Track your progress with the OneMaanicare App
Privacy policy
Maanicare digital platforms, Maanicare application and Maanicare AI
Effective date: [02Jun2026]
Last updated: [02Jun2026]
Policy version: [V1]
1. Introduction
At Maanicare, clarity, control and continuity guide the way we deliver our services. These principles also shape the way we collect, use, store and protect personal data.
This Privacy Policy explains how [MAANI CARE SYSTEM INDIA PRIVATE LIMITED], having its registered office at [1st Floor, Shop 101, B wing - Samartha Aishwarya, Off New Link Road, K L Walawalkar Marg, Andheri (West), Mumbai 400 053 ] (“Maanicare”, “we”, “our” or “us”), processes personal data through:
the Maanicare website at http://www.maanicare.com] and any webpages or microsites operated by us;
the OneMaanicare & Maanicare mobile application available through the Apple App Store and Google Play Store;
web-based portals, dashboards, administrative consoles and client interfaces;
employee, manager, vendor, contractor, client and operations interfaces;
Maanicare AI, our artificial-intelligence-enabled assistance layer;
forms, support channels, newsletters, alerts and notifications; and
any other digital service that links to this Privacy Policy.
Together, these are referred to as the “Platform”.
This Privacy Policy applies only to the processing of personal data. It should be read together with the applicable Terms of Use, employment policies, client agreements, consent notices, cookie notices and feature-specific disclosures presented through the Platform.
The Platform is modular. The features available to you will depend on your organisation, your role and the services enabled for your account. Not every category of personal data described in this Privacy Policy is collected from every user.
2. About Maanicare
Maanicare provides business support and workplace-management services, including:
interiors and fit-out project management;
payroll, staffing and compliance support;
total facility-management services;
workplace operations;
employee and workforce-management tools;
on-demand service support;
document and policy access;
digital helpdesk services; and
AI-assisted information and workflow guidance.
The Platform is designed to support authorised employees, client organisations, managers, administrators, vendors, technicians, contractors and service teams.
3. Applicable data-protection laws
Maanicare processes personal data in accordance with applicable laws and regulations, including, to the extent applicable and as brought into force:
the Digital Personal Data Protection Act, 2023 (“DPDP Act”);
the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”);
the Information Technology Act, 2000;
the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”); and
applicable employment, labour, tax, safety, statutory and contractual requirements.
The DPDP Act and DPDP Rules follow a phased commencement. The DPDP Rules were notified in November 2025. Rules 1, 2 and 17 to 21 came into force upon publication; Rule 4 comes into force one year after publication; and Rules 3, 5 to 16, 22 and 23 come into force eighteen months after publication. The corresponding provisions of the DPDP Act also follow a phased commencement. Maanicare is implementing its privacy programme in line with the requirements that apply from time to time.
Where another applicable law or contractual obligation imposes a higher standard of protection, the stricter requirement will apply.
4. Key terms
For the purposes of this Privacy Policy:
|
Term |
Meaning |
|
Personal data |
Any data about an individual who is identifiable by or in relation to that data. |
|
Digital personal data |
Personal data in digital form, including data collected digitally or collected in another form and digitised later. |
|
Data Principal |
The individual to whom the personal data relates. Where applicable, this includes the parent or lawful guardian of a child and the lawful guardian of a person with a disability. |
|
Data Fiduciary |
A person or organisation that determines the purpose and means of processing personal data. |
|
Data Processor |
A person or organisation that processes personal data on behalf of a Data Fiduciary. |
|
Processing |
Any automated or partly automated operation performed on digital personal data, including collection, recording, organisation, storage, retrieval, use, analysis, sharing, transmission, restriction, erasure or destruction. |
|
Specified purpose |
The purpose communicated to a Data Principal through a notice or another appropriate disclosure. |
|
Consent |
A free, specific, informed, unconditional and unambiguous indication of agreement through a clear affirmative action. |
|
Personal-data breach |
An unauthorised processing of personal data or an accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access that compromises its confidentiality, integrity or availability. |
|
Child |
An individual who has not completed 18 years of age. |
|
Sensitive personal data or information |
Information treated as sensitive under applicable law, which may include passwords, financial information, health information, medical records, sexual-orientation information and biometric information. |
|
Maanicare AI |
The artificial-intelligence-enabled assistance layer made available through the Platform. |
5. Who this Privacy Policy applies to
This Privacy Policy may apply to you if you are:
a Maanicare employee, worker, consultant or team member;
an employee deployed by Maanicare at a client site;
an employee of a client organisation using Maanicare services;
a candidate, applicant, intern, trainee or onboarding employee;
a reporting manager, site supervisor, facility manager or client administrator;
a member of an HR, payroll, compliance, finance, recruitment, support or operations team;
a vendor, service partner, contractor or technician;
an auditor, consultant, visitor or authorised representative;
a user raising a facility-management or on-demand service request;
a website visitor;
a person contacting us through a form, email or support channel; or
any other authorised user of the Platform.
The personal data processed will depend on your relationship with Maanicare, the features you use and the services enabled for your organisation.
6. Our role in processing personal data
Depending on the service, Maanicare may process personal data in different capacities.
6.1 Where Maanicare acts as a Data Fiduciary
Maanicare may act as a Data Fiduciary where it determines why and how personal data is processed. This may include processing for:
user-account creation;
authentication and access management;
Maanicare’s own workforce-management processes;
Platform administration;
support and helpdesk services;
Platform security;
website enquiries;
service-related communications;
Maanicare AI;
business continuity;
audit requirements; and
compliance with applicable law.
6.2 Where Maanicare acts as a Data Processor
Maanicare may process personal data on behalf of a client organisation, employer or another Data Fiduciary.
This may include:
employee records;
recruitment and onboarding data;
attendance and shift data;
payroll inputs;
statutory-compliance records;
facility-management data;
site records;
service requests;
client-specific documents; and
reports or dashboards prepared for the relevant organisation.
Where Maanicare acts as a Data Processor, the relevant employer or client organisation may determine the permitted purpose of processing. Certain privacy requests may need to be directed to, approved by or coordinated with that organisation.
6.3 Role-based access
Access to personal data is restricted according to the user’s authorised role and legitimate operational requirements.
For example:
a reporting manager may be able to view attendance, leave and team information;
an authorised payroll user may be able to view salary, bank and statutory information;
a facility manager may be able to view task, asset and site records;
a client administrator may receive agreed operational reports;
an authorised grievance or POSH reviewer may receive access to restricted confidential records; and
an ordinary administrator will not automatically receive access to confidential grievance, POSH or disciplinary records.
7. Personal data we may collect
We collect only the personal data reasonably necessary for the relevant service, workflow, legal requirement or Platform function.
7.1 Account, identity and contact information
We may collect:
full name;
profile photograph;
employee code;
candidate ID;
vendor ID;
client ID;
user ID;
service-request ID;
work email address;
personal email address, where required;
mobile number;
alternate contact number;
date of birth and age, where required;
gender, where required for a lawful purpose;
residential or correspondence address;
emergency-contact details;
organisation name;
department;
designation;
grade;
site;
work location;
reporting manager;
account status;
user role;
permissions;
login credentials;
authentication details;
OTP records;
password-reset details;
consent records;
acknowledgement records;
electronic signatures; and
communication preferences.
7.2 Recruitment, onboarding and employment information
Where relevant, we may collect:
résumé or curriculum vitae;
application details;
work history;
previous-employer information;
educational qualifications;
professional certifications;
skills;
references;
interview records;
assessment results;
recruitment status;
background-verification records, where lawfully required;
offer details;
appointment details;
joining date;
employment type;
probation status;
confirmation records;
transfer records;
promotion records;
deployment details;
reporting structure;
training records;
performance-review information;
feedback;
resignation details;
notice-period information;
exit records; and
full-and-final-settlement records.
7.3 Payroll, banking and statutory information
Where payroll, reimbursement or compliance services are enabled, we may collect:
salary structure;
wages;
incentives;
bonuses;
deductions;
arrears;
overtime;
reimbursement details;
payslips;
bank-account details;
payment instructions;
PAN details;
Aadhaar details, only where lawfully required and subject to applicable restrictions;
UAN;
provident-fund details;
ESIC details;
professional-tax details;
TDS information;
insurance details;
benefits information;
nominee details;
dependant details;
invoices;
receipts;
expense claims;
approvals;
statutory filings;
compliance records; and
audit records.
We will not request financial information or government-issued identifiers unless they are reasonably necessary for a lawful employment, payroll, statutory, reimbursement or service-related purpose.
7.4 Attendance, shift, leave and workforce-management information
Where enabled, we may collect:
punch-in and punch-out time;
attendance status;
attendance date;
shift schedule;
roster;
site;
branch;
project;
work area;
leave type;
leave dates;
leave balance;
leave reason;
supporting records;
manager approval;
remarks;
late arrival;
early departure;
missed punch;
overtime;
attendance exception;
regularisation request;
QR-based attendance records;
geo-tagged attendance information;
current location at the time of attendance;
GPS coordinates, where enabled;
attendance photograph or selfie, where enabled;
device details; and
attendance audit trails.
Unless separately disclosed for a specific operational purpose, location information is collected only when you actively perform a relevant action, such as marking attendance, verifying site presence or completing a task.
Continuous background-location collection will not be enabled unless it is necessary for a clearly stated core function, separately approved and prominently disclosed.
7.5 Facility-management and workplace-operations information
Where enabled, we may collect:
client details;
site details;
building, floor, room and zone details;
work-area details;
asset codes;
asset information;
equipment details;
service history;
maintenance schedules;
preventive-maintenance records;
corrective-maintenance records;
breakdown reports;
work orders;
task allocations;
task status;
checklists;
completion records;
inspections;
quality records;
escalation records;
service-level records;
technician details;
supervisor details;
vendor details;
approver details;
incident records;
safety records;
environmental, health and safety records;
risk-assessment records;
access-control data, where enabled;
visitor-management data, where enabled;
consumables;
inventory records;
material-usage records;
photographs;
videos;
documents;
task-completion evidence;
timestamps;
task-location details;
comments;
client feedback; and
audit trails.
Operational information will be treated as personal data where it identifies or can reasonably be linked to an individual.
7.6 Helpdesk, grievance, POSH, disciplinary and safety information
Where a user submits information through a helpdesk or restricted workflow, we may process:
support requests;
complaints;
grievances;
workplace concerns;
disciplinary records;
safety concerns;
incident reports;
whistleblowing reports;
prevention-of-sexual-harassment-related information;
supporting documents;
witness details;
investigation records;
authorised reviewer comments;
escalations; and
resolution records.
These records may contain sensitive, confidential or legally significant information.
Access is restricted to authorised personnel with a legitimate need to review the relevant matter. Such information will not be used for unrelated purposes.
Maanicare AI is not a substitute for a formal grievance, POSH, disciplinary, safety or whistleblowing process. Users should submit sensitive matters through the designated secure workflow.
7.7 Health-related information
Where lawful and reasonably necessary, we may process limited health-related information, such as:
medical certificates submitted for leave;
workplace-injury records;
incident-related health information;
insurance-related records;
information required for statutory benefits;
emergency-support information; and
occupational-safety records.
Health-related information is subject to appropriate access restrictions.
7.8 Documents, files, photographs, audio and videos
The Platform may allow authorised users to upload, store or share:
identity documents;
employment documents;
statutory records;
payslips;
letters;
certificates;
forms;
invoices;
receipts;
policies;
SOPs;
manuals;
site photographs;
inspection photographs;
task-completion evidence;
incident photographs;
safety records;
audio notes, where enabled;
videos, where enabled;
résumé files;
helpdesk attachments; and
other documents required for an authorised workflow.
Users should upload only the information required for the relevant purpose.
7.9 Maanicare AI interaction data
When you use Maanicare AI, we may process:
the prompt, question or instruction you submit;
follow-up questions;
relevant conversation history;
AI-generated responses;
your feedback, ratings and corrections;
uploaded files;
referenced documents;
your user ID;
your organisation;
your role;
your access permissions;
the module used;
timestamps;
technical logs;
audit trails;
escalations; and
support tickets created from the interaction.
7.10 Device, browser and technical information
When you access the Platform, we may collect:
device type;
device model;
operating system;
browser type;
browser language;
application version;
IP address;
session details;
login timestamps;
device identifiers;
authentication events;
crash reports;
performance data;
diagnostic information;
network information;
security events;
audit logs;
cookies;
similar identifiers; and
feature-usage information.
7.11 Website enquiries and communications
When you contact Maanicare through the website, email, phone or another channel, we may collect:
name;
contact details;
organisation;
designation;
enquiry details;
service interest;
communication history;
follow-up notes; and
communication preferences.
7.12 Dependant and nominee information
Where lawful and necessary for employment, insurance, benefits or statutory purposes, we may process limited information relating to:
nominees;
dependants;
children;
family members; and
lawful guardians.
Such information will be restricted to the relevant permitted purpose.
8. Sources of personal data
We may receive personal data:
directly from you;
from your employer;
from a client organisation;
from an authorised HR representative;
from an authorised manager or administrator;
from a reporting manager or supervisor;
from a vendor, contractor or service partner;
from a recruitment partner;
from a background-verification provider;
from an approved technology integration;
from a statutory authority;
from your device when you grant permission;
from your use of the Platform; or
from another source permitted by law.
Where personal data is shared with us by another organisation, that organisation is responsible for ensuring that it is authorised to provide the information.
9. How we use personal data
We may process personal data for the following purposes.
9.1 Account creation, authentication and access management
To:
create and manage accounts;
verify identity;
authenticate users;
issue OTPs;
manage passwords;
allocate permissions;
restrict unauthorised access;
monitor account activity; and
maintain audit trails.
9.2 Recruitment, onboarding and employee management
To:
manage applications;
assess candidates;
complete onboarding;
maintain employee records;
administer attendance;
manage shifts and rosters;
process leave;
manage transfers and promotions;
coordinate deployment;
provide training;
support performance workflows;
process exits; and
complete full-and-final settlement.
9.3 Payroll, reimbursement and compliance
To:
calculate payroll;
process wages;
manage deductions;
issue payslips;
administer reimbursements;
process expenses;
maintain statutory records;
support statutory filings;
provide benefits;
meet employment-related obligations; and
support audits.
9.4 Facility management and workplace operations
To:
receive service requests;
create and assign work orders;
manage assets;
manage maintenance schedules;
record task completion;
verify service delivery;
monitor quality;
manage safety;
process incidents;
coordinate vendors;
manage approvals;
monitor service levels;
support client reporting; and
maintain audit readiness.
9.5 Helpdesk and support
To:
respond to employee enquiries;
route requests;
manage grievances;
support confidential workflows;
address technical issues;
provide service assistance; and
record resolutions.
9.6 Maanicare AI
To:
answer routine questions;
help users locate authorised information;
summarise approved documents;
explain policies and SOPs;
guide users through workflows;
identify the appropriate form, team or escalation route;
create or route support tickets;
resolve technical issues;
monitor quality;
detect misuse;
maintain security; and
improve reliability.
9.7 Communications
To:
send OTPs;
provide login alerts;
send security alerts;
share service updates;
send attendance reminders;
send payroll alerts;
issue approval notifications;
provide support responses;
communicate policy updates;
send operational announcements;
deliver newsletters; and
send permitted marketing communications.
9.8 Safety, security and accountability
To:
prevent fraud;
identify misuse;
investigate suspicious activity;
manage security incidents;
protect confidential information;
maintain logs;
enforce access controls;
support business continuity;
manage risk; and
respond to lawful requests.
9.9 Legal, regulatory and contractual compliance
To:
comply with applicable laws;
maintain statutory records;
fulfil contractual obligations;
respond to regulators;
support audits;
establish, exercise or defend legal claims; and
enforce applicable agreements.
9.10 Platform improvement
To:
understand how features are used;
identify errors;
resolve technical issues;
improve performance;
improve accessibility;
improve user experience;
improve workflows;
develop new features; and
analyse aggregated operational trends.
Where reasonably possible, information used for analytics and improvement will be aggregated or de-identified.
10. Grounds for processing personal data
Maanicare processes personal data only for lawful purposes.
Depending on the context, we may process personal data:
with your consent;
where you voluntarily provide personal data for a specified purpose and have not indicated that you do not consent to its use for that purpose;
where processing is necessary for employment-related purposes;
where processing is necessary to protect an employer from loss or liability;
where processing is required to provide a service or benefit requested by an employee;
where processing is necessary to provide a requested service;
where processing is necessary to fulfil a contractual obligation;
where processing is required to comply with applicable law;
where processing is necessary to respond to a lawful request, order or legal process;
where processing is required for safety, security, fraud prevention or incident response;
where processing is required to establish, exercise or defend legal rights; or
where another legitimate use recognised under applicable law applies.
The DPDP Act recognises consent and specified legitimate uses as grounds for processing. Employment-related processing and processing required to safeguard an employer from loss or liability are expressly recognised.
11. Notices and consent
11.1 Clear and specific notices
This Privacy Policy provides an overarching explanation of our privacy practices.
Where required, we will also display a clear, feature-specific notice before collecting personal data or activating a permission. The notice may describe:
the personal-data items being collected;
the specified purpose;
the feature, service or benefit enabled by the processing;
the method for withdrawing consent;
the method for exercising applicable rights; and
the method for raising a grievance or complaint.
The DPDP Rules require relevant notices to be independently understandable, written in clear and plain language, and supported by an itemised description of the personal data and the specified purpose.
11.2 Consent
Where consent is relied upon, consent will be sought through a clear affirmative action.
Consent should be:
free;
specific;
informed;
unconditional;
unambiguous; and
limited to the personal data reasonably necessary for the stated purpose.
11.3 Withdrawal of consent
Where processing is based on consent, you may withdraw consent through:
an in-app setting;
the applicable feature screen;
the privacy-request page;
the account-deletion route;
email; or
another method made available by Maanicare.
The method for withdrawing consent will be reasonably comparable in ease to the method used to provide consent.
Withdrawal will not affect the legality of processing completed before the withdrawal. Certain features may stop functioning where the personal data is necessary to provide the feature. We may continue to retain or process limited information where required or permitted by law.
11.4 Records of consent
Where required, Maanicare may maintain records of:
the notice presented;
the version of the notice;
the date and time of consent;
the affirmative action taken;
the purpose;
the withdrawal of consent; and
changes to user preferences.
11.5 Language accessibility
Where required under applicable law, consent requests and privacy notices may be made available in English or another applicable language specified in the Eighth Schedule to the Constitution of India.
11.6 Consent Managers
Where supported and applicable, you may manage, review or withdraw consent through a Consent Manager registered with the Data Protection Board of India.
12. Maanicare AI
12.1 Purpose of Maanicare AI
Maanicare AI is designed to provide authorised users with easier access to information, guidance and support.
Depending on the features enabled for your organisation, Maanicare AI may help you:
find approved company policies;
locate SOPs;
understand compliance processes;
navigate HRMS workflows;
navigate facility-management workflows;
locate company documents;
obtain summaries;
receive routine workplace guidance;
identify the appropriate form;
identify the relevant team;
create or route a helpdesk ticket; and
receive operational assistance.
12.2 Information processed by Maanicare AI
When you use Maanicare AI, it may process:
your prompt;
your follow-up questions;
your organisation;
your role;
your access permissions;
relevant conversation history;
uploaded files;
authorised company documents;
approved policies;
SOPs;
FAQs;
manuals;
client-specific resources;
training materials;
AI-generated responses;
feedback;
ratings;
technical logs; and
escalation records.
12.3 Access controls
Maanicare AI is intended to retrieve, summarise or display only the information that the relevant user is authorised to access.
A user will not receive access to restricted information merely because:
another user can access the information;
the information exists within a broader knowledge base; or
the AI system is technically capable of retrieving it.
Client-specific information should remain segregated and subject to role-based permissions.
12.4 Human review and decision-making
Maanicare AI is intended to assist users. It is not intended to independently make final decisions relating to:
recruitment;
candidate rejection;
payroll approval;
salary adjustments;
deductions;
leave approval;
performance ratings;
disciplinary action;
termination;
employee grievances;
POSH complaints;
statutory determinations;
safety incidents;
client approvals;
access-control decisions; or
any matter that may materially affect an individual’s rights, employment, payment, safety or legal position.
Such matters remain subject to the relevant authorised human process.
12.5 Limitations of AI-generated responses
AI-generated responses may occasionally be incomplete, outdated or inaccurate.
Users should:
verify important information against the official policy, document or system record;
seek confirmation from an authorised team before relying on a response for a high-impact decision;
use the formal workflow for complaints, grievances, POSH matters, safety incidents or legally significant issues; and
avoid treating an AI-generated response as legal, financial, medical or professional advice.
Where there is a conflict between an AI-generated response and an approved policy or official record, the approved policy or official record will prevail.
12.6 Sensitive information and AI interactions
Do not submit unnecessary personal, sensitive or confidential information through a general AI chat.
Do not enter:
passwords;
OTPs;
payment credentials;
complete bank-account credentials;
full government-identifier numbers unless specifically requested through a secure workflow;
POSH complaints;
detailed grievances;
disciplinary matters;
detailed health information;
confidential client information;
trade secrets; or
another person’s personal data unless specifically required and authorised.
Use the designated secure workflow for sensitive matters.
12.7 External AI providers
Maanicare may use authorised cloud, AI, document-retrieval or technology providers to support Maanicare AI.
Where an authorised provider processes personal data, the provider will be required to process the information only for the permitted purpose and subject to appropriate contractual, technical and organisational safeguards.
12.8 AI training and improvement
Maanicare does not sell AI prompts or confidential enterprise content.
Unless separately disclosed, lawfully authorised and contractually agreed:
personal data submitted through Maanicare AI will not be used to train a publicly available general-purpose AI model;
confidential client information will not be used to train a publicly available general-purpose AI model; and
restricted company documents will not be made available to unauthorised users.
Maanicare may use controlled, de-identified or aggregated information to improve the quality, reliability and safety of internal services, subject to applicable law and contractual requirements.
12.9 AI quality monitoring
A limited set of AI interactions may be reviewed by authorised personnel or service providers where reasonably necessary to:
investigate an error;
resolve a support request;
improve response quality;
identify inaccurate outputs;
detect misuse;
maintain security;
conduct an audit; or
test reliability.
Access will be restricted to persons with a legitimate need to review the relevant interaction.
13. Device permissions
Certain Platform features may request access to device capabilities.
|
Permission |
Purpose |
|
Camera |
To capture attendance-verification photographs, profile photographs, documents, task-completion evidence, inspection images or incident photographs. |
|
Photos, files or media |
To upload or download permitted documents, images, invoices, certificates, records or task evidence. |
|
Location |
To geo-tag attendance, confirm worksite presence, verify task completion or support another clearly disclosed operational workflow. |
|
Notifications |
To send service alerts, approvals, reminders, task updates, announcements and security messages. |
|
Microphone |
Only where an enabled feature permits voice input, voice interaction or audio notes. |
|
Device biometrics |
To allow secure login using the device’s authentication system. Maanicare does not ordinarily receive the biometric template stored on your device. |
|
Bluetooth or nearby-device access |
Only where an enabled operational or attendance feature genuinely requires it. |
|
Calendar |
Only where you expressly enable an applicable scheduling feature. |
Maanicare will not request access to your personal contacts, SMS records, call logs or installed-app inventory unless a specific feature genuinely requires that access, the access is lawful and a separate prominent disclosure is presented before access.
You may manage permissions through your device settings. Disabling a necessary permission may prevent the relevant feature from functioning correctly.
If facial-recognition or another biometric-comparison feature is introduced, a separate notice will be provided before the feature is enabled.
14. Data minimisation, purpose limitation and accuracy
Maanicare aims to collect and process only the personal data reasonably necessary for the relevant purpose.
Personal data collected for one purpose will not be used for an unrelated purpose unless:
the additional processing is permitted by law;
an updated notice is provided where required; and
fresh consent is obtained where required.
For example:
attendance photographs will not be used for marketing;
GPS data collected for attendance verification will not be used for continuous tracking unless separately justified, authorised and disclosed;
grievance and POSH records will not be accessible to general administrators;
payroll information will not be visible to operational teams without a legitimate requirement;
AI prompts will not be used to train publicly available models without lawful authorisation; and
uploaded client documents will remain subject to role-based access controls.
Where personal data is likely to be used to make a decision affecting an individual or disclosed to another Data Fiduciary, Maanicare will take reasonable steps to maintain its completeness, accuracy and consistency, as required by applicable law.
15. Cookies and similar technologies
The website and web-based portions of the Platform may use cookies, pixels, logs and similar technologies.
15.1 Essential cookies
These may be used for:
secure login;
authentication;
session management;
load balancing;
fraud prevention;
security; and
core Platform functionality.
15.2 Preference cookies
These may remember:
language settings;
display preferences;
accessibility settings; and
other user choices.
15.3 Analytics cookies
These may help us understand:
website traffic;
Platform usage;
technical errors;
performance; and
opportunities for improvement.
15.4 Marketing cookies
Where used, advertising or marketing cookies will be managed in accordance with applicable law and appropriate choices will be provided where required.
You may manage cookies through your browser settings and any cookie-preference tool made available on the website. Disabling essential cookies may affect Platform functionality.
16. Communications
We may communicate with you through:
email;
SMS;
WhatsApp;
push notifications;
in-app notifications;
phone calls; or
another permitted communication channel.
Communications may include:
OTPs;
login alerts;
security alerts;
attendance reminders;
payroll alerts;
task updates;
approval reminders;
service confirmations;
support responses;
policy updates;
operational announcements;
newsletters; and
permitted marketing communications.
You may opt out of non-essential marketing communications through the unsubscribe mechanism provided in the relevant message or by contacting us.
You may continue to receive essential security, statutory, service-related or transactional communications after opting out of marketing communications.
17. When we may share personal data
We do not sell personal data.
We may share personal data only where reasonably necessary for a lawful and permitted purpose.
17.1 Your employer, client or contracting organisation
Where the Platform is provided through an employer or organisation, authorised representatives may receive information relevant to their role, such as:
employee records;
attendance information;
leave records;
payroll inputs;
task status;
compliance records;
site records;
approvals;
reports; and
audit trails.
17.2 Authorised Maanicare personnel
Authorised Maanicare personnel may access personal data where necessary to:
provide services;
administer the Platform;
support users;
manage HRMS workflows;
administer payroll;
provide compliance support;
coordinate facility operations;
resolve requests;
manage security;
respond to incidents; and
comply with legal obligations.
17.3 Technology and service providers
We may use authorised providers for:
cloud hosting;
storage;
databases;
backups;
authentication;
OTP delivery;
SMS;
email;
WhatsApp communications;
push notifications;
analytics;
crash reporting;
application monitoring;
cybersecurity;
customer support;
ticketing;
document processing;
AI infrastructure;
document retrieval;
maps and location services;
payroll support;
recruitment;
verification; and
professional services.
Service providers are expected to process personal data only for the authorised purpose and subject to appropriate safeguards.
17.4 Vendors, technicians and contractors
Where required to complete a service request, we may share limited personal data with an authorised vendor, technician, contractor or service partner.
Only the information reasonably necessary for the assigned task will be shared.
17.5 Government authorities and lawful requests
We may disclose personal data where reasonably required to:
comply with law;
respond to a legally valid request;
comply with a court order;
cooperate with a regulator;
investigate a security incident;
prevent fraud;
investigate misconduct;
protect safety;
protect legal rights; or
fulfil a statutory obligation.
17.6 Professional advisers
We may share relevant information with authorised:
auditors;
lawyers;
accountants;
insurers;
consultants; and
other professional advisers,
where reasonably necessary and subject to confidentiality obligations.
17.7 Corporate transactions
Personal data may be disclosed as part of a proposed or completed:
merger;
acquisition;
restructuring;
business transfer;
financing;
sale of business;
insolvency process; or
similar transaction,
subject to appropriate confidentiality and lawful-processing requirements.
17.8 At your direction
We may share personal data where you or your authorised organisation expressly directs or authorises us to do so.
18. Data Processors and contractual safeguards
Where Maanicare appoints a Data Processor, it will use an appropriate written contract or other enforceable arrangement.
Depending on the service, the arrangement may require the Data Processor to:
process personal data only for permitted purposes;
implement reasonable security safeguards;
restrict access;
maintain confidentiality;
support privacy-rights requests;
support deletion requests;
support incident response;
notify Maanicare of relevant breaches;
manage sub-processors appropriately;
follow retention requirements; and
return, delete or securely dispose of personal data when required.
Under the DPDP Act, a Data Fiduciary remains responsible for processing undertaken on its behalf by a Data Processor and may engage a Data Processor through a valid contract.
19. International processing and storage
The Platform may use infrastructure, cloud services or authorised service providers located in India or other jurisdictions.
Where personal data is processed outside India, Maanicare will take reasonable steps to ensure that:
the processing is permitted under applicable law;
the recipient processes personal data only for the permitted purpose;
appropriate contractual, technical and organisational safeguards apply;
client-specific hosting requirements are followed; and
restrictions notified by the Central Government are observed.
The DPDP Act allows the Central Government to restrict transfers of personal data to specified countries or territories. The DPDP Rules also permit the Government to specify requirements relating to making personal data available to a foreign State or an entity controlled by a foreign State.
Cross-border processing used: [Yes / No]
India-only hosting available for specific clients: [Yes / No]
20. Retention and deletion
We retain personal data only for as long as reasonably necessary for:
the specified purpose;
legal compliance;
statutory record-keeping;
employment requirements;
payroll;
labour-law compliance;
tax requirements;
contractual obligations;
client reporting;
audit;
safety;
incident management;
dispute resolution;
fraud prevention;
security monitoring;
business continuity; or
legal claims.
Where personal data is no longer required, we may delete, anonymise, de-identify or securely archive it, subject to applicable law.
20.1 General retention approach
|
Data category |
Retention approach |
|
Account and profile data |
Retained while the account or organisational relationship is active and for a reasonable closure period afterwards, unless longer retention is required. |
|
Recruitment records |
Retained for the recruitment process and for [●] afterwards, unless a longer period is required for audit, legal or contractual purposes. |
|
Employment records |
Retained during employment and for [●] afterwards, unless a longer period is required by law. |
|
Payroll and statutory records |
Retained for the period required under applicable payroll, labour, tax, statutory and audit requirements. |
|
Attendance, shift and leave records |
Retained for [●] or the longer period required for payroll, employment, client, statutory or audit purposes. |
|
Facility-management records |
Retained for [●] or the longer period required for operational continuity, reporting, safety, evidence, audit or contractual purposes. |
|
Work-order evidence |
Retained for 365 or the longer period required for service verification, audit, quality assurance or contractual purposes. |
|
Helpdesk tickets |
Retained for 365 or the longer period required for resolution, audit or legal purposes. |
|
Grievance, POSH and disciplinary records |
Retained only for the period required for lawful review, confidentiality, evidence, legal obligations and authorised record-keeping. |
|
Maanicare AI interactions |
Retained for 365 or the shorter or longer period required for service delivery, support, reliability, security, audit or legal purposes. |
|
Files uploaded through Maanicare AI |
Retained for 365 or until the relevant workflow is completed, unless longer retention is required. |
|
Technical and security logs |
Retained for 365, subject to applicable minimum legal requirements. |
|
Website enquiries |
Retained for 365 or until the enquiry and relevant follow-up are completed. |
|
Marketing preferences |
Retained until you opt out or the preference is no longer required. |
|
Cookies |
Retained according to their purpose and the applicable cookie settings. |
|
Backups |
Retained according to the approved backup cycle and securely overwritten or deleted in due course. |
20.2 Erasure after completion of purpose
Where required by applicable law, Maanicare will erase personal data and cause relevant Data Processors to erase personal data where:
consent is withdrawn; or
it is reasonable to assume that the specified purpose is no longer being served,
unless continued retention is necessary for compliance with law or another permitted purpose.
20.3 Security-related log retention
Where the relevant provisions of the DPDP Rules apply, Maanicare will retain the logs and personal data required to detect, investigate and remediate unauthorised access for at least one year, unless another applicable law requires a longer period.
20.4 Inactivity-based erasure
Where an inactivity-based erasure requirement under the DPDP Rules applies to Maanicare or a relevant class of services, Maanicare will provide the required advance notice before erasing the relevant personal data.
The applicable DPDP Rule requires at least 48 hours’ advance notice for the classes and purposes specified in the Rules.
20.5 Account deletion
Where the Platform permits account creation, you may request deletion of your account.
Deletion-request email: [vighnesh@8masons.com]
When an account-deletion request is approved:
your account will be disabled or removed;
your access to the Platform will end;
personal data that is no longer required will be deleted, de-identified or restricted;
relevant Data Processors will be instructed to erase personal data where required; and
information required for payroll, statutory compliance, audit, safety, security, contractual obligations or legal claims may continue to be retained.
Your employer or client organisation may also continue to retain relevant records independently where it is legally or contractually required to do so.
21. Security safeguards
We use reasonable technical and organisational safeguards designed to protect personal data against unauthorised access, processing, disclosure, alteration, destruction or loss.
Depending on the nature of the information and the relevant service, these safeguards may include:
encryption in transit;
encryption at rest, where appropriate;
masking;
tokenisation;
obfuscation;
secure authentication;
OTP-based verification;
multi-factor authentication, where enabled;
password controls;
role-based access control;
least-privilege access;
client-wise access restrictions;
tenant segregation;
periodic access reviews;
confidentiality obligations;
audit trails;
logging;
monitoring;
security reviews;
secure backups;
restoration procedures;
incident-response procedures;
vulnerability management;
secure-development practices;
processor contracts;
retention controls;
deletion workflows;
business-continuity measures; and
disaster-recovery measures.
The DPDP Rules identify safeguards including encryption or masking, access controls, logs, monitoring, backups, processor-contract provisions and appropriate technical and organisational measures.
No method of transmission or storage is completely risk-free. Users should protect their login credentials, avoid sharing OTPs and report suspected misuse immediately.
22. Personal-data breach response
Where Maanicare becomes aware of a personal-data breach, we will take reasonable steps to:
contain the incident;
investigate the incident;
assess the affected information;
identify the likely consequences;
mitigate risk;
restore secure operations;
preserve relevant evidence;
prevent recurrence;
notify affected individuals where required; and
notify relevant authorities where required.
22.1 Notification to affected individuals
Where required, a notification to an affected individual may include:
a description of the breach;
the nature, extent and timing of the incident;
the likely consequences;
the measures implemented or being implemented;
recommended safety steps; and
contact information for relevant questions.
22.2 Notification to the Data Protection Board of India
Where the applicable DPDP provisions are in force and notification is required, Maanicare will:
provide an initial intimation to the Data Protection Board of India without delay; and
provide updated and detailed information within 72 hours of becoming aware of the breach, unless a longer period is permitted by the Board.
The DPDP Rules specify these notification requirements for affected individuals and the Board.
22.3 Reporting a suspected breach
Security and privacy incident email: [vighnesh@8masons.com]
Emergency escalation number: [7977658696]
23. Your rights
Subject to applicable law and the nature of the processing, you may exercise the following rights.
23.1 Right to obtain information
You may request:
a summary of the personal data being processed;
a summary of the processing activities;
the identities of other Data Fiduciaries and Data Processors with whom your personal data has been shared, where disclosure is required; and
a description of the personal data shared.
23.2 Right to correction, completion and updating
You may request that Maanicare:
correct inaccurate or misleading personal data;
complete incomplete personal data; and
update outdated personal data.
23.3 Right to erasure
You may request erasure of your personal data.
We may continue to retain information where required for:
the specified purpose;
statutory compliance;
employment records;
payroll;
labour-law requirements;
tax;
audit;
safety;
security;
contractual obligations;
dispute resolution;
grievance, POSH or disciplinary processes; or
legal claims.
23.4 Right to withdraw consent
Where processing is based on consent, you may withdraw that consent through the relevant in-app route, feature screen, webpage or email address.
23.5 Right to grievance redressal
You may raise a grievance regarding:
the way your personal data is processed;
a rights request;
a deletion request;
a security concern;
an inaccurate record;
an unauthorised disclosure; or
another privacy-related concern.
23.6 Right to nominate
Where applicable, you may nominate one or more individuals who may exercise your rights in the event of your death or incapacity.
23.7 Complaint to the Data Protection Board of India
Where applicable, and after exhausting Maanicare’s grievance-redressal mechanism, you may submit a complaint to the Data Protection Board of India in accordance with the applicable process.
The DPDP Act provides rights relating to access, correction, completion, updating, erasure, grievance redressal and nomination.
24. How to exercise your rights
You may submit a privacy request through:
Email: [vighnesh@8masons.com]
Written correspondence: [1st Floor, Shop 101, B wing - Samartha Aishwarya, Off New Link Road, K L Walawalkar Marg, Andheri (West), Mumbai 400 053]
To protect your personal data, we may ask you to provide an appropriate identifier, such as:
your registered email address;
your registered mobile number;
your employee code;
your user ID;
your candidate ID;
your vendor ID;
your application-reference number;
your service-request number; or
another identifier linked to your account.
We may request additional verification where reasonably necessary to prevent unauthorised access.
Where Maanicare processes information on behalf of a client or employer, we may forward your request to or coordinate with that organisation.
Grievance-response period
We aim to respond to privacy grievances within 2 working days.
Where the relevant DPDP Rule applies, the published grievance-response period will not exceed 90 days.
25. Children, minors and lawful guardians
The Platform is intended primarily for authorised business, workforce, client, vendor, contractor and administrative users.
It is not designed for independent use by children.
Maanicare does not knowingly create a Platform account for a child unless:
the relevant workflow is legally permitted;
processing is reasonably necessary;
appropriate safeguards are applied; and
verifiable consent is obtained from a parent or lawful guardian where required.
Maanicare will not knowingly:
process a child’s personal data in a manner likely to cause a detrimental effect on the child’s well-being;
undertake behavioural monitoring or tracking of children except where a lawful exemption applies; or
direct targeted advertising at children.
Where Maanicare processes limited information relating to a dependant or nominee for payroll, insurance, statutory or employee-benefit purposes, access will be restricted and the information will be used only for the relevant permitted purpose.
Where consent is provided by the lawful guardian of a person with a disability, we may undertake reasonable due diligence to verify the guardian’s authority.
The DPDP Act and DPDP Rules set out requirements for verifiable parental consent and lawful-guardian verification.
26. Duties of users
When using the Platform or exercising privacy rights, users should:
comply with applicable law;
avoid impersonating another person;
provide authentic information;
avoid suppressing material information;
avoid submitting false or frivolous grievances;
protect login credentials;
avoid sharing OTPs;
avoid uploading unnecessary personal data;
avoid uploading another person’s personal data without authority;
avoid entering confidential information into an inappropriate workflow; and
use the designated secure channel for sensitive matters.
These duties are consistent with the obligations of Data Principals under the DPDP Act.
27. Significant Data Fiduciary obligations
The Central Government may notify an organisation or a class of organisations as a Significant Data Fiduciary based on factors including the volume and sensitivity of personal data processed and the risks to individuals.
If Maanicare is notified as a Significant Data Fiduciary, we will implement the additional measures required by applicable law, which may include:
appointing a Data Protection Officer based in India;
ensuring that the Data Protection Officer reports to the Board of Directors or a similar governing body;
appointing an independent data auditor;
conducting periodic Data Protection Impact Assessments;
conducting periodic audits;
conducting the applicable assessment and audit at least once every twelve months;
assessing technical measures, including algorithmic software, for risks to the rights of individuals;
furnishing required reports; and
applying localisation restrictions for specified personal data where notified.
The DPDP Act and DPDP Rules prescribe additional obligations for Significant Data Fiduciaries, including annual assessments and due diligence relating to algorithmic software.
28. Third-party links and external services
The Platform may contain links to third-party websites, applications, communication tools or resources.
This Privacy Policy does not govern the independent privacy practices of those third parties.
You should review the relevant third-party privacy policy before providing personal data.
29. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect:
changes in law;
regulatory guidance;
changes to the Platform;
new modules;
new integrations;
changes in data-processing practices;
changes to Maanicare AI;
improvements in security; or
operational requirements.
The updated Privacy Policy will be published on the website and made available through the Platform.
Where a change materially affects the way personal data is processed, we will provide an appropriate notice and obtain consent where required.
30. Privacy contact and grievance redressal
For questions, privacy requests, complaints or concerns relating to this Privacy Policy or the processing of personal data, contact:
Privacy Contact / Grievance Officer
Name: [Vignesh Dudani]
Designation: [Technical Officer]
Legal entity: [MAANI CARE SYSTEM INDIA PRIVATE LIMITED]
Email: [vighnesh@8masons.com]
Phone: [7977658696]
Registered office: [1st Floor, Shop 101, B wing - Samartha Aishwarya, Off New Link Road, K L Walawalkar Marg, Andheri (West), Mumbai 400 053]
Where Maanicare is required to appoint a Data Protection Officer, the relevant details will be published on the Platform.
The DPDP Rules require the relevant business contact information to be prominently published on the website or app and included in communications responding to privacy-rights requests.
Track your progress with the OneMaanicare App
