1. Why this document exists
When a hotel puts its guests' names, phone numbers and identity documents into Digilight PMS, the hotel decides what happens to that data and Digilight India merely acts on its instructions.
Under the Digital Personal Data Protection Act 2023 ("DPDP Act") the hotel is the Data Fiduciary and Digilight India is its Data Processor, and the Act requires that relationship to be governed by a contract.
This addendum is that contract. It forms part of the Terms of Service and applies automatically to every subscriber — there is nothing to sign and nothing to request.
LAWYER REVIEW REQUIRED — is a web page enough?
Reason: Confirm the Fiduciary/Processor characterisation, and confirm that incorporating this addendum by reference into the Terms is sufficient under the Act. If a signed instrument is required for some class of subscriber, this cannot stay a web page.
Note the interaction with Terms §1: the signup flow does not currently record acceptance of anything. If click-wrap is needed for the Terms, it is needed for this too.
Suggested options:
- Incorporation by reference, if counsel confirms it is sufficient.
- A signed DPA offered on request to enterprise subscribers, with this page as the default for everyone else.
2. Definitions
Data Fiduciary, Data Processor, Data Principal, Personal Data, Processing and Personal Data Breach carry the meanings given to them in the DPDP Act. Guest Data means personal data about the Subscriber's guests, entered into the Service by the Subscriber. Sub-processor means a third party we engage to process Guest Data.
LAWYER REVIEW REQUIRED. Align the vocabulary to the DPDP Act rather than the GDPR, while noting the equivalences (Fiduciary ≈ Controller, Principal ≈ Data Subject) that a subscriber's auditors will expect to see.
3. The roles, stated exactly
3.1 The hotel is the Data Fiduciary
You decide why guest data is collected and what is done with it. You are responsible for having a lawful basis to hold it, and for giving your guests whatever notice the law requires. See your warranty at Terms §9.1.
3.2 Digilight India is the Data Processor
We process Guest Data only on your documented instructions — which, in the ordinary course, are the instructions you give by using the product's features.
3.3 Where we are a Fiduciary in our own right
For your own account data — your staff, their logins, your billing records — and for the records we generate ourselves, such as audit and security logs, Digilight India decides the purposes and is therefore a Data Fiduciary. The Privacy Policy governs that data.
4. Scope of processing
- Subject matter: provision of the Digilight PMS hotel management service.
- Duration: the term of the subscription, plus any retention period agreed at §11.
- Nature and purpose: as set out at §5.
- Categories of Data Principal: your guests, and your own staff.
- Categories of personal data: as enumerated in Privacy Policy §3 — including, today, identity-document numbers.
5. What we do with the data
We store bookings and stays; produce invoices; run the reports you ask for; send the communications you trigger; back the data up; and provide support when you ask for it.
We do not sell it, share it for advertising, or use it to train machine-learning models. No AI or LLM service is integrated into Digilight PMS.
6. Support access
Digilight India's staff can enter your account to provide support. We are telling you this rather than letting you discover it, because concealing a capability that demonstrably exists in the software would be the single most damaging thing this document could do.
The safeguards are built into the mechanism, not promised in prose:
- A support session is time-limited to 30 minutes.
- It requires a written reason, recorded before access begins.
- It can be revoked at any time.
- It is logged, including who accessed the account and why.
LAWYER REVIEW REQUIRED
Reason: Turn the four safeguards above into operative clauses. Decide whether the Subscriber must be notified when their account is accessed, and whether they may refuse — today they are not asked.
Suggested options:
- Disclose as built, with the safeguards as contractual commitments.
- Additionally notify the account owner by email whenever a support session begins. This is a small product change and a very strong trust signal.
7. Sub-processors
You give a general authorisation for Digilight India to engage the sub-processors below. Each is bound to obligations no less protective than those in this addendum.
| Sub-processor | What it does | Where it runs |
|---|---|---|
| Vercel | Application hosting and scheduled jobs | Singapore |
| Neon | Managed PostgreSQL — where Guest Data is stored | Singapore |
| Resend | Transactional email | To be confirmed |
| Razorpay | Subscription payments (not yet enabled) | India |
| OpenStreetMap Foundation | Map tiles on one screen, loaded by the browser | To be confirmed |
| Cloudflare | Map marker icons on the same screen | To be confirmed |
| Overpass API | Nearby-hotel lookup for the same screen, server-side | To be confirmed |
LAWYER REVIEW REQUIRED — the last three, and the contract we do not have
Reason: The bottom three rows exist to serve one screen that is not linked from any menu in the product. The Overpass API is a public, volunteer-operated service with no contract, no SLA, and no data-processing agreement with us — and we send it the property's coordinates. We cannot bind it to anything, so the sentence above the table ("each is bound to obligations no less protective") is not true of it.
Suggested options:
- Remove the map screen, or self-host its assets. Three sub-processors disappear, including the one we have no contract with, and this table becomes four rows of real vendors we can actually bind. Strongly recommended.
- Keep them, and rewrite the sentence above the table so it is not false.
LAWYER REVIEW REQUIRED — notice of change
Reason: State the notice period before a new sub-processor is engaged, and whether a subscriber may object — and if they may, what happens when they do.
Suggested options: 30 days' notice by email, with a right to terminate without penalty if the subscriber objects. Do not grant a veto: one subscriber cannot be allowed to block infrastructure for all the others.
8. Cross-border transfer
LAWYER REVIEW REQUIRED — the data is not in India
Reason: The application and the database both run in Singapore. Every piece of Guest Data — including guests' Aadhaar and passport numbers — is stored outside India. This is a matter of fact, taken from the deployment configuration, and it engages s.16 of the DPDP Act.
It is also the first question an enterprise customer's auditor will ask, and the answer must be ready before they ask it, not after.
Suggested options:
- Confirm Singapore is not a restricted territory as notified, disclose it plainly here and in the Privacy Policy, and continue.
- Migrate to an Indian region. Both providers offer one. This removes the question entirely and is a genuine commercial asset for an India-first product.
Advise before the first paying customer — migrating after the data exists is materially harder than migrating now.
9. Personal data breach
If Guest Data is exposed, we will tell you, and give you what you need to meet your own notification duties to the Data Protection Board and to your guests.
LAWYER REVIEW REQUIRED — the deadline is a promise a rota has to keep
Reason: The DPDP Act's breach-notification obligations run against the hotel, not against us — but the hotel can only meet them if we tell it fast enough. The number set here must leave the hotel enough of its own window to act.
Suggested options: 24, 48 or 72 hours from becoming aware. Choose the number the on-call arrangements can actually meet, then staff to it. A deadline nobody can meet is worse than a longer one that is kept.
Counsel must also be told: a data-export endpoint in the product was, at one time, unauthenticated — its own code comment records that anyone with the URL could have dumped a property's full guest data. It has been fixed. Whether that historical exposure is itself a reportable incident, and to whom, is a question for counsel and it should be asked now, not when someone else finds it.
10. Our obligations as Processor
We will: process Guest Data only on your instructions; keep it confidential and bind our staff to confidentiality; apply the security measures described in the Security Policy; assist you in responding to your guests' rights requests; assist you with breach notification; and make available the information you need to demonstrate compliance.
LAWYER REVIEW REQUIRED. Turn each into an operative clause with a response time attached. Do not commit to an assistance timeline operations cannot meet — and note that two of these are currently impossible to honour. See §11.
11. Return and deletion
LAWYER REVIEW REQUIRED — this clause cannot be drafted until the product changes. It is the hardest blocker in the set.
Reason: A DPA of this kind normally promises to return and then delete the customer's data at the end of the subscription. Digilight PMS can do neither reliably today:
- Deletion. There is no retention policy, no purge job, and no way for a hotelier to delete a guest — the endpoint does not exist. Even deleting a guest record would not erase the person, because their name, nationality and identity-document number are copied into the stay and occupant records at check-in and would survive.
- Return. Export is a Growth-and-above feature, and it is switched off the moment a subscription is cancelled (and after ten days of non-payment). So a departing customer is blocked from exporting their data at exactly the moment they are departing. They can still read every record — check-in, check-out, billing and payment collection never stop — but they cannot get the data out. See Terms §9.2.
A DPA that promises return and deletion would be false on the day it is published. These are product tickets, not drafting choices:
- Allow export on every plan, in every subscription state.
- Build a guest-erasure path that scrubs the identity fields in all three tables.
- Set a retention period per record class, and build the purge. Resolve the conflict counsel must rule on: Indian tax law requires invoice records to be kept for years, while an erasure request may ask for deletion sooner.
12. Liability
LAWYER REVIEW REQUIRED
Reason: How this addendum interacts with the cap in Terms §14. Data-protection liability is frequently carved out of the general cap.
Suggested options: decide whether it is carved out here, and at what number. Read it against the Aadhaar exposure in Privacy Policy §3 — the size of that exposure is a product decision, and it can be reduced to near zero before this number is ever tested.
13. Audits
LAWYER REVIEW REQUIRED
Reason: What a subscriber may ask for to satisfy itself that we do what this addendum says.
Suggested options:
- A written security questionnaire, answered within a stated period.
- A third-party report — we have none, and cannot offer one (see Security Policy §2).
- An on-site audit right. An unqualified one granted to every subscriber is not operable for a company this size — but refusing all assurance will cost enterprise deals. Find the line.
14. Order of precedence
Where this addendum and the Terms of Service conflict, this addendum prevails in respect of the processing of Guest Data.
LAWYER REVIEW REQUIRED. Confirm the precedence, and confirm it does not accidentally override the limitation of liability at Terms §14.