1. Who We Are
Invasystems Pvt Ltd ("Invasystems", "we", "us", or "our") is a private limited company incorporated in India. We develop and operate FieldDNA, an enterprise SaaS platform designed to automate and optimise field sales operations for FMCG, pharmaceutical, and consumer goods companies.
For the purposes of applicable data protection law, Invasystems Pvt Ltd acts as the data controller in relation to information we collect directly from visitors to our website and from users of the FieldDNA platform. Where we process data on behalf of our enterprise customers (subscribers), we act as a data processor under the customer's instructions (see our Data Processing Agreement for details).
Registered address: [REGISTERED ADDRESS], Pune, Maharashtra, India — [PIN CODE]
CIN: [CORPORATE IDENTIFICATION NUMBER]
2. Scope of This Policy
This Privacy Policy applies to:
- Visitors to our website(s) and marketing pages, including [fielddna.com / dna.invasystems.com]
- Individuals who register for, or use, the FieldDNA platform (including field sales representatives, sales managers, regional heads, and administrators)
- Prospective customers who request demos, download resources, or communicate with our sales and support teams
This Policy does not apply to data our enterprise customers upload or process using FieldDNA (e.g., their own customer records or outlet databases). That data is governed by the relevant customer's privacy policy and our Data Processing Agreement.
3. Information We Collect
3.1 Information You Provide to Us
| Category | Examples | When Collected |
|---|---|---|
| Account & identity information | Full name, work email address, job title, company name, phone number | Account registration, demo requests, contact forms |
| Authentication credentials | Username, hashed password, MFA tokens | Account creation and login |
| Profile data | Role, reporting hierarchy, assigned territory/beat | Set up by administrator or during onboarding |
| Communications | Emails, support tickets, in-app messages, feedback | Whenever you contact us |
| Payment & billing | Billing address, GST/tax identification, invoice records (card details handled by our payment processor) | Subscription purchase and renewal |
3.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device & technical data | IP address, browser type and version, OS, device identifier, screen resolution | Security, compatibility, fraud prevention |
| Usage & activity data | Pages visited, features accessed, clicks, session duration, module activity logs, reports generated | Platform improvement, support, analytics |
| Location data | GPS coordinates and location history (field sales representatives using the mobile app, with in-app permission) | Route optimisation, attendance and beat plan verification, compliance reporting |
| Log data | Access logs, error logs, API call records, timestamps | Security monitoring, debugging, SLA tracking |
| Cookies & tracking | Session cookies, analytics cookies, preference cookies | Authentication, analytics, personalisation — see our Cookie Policy |
3.3 Information From Third Parties
We may receive information about you from:
- Your employer / our enterprise customer — when your company subscribes to FieldDNA and provisions your account
- Single Sign-On (SSO) providers — such as Microsoft Azure AD or Google Workspace, if your organisation uses SSO
- Analytics and marketing partners — aggregated or pseudonymised data to help us understand platform engagement and marketing performance
- Payment processors — transaction confirmation and fraud signals (we do not receive full card numbers)
4. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Types of Data Used |
|---|---|
| Providing, operating, and maintaining the FieldDNA platform | Account data, usage data, location data, credentials |
| Processing and managing subscriptions and billing | Billing data, account data, communications |
| Customer support and responding to enquiries | Communications, account data, usage logs |
| Platform personalisation and AI-powered recommendations (Smart Route Optimisation, Upsell & Cross-Sell) | Usage data, location data, order history |
| Security, fraud detection, and access control | Device data, log data, credentials |
| Analytics and product improvement | Usage data, device data (aggregated or pseudonymised where possible) |
| Sending transactional communications (account alerts, password resets, billing notifications) | Account data, communications |
| Sending marketing communications (product updates, newsletters, event invitations) | Account data, communications — with consent or legitimate interest, with opt-out available |
| Compliance with legal obligations and enforcement of our Terms | All applicable categories |
| Route adherence monitoring and field activity reporting on behalf of enterprise customers | Location data, attendance data (processed as a data processor per the customer's instructions) |
5. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases under GDPR / UK GDPR:
- Contract performance — Processing necessary to deliver the FieldDNA service to you or your employer.
- Legitimate interests — Security monitoring, fraud prevention, analytics, and direct marketing to existing customers where our interests are not overridden by your rights.
- Legal obligation — Compliance with applicable laws, including tax, accounting, and law enforcement requests.
- Consent — Where we rely on your consent (e.g., non-essential cookies, certain marketing emails), you may withdraw it at any time without affecting prior processing.
For processing of location data, which may constitute sensitive processing in certain jurisdictions, we rely on your explicit consent (obtained via the mobile app permission prompt) and, where applicable, the contractual necessity of providing route optimisation services.
6. How We Share Your Information
We do not sell your personal data. We share it only as follows:
6.1 Within Our Organisation
Access to personal data is limited to employees and contractors who need it to perform their job functions, and is governed by internal access controls and confidentiality obligations.
6.2 With Enterprise Customers (Your Employer)
If you access FieldDNA as an end user through your employer's subscription, your employer has access to data relating to your platform use, attendance, location, and performance reports in their role as the data controller. Please refer to your employer's privacy policy for information on how they process this data.
6.3 With Sub-Processors and Service Providers
| Service Provider Category | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure (Microsoft Azure) | Hosting, storage, compute | All platform data (encrypted at rest and in transit) |
| Payment processor ([e.g., Razorpay / Stripe]) | Subscription billing | Billing address, transaction data (not card numbers) |
| Email delivery service | Transactional and marketing emails | Email address, name |
| Analytics provider | Product analytics | Pseudonymised usage data |
| Customer support platform | Helpdesk ticketing | Support communications, account data |
| Error monitoring | Bug tracking and debugging | Log data, device data (no PII by default) |
All sub-processors are bound by data processing agreements and are required to maintain appropriate security measures.
6.4 Legal and Safety Disclosures
We may disclose information where required by law, court order, or government authority, or where necessary to protect the rights, property, or safety of Invasystems, our customers, or the public.
6.5 Business Transfers
In the event of a merger, acquisition, asset sale, or restructuring, personal data may be transferred to the acquiring entity, subject to the same privacy protections.
7. International Data Transfers
FieldDNA is hosted on Microsoft Azure infrastructure. Data may be stored and processed in Azure data centres located in India (primary) and, for certain sub-processors, in other regions including the European Economic Area or the United States.
Where we transfer personal data outside India or the EEA, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the relevant supervisory authority
- Binding Corporate Rules or other recognised transfer mechanisms
8. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Policy, or as required by applicable law. Our standard retention practices are:
| Data Category | Retention Period |
|---|---|
| Active account data | Duration of the subscription, plus 90 days post-termination (to allow data export) |
| Location and attendance logs | Up to 3 years (or as specified in the enterprise customer agreement) |
| Financial and billing records | 7 years (as required by Indian tax and accounting regulations) |
| Support communications | 3 years from last interaction |
| Marketing contact data | Until opt-out or 3 years from last engagement, whichever is earlier |
| Security and access logs | 12 months |
| Anonymised analytics data | Indefinitely (as it cannot be linked back to individuals) |
Upon expiry of the retention period, data is securely deleted or anonymised.
9. Security
We implement industry-standard technical and organisational measures to protect your data, including:
- Encryption: TLS 1.2+ in transit; AES-256 at rest on Azure infrastructure
- Access controls: Role-based access control (RBAC), multi-factor authentication for administrative access
- Network security: Firewalls, intrusion detection, DDoS mitigation via Azure security services
- Vulnerability management: Regular penetration testing, security patching, and dependency scanning
- Data minimisation: Collection limited to what is necessary for stated purposes
- Employee training: All staff complete data protection and security awareness training
However, no method of transmission or storage is 100% secure. If you suspect unauthorised access to your account, please contact us immediately at security@invasystems.com.
10. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
| Right | Description | Applicable Jurisdictions |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | India (DPDPA), EEA/UK (GDPR) |
| Correction | Ask us to correct inaccurate or incomplete data | India, EEA/UK, most jurisdictions |
| Erasure ("Right to be Forgotten") | Request deletion of your data where no longer necessary or where consent is withdrawn | EEA/UK, California (CCPA, right to delete), India (DPDPA) |
| Restriction | Ask us to restrict processing in certain circumstances | EEA/UK |
| Portability | Receive your data in a structured, machine-readable format | EEA/UK |
| Object to processing | Object to processing based on legitimate interests or for direct marketing | EEA/UK |
| Opt out of sale / sharing | We do not sell data. You may opt out of data sharing for cross-context behavioural advertising. | California (CCPA/CPRA) |
| Non-discrimination | We will not discriminate against you for exercising your rights | California (CCPA) |
To exercise any of these rights, please submit a request to privacy@invasystems.com. We will respond within 30 days (or the period required by applicable law). We may need to verify your identity before fulfilling your request.
Note for enterprise users: If you access FieldDNA through your employer's subscription, some rights must be exercised through your employer as the data controller. We will redirect requests to the appropriate party where applicable.
Marketing communications: You may unsubscribe from marketing emails at any time by clicking the unsubscribe link in any email or contacting us at the address below. Transactional communications (e.g., account alerts) are not subject to opt-out while your account is active.
11. Children's Privacy
FieldDNA is an enterprise business platform and is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
12. Third-Party Links
Our platform or website may contain links to third-party websites, integrations, or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy
- Notify enterprise account administrators by email at least 14 days before the change takes effect
- Display a notice on the FieldDNA platform for active users
Your continued use of FieldDNA after the effective date of any updated Policy constitutes your acceptance of the changes. If you disagree with a change, please stop using the platform and contact us.
14. Contact & Grievance Officer
Data Privacy & Grievance Contact
Grievance Officer (India — DPDPA/IT Act):
[Name of Grievance Officer]
Invasystems Pvt Ltd
[Address], Pune, Maharashtra — [PIN CODE], India
Email: privacy@invasystems.com
Phone: [+91 XX XXXX XXXX]
Response time: within 30 days of receipt of complaint
EU/UK Representative (if applicable):
[Representative name and contact — required under GDPR Art. 27 if you regularly process data of EU/UK data subjects]
If you are in the EEA or UK and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. In the EU, you can find your authority at edpb.europa.eu.