privacy Policy

Internal Use Only. This application is operated by Ellora EPC Pvt Ltd for the exclusive use of its own employees, contractors, and authorised vendors. It is not offered to the general public and is not available on consumer app stores under a public listing.

Last updated: 19 May 2026

1. Scope

This Privacy Policy explains how the Ellora EPC ERP application (the "App") — provided to authorised personnel of Ellora EPC Pvt Ltd ("Ellora EPC", "we", "us") — collects, uses, and protects information when employees, contractors, vendors, or other authorised users (each a "User") access the App on web or Android devices.

By signing in to the App, the User acknowledges and accepts this Policy. Access is granted solely under the User's employment, contractor, or vendor relationship with Ellora EPC, and may be revoked at any time.

2. Information We Collect

To operate the ERP, the App collects only the data needed to deliver business workflows:

  • Account & profile data — name, work email, phone, employee ID, department, designation, reporting manager, RBAC role.
  • Operational data — projects, BOQ, WBS, daily progress reports, site visit reports, procurement records, RA bills, attendance, HSE incidents, tasks, dependencies, and approvals you create or interact with.
  • Device & location data — GPS coordinates and timestamp when you punch in/out or capture a site visit; device model, OS version, and IP address for security auditing.
  • Camera & media — photos / videos you explicitly capture for DPR, SVR, HSE incidents, or face-verified attendance. Face descriptors used for verification are stored as encoded vectors, not raw images.
  • Files you upload — drawings, documents, invoices, and other attachments stored in our project storage.
  • Authentication tokens — JWT session tokens kept securely on your device for the duration of your active session; logging out invalidates the token server-side.
  • Diagnostic & audit logs — anonymised request logs (endpoint, status, latency) for security monitoring; full audit trails of who created, modified, or deleted records.

The App does not collect contacts, SMS, call logs, browsing history outside the App, advertising identifiers, or biometric data from your device's hardware (face/fingerprint sensors stay on-device under Android's BiometricPrompt API).

3. How We Use the Data

All data is used strictly for legitimate business operations:

  • Running ERP workflows: project execution, procurement, billing, HR, attendance, quality, HSE.
  • Calculating cost performance, EVM metrics, and management reports.
  • Enforcing access control, audit trails, and statutory compliance.
  • Sending in-app notifications, optional email digests, and approval prompts.
  • Investigating security incidents and preventing misuse.

We do not sell, rent, monetise, or share your data with advertisers or unaffiliated third parties.

4. Data Storage & Security

  • Data is stored on infrastructure managed by Ellora EPC and its hosting providers, with encryption in transit (HTTPS / TLS) and at rest.
  • Passwords are stored as bcrypt hashes, never in plain text.
  • Session tokens are JWT-based with a server-side denylist on logout (active-session control).
  • RBAC + department-scoped access ensures users only see data relevant to their role.
  • Security findings from periodic audits are tracked and remediated.

Despite our safeguards, no system is 100% secure. Users should report any suspected breach immediately to the IT team.

5. Data Retention

Operational records are retained for the duration of the User's engagement with Ellora EPC and for periods mandated by Indian statutory, contractual, and audit requirements (e.g. Companies Act, Income Tax Act, GST, EPF, labour laws). Project and financial records are typically retained for at least 8 years post-completion.

Upon termination of engagement, a User's account is deactivated; personal data may be anonymised or deleted upon written request to hr@elloraepc.com, subject to overriding legal-retention obligations.

6. Permissions Requested by the Android App

The App requests Android permissions only when necessary, and only when the User initiates the corresponding action:

  • Camera — to capture DPR/SVR/HSE photos and for face-verified attendance.
  • Location (fine) — to geo-stamp punch-in/out and site visit reports.
  • Storage / Photos — to upload attachments you choose.
  • Internet & Network state — to reach the ERP backend.
  • Notifications (Android 13+) — for in-app pings on tasks, approvals, and alerts.

All permissions can be revoked from Android Settings → Apps → Ellora EPC ERP → Permissions at any time.

7. Children's Privacy

The App is intended for adult employees and authorised personnel only. It is not directed to children under 18. We do not knowingly collect personal data from minors.

8. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified inside the App and via email to active Users. Continued use after the effective date constitutes acceptance.

9. Contact Us

For any questions, data-access or deletion requests, or grievances regarding privacy, please contact:

Ellora EPC Pvt Ltd
Grievance Officer · Data Privacy
© 2026 Ellora EPC Pvt Ltd. All rights reserved. This Policy is governed by the laws of India and any disputes shall be subject to the exclusive jurisdiction of courts in Pune, Maharashtra.