Privacy Policy

KaryaFlow collects the following categories of personal data from field technicians and service center administrators who use our platform:

a. Precise GPS Location

When a technician checks in for attendance, KaryaFlow activates a foreground location service that records GPS coordinates approximately every 5 seconds. Location data is batched and transmitted to our servers every 60 seconds. Tracking stops automatically when the technician checks out. This feature is employer-initiated and operates only during declared work hours. GPS coordinates are stored alongside attendance records and are subject to a configurable retention period set by the employing service center.

b. Photos

We collect selfie photographs for attendance verification and job-site photographs as part of work order documentation. Photos are uploaded directly to cloud object storage (Amazon S3-compatible) using time-limited presigned URLs and are linked to the relevant work record.

c. Personal Identification Information

We collect name and email address for account authentication and identification. Technician accounts are created by the employing service center administrator — technicians do not self-register.

d. Device Information

We may collect device manufacturer and model information to provide OEM-specific guidance for battery optimization settings that are required for reliable background location operation.

e. Attendance Records

Check-in and check-out timestamps are recorded along with the GPS coordinates at each event.

f. Expense Data

Technicians may submit expense claims through the app. Submitted expense records, including amounts, categories, and supporting attachments, are stored and visible to authorized managers within the same service center.

g. Billing and Invoice Data

We collect subscription plan details, invoice records, GST-related billing information, payment status, payment reference IDs, and reseller or tenant billing contacts where required to confirm prepaid subscriptions, issue invoices, support renewals, and resolve payment disputes.

h. Usage, Device, and Diagnostic Data

KaryaFlow uses Google Firebase Crashlytics to automatically collect crash reports and diagnostic data when the app encounters an error. This data includes stack traces, device model, operating system version, and anonymized installation identifiers. It does not include your name, email, GPS coordinates, photos, or any other content you enter into the app. Crash data is retained by Google per its Firebase data privacy policy. This data is used solely to identify and fix app stability issues.

i. Map Service Data

KaryaFlow uses Google Maps Platform to render maps and compute routes. When maps are displayed, Google may collect usage data such as IP address and approximate location in accordance with the Google Maps Platform Terms of Service and Google’s privacy policy. We do not share your technician identity or attendance records with Google.

We use the data we collect for the following purposes:

• Providing and operating the KaryaFlow field service management platform.
• Enabling attendance tracking, including GPS-based verification of check-in and check-out locations.
• Supporting work order management, including job assignment, progress tracking, and completion documentation.
• Processing and displaying employee expense claims to authorized managers.
• Authenticating users and maintaining session security via JWT tokens.
• Delivering OEM-specific device optimization guidance to ensure reliable app performance.
• Generating operational reports and analytics for service center administrators.
• Managing prepaid subscriptions, billing, GST invoices, payment status, and renewal or refund support.
• Complying with applicable legal obligations.

We do not use personal data for advertising, profiling unrelated to the services described above, or any automated decision-making that produces legal or similarly significant effects on individuals.

KaryaFlow operates a multi-tenant architecture. Each service center (tenant) has its data isolated using PostgreSQL Row-Level Security. Data belonging to one tenant is not accessible to another tenant.

We share data in the following circumstances:

• Within your service center: Managers and administrators at the employing service center can view attendance records, GPS trails, job records, photos, and expense submissions for technicians in their organization.
• Reseller partners: If your service center subscribes through a KaryaFlow reseller, that reseller administrator has access to aggregated and operational data for the tenants they manage.
• Cloud infrastructure providers: Data is stored on cloud servers and object storage services. These providers process data only as necessary to deliver infrastructure services and are bound by appropriate data processing agreements.
• Payment gateways and billing providers: When customers make payments or request billing support, we may share the minimum required billing, payment, invoice, and contact information with payment gateways, banks, tax advisors, resellers, or billing service providers to process transactions, verify payment status, issue invoices, and handle refunds or disputes.
• Legal requirements: We may disclose data when required to do so by applicable law, court order, or governmental authority.

We do not sell personal data to third parties.

• Encryption in transit: All data transmitted between the mobile app and our servers uses HTTPS/TLS encryption.
• Authentication: User sessions are secured with JSON Web Tokens (JWT) stored securely on-device using platform-provided secure storage.
• Data isolation: Row-Level Security in our PostgreSQL database ensures strict isolation between service center accounts.
• Default retention periods: Unless a service center configures a different retention policy, GPS location records are retained for 90 days, photos (both selfie attendance photos and job-site photos) are retained for 12 months, attendance records and expense records are retained for the duration of the tenant’s subscription. All data is deleted within 30 days of tenant account closure, except where a longer retention period is required by law.
• Photo storage: Photos are stored in cloud object storage and accessed only via short-lived presigned URLs.
• Storage location and cross-border transfers: KaryaFlow’s primary application servers are hosted in the European Union, and our object storage uses Cloudflare R2 distributed globally. This means your personal data, including GPS coordinates and photos, may be processed and stored outside India. In accordance with Section 16 of the Digital Personal Data Protection Act 2023, we will only transfer personal data to jurisdictions that are not restricted by notification of the Central Government, and we rely on our infrastructure providers’ contractual commitments and industry-standard security controls to ensure an equivalent level of protection.
• Breach notification: In the event of a personal data breach that is likely to result in harm to affected individuals, we will notify the Data Protection Board of India and the affected data principals without undue delay and in any case in accordance with the timelines prescribed under the DPDP Act 2023 and its rules. We maintain an internal incident response process to detect, contain, and communicate such incidents.

While we take reasonable technical and organizational measures to protect your data, no system is completely immune to risk. We encourage service center administrators to use strong credentials and report any suspected security concerns promptly.

Under India's Digital Personal Data Protection (DPDP) Act 2023 and applicable data protection principles, you have the following rights with respect to your personal data:

• Right to access: You may request confirmation of whether we hold your personal data and obtain a summary of what we hold.
• Right to correction: You may request correction of inaccurate or incomplete personal data.
• Right to erasure: You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to any overriding legal obligations.
• Right to grievance redressal: You have the right to raise a grievance regarding the processing of your personal data and receive a timely response.

Because technician accounts are created and managed by your employer (the service center), some requests — particularly for account deletion — should first be directed to your employer. We will cooperate with such requests in accordance with our obligations under the DPDP Act 2023.

To exercise any of the above rights, contact us at [email protected].

KaryaFlow is a business-to-business platform intended solely for use by adults employed at service centers. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor's data has been inadvertently collected, please contact us immediately so we can take corrective action.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or product features. When we make material changes, we will update the effective date at the top of this page. Continued use of KaryaFlow after any such update constitutes your acknowledgment of the revised policy. We encourage you to review this page periodically.

KaryaFlow is operated by Human Reasoning Labs Private Limited, the data fiduciary under the DPDP Act 2023. If you have any questions, concerns, or requests regarding this Privacy Policy, the handling of your personal data, or wish to exercise any of your rights under applicable law, please reach out to our designated Grievance Officer:

If you remain dissatisfied with our response to your grievance, you have the right to register a complaint with the Data Protection Board of India established under the Digital Personal Data Protection Act 2023.