Privacy Policy
Last updated: 7 May 2026 · Effective: 7 May 2026
Rekaman Spatial Private Limited (“Rekaman,” “we,” “our”) operates the Rekaman platform — a B2B SaaS service that enables e-commerce brands to add augmented reality experiences to their product pages. This Privacy Policy explains how we handle personal information of brand customers (our paying users) and shoppers who interact with the Rekaman SDK on brand websites.
We comply with India’s Digital Personal Data Protection Act, 2023 (“DPDP”) and the General Data Protection Regulation (“GDPR”) where applicable.
1. Who is the Data Fiduciary
Rekaman Spatial Private Limited acts as the Data Fiduciary for personal information you provide directly to us when you create a brand account. For data collected from shoppers via the Rekaman SDK on brand websites, we act as a Data Processor on behalf of the brand, who is the Data Fiduciary for their shoppers.
2. What data we collect
From brand customers (paying users)
- Account information: name, email address, password (hashed with bcrypt), phone number (optional), and the company name you provide.
- Payment information: processed by Razorpay. We never store full card numbers, CVV, or UPI VPAs — Razorpay handles all payment data per RBI guidelines.
- Product information: photos you upload to generate 3D models, product names, prices, dimensions, and descriptions.
- Usage data: API requests, dashboard interactions, login times, IP addresses for security monitoring.
From shoppers (via the SDK on brand websites)
- Anonymous session data: approximate location (country/city via IP geolocation, never precise GPS), device type (Android/iOS/desktop), browser language, viewport size.
- AR engagement events: whether the AR button was tapped, whether a 3D model was placed, session duration, which product variants were viewed.
- No camera or photo data is sent to Rekaman servers. All AR processing happens locally on the shopper’s device. Shoppers’ rooms, faces, and bodies are never uploaded.
3. How we use this data
- To provide the Rekaman service: generate 3D models, host the SDK, render AR experiences.
- To bill and process payments via Razorpay.
- To send transactional emails (invoices, account notifications, security alerts) via Resend. We do not send marketing emails without explicit opt-in.
- To provide analytics dashboards to brands so they can measure AR engagement.
- To detect and prevent abuse, fraud, and security incidents.
- To comply with legal obligations under Indian law (tax, accounting, court orders).
4. Who we share data with
We share data only with sub-processors strictly necessary to operate the service:
- Meshy.ai (3D model generation) — your product photos are sent to Meshy for AI processing. Photos are deleted from Meshy’s servers within 30 days per their data retention policy.
- Razorpay (payments) — billing details only. Razorpay is PCI-DSS certified and RBI-regulated.
- Amazon Web Services (Mumbai region) — primary infrastructure. All data is stored within India unless explicitly elected otherwise (no current customer has elected this).
- Neon (Postgres) — database hosted in Singapore (Mumbai unavailable on Neon as of May 2026; we will migrate to Mumbai hosting when available).
- Upstash Redis — Mumbai region, used for transient queue data, no PII stored.
- Sentry (error tracking) — receives stack traces with PII redacted via Pino logger before transmission.
- PostHog (product analytics) — only on the brand-facing dashboard, not on shopper-facing AR experiences. Anonymous usage events.
- Resend (transactional email) — your email address only.
- Google (OAuth login, optional) — only if you sign in with Google.
We do not sell your personal information. We do not share data with advertising networks or data brokers.
5. Data retention
- Active account data: retained while your subscription is active.
- After account deletion: personal information deleted within 30 days. Financial records (invoices, transactions) retained for 7 years to comply with Indian tax law (Income Tax Act, GST regulations).
- AR session events: aggregated anonymously after 90 days; raw event-level data deleted.
- Backups: rotating 30-day backup window; deleted data is removed from backups within 30 days of the deletion request.
6. Your rights (DPDP Act 2023 + GDPR)
- Right to access: request a copy of all your data via the dashboard or by emailing privacy@rekaman.io.
- Right to correction: update inaccurate data via the dashboard or by emailing us.
- Right to erasure: request account deletion. We will delete or anonymize your data within 30 days, subject to legal retention obligations.
- Right to data portability: request a JSON export of your account data.
- Right to grievance redressal: contact our Data Protection Officer (below). We respond within 15 working days as required by DPDP.
- Right to consent withdrawal: withdraw consent for processing at any time. Withdrawal may affect service availability.
7. Security measures
- All data in transit is encrypted via TLS 1.3.
- Passwords are hashed with bcrypt (cost factor 12).
- API keys are stored as SHA-256 hashes; they are never stored in plaintext.
- Strict tenant isolation enforced at three layers (auth middleware, repository signatures, DB constraints) with automated tests on every code commit.
- Multi-factor authentication available for all dashboard accounts.
- Vendor SOC 2 / ISO 27001 certifications verified for AWS, Razorpay, Sentry.
- Sentry error tracking with PII redaction.
- Regular security audits before each major release.
8. Cookies
The Rekaman dashboard uses functional cookies for authentication (JWT session tokens) and CSRF protection. We do not use advertising or tracking cookies. The Rekaman SDK does not use cookies on shopper-facing brand websites.
9. Children’s privacy
Rekaman is a B2B service intended for e-commerce businesses. We do not knowingly collect personal information from individuals under 18. If you believe we have collected data from a minor, contact us immediately and we will delete it.
10. International transfers
Some sub-processors (Neon Postgres in Singapore, Sentry, Resend) may store or process data outside India. Where this occurs, we rely on Standard Contractual Clauses or equivalent legal mechanisms to ensure adequate protection. We will migrate to India-only hosting where vendor support becomes available (target: Phase 4, 2027).
11. Changes to this policy
We will notify brand customers via email at least 14 days before any material change to this policy. Continued use after changes take effect constitutes acceptance.
12. Grievance Officer
Per Section 10 of the DPDP Act 2023, our designated Grievance Officer is:
Sivasankari E (Founder & Data Protection Officer)
Email: privacy@rekaman.io
Response time: within 15 working days
If you are unsatisfied with our response, you may escalate to the Data Protection Board of India (DPB) under the DPDP Act 2023.
13. Contact
For any privacy-related questions, please email privacy@rekaman.io or write to:
Rekaman Spatial Private Limited
[Registered office address — to be added post-COI]
Thanjavur, Tamil Nadu, India