Privacy Policy

Last updated: March 31, 2026

1. Introduction

Metriyo ("we," "us," or "our") operates the Metriyo platform (the "Service"), a multi-tenant SaaS application for organizational management. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using the Service, you agree to this Privacy Policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, organization name, and subdomain when you register.
  • Organizational Data: Departments, roles, users, holidays, tasks, and task instances you create within your tenant workspace.
  • Payment Information: Billing details processed through our payment provider (Razorpay). We do not store full payment card details on our servers.
  • AI Chat Data: Messages and queries you submit through our AI assistant feature.
  • API Keys (BYOK): If you use the Bring Your Own Key feature (Enterprise plan), your API keys are encrypted at rest using AES-256-GCM encryption.
  • Bulk Upload Data: Data contained in CSV files you upload for bulk operations.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, timestamps of interactions, and general usage patterns.
  • Device Information: Browser type, operating system, device type, and screen resolution.
  • Log Data: IP addresses, access times, and referring URLs for security and operational purposes.
  • Authentication Events: Login attempts, OTP verification events, and session activity for security monitoring.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service;
  • Process transactions and send related information (invoices, receipts);
  • Authenticate users and secure tenant workspaces;
  • Enforce plan entitlements and usage limits;
  • Deliver AI-powered features using our platform-managed or your own (BYOK) AI providers;
  • Generate task schedules and organizational reports;
  • Send administrative communications (OTP codes, account notifications);
  • Detect, prevent, and address security incidents, fraud, and abuse;
  • Comply with legal obligations and enforce our Terms of Service;
  • Analyze usage trends to improve and develop new features.

4. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

  • Service Providers: Third-party vendors who assist us in operating the Service (e.g., Razorpay for payments, Resend for email delivery, AI providers for chat features).
  • AI Providers: When you use AI features, your queries are sent to third-party AI providers (OpenAI, Anthropic, Google) to generate responses. When using BYOK, data is sent directly to the provider associated with your key.
  • Legal Requirements: When required by law, regulation, legal process, or governmental request.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets.
  • With Your Consent: When you explicitly authorize us to share information.

5. Data Security

We implement industry-standard security measures to protect your data, including:

  • AES-256-GCM encryption for sensitive data at rest (e.g., BYOK API keys);
  • HTTPS/TLS encryption for all data in transit;
  • Tenant isolation through subdomain-based multi-tenancy architecture;
  • JWT-based stateless authentication with secure cookie configuration;
  • Rate limiting on authentication endpoints;
  • Server-side input validation on all API endpoints;
  • Soft-delete patterns to prevent accidental data loss.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Deleted data is soft-deleted and retained for audit and recovery purposes for a reasonable period before permanent deletion. Payment records are retained as required by applicable financial and tax regulations.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data (right to be forgotten).
  • Data Portability: Request a machine-readable copy of your data.
  • Restriction: Request restriction of processing of your personal data.
  • Objection: Object to processing of your personal data for certain purposes.
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at the email address provided below. We will respond within 30 days of receiving your request.

8. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising cookies. Our authentication system uses secure, httpOnly, SameSite cookies to maintain user sessions.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

10. International Data Transfers

Your data may be processed and stored on servers located outside your country of residence. By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your jurisdiction. We ensure appropriate safeguards are in place for such transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: privacy@metriyo.com
Address: Metriyo, India