1. Who this policy covers
Atithi Pro is used by two kinds of people, and their data is treated differently:
- Hotel users — owners, admins and staff who create an account and operate the app. For this data, we are the data fiduciary under the Digital Personal Data Protection Act, 2023 (“DPDP Act”).
- Hotel guests — people whose details a hotel records during check-in. Here the hotel is the data fiduciary (it decides to collect the data to meet its legal obligations), and Atithi Pro processes that data on the hotel's behalf. Guests should direct requests about their data to the hotel they stayed at; we assist hotels in fulfilling them.
2. Data we collect
From hotel users
- Name, mobile number and role, verified via SMS OTP at login.
- Property details you configure: hotel name, address, GSTIN, logo, rooms, pricing, invoice settings, staff list and permissions.
- Subscription and payment status. Payments are processed by Razorpay — we never see or store your card, UPI or bank credentials.
- Basic diagnostic data needed to keep the app working reliably.
About hotel guests (entered by the hotel)
- Guest register details: name, address, date of birth, mobile number, ID document type and number, travel details, room, stay dates and payment records.
- Images of identity documents (such as Aadhaar, PAN, Driving Licence, Voter ID or Passport) captured by hotel staff during check-in.
3. How we use data
- To operate the guest register, room board, daybook and invoicing.
- To auto-fill your state's official guest-reporting portal (for example, Gujarat's Pathik system) at the hotel's explicit direction — this is the hotel submitting its own legally required record, with typing automated.
- To extract text from ID images using AI (see section 4).
- To provide support, process subscriptions and send service messages (OTP, billing, critical notices).
We do not sell personal data. We do not use guest data for advertising or marketing. Ever.
4. AI processing of ID images
When staff scan an ID, the image is sent to Google's Gemini API solely to extract the text fields (name, address, document number) for the entry form. This happens under Google's paid API terms, under which submitted content is not used to train Google's models. The extracted text is shown to staff for review before anything is saved.
5. Storage & security
- Data is stored in a managed cloud database (Supabase) with encryption in transit and at rest.
- Every hotel's data is isolated by row-level security — one property can never read another's records.
- Staff access is limited by per-screen permissions set by the hotel admin.
- Aadhaar numbers are masked to the last four digits wherever they are printed or exported (registers, reports).
6. Retention & automatic deletion
Retention follows the principle of the DPDP Act: keep data only as long as its purpose requires.
- Guest register text (name, address, document number, dates) is retained for the period state lodging and guest-reporting rules require hotels to keep guest records (typically 3–5 years), then purged.
- ID images are automatically and permanently deleted after a short retention window (90 days after checkout by default) — long-term storage of Aadhaar copies is a risk, not a feature. Hotels download a monthly Guest Register PDF beforehand so their legal record stays complete.
- Hotel user accounts are kept until deleted — see Delete your account.
7. Sharing
We share data only with the services needed to run Atithi Pro:
- Official state guest-reporting portals (such as Gujarat's Pathik system) — at the hotel's direction, for its legally required guest reports.
- Razorpay — subscription payments.
- Google (Gemini API) — ID text extraction, as described above.
- Google Firebase — OTP delivery for login.
- Supabase — database and file storage infrastructure.
Each provider receives only what its function requires. We may disclose data if required by law or a valid government request, and we will tell the affected hotel unless legally barred from doing so.
8. Your rights
Under the DPDP Act you may:
- Access a summary of your personal data we hold;
- Correct inaccurate or incomplete data (most of it is editable in-app);
- Request erasure, subject to the legal retention duties above;
- Nominate a person to exercise these rights on your behalf;
- Raise a grievance and, if unresolved, complain to the Data Protection Board of India.
Guests should contact the hotel they stayed at first (it controls the record); we support hotels in responding.
9. Children
Atithi Pro accounts are for adults operating a lodging business. Guest records may include children's counts or details where law requires — entered by the hotel for compliance only.
10. Grievance officer
Vishal Patel · support@atithipro.in · +91 95582 86341 · India. We acknowledge grievances within 72 hours and aim to resolve them within 7 working days.
11. Changes
We will update this policy as the product and law evolve. Material changes are announced in-app and the “last updated” date revised. Continued use after a change means acceptance.