Privacy Policy

Last updated: 05 April 2026

This Privacy Policy explains how Maarkit ("we", "us", "our"), operated by Jain Allaudeen A, collects, uses, and protects your information. This policy complies with the Information Technology Act, 2000, the IT (SPDI) Rules, 2011, and the Digital Personal Data Protection Act, 2023.

1. Information We Collect

Information You Provide

Data Type	What We Collect	Why
Account Info	Name, email, phone, business name, city	Account creation, communication
Staff Profiles	Names, emails, phones, roles, locations	Multi-user access management
Business Data	Purchases, sales, stock, vendors, customers, expenses	Core service functionality
GPS Data	Check-in coordinates, selfie (if attendance enabled)	Staff attendance tracking
Payment Info	Transaction IDs via Razorpay (we never store card numbers)	Subscription billing

Information Collected Automatically

Device information: browser type, operating system, screen size
Usage data: pages visited, features used, session duration
IP address and approximate location (city-level)
Error logs and crash reports (via Sentry — no business data included)

What We Do NOT Collect

We do not collect: Aadhaar numbers, caste/religion data, medical records, political opinions, sexual orientation, or biometric data beyond optional GPS attendance.

2. How We Use Your Information

Service delivery: Stock tracking, sales, purchases, billing, reporting
Authentication: Account security and access management
Payments: Processing subscriptions via Razorpay
Communications: Transactional emails (welcome, password reset, plan expiry, daily summary)
Improvement: Analyzing anonymized usage patterns to improve features
Security: Detecting unauthorized access, fraud, abuse
AI features: Demand forecasting using aggregated patterns (never individual records)

We do NOT sell your data. We do NOT use your data for advertising. Ever.

3. Data Isolation

Maarkit uses strict multi-tenant data isolation. Every database query is filtered by your unique tenant ID. No user from one business can access another business's data. This is enforced at the code level across all 250+ API endpoints.

4. Data Security

We implement security measures as required under Rule 8 of the SPDI Rules, 2011:

All data encrypted in transit (TLS 1.2+)
Passwords hashed using bcrypt (never stored in plain text)
JWT authentication with 24-hour token expiry
Rate limiting: 25 login attempts per 15 minutes, 200 API calls per minute
9 roles with 232 field-level permission controls
Complete audit trail: every create, update, delete logged with timestamp and user
Security headers via Helmet.js (CSP, XSS protection, HSTS)
CORS restricted to authorized domains only

5. Data Sharing

We share data only with these service providers:

Service	Purpose	Data Shared
Render.com	Cloud hosting	All platform data (encrypted)
Razorpay	Payment processing	Transaction amount, email (PCI-DSS certified, RBI authorized)
Sentry	Error monitoring	Error logs and stack traces (no business data)
Anthropic	AI features	Anonymized aggregated patterns only
Google	Places API (lead scraper)	Search queries only
Gmail SMTP	Email delivery	Email addresses and email content

We may disclose data if required by court order or government authority under applicable law.

6. Data Retention

Active accounts: Data retained as long as your account is active
Cancelled accounts: Data retained for 90 days (reactivation possible)
After 90 days: Data may be permanently deleted with 15 days prior email notice
Audit logs: Retained for 3 years for compliance
Backups: Encrypted backups retained up to 180 days after deletion from live systems
Anonymized data: Aggregated analytics (no personal info) may be retained indefinitely

7. Your Rights (under DPDP Act, 2023)

As a Data Principal, you have the right to:

Access: Export all your data using the Backup feature or request a summary
Correction: Update your account and business information at any time
Erasure: Request complete deletion of your account and data
Portability: Download your data in JSON/CSV format
Withdraw consent: Opt out of non-essential data processing at any time
Grievance: File a complaint with our Grievance Officer

To exercise any right, email grievance@maarkit.biz. We respond within 30 days.

8. Cookies and Local Storage

We use essential cookies only:

maarkit_tokens — JWT authentication (required for login)
maarkit_plan — Cached plan info (required for feature access)
Language preference (EN/HI/TA)

We do NOT use tracking cookies, advertising cookies, Google Analytics, Facebook Pixel, or any third-party trackers. No cookie consent banner is needed as we only use strictly essential functional cookies.

9. AI and Data Improvement

We use AI for demand forecasting and content features. We do NOT train AI models on your data. Anthropic's API processes requests without retaining your data. Only anonymized, aggregated patterns are used — never individual business records. You may opt out of aggregated analytics by emailing hello@maarkit.biz.

10. Children's Privacy

Maarkit is for adults (18+). We do not knowingly collect data from minors. If we discover a minor has registered, the account will be deleted.

11. Cross-Border Data Transfers

Data may be stored on servers outside India (Render.com infrastructure). Where data is transferred outside India, we ensure adequate protection in compliance with Section 16 of the DPDP Act, 2023.

12. Data Breach Notification

In the event of a personal data breach, we will notify affected users within 72 hours, including: nature of the breach, data affected, likely consequences, and remedial measures taken. We will cooperate with the Data Protection Board of India as required.

13. Grievance Officer

In accordance with the IT Act, 2000 and DPDP Act, 2023:
Name: Jain Allaudeen A
Email: grievance@maarkit.biz
Address: Madurai, Tamil Nadu, India
Complaints acknowledged within 24 hours, resolved within 30 days.

14. Changes to This Policy

Material changes communicated via email at least 15 days before taking effect. The "Last updated" date reflects the latest revision.

15. Governing Law

This policy is governed by the Information Technology Act, 2000, the IT (SPDI) Rules, 2011, and the Digital Personal Data Protection Act, 2023 of India.

16. Contact

Privacy questions: grievance@maarkit.biz
General: hello@maarkit.biz
Location: Madurai, Tamil Nadu, India