Trust & Data
Privacy Policy
Last updated: 22 June 2026
StibaOS (“we”, “us”, “our”) operates a cloud and on-premise software platform for pharmaceutical manufacturing, quality, and compliance. This policy explains what data we collect, why we collect it, how it is processed, and the rights of users and their tenants.
This is a template policy. The legal entity name, registered address, GSTIN, and Data Protection Officer contact will be finalized before commercial rollout. Treat this as draft for evaluation purposes only.
1. Data Controller & Applicable Law
StibaOS is governed by the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and, where applicable, the Information Technology (Reasonable Security Practices) Rules, 2011. For tenants operating across borders, we additionally align with GDPR principles for data minimization, consent, and breach notification.
Data Controller: StibaOS (legal entity name to be confirmed at contract signing).
Jurisdiction: Hyderabad, India.
GSTIN: Provided in the executed Master Services Agreement.
2. Data We Process
We process the following categories of data, each tied to a documented business purpose:
- Account & identity data — name, work email, role, phone. Purpose: tenant administration, audit trail identity.
- Tenant operational data — batch records, deviations, CAPAs, documents, training records, equipment logs, regulatory filings you create in the platform. Purpose: delivering the contracted SaaS features.
- Audit trail data — every create, update, approve, sign, and delete action by every user, with timestamp and IP. Purpose: 21 CFR Part 11 and Schedule M compliance.
- Tech support data — logs, screenshots, and metadata you share during support interactions. Purpose: incident resolution.
- Aggregated usage analytics — feature adoption rates, performance metrics. Purpose: product improvement. This is anonymized and never tied to a specific batch, person, or tenant identity.
3. Data We Do Not Collect
- Personal data unrelated to your role at the tenant (e.g., personal social accounts, browsing history outside the platform).
- Sensitive personal data (caste, religion, biometric) — we do not request or store these.
- Direct marketing data — we do not sell or rent any data.
4. Data Residency
All tenant operational data and audit trail data is stored on infrastructure provisioned in India (Mumbai / Hyderabad region)by default. On-premise deployments keep all data inside the customer’s network. We do not transfer personal or operational data outside India without (a) explicit contractual consent and (b) standard contractual clauses where applicable.
5. Sub-processors
We engage the following categories of sub-processors. A current list with vendor names is available on request:
- Cloud infrastructure (compute, storage, backups)
- Transactional email (system notifications only)
- Error monitoring & logging (anonymized stack traces)
- Document preview and rendering
We notify tenants at least 30 days before engaging a new sub-processor that would process operational data. Tenants may raise objections in writing.
6. Data Retention
- Active tenant data: retained for the duration of the contract.
- After termination: tenant data is available for export for 60 days, then irrecoverably deleted from production systems.
- Backups: encrypted backups are purged within 90 days of deletion from production.
- Audit trail records: retained per Schedule M and 21 CFR Part 11 requirements (minimum 5 years, or longer if specified in your MSA).
- Aggregated/anonymized analytics: retained indefinitely as they no longer identify individuals.
7. Security Controls
A detailed description of technical and organizational measures is in our Security Overview. In summary: TLS 1.2+ in transit, AES-256 at rest, role-based access control with least-privilege, MFA for all administrative access, segregated audit trail with cryptographic integrity, and quarterly internal access reviews.
8. User & Tenant Rights
Under the DPDP Act, principals (data subjects) have the right to:
- Access a summary of personal data processed about them.
- Correct inaccurate or incomplete data.
- Request erasure of personal data (subject to regulatory retention obligations under Schedule M / Part 11).
- Withdraw consent for optional processing (may affect feature availability).
- Lodge a grievance with StibaOS at grievance@stibaos.com.
Tenant administrators may export or delete their tenant’s operational data via the Settings module or by written request. StibaOS acknowledges grievances within 48 hours and resolves them within 30 days, per DPDP Act timelines.
9. Breach Notification
In the event of a personal data breach, we notify affected tenants within 72 hours of confirmation, including the nature of the breach, data categories affected, mitigation steps, and remediation plan. We additionally report to the Data Protection Board of India where required by the DPDP Act.
10. Cookies & Local Storage
StibaOS is a signed-in application. We use essential cookies/local storage for session authentication, theme preference, and CSRF protection. We do not use third-party advertising or behavioral tracking cookies. Analytics, where enabled by the tenant administrator, is first-party and anonymized.
11. Changes to This Policy
We may update this policy to reflect regulatory changes or product evolution. Material changes are notified to tenant administrators via email at least 14 days before taking effect. Continued use after the effective date constitutes acceptance.
12. Contact
For privacy questions, data subject requests, or sub-processor inquiries: privacy@stibaos.com.
Questions about this document? Email legal@stibaos.com or write to us at the registered address listed in your agreement.