1. Introduction and Applicability

SCANilla ("Service", "Platform", "we", "us", or "our") is owned, operated, and administered by Elicus Technologies Private Limited ("Company"). This Privacy Policy ("Policy") governs the collection, processing, storage, disclosure, transfer, and disposal of personal data and user-generated content in connection with your ("User", "you", "your") access to or use of the Service through https://scanilla.com, any subdomain, mobile or desktop application, API endpoint, or other interface operated by us.

By accessing, registering on, or otherwise using the Service in any manner whatsoever, you expressly and unconditionally acknowledge that you have read, understood, and agreed to be bound by this Policy and the associated Terms of Service. If you do not agree with any part of this Policy, you must immediately cease use of the Service and delete any locally stored data pertaining thereto.

This Policy is published in accordance with, and shall be read in conformity with, the provisions of:

1. the Information Technology Act, 2000, and the rules framed thereunder, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
2. the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the rules framed or to be framed thereunder;
3. applicable provisions of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), where you are a data subject located in the European Economic Area or the United Kingdom; and
4. such other statutes, rules, regulations, notifications, or directions as may be applicable from time to time.

2. Definitions

• "Personal Data" means any data about an identified or identifiable natural person, within the meaning of Section 2(t) of the DPDP Act.
• "Processing" has the meaning assigned to it under the DPDP Act and includes, without limitation, collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, disclosure, dissemination, erasure, or destruction.
• "Static QR Code" means a QR code whose payload is fixed at the moment of generation and cannot subsequently be altered.
• "Dynamic QR Code" means a QR code generated via the Service whose destination or payload may be edited after creation and whose scan events are logged by the Service.
• "User Content" means any data, text, URL, hyperlink, code, image, credential, file, or information encoded into or associated with a QR code by you, together with any related metadata.

3. Information We Collect

We collect only such information as is reasonably necessary for the lawful operation, security, continuity, and improvement of the Service. Specifically:

3.1 Account Information

Name, email address, one-way cryptographic hash of your password (plain-text passwords are never stored, transmitted in readable form, or logged), assigned role, account creation timestamp, last-login timestamp, email-verification status, and account status (active, suspended, blocked).

3.2 User Content

Any and all data you encode into a QR code, including but not limited to URLs, Wi-Fi credentials (SSID and network password), vCard details, SMS text, email body, geographic coordinates, cryptocurrency addresses, plain text, and media. You are solely and exclusively responsible for the lawfulness, accuracy, completeness, and appropriateness of such User Content.

3.3 Dynamic QR Analytics

For each scan of a Dynamic QR Code generated via the Service, we automatically record: (i) the Internet Protocol (IP) address of the scanning device; (ii) the approximate geolocation inferred from such IP address; (iii) the user-agent string; (iv) operating system and browser family; (v) device type (mobile, tablet, desktop); (vi) the referrer (where available); and (vii) the precise timestamp of the scan. By creating and distributing a Dynamic QR Code you cause us to Process the foregoing data from every person who scans such code, and you represent that you have all necessary rights and legal bases to do so.

3.4 Activity and Audit Logs

Authentication events, password-reset events, administrative actions, API calls, and security events are recorded for audit, forensic, fraud-prevention, and debugging purposes.

3.5 Cookies and Session Tokens

We issue signed JSON Web Tokens ("JWT") via HTTP-only cookies strictly for the purpose of authentication and session management. We do not operate advertising cookies, third-party behavioural tracking, or cross-site profiling.

3.6 Signup and Abuse-Prevention Metadata

IP-level metadata is retained transiently in order to prevent abusive signups, throttle requests, and mitigate denial-of-service and credential-stuffing attempts.

4. Purposes of Processing

Your Personal Data and User Content are Processed solely for the following purposes:

1. to provide, operate, maintain, secure, and improve the Service;
2. to authenticate users and protect accounts from unauthorised access;
3. to generate, store, redirect, track, and meter QR codes created by you;
4. to produce scan analytics in respect of Dynamic QR Codes as an advertised feature of the Service;
5. to detect, prevent, investigate, and respond to fraud, abuse, prohibited use, spam, malware, or any security incident;
6. to comply with applicable law, lawful directions of governmental or statutory authorities, subpoenas, court orders, and regulatory requirements; and
7. to enforce this Policy, the Terms of Service, and any agreement between you and the Company.

We do not sell, rent, barter, trade, or otherwise monetise your Personal Data to any third party for advertising, marketing, or data-broker purposes.

5. Administrative Access and Support

You expressly acknowledge, consent to, and agree that the Service operates on a role-based access-control model comprising three tiers: "User", "Support", and "Admin". Personnel of the Company holding the Support or Admin role have the technical capability to:

1. view the metadata and encoded payload of any QR code (whether static or dynamic) created by any User of the Service;
2. view account profile data, role assignment, login history, and verification status;
3. view scan analytics and scan logs for any Dynamic QR Code;
4. initiate password resets, block or unblock accounts, modify user roles, and soft-delete, restore, or permanently erase any QR code or account;
5. access activity and audit logs.

Such access is restricted to authorised personnel, acting on a strict need-to-know basis and under contractual confidentiality obligations, solely for one or more of the following purposes:

1. to respond to legitimate support requests initiated by you or on your behalf;
2. to investigate suspected abuse, fraud, security incidents, or violations of the Terms of Service or applicable law;
3. to comply with legal process or a lawful direction of a competent authority;
4. to maintain the integrity, availability, security, and performance of the Service; or
5. to discharge any statutory obligation.

All administrative actions are recorded in an immutable activity log. By using the Service, you irrevocably grant the Company a limited, royalty-free licence to access, review, and, where necessary, modify or delete your account data and User Content for the purposes set forth above.

6. Disclosure to Third Parties

We shall not disclose Personal Data to any third party except:

1. to data processors and sub-processors (including hosting, infrastructure, email-delivery, and payment-processing providers) who are contractually bound to confidentiality and data-protection obligations at least as protective as those set out herein;
2. where required by applicable law, subpoena, court order, or directive of any governmental, regulatory, tax, or law-enforcement authority having competent jurisdiction;
3. in the event of a merger, acquisition, reorganisation, amalgamation, insolvency, or sale of all or substantially all of the Company's assets, subject to the successor entity being bound by obligations no less protective than those contained in this Policy; or
4. with your explicit, specific, and informed consent.

7. Data Retention

• Account data is retained for so long as your account remains active and for a reasonable period thereafter to satisfy legal, tax, audit, statutory, and security obligations.
• Static QR Codes deleted by the User are moved to a recovery area ("Trash") for a period of thirty (30) days and are permanently and irreversibly deleted thereafter.
• Dynamic QR Code scan logs are retained for the lifetime of the corresponding Dynamic QR Code, unless earlier deleted by you or required to be retained for a longer period under any applicable law.
• Activity and audit logs are retained for such period as is reasonably necessary for security, forensic, and legal purposes.
• Encrypted backups may persist beyond the above periods for a limited window as part of routine disaster-recovery procedures.

8. Prohibited Use — Illegal Purposes Strictly Forbidden

You warrant, represent, covenant, and unconditionally agree that you shall not use the Service, nor permit any other person to use the Service on your behalf or with your assistance, for any purpose which is, in whole or in part:

1. unlawful under the laws of India, the law of the jurisdiction in which you reside, or the law of the jurisdiction of any person who may scan or receive a QR code generated by you;
2. fraudulent, deceptive, misleading, or intended to defraud, extort, phish, impersonate, or otherwise deceive any person or entity;
3. in furtherance of the distribution of malware, ransomware, spyware, trojans, worms, rootkits, or any other malicious code or exploit;
4. in furtherance of spam, unsolicited commercial communication, or any violation of the Information Technology Act, 2000 and the rules framed thereunder;
5. obscene, indecent, pornographic, or otherwise harmful — and, in particular, any content constituting child sexual abuse material ("CSAM") is absolutely prohibited, will be blocked on detection, will be preserved for the purposes of the Protection of Children from Sexual Offences Act, 2012 and the Information Technology Act, 2000, and will be reported to the National Cyber Crime Reporting Portal, the National Center for Missing & Exploited Children (NCMEC) where applicable, and/or such competent law-enforcement authority as may be appropriate;
6. harassing, defamatory, libellous, hateful, discriminatory, or in contravention of any provision of the Indian Penal Code, the Bharatiya Nyaya Sanhita, 2023, or similar statutes;
7. in infringement of any intellectual-property right, right of publicity, right of privacy, trade secret, or other right of any third party;
8. in support of, or in connection with, terrorism, money laundering, the financing of proscribed organisations, narcotics trafficking, human trafficking, or any activity prohibited under the Unlawful Activities (Prevention) Act, 1967, the Prevention of Money-Laundering Act, 2002, the Narcotic Drugs and Psychotropic Substances Act, 1985, or any allied statute;
9. directed at, or designed primarily to be scanned by, children under the age of eighteen (18) years, except in compliance with applicable law and with verifiable parental consent;
10. in violation of any applicable export-control law, trade-sanctions regime, or anti-bribery or anti-corruption statute (including, without limitation, the Prevention of Corruption Act, 1988, the U.S. Foreign Corrupt Practices Act, and the U.K. Bribery Act 2010); or
11. intended to circumvent or disable any security feature, rate limit, content filter, authentication mechanism, or technical protection measure of the Service.

We employ automated and manual measures (including, without limitation, adult-content URL filtering, signup rate limiting, and abuse monitoring) to block certain categories of prohibited content. However, you acknowledge and agree that such measures are not and cannot be exhaustive, and that the absence of detection in any particular instance shall not be construed as endorsement, permission, approval, warranty, or waiver by the Company.

We reserve the right, at our sole and absolute discretion and without any prior notice or liability to you, to: (a) investigate any suspected violation of this Policy or applicable law; (b) suspend, disable, or terminate your account; (c) remove, block, or permanently delete any User Content; (d) disclose information to law-enforcement authorities or other competent authorities; and (e) pursue all remedies available at law or in equity.

9. Disclaimer of Warranties and Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

(a) The Service is provided strictly on an "AS IS" and "AS AVAILABLE" basis, with all faults and without warranty of any kind. The Company, its directors, officers, employees, affiliates, agents, licensors, and suppliers expressly disclaim all representations, warranties, and conditions of any kind, whether express, implied, statutory, or otherwise, including without limitation warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, reliability, uninterrupted availability, freedom from error, or freedom from malicious code.

(b) The Company is not responsible and shall under no circumstance be held liable for:

1. the content of any QR code generated, hosted, redirected, published, or distributed via the Service, whether by you or any third party;
2. any use, misuse, abuse, or criminal or tortious application of the Service by any User, third party, or scanning party;
3. any direct, indirect, incidental, consequential, exemplary, punitive, or special damages of any nature, howsoever arising out of or in connection with your use of, or inability to use, the Service, including without limitation loss of profits, loss of revenue, loss of data, loss of goodwill, business interruption, or procurement of substitute services;
4. the acts, omissions, or conduct of any scanning party, any destination website, or any content to which a QR code redirects;
5. any malware, virus, trojan, or malicious code present on any destination URL or associated with any User Content;
6. any downtime, outage, latency, data loss, data corruption, or security incident, notwithstanding the reasonable technical and organisational security measures maintained by the Company;
7. any decision, action, or omission you or any third party take in reliance upon any information obtained via the Service;
8. any event of force majeure, including but not limited to acts of God, government action, pandemic, war, insurrection, strike, utility failure, cable cut, cyber-attack, or failure of any upstream third-party service provider.

(c) In no event shall the aggregate liability of the Company, its directors, officers, employees, affiliates, agents, licensors, or suppliers, arising out of or in connection with this Policy, the Service, or any use thereof, whether in contract, tort (including negligence), statute, or otherwise, exceed the greater of (i) the amount actually paid by you to the Company in the twelve (12) months immediately preceding the event giving rise to the claim, or (ii) Indian Rupees One Hundred (INR 100) only.

(d) You acknowledge that the foregoing disclaimers and limitations are a material basis on which the Service is provided to you, and that the Service would not be offered at the stated price or at all without them.

10. Indemnification

You shall defend, indemnify, and hold harmless the Company, Elicus Technologies Private Limited, and their respective directors, officers, employees, affiliates, agents, licensors, and suppliers from and against any and all claims, demands, actions, proceedings, losses, damages, liabilities, costs, and expenses (including reasonable legal fees on a full-indemnity basis) arising out of or in connection with (i) your breach of this Policy or the Terms of Service; (ii) your use of the Service; (iii) your User Content; (iv) your infringement of any third-party right; or (v) your violation of any applicable law, regulation, or order of a competent authority.

11. Security Measures

We maintain reasonable technical and organisational security measures proportionate to the nature and sensitivity of the Personal Data Processed by us, including:

• encryption in transit via Transport Layer Security (TLS);
• one-way cryptographic hashing of passwords with per-user salts and industry-standard algorithms;
• role-based access control and enforcement of the principle of least privilege for personnel;
• periodic backups and integrity checks;
• rate limiting, anomaly detection, and abuse-prevention mechanisms;
• audit logging of administrative actions.

Notwithstanding the foregoing, no method of transmission over the Internet or method of electronic storage is one-hundred percent secure. You acknowledge that you provide data at your own risk and release the Company from any and all liability arising from an unauthorised disclosure not attributable to the Company's gross negligence or wilful misconduct.

12. Children's Privacy

The Service is not directed to, nor intended for use by, persons below the age of eighteen (18) years. We do not knowingly collect Personal Data from children. If a parent or lawful guardian becomes aware that a child has provided Personal Data to us without lawful consent, such parent or guardian may request removal via the channel set forth in Section 16, and we shall take reasonable steps to delete such data.

13. International Data Transfers

Your data may be Processed on, or transferred to, servers or personnel located within or outside India, including jurisdictions whose data-protection standards may differ from those of your home jurisdiction. By using the Service, you expressly consent to such transfer, storage, and Processing outside your home jurisdiction.

14. Your Rights

Subject to applicable law, you have the right to:

1. access a copy of the Personal Data we hold about you;
2. request correction or updation of inaccurate or incomplete Personal Data;
3. request erasure of your Personal Data (subject to our legal, contractual, security, and retention obligations);
4. nominate another individual to exercise your rights in the event of death or incapacity, in accordance with the DPDP Act;
5. withdraw consent previously granted, which may result in the immediate termination of your access to the Service;
6. lodge a complaint with the Data Protection Board of India or any other competent supervisory authority.

Requests must be submitted via the contact channel referenced in Section 16. We may seek reasonable verification of your identity before acting on any request and may decline requests that are manifestly unfounded, excessive, repetitive, or in conflict with our legal obligations.

15. Governing Law, Jurisdiction, and Dispute Resolution

This Policy shall be governed by, and construed in accordance with, the laws of the Republic of India, without reference to its conflict-of-laws principles. Subject to the arbitration clause below, any dispute, claim, controversy, or cause of action arising out of or in connection with this Policy, its subject matter, or its formation shall be subject to the exclusive jurisdiction of the competent courts situate at the registered office of the Company in India.

Prior to instituting any legal proceedings, the parties shall endeavour in good faith to resolve the dispute through amicable discussion for a period of thirty (30) days. If the dispute is not resolved within such period, the matter shall be referred to and finally resolved by arbitration by a sole arbitrator appointed by the Company, conducted in the English language under and in accordance with the Arbitration and Conciliation Act, 1996, as amended from time to time. The seat and venue of arbitration shall be the registered office of the Company in India. The arbitral award shall be final and binding upon the parties.

16. Grievance Redressal and Contact

In compliance with the Information Technology Act, 2000, and the rules framed thereunder, you may raise any grievance, query, or request in relation to this Policy, the Service, or your Personal Data by using the contact form available at https://elicus.com/contact. We shall endeavour to acknowledge any complaint within forty-eight (48) hours of receipt and resolve it within such period as is prescribed by law, or as soon as reasonably practicable.

17. Amendment

We may, at our sole discretion and without prior individual notice, amend, supplement, or replace this Policy at any time. The amended Policy shall take effect upon publication on https://scanilla.com/privacy.html. Your continued use of the Service following such publication shall constitute your conclusive acceptance of the amended Policy. It is your responsibility to review this Policy periodically.

18. Severability and Waiver

If any provision of this Policy is held invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect, and the invalid provision shall be deemed replaced by a valid provision that most closely reflects the original intent. No failure or delay by the Company in exercising any right under this Policy shall operate as a waiver thereof.

19. Entire Agreement

This Policy, together with the Terms of Service and any other binding document referenced herein, constitutes the entire agreement between you and the Company with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, representations, warranties, and understandings, whether oral or written.