CNYKRA

Legal

Privacy Policy

Effective 2026-07-03

Draft — under legal review. This page is provided for information and is being reviewed by counsel; it is not yet final.

This Privacy Policy explains how Cnykra Technologies (“Cnykra”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data in connection with our multi-tenant hotel-management software-as-a-service platform (the “Services”), including:

  • the operator dashboard (dash.cnykra.com),
  • the property-management system (PMS), channel manager, and subscription billing tools used by hotels,
  • per-hotel direct-booking and landing websites (<hotel>.cnykra.com and any hotel-owned domains connected to the Services),
  • the WhatsApp inbox, messaging automation, and AI chatbot features, and
  • our own marketing site and API (api.cnykra.com).

This policy applies to (a) the hotels and their staff who use Cnykra as customers, and (b) the guests of those hotels whose data passes through the Services.

Read this policy together with our Cookie and Tracking Notice and our Data Processing Agreement overview. For questions about children’s data or our sub-processor register, contact connect@cnykra.com.

1. Who we are

Cnykra Technologies B-6, Mukherjee Colony, Shastri Nagar, Jaipur – 302016, Rajasthan, India Email: connect@cnykra.com

[CONFIRM: legal entity type — sole proprietorship / LLP / Private Limited Company] [CONFIRM: GSTIN] [CONFIRM: CIN, if incorporated as a company]

2. The two roles Cnykra plays under the DPDP Act (read this first)

This is the single most important thing to understand about how Cnykra handles personal data. Under the Digital Personal Data Protection Act, 2023, an organisation that processes personal data is either a Data Fiduciary (the entity that decides why and how data is processed, and that owes duties directly to the individual) or a Data Processor (an entity that processes data on behalf of a Data Fiduciary, under contract). Cnykra plays both roles, depending on whose data is at issue:

Whose dataCnykra’s roleWho is the Data FiduciaryWho a data principal deals with
Hotel owner / staff account data (the people who log into dash.cnykra.com)Data FiduciaryCnykraCnykra, directly
Cnykra’s own subscription billing data (for the hotel as our customer)Data FiduciaryCnykraCnykra, directly
Hotel guest data (the people who book rooms, stay, and are messaged by the hotel)Data ProcessorThe hotel operating the propertyThe hotel, with Cnykra providing supporting tools

In practice:

  • When a hotel signs up for Cnykra, each hotel is the Data Fiduciary for its own guests’ personal data. The hotel decides what guest data to collect, obtains the guest’s consent (e.g., at booking or check-in), and is responsible for lawful processing under the DPDP Act. Cnykra processes that guest data only on the hotel’s instructions, as set out in our customer terms of service and a data processing agreement (see the DPA overview).
  • When Cnykra processes the personal data of a hotel’s owner and staff — to create their account, operate the dashboard, bill the hotel’s subscription, provide support, and secure the platform — Cnykra is the Data Fiduciary and deals directly with that person on rights requests.
  • Cnykra is never the Data Fiduciary for guest data. If you are a hotel guest and want to exercise a data-protection right, you should generally go through the hotel first (see Section 5).

3. What data we collect, and why

3.1 Account data (Cnykra is the Data Fiduciary)

Collected from hotel owners and staff who use the Services.

CategoryExamplesWhy we collect itLawful basis
Identity & contactName, email address, phone numberCreate and manage user accounts; communicate about the ServicesConsent (at signup) / performance of contract
CredentialsHashed password, session/device tokensAuthenticate access; secure accountsPerformance of contract
Billing & taxBilling name/address, GST details, subscription plan, payment history (via Razorpay)Invoice the hotel for its Cnykra subscription; comply with tax lawPerformance of contract; legal obligation
Usage & audit logsLogin times, actions taken in the dashboard, device/IP metadataSecurity, fraud prevention, troubleshooting, audit trailLegitimate use / legal obligation
Support communicationsMessages sent to connect@cnykra.com or in-app supportRespond to queries and resolve issuesConsent / performance of contract

3.2 Guest data (Cnykra is the Data Processor, hotel is the Data Fiduciary)

Collected by a hotel through the Services (booking engine, front-desk PMS, WhatsApp, chatbot, call-capture) on that hotel’s own behalf and instructions.

CategoryExamplesTypical purpose (set by the hotel)
IdentityName, date of birth, anniversary, nationalityReservation records, guest recognition, hotel-authored marketing (e.g. birthday messages)
ContactPhone number, email address, addressBooking confirmations, WhatsApp messaging, invoices
Government IDID document type/number and a scanned or photographed image, including Form C details for foreign national guestsStatutory guest-registration requirements (police/FRRO reporting where applicable)
Stay & financialReservation dates, room, rate, folio/billing line items, payment recordsOperating the reservation and billing the guest for their stay
CommunicationsWhatsApp conversation history with the hotel, call-capture events (missed/received reception calls)Guest service, follow-up, hotel-authored automated messages
PreferencesLoyalty program activity, tags, and internal notes added by hotel staffGuest relationship management by the hotel

Cnykra does not decide why this data is collected — the hotel does, as part of running its property, and is responsible for having a lawful basis (typically the guest’s consent, given to the hotel at time of booking/check-in, or a legal obligation such as ID-verification/Form-C reporting under applicable law). Cnykra’s role is to provide the software the hotel uses to collect, store, and act on that data securely, and to process it strictly per the hotel’s instructions and our contract with the hotel.

4. How guest data is processed on hotels’ behalf

Because Cnykra is a Data Processor for guest data, we:

  • process guest personal data only to provide the Services to the hotel (e.g., store a reservation, send a booking confirmation, power the WhatsApp inbox and AI chatbot, run the channel manager) and only on the hotel’s documented instructions;
  • do not sell guest personal data, and do not use it for our own independent marketing or profiling purposes;
  • maintain strict tenant (per-hotel) data isolation in our systems — one hotel cannot see another hotel’s guest data (see Section 7);
  • engage sub-processors (Section 6) solely to help deliver the Services, under contractual confidentiality and security obligations;
  • assist the hotel in responding to guest rights requests and, where legally required, in reporting personal data breaches;
  • return or delete guest personal data at the end of the relationship with a hotel, subject to statutory retention obligations (Section 8).

If you are a hotel guest, the specific promises made to you about your data — what’s collected, why, and for how long — are set by the hotel’s own privacy notice, which the hotel is responsible for providing to you (typically at booking or check-in). This Cnykra policy describes the platform-level protections that apply underneath every hotel’s use of the Services.

5. Data principal rights (DPDP Act, Sections 11–14)

The DPDP Act gives individuals (“data principals”) the right to:

  1. Access — obtain a summary of personal data processed and the processing activities.
  2. Correction and completion — have inaccurate or incomplete data corrected or completed.
  3. Erasure — have personal data erased once it’s no longer needed for the purpose it was collected for (subject to legal retention requirements).
  4. Grievance redressal — raise a grievance and have it addressed within the statutory timeline.
  5. Nomination — nominate another individual to exercise these rights on your behalf in the event of death or incapacity.

How these rights are exercised depends on whose data it is:

You are…How to exercise your rights
A hotel owner or staff member with a Cnykra accountContact Cnykra directly at connect@cnykra.com, or use in-dashboard profile/account settings where available. We are the Data Fiduciary for this data and will respond directly.
A hotel guestContact the hotel you booked with or stayed at — they are the Data Fiduciary responsible for your data and for responding to your request. Cnykra provides the hotel with export and erasure tooling in the dashboard so that hotels can action guest requests (including deletion/anonymisation requests) promptly. If you are unable to reach the hotel, you may write to connect@cnykra.com and we will make reasonable efforts to route your request to the relevant hotel.

We will verify the identity of the person making a request before acting on it.

6. Sub-processors and cross-border data transfers

Cnykra uses a number of specialist service providers (“sub-processors”) to deliver the Services. Some of these providers process data outside India. Under DPDP Act Section 16, cross-border transfer of personal data is permitted unless the destination is a country restricted by the Central Government, and this policy discloses that such transfers occur.

As of this policy, sub-processors include (non-exhaustively):

  • Cloudflare — content delivery, Pages hosting, and object storage (R2), global infrastructure.
  • Meta Platforms (Ireland/US) — WhatsApp Cloud API, when a hotel enables Meta-based WhatsApp messaging.
  • An Evolution API host — bridges WhatsApp-Web-based messaging where a hotel uses that connection method.
  • Anthropic, OpenAI, and Google — AI model providers powering the optional AI chatbot feature, used only when a hotel connects its own (“bring your own key”) account with one of these providers.
  • Razorpay — payment processing for guest payments and hotel subscription billing.
  • Our infrastructure/VPS hosting provider.

We require sub-processors to protect personal data under contractual confidentiality and security commitments consistent with this policy. For the current detailed sub-processor list, contact connect@cnykra.com.

7. Multi-tenant data isolation

Cnykra’s platform is built so that each hotel’s data — including its guests’ data — is logically isolated from every other hotel on the platform. Access controls, authentication, and our data layer are designed so that one hotel’s staff cannot access another hotel’s records through normal use of the Services.

8. Retention

We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law. Key points:

  • Guest erasure requests, once actioned by a hotel, result in the guest’s identity being anonymised and non-statutory personal data being deleted promptly.
  • Statutory records — including GST-related billing records and Form C foreign-guest registration records — are retained for the period required by applicable law, approximately 8 years [CONFIRM: exact statutory retention period], before being scrubbed, even if an erasure request is made earlier.
  • Account data is retained for the duration of the hotel’s relationship with Cnykra plus a reasonable period thereafter for legal, tax, and dispute-resolution purposes.

9. Security measures

We apply the following technical and organisational measures to protect personal data (this list describes the platform generally; it is not an exhaustive security audit):

  • Encryption in transit via TLS on all Services.
  • Envelope encryption (AES-256-GCM) for sensitive stored secrets and credentials.
  • Passwords and device authentication tokens stored as one-way bcrypt hashes, never in plaintext.
  • Token-based (JWT) authentication with short-lived access tokens.
  • Strict per-hotel (tenant) data isolation, enforced at the application data-access layer.
  • Audit logging of key account and administrative actions.

No system is completely secure, and we cannot guarantee absolute security.

10. Grievance redressal

If you have a concern, complaint, or grievance about how your personal data is handled by Cnykra (in our capacity as Data Fiduciary — see Section 2), please contact:

Grievance Officer: [CONFIRM: name of designated Grievance Officer] Email: connect@cnykra.com Address: B-6, Mukherjee Colony, Shastri Nagar, Jaipur – 302016, Rajasthan, India

We will acknowledge and address grievances within the timeline required by the DPDP Act and its rules. [CONFIRM: target response SLA to state publicly, if any].

Significant Data Fiduciary status: As of the date of this policy, Cnykra has not been notified by the Central Government as a “Significant Data Fiduciary” under the DPDP Act. Certain additional obligations that apply to Significant Data Fiduciaries — including the mandatory appointment of a Data Protection Officer based in India and periodic Data Protection Impact Assessments — do not currently apply to us. We will update this policy if our status changes.

If you are a hotel guest with a grievance about how a hotel has handled your data, you should raise it with the hotel first, as they are the Data Fiduciary responsible for your data (see Section 2 and Section 5).

11. Children’s data

The Services are business software sold to hotels (a B2B product) and are not directed at children. However, hotel guests under the age of 18 may appear in booking and stay records (for example, as a family member on a reservation). Hotels are required to obtain verifiable parental or guardian consent where applicable, and Cnykra prohibits tracking, behavioural monitoring, or targeted advertising directed at children. Contact connect@cnykra.com with any questions about children’s data.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will post the updated policy at this location with a revised “Last updated” date, and where changes are material, we will provide additional notice [CONFIRM: notice method — email, in-dashboard banner, etc.].

13. Contact us

Questions about this policy, or about how Cnykra handles personal data, can be sent to:

Cnykra Technologies Email: connect@cnykra.com Address: B-6, Mukherjee Colony, Shastri Nagar, Jaipur – 302016, Rajasthan, India

See also: Cookie and Tracking Notice · Data Processing Agreement overview

Cnykra Technologies

B-6, Mukherjee Colony, Shastri Nagar, Jaipur – 302016, Rajasthan, India

connect@cnykra.com

Start free trial