Last updated: April 2025
MeraTheka ("we", "us", or "our") operates the platform at app.meratheka.com. This Privacy Policy explains what personal data we collect, why we collect it, how it is used, and the rights available to you. We are committed to protecting personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA) and other applicable Indian laws.
By using the Platform, you consent to the practices described in this Policy.
Summary: We collect only what is necessary to operate the Platform. We do not sell your data. Face encoding data is stored solely for attendance matching and can be deleted by you at any time.
1. Data We Collect
1.1 Account Data (Firm Owners & Managers)
When you sign in via Google, we receive from Google:
- Name — displayed in the platform UI.
- Email address — used as your unique identifier and for account communications.
- Profile picture — displayed in the platform UI.
- Firebase UID — a unique token used to securely associate your session with your account.
We do not receive or store your Google password.
1.2 Worker Data (Collected by Firm Owners)
Firm Owners add worker profiles to the Platform. This may include:
- Name, mobile number, address.
- Worker documents (e.g., ID proofs, labour cards) — stored as encrypted files.
- Face encoding data (biometric) — a numerical vector derived from the worker's photograph, used exclusively for face-recognition attendance matching. The original photograph is not retained after encoding; only the mathematical vector is stored.
- Attendance records, wage history, payment advances.
1.3 Task & Activity Data
When a manager submits a task progress log, we collect:
- A photograph taken at the time of submission.
- GPS coordinates and accuracy — to geotag the log entry.
- Timestamp and submitting user's email.
Location data is used solely to record the physical location of the work log. It is not tracked continuously.
1.4 Financial & Project Records
Records created within the Platform — vendor bills, payments, contracts, invoices, purchase orders — are stored and associated with your firm account.
1.5 Usage & Technical Data
We may collect standard server logs including IP addresses, browser type, and pages visited. This data is used for security monitoring, debugging, and improving platform performance. It is not used for advertising.
2. How We Use Your Data
- Platform operation: To provide attendance tracking, project management, invoicing, and related features.
- Authentication: To verify your identity and maintain secure sessions via Firebase.
- Face recognition attendance: To match a worker's live scan against stored face encodings for shift check-in.
- Communication: To send account-related notifications (e.g., invite links, support responses). We do not send marketing emails without explicit opt-in.
- Legal compliance: To comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms.
3. Biometric Data (Face Encodings)
Face encoding is a sensitive category of data under the DPDPA. We treat it with the highest level of care:
- Face vectors are stored in an encrypted database field associated with the worker record.
- They are transmitted only over encrypted (HTTPS) connections.
- They are used exclusively for attendance matching within the enrolled worker's own firm.
- They are never shared with third parties, used for marketing, or used to identify individuals outside the Platform.
- A Firm Owner can permanently delete a worker's face data from the worker's profile at any time. Deletion is immediate and irreversible.
Firm Owners are responsible for obtaining appropriate worker consent before enrolling face data. See our Terms of Use §4 for details.
4. Data Sharing
We do not sell, rent, or trade your personal data. Data may be shared only in the following limited circumstances:
- Service providers: We use third-party infrastructure services (e.g., cloud hosting, Firebase by Google) that process data on our behalf under strict data processing agreements.
- Payment processors: If you initiate a payment, transaction data is shared with PhonePe or other authorised payment gateways. These providers have their own privacy policies.
- Legal obligations: We may disclose data if required by a court order, government request, or applicable law.
- Business transfer: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. We will notify you in advance.
5. Data Retention
- Account data is retained for as long as your account is active.
- Firm and project data is retained for as long as the firm account remains open.
- Face encoding data is retained until deleted by the Firm Owner or until the worker record is permanently removed.
- Upon account closure, data will be retained for 30 days to allow export, then permanently deleted.
- Server logs are retained for up to 90 days for security and debugging purposes.
6. Data Security
We implement industry-standard technical and organisational measures to protect your data:
- All data in transit is encrypted via TLS/HTTPS.
- Sensitive files (documents, task photos) are stored in private, access-controlled cloud storage.
- Database records are protected by access controls and server-level encryption at rest.
- Authentication is managed by Google Firebase, which provides brute-force protection and secure token issuance.
- Application-level security controls include role-scoped data access and obfuscated record identifiers.
No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Your Rights
Under the DPDPA and applicable law, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data, subject to legal retention requirements.
- Withdraw consent: Where processing is based on consent, withdraw it at any time (this will not affect prior processing).
- Grievance redressal: Lodge a complaint with us or with the Data Protection Board of India.
To exercise any of these rights, contact us at support@meratheka.com. We will respond within 30 days.
8. Cookies
The Platform uses session cookies to maintain your login state. These are strictly necessary for the Platform to function and do not track you across other websites. We do not use advertising or analytics cookies.
9. Children's Privacy
The Platform is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Third-Party Services
The Platform integrates with the following third-party services, each governed by its own privacy policy:
- Google Firebase — authentication and identity management.
- PhonePe — payment processing.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will update the "Last updated" date and, for material changes, notify you via the Platform or by email. Continued use of the Platform after changes constitutes acceptance of the revised Policy.
12. Contact Us
For privacy-related queries, data access requests, or complaints:
- Email: support@meratheka.com
- Platform: app.meratheka.com