TSAW Drones Private Limited (“TSAW”, “we”, “us”) runs the TSAW Pilot Platform — the operator-facing software (also known internally as D.C.I.S, the Drone Cloud Intelligence System). This notice explains what personal data we collect from pilots and customers who use the Pilot Platform, why we collect it, how long we keep it, who we share it with, and the rights you have under India’s Digital Personal Data Protection Act, 2023 (DPDP). It is written to satisfy DPDP §5 (notice at the point of collection) and complementary rules.
1. Information we collect
We only collect what we need to operate the Pilot Platform safely and to meet our regulatory obligations (DGCA, MoCA).
- Account identity: your name, work email, mobile number, organisation, role, and (for pilots) your DGCA remote-pilot certificate number.
- Authentication metadata: sign-in timestamp, user agent (browser / device), approximate location (one-time per session, only if you allow it — you can opt out on the sign-in screen), and the IP address the request came from.
- Drone & mission data: the drones assigned to your operator account, their telemetry (GPS, battery, link state, sensor readings), planned and executed missions, flight logs, command history, B-Sheet uploads, and incident reports.
- Payments: if you make a payment, our payment partner (Razorpay) collects card / UPI / bank details directly. We receive only an order reference, last 4 digits, and a success / failure status — never full card numbers.
- Support correspondence: messages you send to support, attachments, and any session recordings you voluntarily share for troubleshooting.
- Diagnostics: crash reports, performance traces, and error logs needed to keep the Pilot Platform reliable. We sample these and strip obvious identifiers.
2. How we use your data
We process data for the following purposes only:
- To authenticate you and keep your account secure (DPDP §7(c)).
- To operate your drone fleet, run missions, and produce the regulatory paperwork DGCA requires.
- To respond to incident enquiries from regulators, law enforcement, or your own organisation’s safety review.
- To bill you for paid services and produce GST-compliant invoices.
- To improve the Pilot Platform — aggregate, anonymised usage patterns only.
- To send service messages (security alerts, payment confirmations, link-loss notifications). We do not send marketing email without your prior opt-in.
3. Legal bases under DPDP
We rely on the following lawful bases (DPDP §7):
- Consent for optional data (e.g. the sign-in location toggle, marketing opt-ins).
- Performance of contract for everything required to deliver the Pilot Platform you signed up for.
- Legal obligation for retention required by DGCA, GST, IT Act, and DPDP itself.
- Legitimate use for security incident response, fraud prevention, and grievance handling.
4. How long we keep your data
We keep personal data only as long as we need it for the purpose we collected it for, or as long as the law requires.
- Sign-in sessions and audit logs: 90 days.
- Drone command and flight history: 730 days (2 years), matching DGCA flight-record retention.
- Account profile (name, email, mobile, license number): for as long as your operator account is active, plus 180 days after closure to handle disputes.
- Payment metadata (invoices, GST records): 8 years, as required by Indian tax law.
- Diagnostics / crash reports: 30 days, then aggregated.
- Support correspondence: 365 days after the case closes.
When a retention window ends we delete the record or irreversibly anonymise it.
5. Who we share data with
We do not sell your data. We share specific categories of data with a small set of processors who help us run the Pilot Platform. Each is contractually bound to use the data only as we instruct.
| Processor | What we share | Region |
|---|---|---|
| Razorpay | Payment instruction, GST identifier | India |
| Amazon Web Services (S3) | Mission files, B-Sheet uploads, telemetry blobs | India (ap-south-1) |
| Microsoft Azure | Email delivery, hosting, key vault | India (Central India) |
| Google Firebase | Real-time telemetry, push notifications | India / global |
| Sentry | Crash reports, error traces (sampled, scrubbed) | Germany (de.sentry.io) |
| Slack | Operator emergency channel (anonymised drone IDs) | USA |
| Regulators (DGCA, MoCA, AAI) | Statutory reports, NOTAM data, incident filings | India |
We may also share data with law enforcement under a valid order or to defend our legal rights. We will notify you of such a request unless legally prohibited.
6. Your rights under DPDP
As a Data Principal under DPDP, you have the right to:
- Access your data — export everything we hold via Settings → Download my data, or by calling
GET /v1/api/users/me/export. - Correct inaccurate data — from Settings → Profile, or by writing to us.
- Erase your data — from Settings → Delete account. Some data we must retain by law (tax, regulatory). We will tell you what stays and why.
- Withdraw consent for optional processing (e.g. location, marketing) at any time, from Settings or the relevant feature’s toggle.
- Nominate a person to exercise your rights if you are incapacitated or deceased.
- Complain to the Data Protection Board of India if you believe we have failed in our duties.
We aim to respond to verified requests within 7 working days and never later than 30 days.
7. Security
We protect your data with TLS in transit (≥ 1.2), AES-256 at rest (S3, Mongo Atlas, Azure Key Vault), per-user RBAC, audit logs on every privileged action, and continuous vulnerability scanning. Sign-in credentials are stored as Argon2 / bcrypt hashes — we never see your password. We rotate keys quarterly and run third-party penetration tests every 12 months.
8. Cross-border transfers
We try to keep your data in India. Where a processor is outside India (Sentry in Germany, Slack in the USA), we rely on Standard Contractual Clauses and the processor’s own certifications (ISO 27001, SOC 2). We do not transfer data to countries the Government of India has restricted.
9. Children
The Pilot Platform is a professional tool. We do not knowingly accept users under 18. If we learn we hold the data of someone under 18, we will delete it.
10. Cookies and tracking
We use cookies only for sign-in sessions and to remember your preferences. We do not use third-party advertising or cross-site tracking cookies. The localStorage entries we write (dcis_skip_login_loc, dcis_post_login_target) are functional, not analytical.
11. Changes to this policy
If we materially change how we collect or use your data, we will give you in-app notice and email you at least 14 days before the change takes effect, so you can review and withdraw consent if you wish.
12. Contact and grievance officer
For any privacy concern, data request, or grievance, write to our Data Protection / Grievance Officer:
We acknowledge receipt of every privacy request within 72 hours. Unresolved grievances may be escalated to the Data Protection Board of India under DPDP §28.