Legal

Privacy Policy

How Workclave collects, uses, and protects personal data — covering session data, employee records, cookies, data subject rights, and retention.

Effective: March 12, 2026Questions? help@mecverse.comDPDP ComplianceTerms of Service

1. Overview

  • This Privacy Policy explains how Workclave collects, uses, discloses, and protects personal data when you use our website, product, demo environment, and related services.
  • It also explains your privacy choices and how to contact us regarding data protection questions.
  • By accessing or using Workclave, you acknowledge that you have read and understood this policy.

2. Who we are

  • Workclave is a session-based workforce management platform built for Indian IT teams, agencies, and project-based organisations. We provide attendance tracking, approval workflows, project-linked session management, and compliance reporting.
  • Workclave is operated by Mecverse. For privacy questions, contact help@mecverse.com.
  • Where Workclave acts as a data processor on behalf of enterprise customers, the customer is the data fiduciary/controller. This policy describes Workclave's practices as both controller (for our own website, sign-up, and marketing data) and processor (for customer workspace data).

3. Data we collect

  • Account and profile data: name, work email address, organisation name, job role, and authentication metadata (hashed passwords, OTP records, token metadata).
  • Workspace and session data: session start/end times, project and client attribution, break intervals, approval status, manager actions, export records, and configuration settings set by workspace administrators.
  • Support and communication data: messages submitted through contact forms, email correspondence, demo request details, procurement enquiries, and support ticket history.
  • Usage and technical data: IP address, browser type and version, device type, operating system, page interactions, feature usage events, error logs, and performance diagnostics.
  • Marketing and attribution data: UTM parameters, referral source, campaign identifiers — collected only where consent has been granted and used solely for understanding acquisition channels.
  • Payment data: billing details are processed directly by our payment provider. Workclave does not store full card numbers or sensitive payment credentials.

4. Data sources

  • Directly from you: when you create an account, use the product, submit forms, request support, book a demo, or correspond with us.
  • Automatically via the platform: server logs, session events, and browser telemetry collected when you use the product or website.
  • From your organisation: workspace administrators may add your account to a Workclave workspace, assigning you a role and associating your work record with the organisation's data.
  • From authorised integrations: if your organisation connects third-party tools (e.g. project management systems), limited data may flow through those integrations as configured by your administrator.

5. How we use data

  • Provision and operate Workclave features including account access, session tracking, approvals, reports, and data exports.
  • Authenticate users and maintain workspace security — detecting and responding to unauthorised access attempts, abuse, and anomalies.
  • Deliver customer support, onboarding assistance, and product communications relevant to your account status.
  • Process subscriptions, billing, invoices, and refund requests.
  • Send service notifications (security alerts, billing notices, policy updates) — these cannot be opted out of while you hold an active account.
  • Send marketing communications about Workclave features, guides, and updates — only where consent has been granted. You can opt out at any time using the unsubscribe link.
  • Improve product performance and user experience using aggregated, de-identified analytics.
  • Comply with legal obligations, respond to lawful requests, and enforce contractual rights.

6. Legal bases

  • Contract: processing necessary to provide the service you have signed up for — account provisioning, session data handling, billing, and support.
  • Legitimate interests: security monitoring, fraud prevention, product improvement using aggregated data, and B2B marketing to existing customers — where our interests are not overridden by your privacy rights.
  • Legal obligation: retaining records to comply with applicable Indian labour law, tax requirements, and regulatory obligations.
  • Consent: optional analytics cookies, marketing communications, and any processing we explicitly ask consent for. You can withdraw consent at any time.

7. Cookies and local storage

  • Essential cookies and local storage items are used for authentication token management, CSRF protection, and session continuity. These are required for the product to function and cannot be disabled.
  • Optional analytics cookies are disabled by default on first visit. They are activated only after you grant consent through the cookie banner.
  • We use localStorage to persist lightweight preferences (theme, tour state) on the client — no personally identifiable data is stored there.
  • You can withdraw analytics consent at any time by clearing site storage and declining when the banner reappears, or by contacting help@mecverse.com.

8. How we share data

  • Subprocessors: vetted service providers who assist with hosting, database management, transactional email, analytics (if enabled), payment processing, and customer support tooling. All subprocessors are bound by data processing agreements.
  • Legal obligations: we may disclose data to comply with a court order, regulatory request, or applicable law. Where legally permitted, we will notify affected customers before disclosure.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, customer data may be transferred to the successor entity subject to equivalent data protection obligations.
  • We do not sell personal data to third parties for money or equivalent value.
  • We do not share personal data with third-party advertisers.

9. International transfers

  • Workclave's primary infrastructure is located in data centres with adequate data protection controls. We strive to process Indian employee data within jurisdictions that offer equivalent protection.
  • Where transfers to other countries occur (e.g. subprocessors providing email or analytics services), we ensure appropriate contractual safeguards are in place.
  • Customers with data residency requirements should contact hello@mecverse.com to discuss available options.

10. Data retention

  • Account and workspace data: retained for the duration of the active subscription, plus a 90-day post-termination grace period to allow data export.
  • After the grace period: data is permanently deleted from production systems and purged from backup rotation within 30 days.
  • Support records: retained for up to 2 years to resolve disputes and comply with applicable legal requirements.
  • Audit log data: retained for 12 months to support Labour Code compliance and billing audit requirements.
  • Aggregated and anonymised analytics data may be retained indefinitely as it cannot be re-linked to individuals.
  • Early deletion requests can be submitted to help@mecverse.com. We confirm deletion in writing within 30 days.

11. Security

  • We apply technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration, and loss — including TLS 1.3 in transit, AES-256 at rest, RBAC, and immutable audit logs.
  • No system is perfectly secure. In the event of a breach likely to result in harm, we will notify affected customers within 72 hours.
  • See the Security page for the full list of controls.

12. Your privacy rights

  • Access: request a copy of personal data we hold about you and information on how it is processed.
  • Correction: request correction of inaccurate or incomplete personal data.
  • Erasure: request deletion of personal data where retention is no longer necessary or legally required.
  • Restriction: request that we limit processing in certain circumstances (e.g. while disputing accuracy).
  • Objection: object to processing based on legitimate interests.
  • Portability: receive your personal data in a structured, machine-readable format.
  • Withdrawal of consent: where processing is based on consent, you can withdraw at any time without affecting the lawfulness of prior processing.
  • To exercise any right, contact help@mecverse.com. We may verify your identity before processing requests to prevent unauthorised access to third-party data. We respond within 30 days.

13. India DPDP Act

  • Workclave aligns its data practices with the Digital Personal Data Protection Act 2023. Data principals have rights to information, correction, erasure, grievance redressal, and nomination under the Act.
  • For a full DPDP-specific overview including subprocessors, breach notification, and DPA availability, see the DPDP Compliance page.

14. Children

  • Workclave is not designed for or directed at individuals under 18 years of age. We do not knowingly collect personal data from minors.
  • If you believe a child has submitted personal data, contact help@mecverse.com and we will take appropriate action.

15. Changes to this policy

  • We may update this policy to reflect legal, technical, or business changes. The effective date at the top of the page indicates when the policy was last revised.
  • For material changes, we will provide notice via the product dashboard or email to the workspace administrator before the changes take effect.
  • Continued use of Workclave after the effective date of a revised policy constitutes acceptance of the updated terms.

16. Contact

  • Privacy questions, data rights requests, or DPA enquiries: help@mecverse.com
  • General and sales enquiries: hello@mecverse.com
  • We aim to respond to all privacy requests within 30 days.

Data rights requests or privacy questions — help@mecverse.com. We respond within 30 days.