1. Introduction
Weffex Solutions Private Limited ("Company", "We", "Us", or "Our"), a company incorporated under the Companies Act, 2013 and operating the Smart Studio platform at www.mysmartstudios.com and portal.mysmartstudios.com ("Platform"), is committed to protecting the privacy and personal data of all users, guests, and visitors.
This Privacy Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and all other applicable Indian laws.
By accessing or using our Platform or services, you consent to the collection, processing, storage, and use of your personal data as described in this Privacy Policy.
2. Who We Are
- Legal Name: Weffex Solutions Private Limited
- Brand Name: Smart Studio
- Registered Address: Gaur City Center, Greater Noida West, Gautam Buddha Nagar, Uttar Pradesh – 201009
- CIN: U74999UP2023PTC185XXX
- GSTIN: 09AADCW0000A1Z5
- Email: privacy@mysmartstudios.com
- Phone: +91 93199 22002
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Information You Provide Directly
- Identity Data: Full name, date of birth, gender, government-issued ID (Aadhaar, PAN, passport, driving licence)
- Contact Data: Email address, mobile number, permanent and correspondence address
- Booking Data: Check-in / check-out dates, room type, number of guests, special requests
- Payment Data: Payment method (UPI, card, net banking), last 4 digits of card, billing address. Full card numbers and CVVs are never stored by us — they are processed by Razorpay / PayU under PCI DSS compliance.
- Account Data: Username, password (hashed), preferences, notification settings
- Communication Data: Messages sent via WhatsApp, email, or in-app chat
- Guest Register Data: Names and ID details of guests you add to your booking, as required under the Hotels and Lodging Houses Act and local police regulations
3.2 Information Collected Automatically
- Device & Technical Data: IP address, browser type and version, operating system, device identifiers
- Usage Data: Pages visited, time spent, clicks, search queries, booking flow events
- Location Data: Approximate location derived from IP address; precise GPS location only if you grant permission via our mobile application
- Cookies & Tracking: Session cookies, preference cookies, analytics cookies (see Section 10)
- Log Data: Server access logs, error logs, API call logs retained for security and debugging
3.3 Information from Third Parties
- Identity verification data from government databases (DigiLocker, UIDAI) where you authorise eKYC
- Payment transaction confirmations and risk signals from Razorpay and PayU
- Social login profile data (name, email, profile photo) if you sign in with Google
- Fraud and risk signals from third-party fraud prevention providers
4. Legal Basis for Processing
We process your personal data on the following lawful bases under the DPDP Act, 2023 and applicable law:
- Consent: For marketing communications, optional features, and non-essential cookies
- Performance of Contract: To fulfil your booking, manage your stay, and provide services you request
- Legal Obligation: To comply with hotel registration, police intimation, GST, anti-money laundering (AML), and other legal requirements
- Legitimate Interests: For fraud prevention, platform security, service improvement, and analytics
5. How We Use Your Personal Data
We use your personal data to:
- Create and manage your account and profile
- Process and confirm bookings; issue invoices, receipts, and GST bills
- Enable smart keyless check-in via IoT door access systems
- Send booking confirmations, access codes, reminders, and receipts via WhatsApp, SMS, and email
- Process payments, refunds, and dispute resolution through Razorpay / PayU
- Fulfil statutory obligations: police intimation (Form C), guest register maintenance, GST filing
- Respond to support requests, complaints, and queries
- Personalise your experience — saved preferences, loyalty tier, recommended rooms
- Send promotional offers and marketing communications (only with your explicit consent; unsubscribe at any time)
- Conduct fraud detection, risk assessment, and platform security monitoring
- Perform analytics and improve our services
- Comply with court orders, legal process, and law enforcement requests
6. Data Sharing and Disclosure
We do not sell your personal data. We share it only as described below:
6.1 Service Providers (Data Processors)
- Razorpay Software Pvt. Ltd. / PayU India: Payment processing (PCI DSS Level 1 certified)
- Amazon Web Services (AWS): Cloud hosting and data storage — data stored on servers in India (ap-south-1, Mumbai)
- Cloudflare Inc.: CDN, DDoS protection, DNS
- Neon Inc.: Database hosting (PostgreSQL)
- Meta Platforms (WhatsApp Business API): Transactional messaging
- Google LLC: Analytics (Google Analytics 4), Maps, Calendar integration
- Twilio / MSG91: SMS OTP delivery
- Firebase (Google LLC): Push notifications for mobile applications
6.2 Legal and Regulatory Disclosure
- Police and government authorities as required under the Hotels and Lodging Houses Act, CrPC, and local regulations (Form C intimation)
- GST authorities for invoice and tax compliance
- Courts, tribunals, and law enforcement agencies pursuant to valid legal process
- Financial intelligence units for AML compliance
6.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.
7. Data Retention
- Account data: Retained for the lifetime of your account, plus 7 years after account deletion (for statutory and audit purposes)
- Booking and transaction records: 8 years (as required by the Income Tax Act and GST laws)
- Guest register / police intimation records: As mandated by local hotel regulations (typically 12 months)
- Marketing consent records: Until withdrawn, plus 3 years after withdrawal
- Server logs: 90 days for standard logs; 1 year for security incident logs
- Payment data: As required by Razorpay / PayU and PCI DSS (card data is never stored by us beyond transaction completion)
8. Data Security
We implement industry-standard technical and organisational measures to protect your personal data:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Bcrypt hashing for passwords; passwords are never stored in plain text
- Multi-factor authentication (MFA) for admin and staff access
- Role-based access control (RBAC) — staff access only what is necessary for their function
- Regular penetration testing and vulnerability assessments
- PCI DSS compliant payment processing (card data never touches our servers)
- Secure IoT door access systems with audit logs
- Incident response plan aligned with CERT-In guidelines
In the event of a personal data breach that is likely to result in a risk to your rights or freedoms, we will notify you and the relevant authorities within the timelines prescribed under the DPDP Act, 2023 and CERT-In Cyber Security Incident Reporting Guidelines.
9. Your Rights
Under the Digital Personal Data Protection Act, 2023 and applicable law, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete personal data
- Erasure: Request deletion of your personal data (subject to legal retention obligations)
- Withdrawal of Consent: Withdraw consent for optional processing at any time without affecting prior processing
- Grievance Redressal: Lodge a complaint with our Grievance Officer (see Section 12)
- Nomination: Nominate another individual to exercise your data rights in the event of death or incapacity
To exercise any of these rights, write to: privacy@mysmartstudios.com. We will respond within 30 days of a verified request.
10. Cookies and Tracking
We use the following categories of cookies:
- Strictly Necessary: Session management, authentication, security (cannot be disabled)
- Functional: Your preferences, language, recently viewed rooms
- Analytics: Google Analytics 4 — understand how visitors use the Platform (opt-out available)
- Marketing: Google Ads, Meta Pixel — only activated with your explicit consent
You can manage cookie preferences through your browser settings or our cookie consent banner. Rejecting non-essential cookies will not affect core Platform functionality.
11. International Data Transfers
Your data is primarily stored and processed in India (AWS ap-south-1, Mumbai). Where data is transferred to processors outside India (e.g., Cloudflare's global CDN nodes), we ensure appropriate safeguards are in place including Standard Contractual Clauses or adequacy decisions, in compliance with the DPDP Act, 2023 and RBI data localisation requirements. Payment transaction data is stored exclusively within India as mandated by the Reserve Bank of India.
12. Grievance Officer
In accordance with the Information Technology Act, 2000, IT Rules, 2011, and the DPDP Act, 2023, we have appointed a Grievance Officer to address any concerns regarding your personal data:
- Name: Director — Weffex Solutions Private Limited
- Address: Gaur City Center, Greater Noida West, Gautam Buddha Nagar, Uttar Pradesh – 201009
- Email: grievance@mysmartstudios.com
- Phone: +91 93199 22002
- Response Time: Complaints will be acknowledged within 48 hours and resolved within 30 days
If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India once it is constituted and operational under the DPDP Act, 2023.
13. Children's Privacy
Our Platform is not directed to children under 18 years of age. We do not knowingly collect personal data from minors. If we discover that a minor has provided us personal data without verifiable parental consent, we will delete such data promptly. Parents or guardians who believe their child has submitted personal data to us should contact us at privacy@mysmartstudios.com.
14. Third-Party Links
Our Platform may contain links to third-party websites (maps, payment gateways, etc.). We are not responsible for the privacy practices or content of those third-party sites. We encourage you to review the privacy policy of every site you visit.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be notified to you by email or a prominent notice on the Platform at least 15 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.
16. Contact Us
For all privacy-related inquiries, please contact:
- Email: privacy@mysmartstudios.com
- Post: Weffex Solutions Private Limited, Gaur City Center, Greater Noida West, Gautam Buddha Nagar, Uttar Pradesh – 201009
- Phone: +91 93199 22002 (Mon–Sat, 10 AM – 6 PM IST)