Privacy Policy

Last updated: March 2026

Dealpost ("we", "our", or "us") operates the digital signage platform available at dealpost.co.in and related services. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our platform, websites, applications, and related services (collectively, the "Services").

We are committed to transparency and plain language, in accordance with GDPR Article 12. If anything in this policy is unclear, please contact us and we will explain it further.

Dealpost is a business-to-business (B2B) platform. Our Services are designed for businesses that operate digital signage networks. We do not offer consumer-facing services. References to "you" or "user" in this policy refer to authorised representatives of businesses that use our platform.

1. Who We Are

Dealpost is a multi-vertical SaaS digital signage platform headquartered in India. For the purposes of applicable data protection laws, Dealpost is the data controller for the personal data we process about our users, and a data processor for any personal data our customers process through our platform.

Data Protection Contact

Dealpost

Email: hello@dealpost.co.in

Phone: +91 8015004952

Website: dealpost.co.in

2. Data We Collect

2.1 Account and Business Information

When you register for or use our Services, we collect:

Business name, address, and registration details (GST, PAN, or equivalent)
Contact person name, email address, and phone number
Role and access permissions within your organisation
KYC (Know Your Customer) documentation where required for vendor onboarding
Billing address and invoicing details

2.2 Platform Usage Data

We automatically collect information about how you interact with our Services:

Login timestamps, session duration, and feature usage patterns
Pages visited, actions taken, and workflow completions
Device type, browser type, operating system, and screen resolution
IP address and approximate geographic location (city-level)
Error logs and performance metrics

2.3 Device and Screen Data

For digital signage devices managed through our platform:

Device identifiers (serial number, hardware ID, MAC address)
Device health telemetry (CPU, memory, temperature, storage, network status)
Screen configuration (resolution, orientation, brightness settings)
Playback logs (content played, timestamps, duration)
GPS coordinates for mobile signage installations (vehicle-mounted displays)
Peripheral hardware information (cameras, sensors, LED controllers)

2.4 Audience Analytics Data (Privacy-First Approach)

Important: Dealpost uses on-device AI processing for audience analytics. Our computer vision models run entirely on the signage device itself. No photographs, video footage, or personally identifiable information (PII) is collected, transmitted, or stored from camera feeds.

The only data generated and transmitted from audience analytics is:

Aggregate counts (number of people detected in a time window)
Estimated demographic distributions (age bracket, gender distribution) as statistical aggregates
Attention and dwell-time metrics (average gaze duration, not linked to individuals)
Foot traffic patterns (density over time, not individual trajectories)

No facial recognition, individual tracking, or biometric identification is performed. All inference is statistical and anonymous by design. Camera frames are processed in volatile memory and discarded immediately after inference. No raw imagery leaves the device.

2.5 Payment Information

Payment processing is handled exclusively by Razorpay, a PCI-DSS Level 1 compliant payment processor. Dealpost does not collect, store, or have access to your full card numbers, CVV codes, or banking credentials. We receive only:

Transaction reference IDs
Payment status (success, failure, pending)
Last four digits of the payment instrument (for your reference only)
Invoice and receipt records

2.6 Content and Media

Creative assets (images, videos, HTML content) uploaded to the platform for display on signage screens. This content is owned by you and stored on your behalf.

2.7 Communication Data

Records of support requests, emails, chat messages, and feedback you send us.

3. How We Use Your Data

We process your data only for the following purposes:

Purpose	Legal Basis (GDPR)
Providing and operating the Services	Performance of contract
User authentication and access control	Performance of contract
Processing payments and generating invoices	Performance of contract
Device provisioning, monitoring, and health reporting	Performance of contract
Generating audience analytics (aggregate, anonymous)	Legitimate interest
Improving platform performance and reliability	Legitimate interest
Detecting and preventing fraud, abuse, or security threats	Legitimate interest
Sending service-critical notifications (outages, billing, security)	Performance of contract
Sending product updates and feature announcements	Legitimate interest (opt-out available)
Responding to support requests	Performance of contract
Complying with legal obligations (tax, audit, law enforcement)	Legal obligation
Generating proof-of-play reports for advertisers	Performance of contract

We do not sell your personal data. We do not use your data for automated individual decision-making or profiling that produces legal effects concerning you.

4. Data Sharing and Disclosure

We share data only in the following circumstances:

4.1 Service Providers (Sub-Processors)

We use trusted third-party providers to operate our Services. Each operates under a data processing agreement:

Cloud Infrastructure — Enterprise-grade cloud providers (AWS / GCP) for hosting, compute, and storage
Razorpay — Payment processing (PCI-DSS Level 1 compliant)
Keycloak — Identity and access management (self-hosted)
Sentry — Error monitoring and crash reporting
Email delivery services — Transactional email notifications
Content delivery networks — Media asset delivery to signage devices

4.2 Programmatic Advertising Partners

If you participate in our advertising marketplace, anonymised screen availability and audience aggregate data may be shared with demand-side platforms (DSPs) through industry-standard OpenRTB protocols. This data never includes personal information of individuals near the screens.

4.3 Legal Requirements

We may disclose data when required by law, regulation, court order, or governmental request, or when disclosure is necessary to protect the rights, property, or safety of Dealpost, our users, or the public.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our business, user data may be transferred as part of the transaction. We will notify affected users before their data becomes subject to a different privacy policy.

5. Data Storage and Security

5.1 Infrastructure

Your data is hosted on enterprise-grade cloud infrastructure with the following security measures:

Encryption at rest — All data is encrypted using AES-256 encryption at the storage layer
Encryption in transit — All data transmission uses TLS 1.2 or higher
SOC 2 aligned practices — Our operational procedures are aligned with SOC 2 Type II trust service criteria for security, availability, and confidentiality
ISO 27001 principles — Our information security management follows ISO 27001 framework principles
Access controls — Role-based access control (RBAC) with least-privilege principles, multi-factor authentication for administrative access
Audit logging — Comprehensive audit trails for all data access and modifications
Regular backups — Automated, encrypted backups with tested recovery procedures
Vulnerability management — Regular security assessments, dependency audits, and patch management

5.2 Multi-Tenant Isolation

Dealpost is a multi-tenant platform. Each customer's data is logically isolated at the database level using tenant-scoped access controls. No customer can access another customer's data through the platform.

5.3 Incident Response

We maintain an incident response plan. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Article 33 and the DPDP Act 2023.

6. Data Retention

We retain your data only for as long as necessary to fulfil the purposes described in this policy:

Data Category	Retention Period
Account and business information	Duration of contract + 3 years
Platform usage logs	12 months (rolling)
Device telemetry and health data	6 months (rolling)
Audience analytics aggregates	24 months
Payment and billing records	Duration of contract + 7 years (tax/legal)
Proof-of-play records	Duration of contract + 5 years
Uploaded creative assets	Duration of contract + 90 days
Support communications	Duration of contract + 2 years
Audit logs	Duration of contract + 5 years

After the retention period expires, data is securely deleted or anonymised. You may request earlier deletion subject to our legal and contractual obligations (see Section 8).

7. International Data Transfers

Dealpost primarily processes data within India. Where data is transferred to countries outside India or outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) — As approved by the European Commission for GDPR-compliant transfers
Adequacy decisions — Where the destination country has been recognised as providing adequate data protection
Data processing agreements — Binding agreements with all sub-processors that require equivalent data protection standards
DPDP Act 2023 compliance — We comply with the Indian Digital Personal Data Protection Act requirements for cross-border transfers, including any restrictions notified by the Government of India

8. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

8.1 Rights Under GDPR (EU/EEA)

Right of access — Obtain a copy of your personal data we hold (Article 15)
Right to rectification — Correct inaccurate or incomplete data (Article 16)
Right to erasure — Request deletion of your data where there is no compelling reason to continue processing (Article 17)
Right to restrict processing — Limit how we use your data in certain circumstances (Article 18)
Right to data portability — Receive your data in a structured, machine-readable format (Article 20)
Right to object — Object to processing based on legitimate interest (Article 21)
Right to withdraw consent — Where processing is based on consent, withdraw it at any time (Article 7)
Right to lodge a complaint — Contact your local supervisory authority

8.2 Rights Under DPDP Act 2023 (India)

Right to access information — Obtain a summary of your personal data and processing activities
Right to correction and erasure — Correct inaccurate data or request deletion
Right to grievance redressal — File a complaint with our Grievance Officer or the Data Protection Board of India
Right to nominate — Nominate another person to exercise your rights in case of death or incapacity

8.3 Rights Under CCPA (California, USA)

Right to know — What personal information we collect, use, and disclose
Right to delete — Request deletion of personal information
Right to opt-out — Opt out of the sale of personal information (note: Dealpost does not sell personal information)
Right to non-discrimination — We will not discriminate against you for exercising your rights

8.4 Rights Under PDPA (Singapore)

Right to access — Request access to your personal data in our possession
Right to correction — Request correction of errors or omissions
Right to withdraw consent — Withdraw consent for collection, use, or disclosure
Right to data portability — Receive your data in a commonly used format

8.5 Rights Under POPIA (South Africa)

Right to access — Confirm whether we hold your personal information and request a copy
Right to correction — Request correction or deletion of inaccurate information
Right to object — Object to processing of your personal information
Right to complain — Lodge a complaint with the Information Regulator

8.6 How to Exercise Your Rights

To exercise any of these rights, contact us at hello@dealpost.co.in. We will respond within 30 days (or sooner where required by applicable law). We may need to verify your identity before processing your request. If we cannot fulfil your request due to a legal obligation or legitimate exception, we will explain why.

9. Cookies and Tracking Technologies

Our web applications use cookies and similar technologies for the following purposes:

Cookie Type	Purpose	Duration
Strictly necessary	Authentication, session management, security (CSRF tokens)	Session / 24 hours
Functional	Remembering preferences (language, dashboard layout, timezone)	1 year
Analytics	Understanding usage patterns to improve the platform	12 months

We do not use third-party advertising cookies. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent you from using the platform.

10. Third-Party Services and Links

Our platform may integrate with or contain links to third-party services (e.g., Razorpay for payments, DSP platforms for programmatic advertising). These services have their own privacy policies, and we encourage you to review them. We are not responsible for the privacy practices of third-party services.

11. Children's Privacy

Dealpost is a B2B platform not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that data promptly.

With respect to audience analytics at signage locations: our on-device AI processing generates only anonymous, aggregate statistical data. No individual — child or adult — is identified, tracked, or profiled.

12. Automated Decision-Making

Our platform uses automated systems for:

Content scheduling — Algorithmic content selection based on time, audience aggregate data, and campaign rules
Bid processing — Automated evaluation of programmatic advertising bids against floor prices and campaign criteria
Device health monitoring — Automated alerts and actions based on device telemetry thresholds

None of these automated processes make decisions that produce legal effects concerning individuals. All automated decisions relate to content scheduling, device management, and advertising operations at the business level.

13. Grievance Officer and Data Protection Contact

In accordance with the DPDP Act 2023, we have designated a Grievance Officer. For all data protection inquiries, rights requests, or complaints:

Grievance Officer / Data Protection Contact

Dealpost

Email: hello@dealpost.co.in

Phone: +91 8015004952

If you are not satisfied with our response, you have the right to escalate your complaint to the relevant supervisory authority in your jurisdiction (e.g., the Data Protection Board of India, your EU Member State supervisory authority, or the California Attorney General).

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Notify registered users via email or in-platform notification
Where required by law, obtain your consent before applying changes that materially affect how we process your data

We encourage you to review this policy periodically. Your continued use of the Services after changes are posted constitutes acceptance of the updated policy.

15. Jurisdiction-Specific Provisions

15.1 India (DPDP Act 2023)

Dealpost complies with the Digital Personal Data Protection Act, 2023 and any rules notified thereunder. We process personal data as a "Data Fiduciary" and ensure that any cross-border transfer of personal data complies with government-notified restrictions. Users may exercise their rights through the Grievance Officer identified above or by filing a complaint with the Data Protection Board of India.

15.2 European Union (GDPR)

For EU/EEA users, the legal bases for processing are set out in Section 3. Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights. You may request a copy of these assessments by contacting us.

15.3 California (CCPA / CPRA)

In the preceding 12 months, the categories of personal information we have collected are described in Section 2. We do not sell personal information as defined by the CCPA. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA. California residents may designate an authorised agent to make requests on their behalf.

15.4 Singapore (PDPA)

We collect, use, and disclose personal data in accordance with the Personal Data Protection Act 2012 (as amended). Consent is obtained at the point of collection or through your agreement to our Terms of Service.

15.5 South Africa (POPIA)

We process personal information lawfully and in a reasonable manner that does not infringe the privacy of the data subject. Our processing activities satisfy at least one of the conditions for lawful processing under POPIA Section 11.

If you have any questions about this Privacy Policy or our data practices, please contact us at hello@dealpost.co.in or call +91 8015004952.