Privacy Policy
Last updated: 6 June 2026 · Effective for: India (DPDP Act 2023), EU/UK (GDPR), CCPA
This Privacy Policy explains how Project MARINA ("MARINA", "we", "us") collects, uses, and protects information when employers ("Customers") and their employees ("Users") use our software, websites, and Mac/Windows agents (collectively the "Service").
Under India's Digital Personal Data Protection Act, 2023, MARINA acts as a Data Processor on behalf of the Customer (Data Fiduciary). Customers are responsible for obtaining legal basis from their employees; MARINA processes data on documented instructions.
1. What we collect
- Account info: name, email, GitHub login, avatar, character selection.
- GitHub activity: commits, PRs opened, PR reviews, issues closed — fetched via OAuth with the User's consent.
- Workstation telemetry (Mac/Windows agent): active app name, idle time, optionally foreground window title — only between punch-in and punch-out, and only after explicit on-device consent.
- Disclosed-randomized screenshots: 2–4 captures per active hour, ONLY if the Customer enables this and the User accepts. Original images are deleted within 48 hours; only AI-derived labels persist.
- HR data: punch-in/out shifts with work summaries, breaks with reasons, leave requests with types and dates.
- Audit logs: who did what, when, from where — for security and compliance.
2. What we never collect
- Keystrokes, mouse positions, or file contents.
- Workstation activity while tracking is paused or the User is off-clock.
- Screenshots while a video-call app (Zoom, Meet, Teams, Webex, FaceTime, BlueJeans) is in the foreground.
- Activity from your personal device — we collect only from the device on which you install the agent and explicitly consent.
3. How we use it
- To compute daily-state signals (Productive / Blocked / Inactive) for managers — a support tool, not a performance scoring tool.
- To generate AI work narratives and verify end-of-shift summaries against telemetry.
- To deliver invitations, notifications, and the dashboard you logged in to view.
- To detect abuse, debug issues, and improve the Service.
4. Third-party processors
We rely on the following sub-processors:
- Neon (Postgres hosting) — primary data store.
- Vercel (web hosting + edge functions).
- Groq and OpenAI — AI providers for narrative generation and shift verification. We send only the minimum context needed.
- Resend — transactional email.
- Slack (only if your Customer configures a webhook).
A current list of sub-processors is available at /sub-processors.
5. Cross-border transfers
Some of our processors host data outside India. The list above includes the relevant regions. We rely on contractual safeguards (DPAs incorporating the SCCs where applicable) and the Indian government's permitted-country framework under DPDP Act § 16. Customers can request India-region deployment under a custom contract.
6. Retention
- Screenshots (raw): 48 hours, auto-purged.
- Derived screenshot labels: 12 months.
- GitHub events, narratives, activity, shifts, breaks, leaves: kept for the duration of your subscription.
- Audit logs: 24 months.
- After Customer deletion: 30-day rolling backup window, then full erasure.
7. Your rights (DPDP Act / GDPR)
You can, at any time:
- Access: download all your data as JSON via /dashboard → Settings → Export my data or GET /api/me/export.
- Correct: update your profile in settings.
- Erase: permanently delete your account via Settings → Danger zone, or DELETE /api/me/account. Cascade is immediate.
- Pause: stop the agent from collecting anything new — the menu bar "Pause tracking" button.
- Object / complain: contact our DPO at thetanishgarg@gmail.com, or file a complaint with the Data Protection Board of India.
8. Security
Bearer tokens are sha256-hashed at rest. The Mac agent encrypts the local token copy via macOS Keychain (Electron safeStorage). All traffic is TLS-only. We run rate-limiting on agent endpoints and append-only audit logs on every privileged action. Full controls are described at /security.
9. Data Protection Officer
Project MARINA Private Limited
DPO: thetanishgarg@gmail.com
Security incidents: thetanishgarg@gmail.com (24h SLA)
Postal: [Registered office address — TBD]
10. Changes
Material changes are notified 30 days in advance via email to org owners and a banner in the dashboard. The current version is always at this URL.