Legal

Privacy policy

Last updated: 2026-05-21

1. Who we are

ProductionLens is a service operated by Reya Technologies LLP (“we”, “us”, “our”), with its registered office in Mumbai, India. We are the data controller for the personal data described in this policy that we collect directly from visitors and account holders.

When ProductionLens is used by a production company, audit firm or studio to process records about their own employees, vendors, contractors and engagements, that customer is the data controller for those records, and ProductionLens is the data processor. Our processor obligations are described in our Data Processing Addendum.

2. Lawful basis

We rely on the following lawful bases under the DPDP Act 2023 and (where applicable) the GDPR:

  • Performance of a contract — to provide the ProductionLens service to account holders and customer organisations.
  • Legitimate interest — to operate, secure and improve the service (anti-abuse, error telemetry, product analytics in aggregate).
  • Consent — for optional features (marketing emails, beta programmes). You may withdraw consent at any time without affecting prior processing.
  • Legal obligation — tax records, statutory audit trails, and law-enforcement requests we are required to honour.

3. Data categories we collect

  • Account data — name, email, role, authentication tokens, login history.
  • Project data — production / film / OTT series metadata you create in the product.
  • Transaction data — budget heads, expense rows, vendor invoices, payment instructions, GST and TDS fields, uploaded source documents.
  • Audit-log data — every state-changing request, with actor, timestamp, before/after snapshot.
  • Operational telemetry — IP, user-agent, error stack traces, performance traces (via sub-processors).

4. Retention

We retain customer transaction and audit-log data for seven (7) years from the close of the financial year in which the record was created. This aligns with:

  • Section 44AA of the Income Tax Act, 1961 — books of account retention for assessees carrying on profession;
  • Section 36 of the CGST Act, 2017 — period of retention of accounts and records.

Account-only data (sign-in metadata, support correspondence) is retained for 24 months after account closure. Operational telemetry is retained for 90 days.

5. Your rights as a data principal

Subject to the DPDP Act 2023 and any other applicable law, you have the right to:

  • Request access to your personal data;
  • Request rectification of inaccurate data;
  • Request erasure of data we no longer have a lawful basis to process;
  • Request portability of data you provided to us;
  • Lodge a grievance with our Grievance Officer.

Grievance Officer: Email legal@reyatech.com with the subject line “Data principal request”. We acknowledge within 7 working days and respond substantively within 30 days.

6. International transfers

Primary customer records are held in India (ap-south-1). A small number of operational sub-processors may process data outside India. See /sub-processors for the current list and regions.

7. Security

See /security for our security posture, including encryption, authentication model, backup cadence and incident response window.

8. Cookies

We use essential cookies for authentication and session continuity, and a small set of analytics cookies (Google Analytics) for aggregate product usage. We do not run third-party advertising trackers.

9. Changes to this policy

We will update this policy as our product and regulatory environment evolves. Material changes will be communicated to account holders at least 30 days in advance via email.

10. Contact

Reya Technologies LLP — Mumbai, India.
Privacy & data-principal requests: legal@reyatech.com.