Privacy Policy

Sikka is a Google Business Profile and Merchant Center management platform operated by Ascendlink Technologies Private Limited (“Ascendlink”, “Sikka”, “we”, “us”), a company incorporated in India with its registered office in Gurgaon, Haryana.

This policy explains what personal data we collect when you use Sikka (the “Service”), why we collect it, how long we keep it, and the choices you have. It is written to comply with India's Digital Personal Data Protection Act, 2023 (the “DPDP Act”), the Information Technology Act, 2000 and the Reasonable Security Practices Rules, 2011, and Google's API Services User Data Policy.

a. Account data you give us

• Full name, work email, phone number, business name, role.
• Authentication credentials (passwords are stored hashed using industry-standard algorithms - we never see the plaintext).
• Billing details where applicable (GSTIN, billing address, invoice history). Card data is handled by our PCI-DSS compliant payment partner; Sikka does not store full card numbers.

b. Google account data you authorize

When you connect a Google account, Sikka requests OAuth scopes for the Google Business Profile and Google Merchant APIs. Subject to your consent, we may access:

• Business locations (name, address, hours, attributes, photos, categories, service area).
• Reviews, replies, ratings, and question-and-answer threads.
• Local posts, offers, events, and product catalog listings.
• Performance insights such as Maps impressions, calls, direction requests, and clicks.
• Verification status, ownership records, and place actions where applicable.

We use this data solely to provide the Service to you. We do not sell it, we do not use it to train general-purpose AI models, and we do not share it with advertisers.

c. Usage and device data we record

• IP address, browser and operating system, device identifiers, referring URL, timestamps, pages visited inside Sikka.
• Action logs (which buttons you clicked, which posts you scheduled, which replies were approved) for audit, debugging, and to power multi-location role-based access.
• First-party cookies to keep you signed in and remember settings. Sikka does not run third-party advertising cookies.

• To create your account, authenticate sign-in, and bill you.
• To pull, display, and let you operate on your Google Business Profile and Merchant Center data inside Sikka.
• To generate AI drafts for review replies, posts, and Q&A using the language and tone you select. Drafts are generated per-request and are not used to train shared models.
• To send transactional messages on WhatsApp, email, or SMS for the approval workflows you configure.
• To detect abuse, prevent fraud, debug issues, and meet legal obligations including responses to lawful government requests.

Sikka's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google data to provide or improve user-facing features inside Sikka that are prominent in the user interface.
• We do not transfer Google data to third parties except as necessary to provide the Service, comply with law, or with your explicit consent.
• We do not use Google data to serve advertisements, including retargeting, personalised, or interest-based advertising.
• We do not allow humans to read Google data unless we have your explicit consent for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for our internal operations and even then only when the data is aggregated and anonymised.

We share your data only with the categories of recipients listed below, and only for the purposes described above:

• Cloud infrastructure - we host Sikka on Microsoft Azure servers located in the South India region by default.
• AI processors - large-language-model providers that generate draft replies and posts on a per-request basis under strict no-training contracts.
• Messaging providers - WhatsApp Business, email, and SMS gateways used solely to deliver the notifications you configure.
• Payment processors - for plan billing and GST invoicing.
• Government and legal - when compelled by a valid order from an Indian court or authority of competent jurisdiction.

We do not sell personal data. We do not share Google API data with advertisers.

• Account data is retained while your account is active and for 12 months after deletion, after which it is anonymised or deleted.
• Google-derived data is retained only as long as your Google account is connected. Disconnecting revokes our tokens; we delete the cached copy within 30 days.
• Invoices and tax records are retained for 8 years to comply with the Indian Companies Act and GST law.
• Backups are rotated on a 35-day window.

Under the DPDP Act, 2023 you have the right to:

• Access a summary of the personal data we hold about you.
• Request correction or update of inaccurate data.
• Request erasure when retention is no longer required by law.
• Nominate another person to exercise these rights in case of your death or incapacity.
• Withdraw consent at any time.
• Raise a grievance with us and, if unresolved, with the Data Protection Board of India.

To exercise any of these rights, email hello@sikka.my. We respond within 30 days.

• TLS 1.2 or higher for all data in transit.
• AES-256 encryption at rest for databases and object storage.
• OAuth refresh tokens are encrypted with envelope keys held in a managed secrets vault.
• Role-based access inside the Sikka team; production access is logged, time-bound, and audited.
• Independent vulnerability testing of the public surface area at least once a year.
• Documented incident response plan; affected users and the Data Protection Board are notified within 72 hours of a confirmed breach materially affecting personal data.

Sikka primarily stores data within India. Some sub-processors (for example AI inference providers or transactional email vendors) may process limited data outside India under standard contractual clauses that require equivalent protection. We do not transfer data to jurisdictions notified by the Central Government as restricted under the DPDP Act.

Sikka is a B2B product for business owners and is not directed at children under 18. We do not knowingly collect data from children. If you believe a child has provided us data, write to hello@sikka.my and we will delete it.

We will update this policy from time to time. Material changes will be announced inside the product and by email at least 14 days before they take effect. The version date at the top of this page tells you when we last changed it.

For any privacy question, including DPDP rights requests, write to: