Privacy Policy — OneTeam Lead Referral Platform

01

Who We Are

Langsat Technologies Pvt. Ltd ("we", "us", "our", "OneTeam") is a company incorporated in India, operating the OneTeam Lead Referral Platform available at app.oneteam.uno.

OneTeam is a B2B SaaS platform that enables hotel chains to refer business leads between their member properties. We act as a Data Processor on behalf of hotel chains (our customers, who are the Data Controllers) and as a Data Fiduciary under the Digital Personal Data Protection Act 2023 in respect of our platform users.

Registered Address: Langsat Technologies Pvt. Ltd, Kochi, Kerala, India.

02

Data We Collect

We collect only the personal data necessary to provide our services. The following table describes each category:

Category	Examples	Source
Account Data	Full name, work email address, password (hashed), role, hotel affiliation	Provided by you at registration or by your hotel administrator
Lead Data	Client/company name, contact email, phone number, event details, room block requirements, revenue estimates	Entered by platform users when submitting or managing leads
Consent Records	Timestamp of consent, IP address, privacy policy version accepted, purpose of consent	Automatically recorded when you accept our Privacy Policy
Usage Data	Pages visited, actions taken, timestamps, browser type, device type	Automatically collected via our platform infrastructure
Communications	Support requests, feedback emails, in-app messages	Provided by you when you contact us
Uploaded Files	Proposal documents, floor plans, brochures attached to leads	Uploaded by you as part of lead submissions

We do not collect sensitive personal data such as financial account details, biometric data, health information, or government identification numbers.

03

How We Use Your Data

We use your personal data only for the following purposes:

Platform operation: Creating and managing your account, authenticating your identity, and enabling you to send and receive hotel leads.
Lead referral service: Sharing lead information between hotels within the same chain as directed by your organisation.
Communications: Sending transactional emails such as lead notifications, password resets, and account confirmations.
Compliance and audit: Maintaining records of data processing activities, consent logs, and access logs as required by applicable law.
Platform improvement: Analysing aggregated, anonymised usage patterns to improve product features.
Legal obligations: Responding to lawful requests from regulatory authorities.

We will never sell your personal data to third parties, use it for advertising purposes, or process it for any purpose not listed above without obtaining fresh consent.

04

Lawful Basis for Processing

We process your personal data under the following lawful bases, in compliance with both the Digital Personal Data Protection Act 2023 (India) and the General Data Protection Regulation (EU/UK GDPR):

Processing Activity	Lawful Basis (DPDP)	Lawful Basis (GDPR)
Account creation and login	Consent	Contract performance
Lead referral between hotels	Legitimate use	Legitimate interests
Transactional emails	Consent	Contract performance
Audit and compliance logging	Legal obligation	Legal obligation
Product analytics (anonymised)	Legitimate use	Legitimate interests

Where we rely on consent as our lawful basis, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

05

Data Sharing

We share your personal data only in the following limited circumstances:

Within your hotel chain: Lead data is shared between hotels in the same chain as directed by your Chain Administrator. This is the core function of the platform.
Infrastructure sub-processors: We use trusted third-party services to operate our platform. Each is bound by a Data Processing Agreement:

Sub-processor	Purpose	Data Location
Supabase Inc.	Database, authentication, file storage	Mumbai, India (ap-south-1)
Vercel Inc.	Application hosting and delivery	Global CDN (application code only, no personal data)
Resend Inc.	Transactional email delivery	EU / USA

Legal requirements: We may disclose personal data if required to do so by law, court order, or a competent regulatory authority including the Data Protection Board of India.
Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

We do not share personal data with any other third parties, advertisers, data brokers, or marketing platforms.

06

Cross-Border Data Transfers

Your personal data is primarily stored and processed in Mumbai, India via our Supabase database infrastructure.

Where data is transferred outside India (for example, for email delivery via Resend), we ensure appropriate safeguards are in place:

For transfers to countries within the EU/EEA: transfers are covered by the EU Standard Contractual Clauses (SCCs) as approved by the European Commission.
For transfers to other countries: we ensure the recipient provides a comparable level of data protection through contractual obligations.

When a lead is referred between hotels in different countries, the transfer is carried out on the basis of legitimate interests — the lead referral is in the direct interest of the client being better served. This is documented in our Legitimate Interests Assessment.

07

Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law:

Data Type	Retention Period	Reason
Account data	Duration of account + 2 years	Service provision and dispute resolution
Lead data	3 years from lead creation	Business records and audit requirements
Consent records	5 years	DPDP Act compliance
Audit logs	5 years	Legal obligation and security
Uploaded files	Duration of account + 1 year	Service provision

After retention periods expire, data is permanently deleted or anonymised so it can no longer be linked to an individual.

08

Your Rights

Under the DPDP Act 2023 and GDPR, you have the following rights regarding your personal data. To exercise any right, contact us at grievance@oneteam.uno. We will respond within 30 days.

👁️

Right to Access

Request a copy of all personal data we hold about you, in a readable format.

✏️

Right to Correction

Request correction of inaccurate or incomplete personal data we hold about you.

🗑️

Right to Erasure

Request deletion of your personal data, subject to legal retention requirements.

📦

Right to Portability

Receive your personal data in a structured, machine-readable format (JSON/CSV).

🚫

Right to Object

Object to processing based on legitimate interests or withdraw consent at any time.

📋

Right to Grievance

Lodge a complaint with our Grievance Officer or the Data Protection Board of India.

✅ EU/UK users: You also have the right to lodge a complaint with your local supervisory authority. In the EU, you may contact your national Data Protection Authority. In India, you may contact the Data Protection Board of India once operational.

09

Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration:

Encryption in transit: All data is transmitted over HTTPS/TLS.
Encryption at rest: Database storage is encrypted at rest by our infrastructure provider.
Access controls: Role-based access ensures users can only access data relevant to their hotel and role.
Authentication: Secure password hashing and session management via industry-standard authentication infrastructure.
Data minimisation: We collect and retain only the minimum data necessary for each purpose.
Audit logging: All access to and modifications of personal data are logged with timestamps.

In the event of a personal data breach that poses a risk to your rights, we will notify the Data Protection Board of India and affected users within 72 hours of becoming aware of the breach, as required by the DPDP Act 2023 and GDPR Article 33.

10

Cookies

OneTeam uses a minimal set of cookies strictly necessary to operate the platform:

Cookie	Purpose	Duration
sb-auth-token	Maintains your authenticated session (set by Supabase Auth)	7 days (or until sign out)

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required as we use only strictly necessary cookies.

11

Children's Privacy

OneTeam is a B2B platform intended solely for use by business professionals aged 18 and above. We do not knowingly collect personal data from anyone under the age of 18.

If you believe a minor has provided us with personal data, please contact us immediately at grievance@oneteam.uno and we will promptly delete that information.

12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Notify all registered users by email at least 14 days before the changes take effect.
Where required by law, seek fresh consent for new processing activities.

Your continued use of the platform after the effective date of an updated policy constitutes your acceptance of the changes. Previous versions of this policy are available on request.

This policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of courts in Kochi, Kerala.