Privacy Policy
Effective Date: June 2026
Last Updated: June 2026
1. Who We Are
MandateRoom is operated by Aniket Raj, an individual trading as MandateRoom, a sole proprietor registered under the MSME/Udyam framework in India (Udyam Registration No. UDYAM-UP-29-0238002).
For the purposes of data protection law:
- Under the GDPR (EU/EEA users): We act as the Data Controller for the personal data you provide when using the Service. We act as a Data Processor for the personal data contained within documents that you (the Workspace Owner) upload and share with other users.
- Under the UK GDPR: The same controller/processor framework applies.
- Contact: hello@mandateroom.com | Vasundhara, Ghaziabad, Uttar Pradesh - 201012, India
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
- Your email address
- Your name (if you choose to provide it)
- Your organisation name (if you choose to provide it)
This data is stored in Supabase, our authentication and database provider.
2.2 Usage and Activity Data
When you use the Service, we automatically collect:
- Log data: IP addresses, browser type, device type, timestamps of actions
- Access events: which documents were viewed, by whom, and when — this data forms the audit log and is retained for as long as your workspace is active
2.3 Payment Data
We do not collect or store payment card details. Payments are processed by Lemon Squeezy, the Merchant of Record. We receive from Lemon Squeezy only: your email address, subscription status, and transaction identifiers.
2.4 Document Content
Documents you upload are stored in Cloudflare R2. We do not read, analyse, or index the content of your documents. Documents are stored solely to provide the Service — to be rendered and displayed to authorised viewers.
2.5 Watermark Data
When a Viewer opens a document, we embed identifying metadata (viewer email, timestamp, workspace ID) into the rendered image. This is a functional security feature, not a separate data collection.
2.6 Communications
If you contact us by email, we retain that correspondence to handle your query.
3. Why We Collect This Data (Legal Bases Under GDPR)
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Account data | Providing and administering the Service | Performance of contract (Art. 6(1)(b)) |
| Activity/log data | Security, audit logging, debugging | Legitimate interests (Art. 6(1)(f)) — security and fraud prevention |
| Payment data | Billing and subscription management | Performance of contract (Art. 6(1)(b)) |
| Document content | Delivering the core Service | Performance of contract (Art. 6(1)(b)) |
| Communications | Responding to support requests | Legitimate interests (Art. 6(1)(f)) |
We do not use your data for advertising, profiling, or sale to third parties.
4. Who We Share Data With
We do not sell your data. We share data only with the infrastructure providers necessary to operate the Service:
| Provider | What They Receive | Location | Safeguard |
|---|---|---|---|
| Cloudflare (R2) | Uploaded documents | United States | [Cloudflare DPA / Standard Contractual Clauses] |
| Supabase | Account data, access logs | United States | [Supabase DPA / Standard Contractual Clauses] |
| Vercel | Application traffic | United States | [Vercel DPA / Standard Contractual Clauses] |
| Lemon Squeezy | Email, billing identifiers | United States | [Lemon Squeezy terms as Merchant of Record] |
Note for the operator: Before publishing this policy, confirm that each provider offers a Data Processing Agreement (DPA) and review the safeguard mechanism (usually Standard Contractual Clauses) they use for EEA/UK transfers. Link to or reference these in the table above.
5. International Data Transfers
Your data is processed and stored on infrastructure located primarily in the United States. As of this policy's effective date, the US does not benefit from an EU adequacy decision for all processing contexts.
For users in the European Economic Area (EEA) and United Kingdom, we rely on the following safeguards for these transfers:
- Standard Contractual Clauses (SCCs): Our sub-processors (Cloudflare, Supabase, Vercel) provide SCCs as a transfer mechanism. Copies of applicable SCCs are available from each provider's documentation or on request.
For UK users, we rely on the UK International Data Transfer Agreement (IDTA) or UK addendum to EU SCCs, as applicable.
As the operator of this Service, I am based in India. India has enacted data protection legislation (the Digital Personal Data Protection Act 2023), though its provisions for international transfers are still being implemented. We are committed to complying with applicable requirements as they come into force.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | For the duration of your account, plus 30 days after deletion request |
| Audit log data | For the duration of your workspace, plus 30 days after account deletion |
| Document files | Deleted promptly upon your request or within 30 days of account termination |
| Payment records | As required by applicable tax and accounting law (typically 7 years) |
| Support emails | 2 years from the date of correspondence |
You may request deletion of your data at any time by emailing hello@mandateroom.com. We will process deletion requests within 30 days.
7. Your Rights
7.1 EEA Users (GDPR)
Under the GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Restriction: Ask us to restrict processing of your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Object: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise these rights, contact us at hello@mandateroom.com. We will respond within 30 days. We will need to verify your identity before processing requests.
You also have the right to lodge a complaint with your national supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
7.2 UK Users (UK GDPR)
You have equivalent rights under the UK GDPR. You may also complain to the Information Commissioner's Office (ICO) at https://ico.org.uk/.
7.3 US Users
We do not currently discriminate against you for exercising privacy rights. If you are a California resident, you may have rights under the CCPA/CPRA, including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.
8. Cookies and Tracking
We use minimal cookies required for the Service to function (session cookies for authentication). We do not use advertising cookies, tracking pixels, or third-party analytics that identify you across sites.
If we add analytics tools in the future, we will update this policy and, where required, obtain your consent.
9. Security
We implement the technical security measures described in our Terms of Service, including encryption at rest (via Cloudflare R2) and in transit (via TLS). We maintain an immutable audit log of document access events.
We do not have a formal information security programme, dedicated security staff, or third-party security certification (such as SOC 2 or ISO 27001). In the event of a personal data breach, we will notify affected users and relevant supervisory authorities in accordance with our obligations under applicable law (within 72 hours of becoming aware of a breach under GDPR, where feasible).
10. Children
The Service is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days before the changes take effect. The "Last Updated" date at the top of this document reflects the most recent revision.
12. Contact and Data Requests
For any privacy-related enquiries, data subject requests, or to report a concern:
Data Controller: Aniket Raj, operating as MandateRoom
Email: hello@mandateroom.com
Address: Vasundhara, Ghaziabad, Uttar Pradesh - 201012, India
Response time: We aim to respond to all requests within 30 days.
This Privacy Policy was drafted to honestly reflect the data practices of a solo-operated product. We do not have a legal or compliance team. If you have questions about how your data is handled, please contact us directly — we will answer honestly.