Privacy Policy

Sterna Security Devices Pvt. Ltd.

1. Introduction

Sterna Security Devices Pvt. Ltd. (hereinafter “Sterna,” “we,” “us,” or “our”), including its brands Sterna, Sterna Aurum, Sterna Vault, and Selyek, is committed to protecting your privacy and handling your personal data in a lawful, fair, and transparent manner.

This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you visit our websites (including sternasecurity.com and selyek.com), use our connected security devices and software, engage with our customer support, or interact with us through any channel.

This Policy is issued in compliance with the Digital Personal Data Protection Act, 2023 (India) (“DPDP Act”), the Information Technology Act, 2000 and the rules made thereunder, and, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”), and the Singapore Personal Data Protection Act 2012 (“PDPA”).

2. Who We Are (Data Fiduciary / Controller)

Sterna Security Devices Pvt. Ltd. is the Data Fiduciary (under the DPDP Act) and Data Controller (under the GDPR, where applicable) responsible for the personal data processed under this Policy.

Registered Office: 21 C-2, Captain Palaniswamy Layout, Coimbatore, Tamil Nadu - 641002

CIN: U74999TZ2013PTC020084

Email: info@sternasecurity.com

3. Scope of This Policy

This Policy applies to personal data we process in connection with:

  • Visitors to our websites and submitters of online forms;
  • Customers and authorized users of our connected security products (including locks, access control systems, locker monitoring systems, tracking devices, and associated mobile and web applications);
  • Personnel of our enterprise customers (for example, Indian Oil Corporation Ltd., Bharat Petroleum Corporation Ltd., Hindustan Petroleum Corporation Ltd., Reliance, and other B2B clients);
  • Prospective customers, vendors, and business partners; and
  • Individuals who communicate with us by email, phone, WhatsApp, or any other channel.

This Policy does not apply to third-party websites, applications, or services linked from our platforms. We encourage you to review their respective privacy policies.

4. Information We Collect

4.1 Information You Provide Directly

  • Identity and contact data: name, designation, company name, email address, phone number, postal address.
  • Account and authentication data: login credentials (hashed), device registration details, and multi-factor authentication identifiers.
  • Commercial data: purchase orders, tender-related information, billing and shipping details, and contractual correspondence.
  • Communications data: messages, enquiries, feedback, and support tickets shared with us via email, WhatsApp, phone, or web forms.

4.2 Information from Our Products and Devices

Our connected security products collect and transmit the following categories of data as part of their normal operation:

  • Device telemetry: device identifiers (serial numbers, IMEI, MAC/BLE addresses), firmware versions, battery and signal status, and diagnostic information.
  • Event and access logs: lock/unlock events, door open/close events, authentication attempts, tamper alerts, sensor readings (including accelerometer and Hall-effect sensor data), and timestamps.
  • Location data: where enabled by the product or the customer deployment, approximate or precise geographic location of devices (for example, via GNSS, cellular, or RF triangulation).
  • User action logs: records of operator actions performed through our mobile and web applications.

Where our enterprise customers deploy our products, those customers are typically the Data Fiduciary/Controller for personal data of their employees, contractors, and end users. Sterna acts as a Data Processor in such cases and processes data only in accordance with the customer’s written instructions and applicable data processing terms.

4.3 Information Collected Automatically

  • Usage data: pages visited, features used, session duration, click paths, and referral source.
  • Technical data: IP address, device type, operating system, browser type and version, and language settings.
  • Cookies and similar technologies: as described in Section 11.

4.4 Information from Third Parties

We may receive information about you from publicly available sources, business partners, resellers, enterprise customers who nominate you as their authorized contact, and service providers such as analytics, marketing, and authentication providers.

5. Legal Basis for Processing

We process personal data only where we have a lawful basis to do so. Depending on the processing activity and the applicable law, the basis may be:

  • Consent — for example, when you submit an enquiry form, opt in to marketing communications, or agree to cookies.
  • Performance of a contract — to provide, activate, and support the products and services you or your employer has purchased.
  • Compliance with a legal obligation — such as tax, accounting, and statutory record-keeping obligations.
  • Legitimate interests / Certain legitimate uses — including protecting the security and integrity of our products and networks, preventing fraud and tampering, and improving our services, balanced against your rights and interests.
  • Vital interests and public interest — in limited circumstances such as responding to a safety or security incident.

6. How We Use Your Information

  • Provide, operate, maintain, and improve our products, services, websites, and mobile and web applications.
  • Authenticate users and devices, issue and validate one-time passwords (OTPs), and enable secure access, monitoring, alerts, and over-the-air updates.
  • Detect, investigate, and respond to tampering, intrusion, fraud, misuse, and security incidents, including through automated anomaly detection and machine-learning models.
  • Respond to enquiries and provide customer, technical, and warranty support.
  • Process orders, invoices, payments, shipping, and post-sales service.
  • Send transactional communications (for example, service notices, security alerts, and policy updates) and, with your consent, marketing communications.
  • Comply with legal, regulatory, and contractual obligations, including responses to lawful requests from public authorities.
  • Conduct internal analytics, research, and product development, using aggregated or de-identified data wherever feasible.

7. Automated Decision-Making and Profiling

Certain features of our products use automated processing — for example, algorithmic tamper detection and anomaly scoring — to help our customers safeguard assets. These systems generate alerts that are reviewed by human operators before significant action is taken. Where required by applicable law, you have the right to request human review of decisions that significantly affect you.

8. How We Share Your Information

We do not sell, rent, or trade your personal data. We share personal data only in the circumstances described below, and only to the extent necessary.

8.1 Categories of Recipients

  • Cloud infrastructure and hosting providers who host our websites, applications, and device backends (including the Sterna Vault platform).
  • Communications and messaging providers for transactional email, SMS/OTP delivery, and WhatsApp Business messaging (subject to Meta’s applicable terms).
  • Analytics and product telemetry providers that help us understand product usage and performance.
  • Payment and invoicing providers for processing payments and issuing invoices.
  • Professional advisers such as auditors, legal counsel, insurers, and tax advisers.
  • Enterprise customers for whom we act as a Data Processor, and their authorized integration partners.
  • Corporate transaction counterparties in connection with a merger, acquisition, restructuring, financing, or sale of assets, subject to appropriate confidentiality obligations.
  • Law enforcement and regulators when disclosure is required by law, legal process, or to protect rights, property, or safety.

8.2 Data Processing Agreements

Where we engage third parties to process personal data on our behalf, we require them to act under written agreements that impose confidentiality, security, and processing-limitation obligations consistent with this Policy and applicable law.

9. International Data Transfers

Sterna is headquartered in India and operates, or plans to operate, in jurisdictions including the United Arab Emirates and Singapore. Your personal data may be transferred to, stored, and processed in countries other than your own.

Where personal data is transferred across borders, we rely on lawful transfer mechanisms such as: transfers to jurisdictions that are not restricted under Section 16 of the DPDP Act; standard contractual clauses and similar contractual safeguards; binding intra-group data transfer agreements; and, where required, your explicit consent. You may contact us for further information on the safeguards applied to specific transfers.

10. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by applicable law. Indicative retention periods are set out below and may be adjusted based on contractual and statutory requirements:

  • Website enquiry and contact form data: up to 24 months after the last interaction.
  • Customer account data: for the duration of the customer relationship and up to 8 years thereafter for statutory records.
  • OTP and authentication logs: typically up to 180 days, except where a longer period is required for security investigation.
  • Device event and access logs: in accordance with the enterprise customer’s data processing terms; typically up to 12 months, unless required to be retained longer.
  • Marketing data: until you withdraw consent or are inactive for 24 consecutive months, whichever is earlier.
  • Statutory records (financial, tax, regulatory): for the period required by applicable law.

Once personal data is no longer required, we securely delete, anonymize, or archive it in accordance with our internal retention and disposal standards.

11. Cookies and Similar Technologies

Our websites use cookies and similar technologies to operate the site, remember your preferences, understand how visitors use the site, and, where applicable, support marketing activities. We categorize cookies as:

  • Strictly necessary cookies — required for core site functionality and security.
  • Functional cookies — remember your preferences and settings.
  • Analytics cookies — help us measure and improve site performance.
  • Marketing cookies — used to deliver and measure relevant advertising.

Where required by law, non-essential cookies are set only after you provide consent through our cookie banner. You can manage your preferences at any time through the banner or your browser settings. Disabling certain cookies may affect the functionality of our websites.

12. Data Security

As a security-first organization, we apply layered technical and organizational measures that are reasonably designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption of data in transit using industry-standard protocols (for example, TLS) and encryption of sensitive data at rest.
  • Hardware-backed cryptography on our connected devices, including dedicated secure elements and AES-256 class ciphers where implemented.
  • Role-based access controls, least-privilege principles, and audit logging on backend systems.
  • Secure software development practices, vulnerability management, and periodic security testing.
  • Physical and environmental controls at our development and manufacturing facilities.
  • Ongoing employee training on data protection and information security.

No method of transmission or storage is entirely secure. While we work to protect personal data, we cannot guarantee absolute security.

13. Personal Data Breach Notification

In the event of a personal data breach, we will assess the incident, take prompt containment and remediation measures, and notify the Data Protection Board of India, other competent supervisory authorities (such as the DPC in Singapore or the UAE Data Office, where applicable), and affected individuals without undue delay and in accordance with applicable legal timelines. We maintain internal incident response procedures and require our processors to notify us promptly of suspected incidents.

14. Your Rights

Subject to applicable law, you have the following rights in relation to your personal data:

  • Right to access and confirmation — obtain confirmation of whether we process your data and a summary of such data.
  • Right to correction and erasure — request that inaccurate or incomplete data be corrected, completed, updated, or erased.
  • Right to withdraw consent — withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Right to nominate — nominate another individual to exercise your rights in the event of your death or incapacity.
  • Right to grievance redressal — a readily available means to raise grievances with Sterna, as described in Section 17.
  • Additional rights under other laws — where the GDPR, PDPL, PDPA, or other laws apply to you, you may also have rights such as data portability, restriction of processing, objection to processing, and the right to lodge a complaint with the relevant supervisory authority.

We will respond to verifiable requests within the timelines required by applicable law, generally within thirty (30) days. We may require information to verify your identity before acting on a request. Where a request is manifestly unfounded or excessive, we may charge a reasonable fee or decline to act, as permitted by law.

15. Children’s Data

Our products and services are intended for business and adult users. We do not knowingly collect personal data of children (individuals below 18 years of age, or such other age as specified under applicable law) without verifiable parental or lawful guardian consent. If you believe that we have inadvertently collected such data, please contact us using the details in Section 17 and we will take appropriate steps to delete it.

16. WhatsApp and Electronic Communications

By contacting us through WhatsApp, submitting your details on our websites, or otherwise providing your contact information, you consent to receive transactional and service communications from Sterna by email, phone, SMS, and WhatsApp, subject to applicable law and Meta’s terms for WhatsApp Business. Marketing communications are sent only with your separate consent.

You can opt out of marketing communications at any time by following the unsubscribe instructions in the message, replying “STOP” to WhatsApp or SMS communications, or contacting us at the address in Section 17. Opt-out does not affect communications that are strictly necessary for the services you have purchased (for example, OTPs, security alerts, and legal notices).

17. Contact and Grievance Redressal

If you have any questions, comments, or complaints about this Policy or about how we handle your personal data, or if you wish to exercise any of your rights, please contact our Data Protection Officer / Grievance Officer:

Data Protection Officer / Grievance Officer

Name: Premkumar S

Sterna Security Devices Pvt. Ltd.

169, West Sambandam Road, R.S Puram, Coimbatore, Tamil Nadu - 641 002, India.

Email: premks@sternadevices.in

Phone: +91 422 433 4800

We will acknowledge your request within a reasonable time and endeavor to resolve it within the timelines required by applicable law. If you are not satisfied with our response, you may escalate the matter to the Data Protection Board of India (or, where applicable, the supervisory authority in your jurisdiction).

18. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, products, legal or regulatory requirements, or industry standards. When we make material changes, we will update the “Last Updated” date above and, where appropriate, provide additional notice (for example, through our websites or by email). We encourage you to review this Policy periodically.

19. Governing Law and Jurisdiction

This Policy is governed by, and shall be construed in accordance with, the laws of India. Subject to applicable law, the courts at Coimbatore, India shall have exclusive jurisdiction over any disputes arising out of or in connection with this Policy, without prejudice to the rights of data principals to seek redress before competent authorities in their jurisdiction.

20. Severability

If any provision of this Policy is found by a competent court or authority to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.