Log in

Cart

Your cart is empty

Unnati Privacy Policy

Vellvette Lifestyle Private Limited · SUGAR Cosmetics

Privacy Policy

Unnati — Field Sales & Attendance App

Effective Date: 13 May 2026  |  Last Reviewed: 13 May 2026  |  Version: 1.0

This Privacy Policy explains how Vellvette Lifestyle Private Limited ("Vellvette", "we", "us", or "our") collects, uses, stores, shares, and protects personal information when you use the Unnati Android mobile application. By downloading, installing, or using Unnati, you acknowledge that you have read, understood, and agreed to this Privacy Policy. If you do not agree, you must discontinue use of the app and notify your HR representative.

Contents

  1. About the Unnati App
  2. Scope & Applicability
  3. Device Permissions
  4. Information We Collect
  5. Legal Basis for Processing
  6. How We Use Your Information
  7. Camera — Detailed Disclosure
  8. Location — Detailed Disclosure
  9. Data Sharing & Third Parties
  10. Cross-Border Data Transfers
  11. Data Retention
  12. Data Security
  13. Children's Privacy
  14. Your Rights as a Data Principal
  15. Compliance with Indian IT Laws
  16. Grievance Officer
  17. Changes to This Policy
  18. Contact Us

1. About the Unnati App

Unnati (meaning "progress" in Hindi) is an internal enterprise mobility application developed and operated by Vellvette Lifestyle Private Limited for use by its field sales force and distribution teams across India. The app enables authorised users to:

  • Record and submit daily attendance via selfie-based check-in and check-out.
  • Log and verify field visits using GPS location data.
  • Upload photographic proof of task completion (e.g. outlet visits, delivery confirmations).
  • View individual performance dashboards, attendance calendars, and field reports.
  • Receive notifications and communications from team managers.

Unnati is an internal enterprise application — it is not a general consumer product. Access is restricted to individuals who have been onboarded by Vellvette's HR or IT department and who possess a valid employee or contractor credential.

2. Scope & Applicability

This Privacy Policy applies to:

  • All Vellvette employees, contractual staff, and authorised field agents who install and use the Unnati Android application.
  • All personal data processed through the Unnati app, including data collected on the device, transmitted to our servers, or stored in our backend systems.

This policy does not apply to Vellvette's other products, websites, or services. Links to third-party sites or services (e.g. Google Maps) are governed by those parties' own privacy policies.

Note for Google Play users: This application is listed on Google Play for internal distribution to authorised Vellvette personnel. If you are not an authorised Vellvette employee or contractor, please do not install or use this application.

3. Device Permissions Used

Unnati requests the following Android system permissions. Each permission is requested only at the moment the corresponding feature is first used, and you will be prompted by the Android system before any permission is granted. You may revoke any permission at any time through your device's Settings app.

Camera (android.permission.CAMERA)

Capture attendance selfies and on-site photos. Used only when you tap the camera button — never accessed silently or in the background.

Precise Location (android.permission.ACCESS_FINE_LOCATION)

GPS coordinate captured at check-in / check-out to verify field presence. Point-in-time only — not tracked continuously.

Approximate Location (android.permission.ACCESS_COARSE_LOCATION)

Fallback when GPS is unavailable. Used for the same attendance verification purpose as precise location.

Internet Access (android.permission.INTERNET)

Syncs attendance records, photos, and reports with Vellvette's secure cloud servers over an encrypted HTTPS connection.

Revoking a permission from Settings will disable the related feature but will not affect your other app functions. No sensitive permission is used without an active, visible user action within the app.

4. Information We Collect

We follow the principle of data minimisation — we collect only the information that is necessary for a specific, stated purpose. The table below details every category of data the app collects:

Category What is collected On device On server Purpose
Identity Full name, mobile number, employee ID Yes Yes Authentication & identity verification
Attendance Check-in / check-out timestamps, attendance status Yes Yes Attendance tracking & payroll reporting
Location (GPS) Latitude & longitude at moment of attendance event No Yes Verify attendance from a valid field location
Photos / Camera Selfie or on-site photo at check-in or task completion Temporary Yes Visual proof of attendance & task completion
Device Info Device model, OS version, app version, device ID No Yes Technical support, crash diagnostics
Authentication OTP (used once, not stored), session Bearer token Token only OTP not stored Secure login & session management
App Usage Feature interactions, screens visited, error logs No Yes App performance monitoring & improvement

"Temporary" on-device storage means the file exists briefly in the app's private sandbox during compression and upload, then is deleted. It is never written to your device's shared media library (Gallery / Photos).

5. Legal Basis for Processing Your Data

Under the Digital Personal Data Protection Act, 2023 (DPDPA) and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we are required to have a lawful basis for processing personal data. Our processing of your data is based on the following grounds:

a) Consent

By installing the Unnati app and continuing to use it after reading this policy, you provide your free, specific, informed, and unambiguous consent to the collection and use of your personal data as described herein. You may withdraw consent at any time by ceasing use of the app and submitting a deletion request to your HR or IT department.

b) Employment Contract / Legitimate Purpose

The processing of attendance, location, and photographic data is necessary for the performance of your employment or contractual engagement with Vellvette. Recording field attendance is an operational requirement under your terms of employment.

c) Legal Obligation

Certain data may be retained or processed to comply with applicable Indian labour laws, tax regulations, or directions from competent authorities.

6. How We Use Your Information

  • Verify employee or contractor identity and authorise app access.
  • Record, manage, and process daily attendance and field visits.
  • Validate that attendance check-ins are submitted from valid field locations.
  • Store work-related photographs as evidence of task or visit completion.
  • Generate attendance summaries and performance reports for HR and regional managers.
  • Compute payroll-related inputs (attendance days, leave status).
  • Monitor app health, diagnose crashes, and improve application performance.
  • Comply with applicable laws, regulations, and lawful government requests.

We do not use your personal data for:

  • Targeted advertising or marketing to you or any third party.
  • Selling, renting, or trading your information to any external party.
  • Automated decision-making or profiling that produces legal or similarly significant effects.
  • Any purpose other than the employment-related functions described in this policy.

7. Camera Permission — Detailed Disclosure

Google Play requires explicit disclosure about camera usage. The following is our full declaration:

When the camera is used

The camera is accessed only when you actively tap a camera button within the app interface — for example, to capture an attendance selfie at check-in or to photograph a retail outlet during a field visit. There is no background camera access at any time.

What happens to photos

  • The photo is captured in the app's private, sandboxed storage (never your Gallery).
  • It is immediately compressed on-device using the react-native-compressor library to reduce file size.
  • The compressed image is uploaded to Vellvette's secure servers over TLS/HTTPS.
  • The temporary on-device file is deleted after successful upload.
  • Uploaded photos are stored on the server and accessible only to authorised HR and management personnel.
  • Photos are never shared with advertising networks, analytics platforms, or any unrelated third party.

Sensitive Personal Data

Facial images captured through the camera may constitute biometric or sensitive personal data under Rule 3 of the IT (SPDI) Rules, 2011. We process such images solely for attendance verification and comply with the security obligations prescribed under Rule 8 of those Rules.

8. Location Permission — Detailed Disclosure

When location is accessed

Precise or approximate GPS location is captured exclusively at the moment you perform an attendance check-in, check-out, or log a field visit. A single coordinate (latitude and longitude) is recorded and immediately transmitted to the server.

What we do NOT do

  • We do not track your location continuously or in the background.
  • We do not build a movement history or travel log on the device.
  • We do not share location data with advertising or analytics services.
  • We do not access location when the app is running in the background.

Google Maps

The app displays maps using the Google Maps Android SDK to help you visualise visit locations. Map rendering by Google may involve Google's own data collection practices, governed by the Google Privacy Policy.

9. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information to any third party. Data is shared only in the following strictly limited circumstances:

  • Within Vellvette: HR managers, regional managers, payroll teams, and authorised IT administrators access data solely for legitimate employment functions. Access is governed by internal role-based access controls.
  • Cloud infrastructure providers: We use cloud hosting services to operate the Unnati backend. These providers act as data processors under contractual obligations of confidentiality and security. They do not have independent rights to use your data.
  • Google Maps Platform: Map tile rendering and geocoding services. Refer to Google's Privacy Policy.
  • Legal or regulatory authorities: When we are required to disclose information by law, court order, or direction of a competent government authority, including under the Information Technology Act, 2000 or DPDPA, 2023.
  • Business transfers: In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the successor entity, subject to equivalent privacy protections.

10. Cross-Border Data Transfers

Your personal data is primarily processed and stored on servers located in India. In limited circumstances, data may be processed by cloud service providers or sub-processors whose infrastructure is located outside India (e.g. content delivery networks or communication services).

Any such transfer is conducted in compliance with the requirements of the Digital Personal Data Protection Act, 2023 (DPDPA) and applicable rules notified by the Central Government. We ensure that adequate contractual safeguards (such as standard data protection clauses) are in place before transferring data cross-border.

11. Data Retention

We retain personal data only for as long as it is necessary for the purposes stated in this policy, or as required by applicable law:

Data Type Retention Period Basis
Attendance records & timestamps Duration of employment + 3 years Indian labour laws, payroll audits
Location data (check-in coordinates) Duration of employment + 1 year HR audit & dispute resolution
Photos / camera images Duration of employment + 1 year Task completion records
Device & app usage logs 90 days Technical support & security
Session tokens (on device) Until logout or app uninstall Session management

Upon termination of employment or contract, or upon a valid erasure request, we will delete non-legally-required personal data within 30 days. Data that must be retained under a legal obligation will be securely held until the mandatory period expires, then deleted.

12. Data Security

We implement technical and organisational security measures as required under Rule 8 of the IT (SPDI) Rules, 2011 and the DPDPA, 2023:

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS).
  • API endpoints are protected by API key authentication and employee-specific Bearer tokens with expiry.
  • Backend access is governed by role-based access control (RBAC); only authorised personnel can access specific data.
  • Photos and sensitive records are stored in access-controlled cloud storage, not publicly accessible.
  • Session tokens stored on device use Android's sandboxed AsyncStorage, inaccessible to other apps.
  • The app does not cache sensitive data beyond the active session.
  • Security vulnerabilities are remediated promptly through app updates distributed via Google Play.

While we take all reasonable precautions, no electronic transmission or storage is 100% secure. In the event of a personal data breach, we will take steps to contain it, notify the relevant authority (where required under DPDPA), and inform affected users as required by law — promptly and without undue delay.

13. Children's Privacy

Unnati is an enterprise application intended solely for adults (aged 18 and above) who are employed by or contracted to Vellvette Lifestyle Private Limited. We do not knowingly collect personal data from any person under the age of 18.

Under the DPDPA, 2023, processing of personal data of children requires verifiable parental consent. Since this app is restricted to employees and contractors, it falls outside the scope of child data processing. If we become aware that data of a minor has inadvertently been collected, we will delete it immediately and terminate the relevant account.

14. Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023 (DPDPA) and the IT (SPDI) Rules, 2011, you have the following rights with respect to your personal data:

  • Right to Access: Request a summary of the personal data we hold about you, the purposes for which it is processed, and with whom it has been shared.
  • Right to Correction & Erasure: Request correction of inaccurate or misleading data, and request deletion of data that is no longer necessary or for which consent has been withdrawn (subject to legal retention obligations).
  • Right to Grievance Redressal: Raise a complaint with our Grievance Officer (see Section 16) and receive a response within 30 days.
  • Right to Nominate: Under DPDPA, you may nominate another individual to exercise your data rights in the event of death or incapacity.
  • Right to Withdraw Consent: Withdraw your consent to data processing at any time. Note that withdrawal will require discontinuation of the app and may affect your employment obligations.

To exercise any of these rights, write to our Grievance Officer at the contact details in Section 16. We will acknowledge your request within 7 days and resolve it within 30 days, unless a longer period is permitted by law.

15. Compliance with Indian IT Laws

This Privacy Policy and the Unnati app are designed to comply with applicable Indian data protection laws:

  • IT Act, 2000 (amended 2008) — Section 43A: We maintain reasonable security practices for all sensitive personal data, including location and biometric (facial) images collected through the app.
  • IT (SPDI) Rules, 2011: Location data and facial photographs are treated as Sensitive Personal Data or Information (SPDI). We collect them only with your consent, for a stated purpose, and do not share them without authorisation. This policy is publicly accessible in compliance with Rule 4.
  • Digital Personal Data Protection Act, 2023 (DPDPA): Vellvette acts as the Data Fiduciary. We process data only for the purposes stated in this policy, retain it no longer than necessary, honour your rights as a Data Principal, and have appointed a Grievance Officer as required under Section 13.
  • Google Play Developer Policy: All permissions are disclosed upfront, used only for the purposes stated here, and no data is collected beyond what is described in this policy. This publicly accessible Privacy Policy is linked from the app's Play Store listing.

16. Grievance Officer

As required under Rule 5(9) of the IT (SPDI) Rules, 2011 and Section 13 of the DPDPA, 2023, Vellvette has designated a Grievance Officer to address any concerns or complaints relating to the processing of your personal data.

If you have a complaint, concern, or data request, you must first contact the Grievance Officer. We will acknowledge your complaint within 7 working days and resolve it within 30 days. If you are dissatisfied with the resolution, you may escalate your complaint to the Data Protection Board of India once it is constituted under the DPDPA, 2023.

Grievance Officer — Grievance / Data Privacy Team
Vellvette Lifestyle Private Limited
Email: abdul.shaikh@sugarcosmetics.com
Response time: within 7 working days  |  Resolution time: within 30 days

Registered Office — Vellvette Lifestyle Private Limited
1st Floor, Hiranandani Business Park – Lightbridge,
102/103, Saki Vihar Rd, Tunga Village,
Chandivali, Powai, Mumbai,
Maharashtra – 400072, India

17. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. Changes may be made to reflect:

  • New features or permissions added to the Unnati app.
  • Changes in applicable Indian law, including DPDPA rules or IT Rules notifications.
  • Updates to Google Play policies that require additional disclosures.
  • Changes in our data practices, third-party service providers, or security measures.

If we ever change the way we handle Sensitive Personal Data or Information (biometric images, location data) in a materially different way, we will obtain fresh consent from you before applying those changes.

18. Contact Us

For general questions about this Privacy Policy or your personal data, you may contact us through any of the following channels:

Privacy & Data Requests — Vellvette Lifestyle Private Limited
Email: abdul.shaikh@sugarcosmetics.com
Website: www.sugarcosmetics.com

Office Address — SUGAR Cosmetics (Vellvette)
B-1004, Palatial Heights, Chandivali Farm Road, Andheri East, Mumbai, Maharashtra - 400072, India.

© 2026 Vellvette Lifestyle Private Limited. All rights reserved.  |  Unnati App

Easy Returns

Cruelty Free

QUALITY FIRST

Ask me!
SUGAR AI
Please double check important information.