1. Introduction
IMAST Operations Private Limited ("IMAST," "we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use any of our platforms, web applications, and mobile applications (collectively, the "Services").
By accessing or using any of our Services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use immediately.
2. Data We Collect
2.1 Account Information
Name, email address, phone number, company name, job title, and billing information provided during registration or account setup.
2.2 Customer Data
Data you or your end-users input into the Platform — including loyalty transactions, distribution records, sales orders, leads, service tickets, reward redemptions, customer records, and visit reports. You retain full ownership of Customer Data.
2.3 Usage Data
Device information (model, OS version, unique device identifiers), IP addresses, browser type, pages viewed, features used, session duration, and interaction patterns.
2.4 Mobile Application Data
Our mobile applications may collect additional data depending on the features you use and the permissions you grant. This includes:
a) Location Data
- Precise GPS location is collected to enable features such as attendance marking, visit verification, geofence-based check-in/check-out, route tracking, and distance calculation.
- Background location may be collected during active work hours to track field routes and kilometres travelled, subject to configurable time-based cutoffs.
- Location data is transmitted to our servers and stored to generate visit reports, route trails, and travel summaries.
b) Camera and Photos
- The device camera (front and rear) is accessed for capturing attendance selfies, visit photos, audit evidence, expense receipt images, and event documentation.
- Photos are uploaded to our servers and stored for record-keeping, verification, and reporting purposes.
c) Biometric Data
- Facial recognition is used for identity verification during attendance marking. Facial feature embeddings (mathematical representations) are generated on-device and stored securely on our servers.
- Biometric data is used solely for identity verification and is never shared with third parties.
- You may request deletion of your biometric data at any time by contacting us.
d) Microphone and Speech
- The microphone is accessed when you use voice-to-text features for note entry, remarks, or search. Audio is processed on-device and is not recorded or transmitted to our servers.
e) Push Notifications
- Firebase Cloud Messaging (FCM) tokens are collected to deliver push notifications about approvals, alerts, and updates relevant to your work.
2.5 Cookies & Tracking Technologies
- Essential cookies for session management and authentication.
- Analytics cookies (e.g., Google Analytics) to understand usage patterns.
- Marketing cookies (only with your consent).
3. How We Use Your Data
- Delivering, operating, and maintaining the Services
- Verifying employee identity and attendance
- Tracking field visits, routes, and customer interactions
- Processing orders, expenses, and business transactions
- Providing customer support and resolving technical issues
- Processing payments and generating invoices
- Analysing usage to improve features and performance
- Ensuring security, detecting fraud, and preventing abuse
- Sending communications (updates, alerts, and marketing with consent)
- Meeting legal and regulatory obligations
We never sell, rent, or trade your personal data to third parties.
4. Legal Basis for Processing
- Contract performance — to deliver Services you have subscribed to
- Legitimate interests — to improve Services, ensure security, and prevent fraud
- Consent — for marketing communications, non-essential cookies, and optional features (withdrawable at any time)
- Legal obligations — for tax, accounting, and regulatory compliance
5. Data Sharing
We may share data with:
- Service providers (e.g., AWS for hosting, payment processors, email delivery services, mapping/geocoding services) under Data Processing Agreements with equivalent privacy protections
- Legal authorities when required by law, regulation, or legal process
- Other recipients, with your explicit consent, for any purpose not covered above
We do not share biometric data, precise location history, or camera captures with any third party for advertising or marketing purposes.
6. Data Retention
| Data Type | Retention Period |
| --- | --- |
| Active account data | Duration of subscription plus 90 days |
| Customer data after deletion request | Purged within 90 days; backups within 30 days |
| Billing and tax records | 7 years (Indian tax law) |
| Location and visit history | Duration of employment/subscription plus 90 days |
| Biometric data (facial embeddings) | Until deletion request or account termination, whichever is earlier |
| Attendance and visit photos | Duration of subscription plus 90 days |
| Anonymised analytics | Retained indefinitely |
7. Your Rights
You have the right to:
- Access your personal data we hold
- Rectify inaccurate or incomplete data
- Erase your data (subject to legal retention requirements)
- Export your data in standard formats (CSV, JSON, PDF)
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
- Withdraw consent for marketing or optional features at any time
- Request deletion of biometric data at any time
To exercise any of these rights, contact privacy@imast.in. We will respond within 30 days.
8. Mobile App Permissions Summary
Our mobile applications request only the permissions necessary for their features:
| Permission | Purpose | When Used |
| --- | --- | --- |
| Location (precise) | Attendance geofencing, visit verification, route tracking | During active work sessions |
| Location (background) | Route trail and distance calculation | During active work hours only (configurable cutoff) |
| Camera | Attendance selfies, visit/audit/expense photos | When capturing photos within the app |
| Biometric / Face Recognition | Identity verification | During attendance check-in |
| Microphone | Voice-to-text for notes and remarks | When speech input is activated by user |
| Internet | Data sync, API communication | Always |
| Notifications | Work alerts, approval updates | Always (can be disabled in device settings) |
| Storage | Offline data caching, photo storage | Always |
You may revoke any permission at any time through your device settings. Revoking certain permissions may limit the functionality of the app.
9. International Data Transfers
Primary data storage is on AWS Mumbai (ap-south-1). For users in the EU/EEA, data transfers are protected by Standard Contractual Clauses (SCCs) and Transfer Impact Assessments.
10. Children's Privacy
Our Services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected such data, we will delete it promptly.
11. Security Measures
We implement industry-standard security measures including:
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- AWS KMS key management with 90-day rotation
- Multi-factor authentication (MFA) for production access
- 24/7 Security Operations Centre (SOC) monitoring
- Quarterly penetration testing
- Role-based access control
- On-device biometric processing to minimise data exposure
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or an in-app notification at least 30 days before they take effect. Continued use of the Services after changes constitutes acceptance.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy:
Privacy Team: privacy@imast.in
Data Protection Officer: dpo@imast.in
Legal: legal@imast.in
IMAST Operations Private Limited
IMAST House, 1 Eastern Ring Rd,
Indore, Madhya Pradesh 452001, India