B
BITE Digital
Legal

Privacy Policy

Effective date: 1 May 2026 · Version 1.0 · Compliant with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and Meta Platform policies.

1. Who we are

BITE Digital is operated by the Banaras Institute of Teacher's Education (BITE), an educational trust registered in Varanasi, Uttar Pradesh, India. BITE is the Data Fiduciary (controller) for the purposes of the DPDP Act 2023.

Registered address: Babatpur, Varanasi — 221204, Uttar Pradesh, India.
Domain: bitevns.ac.in

2. What this app does

BITE Digital is an internal compliance and monitoring platform used by BITE staff (Owners, Director, Trustee) to:

  • Track recurring institutional tasks and their completion
  • Monitor BITE's presence on public platforms (Google Business Profile, Facebook Page, Instagram Business, LinkedIn Page, Wikipedia, Quora) for reviews, comments, and engagement metrics
  • Generate compliance reports for institutional governance

The app is not public-facing. Only pre-registered BITE staff can sign in (phone + OTP). Self-registration is disabled.

3. Data we collect

3.1 Personal data of BITE staff

  • Identity: name, phone number (used as login identifier), email address (optional), role assignment
  • Activity: tasks completed, evidence uploaded, comments posted, reschedule requests submitted
  • Authentication metadata: hashed OTP codes (one-way SHA-256 hash with pepper), JWT session IDs, IP address and user-agent at login, device type
  • Audit metadata: timestamps and actor for every state-changing action, retained for three years per institutional policy

3.2 Data from connected platforms (Facebook, Instagram, etc.)

When the Trustee connects a platform via OAuth, BITE Digital receives and stores the following read-only data:

  • Platform account identifiers: the connected Page ID, Instagram Business Account ID, Google Business Profile location ID, etc. We never store passwords — only OAuth refresh tokens, encrypted at rest with AES-128 (Fernet) using keys held in our secrets store
  • Public posts and engagement: posts authored by the connected Page, public comments on those posts, public reviews, page-level metrics (followers, impressions, reach)
  • Reviewer/commenter display names, where the platform exposes them publicly (e.g. Google Business reviews show the reviewer's name)

We do not collect or store: private messages, direct messages, content from accounts the connected Page does not own, contact information of reviewers/commenters, photos, videos, advertising data, or any data about users who have not interacted publicly with BITE's connected accounts.

4. How we use it

  1. Operate the platform — log staff in, deliver task assignments, render dashboards
  2. Send notifications — push, WhatsApp, SMS, email — to inform staff of task assignments, escalations, and reschedule decisions
  3. Detect anomalies — algorithmically flag unusual changes in platform metrics or critical (1-2 star) reviews so the Trustee is alerted within minutes
  4. Classify sentiment + topic of public reviews and comments using machine learning (Anthropic Claude Haiku, with a self-hosted BERT fallback). Results are stored alongside the source row and never used to target advertising or shared with any third party
  5. Generate institutional reports — daily, weekly, monthly PDF reports for BITE's Director and Trustee

We do not use your data for advertising. We do not sell, rent, or trade your data. We do not transfer your data outside India.

5. Legal basis (DPDP Act 2023)

For BITE staff, processing is based on explicit consentrecorded at first sign-in (DPDP §6) — staff cannot use the app until they actively accept the data-processing notice. For data fetched from public platforms (Facebook, Google, etc.), processing is based on the connecting Page admin's explicit OAuth consent and the public nature of the data.

6. Your rights

Under the DPDP Act 2023 and applicable platform policies, you may:

  • Access — download a complete JSON export of every record on BITE Digital that references you, via Privacy → Right of access → Export my data after sign-in
  • Correct — edit your name, email, profile photo from your profile; for other corrections contact the Trustee
  • Erase — submit a deletion request via Privacy → Right of erasure → Request erasure. On Trustee approval, your account is permanently deleted, comments you posted are scrubbed, and operational records (task history, audit log) are anonymised. See our Data Deletion Instructions
  • Withdraw consent — at any time. Withdrawal removes your access to BITE Digital but does not erase historical records unless you also submit an erasure request
  • File a grievance — contact our Grievance Officer (below). If unresolved within seven days, escalate to the Data Protection Board of India

7. Storage, retention, security

  • Location — all data is stored in AWS's Mumbai (ap-south-1) region. No data leaves India.
  • Retention — staff personal data is retained for the duration of employment plus 30 days; audit logs are retained for three years (compliance requirement); platform metrics are retained for 13 months for year-over-year reporting
  • Encryption — TLS 1.2+ in transit; AES-256 (RDS), AES-128 (Fernet) for tokens at rest; OTP codes never stored in plaintext (SHA-256 with secret pepper)
  • Access control — role-based: Owners see only their own tasks; Director sees institutional dashboards; Trustee has full access. Audit log records every state change

8. Third parties

We use the following service providers, none of whom receive your personal data for their own purposes:

  • Amazon Web Services (Mumbai region) — infrastructure
  • Anthropic PBC — sentiment classification (review/comment text only; no identity data; not used for model training; data residency in US-East with India fallback to BERT)
  • MSG91 — SMS OTP delivery (phone number only)
  • DoubleTick — WhatsApp Business API delivery (phone number + templated message body only)
  • Sentry — error monitoring (error stack traces only; user data is scrubbed before transmission)

9. Children

BITE Digital is for institutional staff only. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, contact the Grievance Officer immediately.

10. Changes to this policy

Material changes will require re-consent at next sign-in. We post the version and effective date at the top of this page.

11. Grievance Officer

Sri Praveen Rai, Executive Trustee
Banaras Institute of Teacher's Education
Babatpur, Varanasi — 221204, Uttar Pradesh, India
Email: grievance@bitevns.ac.in