PRIVACY POLICY
MAYAK Mobile Application & Platform
Data Fiduciary: Mr. Devadathan Nair | Last Updated: [08/06/2026] | Version: 2.0 — India Edition
1. Who We Are
The MAYAK Platform is owned and operated
by Mr. Devadathan Nair (“Platform Owner”), who determines the purposes and
means of processing personal data of users in India and acts as the Data
Fiduciary within the meaning of the DPDP Act 2023.
Name: Mr. Devadathan Nair
Email: operations@mayak.in
Telephone: +91 9497303078
Address: BN 60, Vennila, Bapuji Nagar, Pongummoodu, Medical College P O, Trivandrum 695011
Data Processor — Trizent Technologies Private Limited
Trizent Technologies Private Limited,
incorporated under the Companies Act 2013 and registered in Trivandrum, Kerala
(“Trizent”), acts as a Data Processor on behalf of the Platform Owner. Trizent
processes personal data only on the documented instructions of Mr. Devadathan
Nair and has no independent authority to determine the purposes or means of
processing. Trizent is bound by a written data-processing agreement with the
Platform Owner. The Platform Owner remains fully responsible for compliance
with the DPDP Act in respect of all processing carried out by Trizent on his
behalf.
2. Personal Data We Collect
We collect only the personal data that is
necessary for the purposes described in Section 4. This includes:
• Identity and contact data: first name, last name, date of birth, mobile number, email address, postal address or region.
• Account data: login credentials, one-time passwords (OTP), authentication tokens and account preferences.
• Professional data (where you use job-search features): resumé, work experience, qualifications and applications submitted.
• Payment data: transaction identifiers and masked payment references processed by licensed payment providers. We do not store full card numbers or CVV codes.
• Technical and usage data: IP address, device identifiers, operating system, application version, log files, timestamps, in-app behavioural data and approximate location derived from IP address.
• Communications: content of messages, support tickets and feedback you send us.
We do not collect sensitive personal data
or information (“SPDI”) as defined under the SPDI Rules 2011 — including
biometric data, health data, financial information beyond what is stated above,
sexual orientation, or passwords — unless such collection is strictly necessary
and supported by informed written consent obtained separately from your
acceptance of these terms.
3. Legal Grounds for Processing
We process your personal data on one or
more of the following lawful grounds under the DPDP Act 2023:
• Consent (s. 6): freely given, specific, informed and unambiguous consent obtained through a clear affirmative action before processing begins. You may withdraw consent at any time with equal ease.
• Legitimate uses (s. 7): including voluntary provision of data for a specified purpose; compliance with a court order or legal obligation imposed under any law in India; medical emergencies involving a threat to life or public health; and employment-related processing where applicable.
4. Purposes of Processing
We process your personal data solely for
the following purposes:
• Creating, maintaining and verifying your account, including OTP-based authentication.
• Providing and operating the Services, including matching users with job listings and employers.
• Processing payments via licensed payment service providers regulated under applicable Indian law.
• Communicating with you about the Services: service notices, security alerts and support responses.
• Sending marketing or promotional messages — only with your prior, separate, opt-in consent. You may withdraw this consent at any time.
• Preventing, detecting and investigating fraud, security incidents and violations of our Terms of Service.
• Complying with applicable Indian law and responding to lawful requests from competent public authorities.
• Generating anonymised and aggregated statistics to improve the Services. Such data does not identify you personally.
5. How We Obtain and Record Consent
Where consent is our legal ground, we will
present you with a consent request that:
• Is written in plain language that is clear and easy to understand;
• Specifies each purpose separately (bundled or omnibus consents are not used);
• Is presented separately from our Terms of Service and other contractual documents;
• Does not use pre-ticked boxes, silence or continued use of the Services as a substitute for consent.
You may withdraw your consent at any time
— with the same ease as it was given — through the in-app settings or by
contacting us at the details in Section 10. Withdrawal does not affect the
lawfulness of processing carried out before withdrawal. We will cease
processing within 30 days of a valid withdrawal request, unless another lawful
ground under s. 7 of the DPDP Act permits continued processing.
We maintain records of consents given and
withdrawn for the periods required by applicable law.
6. Sharing of Personal Data
We do not sell your personal data. We
share it only where necessary and with the following categories of recipients:
• Service providers acting as Data Processors (cloud hosting, communications, analytics, identity verification, customer-support tools) — bound by written contracts requiring them to process data only on our instructions and to maintain appropriate security standards.
• Employers and hiring organisations — limited to the data you voluntarily submit in connection with a specific job vacancy.
• Payment service providers and financial institutions — strictly for the purpose of a transaction you initiate and only to the extent required.
• Professional advisers (auditors, lawyers, insurers) — under enforceable duties of confidentiality.
• Competent public authorities — where disclosure is required by applicable Indian law, a court order or a legally binding government authority request.
• Successors in interest — in connection with a lawful merger, acquisition or sale of assets, subject to advance notice to you.
7. Cross-Border Transfer of Personal Data
Where personal data of Indian data
principals is transferred outside India — including to cloud service provider
data centres located in other countries — such transfer is carried out in
compliance with Section 16 of the DPDP Act 2023 and any rules or Central
Government notifications issued thereunder.
We do not transfer personal data to
countries or territories that have been restricted by Central Government
notification under s. 16(1) of the DPDP Act. Prior to any cross-border
transfer, we take reasonable steps to ensure that the recipient affords a level
of protection to such data comparable to that provided under the DPDP Act.
8. Retention and Deletion
We retain personal data only for as long
as necessary to fulfil the purposes for which it was collected and to satisfy
our applicable legal obligations. Once the retention period expires, personal
data is securely deleted or irreversibly anonymised.
| Category | Retention Period |
| Active account data | Duration of account + 30-day recycle period |
| Payment / accounting records | 8 years (Income Tax Act / PMLA / AML obligations) |
| Security and access logs | Up to 180 days |
| Consent records | Until withdrawal + 3 years |
| Support correspondence | Up to 3 years from last contact |
| HR / employment records | As required by applicable Indian labour law |
9. Your Rights as a Data Principal
Under the DPDP Act 2023, you have the
following rights in relation to your personal data:
• Right to information and access (s. 11): obtain a summary of the personal data processed about you and the identities of Data Processors with whom it has been shared.
• Right to correction and erasure (s. 12): have inaccurate data corrected, incomplete data completed, and data erased where it is no longer needed for the purpose for which it was collected or where consent has been withdrawn.
• Right to grievance redressal (s. 13): raise a complaint with our Grievance Officer (see Section 10). We will acknowledge your complaint within 72 hours and endeavour to resolve it within 30 days.
• Right of nomination (s. 14): nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
• Right to withdraw consent (s. 6(4)): at any time and with the same ease as consent was given, through in-app settings or by contacting us.
• Right to complain to the Data Protection Board of India: if you believe your rights under the DPDP Act have been infringed and your complaint has not been resolved to your satisfaction.
To exercise any of the above rights,
please contact us using the details in Section 10. We may ask you to verify
your identity before acting on your request.
10. Contact Details and Grievance Redressal
Grievance Officer / Data Fiduciary
Name: Ms. Jesly T M
Address: Thekkattil House, Payam P O, Iritty, Kannur, Kerala, 670704
Email: jesly@mayak.in
Telephone: +91 9497303078
Response time: Acknowledgment within 72 hours; resolution within 30 days.
Note: Trizent Technologies Private Limited
acts as a Data Processor only. Grievances regarding your personal data must be
directed to the Platform Owner and Data Fiduciary (Mr. Devadathan Nair), not to
Trizent.
Supervisory Authority
Data Protection Board of India — once
constituted and operational under the DPDP Act 2023. Until the Board is
operational, complaints regarding the processing of SPDI may also be directed
to the adjudicating officer appointed under the Information Technology Act
2000.
11. Personal Data Breach Notification
In the event of a personal data breach, we
will:
• Notify the Data Protection Board of India and each affected data principal in the form and within the timelines prescribed by the DPDP Act 2023 and rules thereunder.
• Notify CERT-In (the Indian Computer Emergency Response Team) in accordance with the IT Rules 2011 and the CERT-In Directions dated 28 April 2022. Under those Directions, notification to CERT-In must be made within 6 hours of becoming aware of the incident.
• Document all breaches, including those that do not require external notification, in an internal breach register.
• Take prompt remedial steps to contain the breach and prevent recurrence.
12. Children’s Personal Data
The Services are not directed at children
under the age of 18 years. We do not knowingly collect or process personal data
from children without the verifiable consent of a parent or lawful guardian.
If we become aware that personal data of a
child has been collected without the required verifiable parental consent, we
will delete that data promptly. We do not engage in tracking, behavioural
monitoring or targeted advertising directed at children.
13. Security of Personal Data
We implement reasonable technical and
organisational security measures appropriate to the nature of the personal data
held and the risks of its processing. These include, but are not limited to:
• Encryption of personal data in transit (TLS) and at rest where applicable.
• Access controls limiting personal data access to authorised personnel on a need-to-know basis.
• Regular security assessments and vulnerability reviews.
• Written data-processing agreements with all Data Processors imposing equivalent security obligations.
Notwithstanding the above, no system is
completely secure. In the event of a breach, we will act as described in
Section 11.
14. Changes to This Policy
We may update this Policy to reflect
changes in applicable law or our operations. Where a change materially affects
your rights or the purposes for which we process your personal data, we will:
• Provide notice through the Services at least 14 days before the change takes effect; and
• Where required by the DPDP Act, seek fresh consent from you before commencing any new or materially different processing.
The updated Policy takes effect on the
date posted, as shown by the revised “Last Updated” date at the top of this
document.
15. Governing Law and Jurisdiction
This Policy and all processing of personal
data described herein are governed by the Digital Personal Data Protection Act
2023, the Information Technology Act 2000 and all rules and regulations made
thereunder, as amended from time to time.
The courts at Trivandrum, Kerala shall
have non-exclusive jurisdiction over disputes arising in connection with this
Policy, without prejudice to the right of a data principal to file a complaint
with the Data Protection Board of India or, where applicable, to invoke other
statutory remedies under Indian law.
Approved by: Mr. Devadathan Nair, Data Fiduciary | Effective Date: [08/06/2026] | Review Date: [08/05/2027]