Privacy Policy
Last updated: [DATE] · Effective date: [DATE]
These are draft documents and should be reviewed by a licensed attorney before use.
This Privacy Policy explains how Tinkr Labs Private Limited ("Tinkr Labs", "we", "us") collects, uses, stores, and shares your personal data when you use Maria, our AI Executive Assistant on WhatsApp. We wrote this document to be honest and readable, not to hide things in footnotes. If anything here is unclear, email hello@tinkrlabs.ai and we will answer.
This policy is designed to meet the requirements of India's Digital Personal Data Protection Act, 2023 ("DPDP") and the EU General Data Protection Regulation ("GDPR"), as applicable to you. Tinkr Labs is the data fiduciary / data controller for personal data processed through Maria in our direct consumer offering.
1. Who we are
Tinkr Labs Private Limited is a company incorporated in India and is the operator of Maria. Our registered contact is hello@tinkrlabs.ai. For privacy questions, data-subject requests, or to reach our privacy team, use the same email and put "Privacy" in the subject line.
2. What data we collect
We collect only what we need to run Maria for you. Categories:
- Account information: your name, WhatsApp-enabled phone number, email address (if provided), timezone, preferred language, and the date you signed up.
- Authentication tokens: OAuth access and refresh tokens for Google Calendar (encrypted at rest). You can revoke these at any time from your Google account settings.
- Conversation history: the messages you send to Maria and the messages Maria sends back. This includes text and the content you share with Maria, such as photos of invitations, forwarded messages, and PDF attachments.
- Calendar data: events read from and written to your Google Calendar, including titles, times, locations, attendees, and descriptions.
- Contacts you share: contacts you ask Maria to remember — names, phone numbers, emails, birthdays, relationship labels — for features like birthday reminders and message proxying.
- Tasks and reminders: the tasks, notes, and reminders you create through Maria.
- Inferred preferences: the patterns Maria learns from how you use it — for example, that you prefer morning briefings, or that you usually message in Hindi before 8 AM. These are stored as key-value memories to make Maria more useful for you.
- Billing data: subscription status, plan, trial state, and Stripe customer ID. We do not store full card numbers — Stripe does.
- Technical logs: request timestamps, error traces, model and tool usage counts, and IP addresses for abuse prevention and debugging. These are retained for a limited period (see retention below).
3. Why we collect it (purposes and legal bases)
We use your data to:
- Provide the Service — respond to your messages, run your reminders, manage your calendar, and deliver morning briefings. (Legal basis: performance of contract; consent under DPDP.)
- Secure the Service — detect abuse, block spam, and prevent unauthorized access. (Legitimate interest.)
- Bill you — process subscriptions and handle cancellations. (Performance of contract.)
- Improve Maria — debug errors, review aggregated usage, and refine prompts. We do not use your messages to train public AI models. (Legitimate interest.)
- Communicate with you — send operational emails, outage notices, and respond to support requests. (Performance of contract / legitimate interest.)
- Comply with law — respond to valid legal requests. (Legal obligation.)
4. Third-party processors we use
We use a small number of trusted third parties to run Maria. Each of these companies processes your data on our behalf, only as needed to provide their service:
- Twilio — delivers WhatsApp messages between you and Maria. Twilio Privacy Notice.
- Meta / WhatsApp — the messaging surface itself. WhatsApp Privacy Policy.
- Google LLC — Google Calendar access via OAuth 2.0. Google Privacy Policy. Maria's use of Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
- Anthropic PBC — provides the Claude AI models that power Maria's responses. Your messages are sent to Anthropic's API to generate responses. Under Anthropic's commercial API terms, Anthropic does not train its models on your API inputs or outputs. Anthropic Privacy Policy.
- Stripe — processes subscription payments. Stripe is PCI-DSS certified. Stripe Privacy Policy.
- Railway — hosts the application backend and PostgreSQL database. Railway Privacy Policy.
- Vercel — hosts the tinkrlabs.ai website. Vercel Privacy Policy.
A current list of sub-processors is maintained at /legal/data-processing. We will update it when we add or remove providers.
5. International data transfers
Tinkr Labs is based in India. Some of our processors are based in the United States (Anthropic, Stripe, Vercel, Twilio) and the European Union or other regions, depending on the service. Operating Maria therefore involves transferring your personal data outside India, including to jurisdictions that may not offer the same level of data protection.
For transfers subject to the GDPR, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses where available. For transfers subject to the DPDP, we rely on the framework notified by the Indian government, including the permitted-countries regime as it evolves. By using Maria, you acknowledge and consent to these transfers to the extent consent is required.
6. Data retention
- Active account: we keep your data while your account is active so Maria can do its job.
- After cancellation: we retain your account and its associated data for 30 days in case you come back, then we permanently delete it from our primary systems.
- Technical logs: retained for up to 90 days for security and debugging, then purged.
- Billing records: we keep minimum records (invoices, amounts, dates) for up to 8 years as required by Indian tax and accounting law. These records do not include your message content.
- Backups: encrypted backups may persist for up to 30 days beyond the primary deletion; they are overwritten on rotation.
7. Your rights
Subject to applicable law, you have the following rights over your personal data:
- Access: ask for a copy of the personal data we hold about you.
- Correction: ask us to fix data that is inaccurate or out of date.
- Deletion / erasure: ask us to delete your personal data.
- Portability: receive your data in a structured, machine-readable format.
- Restriction and objection: limit how we use your data or object to specific uses (such as legitimate-interest processing).
- Withdraw consent: where we rely on your consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
- Nominate: under the DPDP, you can nominate another person to exercise your rights in the event of your death or incapacity.
- Complain: you can lodge a complaint with the Data Protection Board of India or your local supervisory authority.
To exercise any of these rights, email hello@tinkrlabs.ai with "Privacy Request" in the subject line. We will respond within 30 days. We may ask you to verify your identity (usually by confirming the WhatsApp number on file) before acting on a request.
8. Security
We take reasonable technical and organizational steps to protect your data, including:
- TLS/HTTPS encryption in transit for all traffic.
- Encryption at rest for Google OAuth tokens and sensitive secrets.
- Role-based access controls and secret management.
- Access logs and audit trails for administrative operations.
- Regular security reviews, dependency updates, and patches.
- Principle of least privilege — engineers access production data only when strictly necessary, and access is logged.
No system is perfectly secure. If we become aware of a personal data breach that affects you, we will notify you and the relevant regulator as required by law (for DPDP, promptly; for GDPR, within 72 hours of becoming aware, where feasible).
9. Children
Maria is not intended for people under the age of 18. We do not knowingly collect personal data from children. If you believe a child has used Maria, please contact us at hello@tinkrlabs.ai so we can delete the account.
10. Cookies and website analytics
Our website at tinkrlabs.ai may use a small number of strictly necessary cookies and basic, privacy-friendly analytics to understand how the site is used. We do not use advertising cookies or third-party trackers. Maria itself (the WhatsApp experience) does not use cookies.
11. AI and training
Tinkr Labs does not use your conversations with Maria to train public or third-party AI models. Anthropic processes your messages under its commercial API terms to generate Maria's responses, and Anthropic does not train its models on those inputs or outputs under those terms. We may use aggregated, de-identified data (for example, counts of tool calls) to improve the product.
12. Changes to this policy
We may update this Privacy Policy as Maria evolves. If changes are material, we will notify you through Maria, by email, or on the website at least 30 days before they take effect. The "Last updated" date at the top will always reflect the most recent version.
13. Contact
Tinkr Labs Private Limited
Email: hello@tinkrlabs.ai
Website: tinkrlabs.ai