Privacy Policy.

Who we are.

Certopact is a visitor verification platform owned and operated by Perigeon Software Pvt. Ltd., a private limited company incorporated in India and registered in Ahmedabad, Gujarat (referred to as "Perigeon," "Certopact," "we," "us," or "our" in this policy).

This privacy policy applies to the Certopact website at certopact.com, the Certopact Entry application, and any related products, kiosks, or integrations we operate (collectively, the "Services").

If you are using Certopact as a visitor checking into a site, your data is being processed on behalf of the enterprise that operates that site. That enterprise is the Data Fiduciary under the DPDP Act 2023. Certopact acts as their Data Processor. See Section 02 for what this distinction means in practice.

Scope and our role.

When you are a visitor checking in

Your employer, host organisation, or the enterprise whose premises you are entering is the Data Fiduciary. They decide what data is collected, why, and for how long it is retained. Certopact processes your data only on their documented instructions, under a Data Processing Agreement (DPA) executed with each enterprise customer.

For questions about your visitor data, contact the Data Protection Officer (DPO) of the enterprise you visited first. If they are unable to help, contact us directly using the details in Section 13.

When you are an enterprise customer or admin user

For account, billing, support, and product communications, Certopact is the Data Fiduciary. We decide what data we hold about you and why.

When you visit our website

For website analytics, cookies, contact form submissions, and marketing, Certopact is the Data Fiduciary.

What data we collect.

We collect different categories of data depending on how you interact with us. We always practice data minimisation — we collect only what is necessary for the stated purpose.

Aadhaar and DigiLocker data.

Because Aadhaar data is regulated specially by the Aadhaar Act 2016 and UIDAI regulations, this section explains in detail how we handle it.

How Aadhaar verification works

1. The visitor enters their name, the last four digits of their Aadhaar number, and their date of birth at the kiosk. The full Aadhaar number is never typed on screen and never seen by the receptionist.
2. An OTP is generated and sent by UIDAI to the visitor's registered mobile number. The visitor enters the OTP at the kiosk.
3. UIDAI confirms whether the OTP is valid and returns a success or failure response, along with limited demographic data (name, date of birth, gender) under e-KYC.
4. Certopact compares the typed name against the UIDAI-returned name and calculates a name match score.
5. The success / failure result, the masked Aadhaar (last 4 digits only), the name match score, and a transaction reference number are stored in the visitor's check-in record.

How DigiLocker pull works

DigiLocker is an opt-in step. The visitor must explicitly tap "Yes, fetch from DigiLocker" and authenticate with DigiLocker directly. We never see the visitor's DigiLocker password. DigiLocker returns digitally-signed copies of the documents the visitor has chosen to share — typically PAN, Driving Licence, or Vehicle RC.

What we store

• The masked Aadhaar number (last 4 digits only, e.g. XXXXXXXX4892)
• The UIDAI authentication transaction reference
• The success / failure result of the verification
• The name match score
• Demographic data returned by UIDAI under e-KYC, where required by the enterprise's policy
• Digitally-signed DigiLocker documents, where the visitor opted in
• The visitor's photograph captured at the kiosk, where applicable

What we do not store

• The full Aadhaar number — ever, in any form, encrypted or otherwise
• Biometric data of any kind
• The OTP entered by the visitor
• Any data UIDAI does not return to us

How it's protected

• Encryption at rest — All Aadhaar-linked data is encrypted with AES-256 in our database
• Encryption in transit — All API calls between the kiosk, our servers, UIDAI, and DigiLocker use TLS 1.2 or higher
• India data residency — All data is hosted in India (GCP Mumbai region). No cross-border transfer of Aadhaar data is permitted
• Access controls — Only authorised Perigeon engineers with a documented business need can access production data, and all access is logged
• Tenant isolation — Each enterprise customer's visitor data is logically separated and never co-mingled with another customer's data

Sub-AUA / KUA arrangement

Certopact is operated as a Sub-AUA (Authentication User Agency) under a licensed AUA / KUA. Our verification transactions pass through that licensed entity to UIDAI. The licensed AUA/KUA is bound by UIDAI's regulations and audit requirements.

How we use it.

We process personal data for specified, lawful purposes only. The legal bases under the DPDP Act 2023 are: (a) the consent you provide at the kiosk or sign-up, (b) the legitimate uses permitted under Section 7 of the Act, and (c) compliance with legal obligations.

• To verify identity at the point of visitor entry, on behalf of the enterprise running that premises
• To produce visitor records the enterprise can use for audit, compliance, evacuation, and security purposes
• To generate analytics and reports for the enterprise admin — daily, weekly, monthly check-in trends, name match score distributions, wrong-ID flags
• To deliver Excel reports by email when explicitly requested by an authorised admin
• To operate, secure, and improve the Certopact Service — diagnose errors, prevent abuse, build new features
• To communicate with you about the product, service updates, security advisories, and account matters
• To comply with legal obligations under Indian law, including responding to lawful requests from UIDAI, regulators, or courts

We do not use Aadhaar data, DigiLocker documents, or visitor records for marketing, profiling, or advertising. Ever.

Sharing and processors.

We share data only with the parties listed below, only for the purposes listed, and only under contractual safeguards.

All processors operate under written agreements that include confidentiality, security, breach-notification, and India data-residency clauses. Where a processor is the recipient of Aadhaar data, they must independently comply with the Aadhaar Act and UIDAI regulations.

We do not sell, rent, or trade your personal data. Not now. Not ever.

How long we keep it.

For visitor data, the enterprise customer (Data Fiduciary) sets the retention period in their Data Processing Agreement, subject to a default of 180 days for active visit records and 3 years for masked audit logs (which is the typical enterprise compliance window).

For our own records:

• Account data — kept for as long as you have an account, plus 12 months after closure for legal and tax records
• Billing records — kept for 8 years to comply with India's Companies Act and tax laws
• Communications and support tickets — kept for 24 months
• Website analytics — kept for 14 months
• Security logs — kept for 12 months for incident investigation

When the retention period expires, we delete or irreversibly anonymise the data. Backups are purged within 90 days of the deletion event.

How we protect it.

We follow defence-in-depth and apply both technical and organisational safeguards. Our key controls:

• AES-256 encryption at rest for all production data, with managed keys rotated regularly
• TLS 1.2+ encryption in transit on every API and front-end interaction
• Role-based access control with least privilege for all internal users
• Multi-factor authentication for all admin and engineering accounts
• Audit logging on every access to production systems, retained for at least 12 months
• Quarterly security reviews and annual penetration testing by an independent firm
• Vulnerability disclosure programme (see our Responsible Disclosure Policy)
• Incident response runbook with breach-notification timelines aligned to the DPDP Act 2023 and CERT-In Cyber Incident Reporting Rules

SOC 2 Type II and ISO 27001 audits are in progress in 2026. We will update this section when those certifications are issued.

No system is impenetrable. If you discover a vulnerability, please report it under our Responsible Disclosure programme.

Your rights.

Under the DPDP Act 2023, you have the following rights with respect to your personal data:

• Right to information — to know what data we hold about you and how it is being processed
• Right to correction and erasure — to have inaccurate data corrected, or completed if it is incomplete, and to have data erased when no longer required for the original purpose
• Right of grievance redressal — to raise a grievance with our Grievance Officer (contact details below)
• Right to nominate — to nominate someone to exercise these rights on your behalf in the event of your death or incapacity
• Right to withdraw consent — to withdraw any consent you previously gave, with effect for the future

How to exercise your rights

For visitor data, contact the enterprise that hosted you first — they are the Data Fiduciary. If they are unable to help, or for account / website / marketing data where Certopact is the Data Fiduciary, write to our Grievance Officer at [email protected].

We will acknowledge your request within 3 working days and respond substantively within 30 calendar days, in line with the DPDP Act timeline. If we are unable to fulfil your request, we will tell you why.

If you are dissatisfied with our response, you have the right to escalate to the Data Protection Board of India once it is operational under the DPDP Act 2023.

Cookies and tracking.

Our website uses a small number of cookies to function and to understand how visitors use the site. We use:

• Strictly necessary cookies — for session management, security, and remembering your cookie preferences. These are always on
• Analytics cookies — to understand which pages perform well, in aggregate. These run only with your consent

We do not run advertising cookies, retargeting pixels, or third-party tracking on this site. You can manage your preferences from the cookie banner shown on your first visit, or by clearing cookies in your browser.

Children and minors.

Certopact is an enterprise B2B product designed for adult visitors at workplaces. We do not knowingly collect personal data from anyone under the age of 18. Aadhaar verification at our kiosks is intended for adult visitors only.

If you believe a child's personal data has been collected by us in error, please write to [email protected] and we will delete it within 7 working days of confirmation.

Changes to this policy.

We may update this Privacy Policy from time to time, for example when we add new features, change our infrastructure, or when the law changes. When we make material changes, we will:

• Update the "Effective" date at the top of this page
• Email account holders of the change at least 14 days before it takes effect
• Post a notice on the Certopact website
• Maintain a publicly accessible changelog of past versions

If you continue to use Certopact after a material change takes effect, you accept the updated policy. If you don't, please contact us to close your account or withdraw consent.

How to contact us.

For privacy questions, data subject requests, or grievances:

Grievance Officer

[email protected]

Data Protection Officer

[email protected]

Postal address

Perigeon Software Pvt. Ltd.
Ahmedabad, Gujarat, India

Phone (sales)

+91 63574 97151

Please mention "Privacy / DPDP request" in the subject line so we can route your message to the right person quickly.