This Privacy Policy (“Policy”) describes how MAK SOFTBOX PRIVATE LIMITED, a company incorporated under the Companies Act, 2013, bearing CIN: U74999PN2018PTC176752, having its Registered Office at E-603, Park Ivory, Park Street, Wakad, Pune 411 057, and Principal Place of Business at B-713–714, Suratwala Mark Plazzo, Hinjewadi, Pune 411 057, Maharashtra, India (“Company,” “We,” “Us,” or “Our”), collects, uses, stores, protects, and discloses personal information when users (“You”, “User”, or “Client”) access or use the MDOC Web Portal and Mobile Application (collectively, the “Platform”). By accessing or using the Platform, You agree to this Policy. If You do not agree, please do not access or use the Platform.
1. PURPOSE: This Policy explains:
1.1 What information We collect;
1.2 How We use and protect it;
1.3 When We share it with third parties; and
1.4 The rights and choices available to You.
2.1 Information Provided by Users:
2.1.1 Account Information: Name, organisation name, designation, email address, phone number, login credentials, and subscription details.
2.1.2 Business Information: Project names, client details, or workflow data entered by Users for operational purposes.
2.1.3 Payment Information: Limited transaction data such as invoice numbers or payment status (processed via secure payment gateways).
2.2 Automatically Collected Information:
2.2.1 Device and Log Data: Browser type, device type, IP address, time zone, operating system, and login timestamps.
2.2.2 Usage Data: Frequency of login, module access, and actions performed to improve user experience.
2.2.3 No cookies or analytics trackers such as Google Analytics or Meta Pixel are used.
2.3 Information Received from Third Parties: Where Clients opt to integrate third-party tools (e.g., WhatsApp, mail servers, payment gateways, or cloud telephony), limited data is exchanged to enable such integrations.
3. HOW WE USE YOUR INFORMATION:
3.1 General Purpose: The Company uses the information collected from Users and Clients strictly in connection with the operation and improvement of the MDOC Platform and for no unrelated or commercial purposes. Every use of personal or business information is governed by this Privacy Policy, the User Agreement, and applicable data-protection laws of India.
3.2 Specific Purposes of Use:
3.2.1 To Provide, Operate, and Maintain the Platform and Its Services
3.2.2 The information You provide enables the Company to:
3.2.2.1 Create and manage your user profile and login credentials;
3.2.2.2 Facilitate secure access to Your account and maintain authentication between sessions;
3.2.2.3 Deliver core functionalities such as project management, CRM modules, reporting dashboards, and communication features;
3.2.2.4 Customize modules and workflows according to the Client’s subscribed plan or role structure; and
3.2.2.5 Monitor technical performance, uptime, and responsiveness of the Platform.
3.2.2.6 All operations are essential for the proper functioning of the MDOC application and do not involve any sale or external monetization of Your data.
3.3 To Manage Client Accounts, Authentication, and Access Control: Information such as login IDs, passwords, and role-based permissions allows the Company to:
3.3.1 Identify each authorized user within a client organization;
3.3.2 Enforce secure password policies and access hierarchies;
3.3.3 Detect and prevent unauthorized logins, credential sharing, or multiple concurrent sessions beyond licensed capacity; and
3.3.4 Maintain accurate records for audit, invoicing, and compliance verification.
3.3.5 This ensures that only authenticated users can access confidential Client Data stored on the Platform.
3.3.6 To Communicate About Renewals, AMC Reminders, and Technical Issues: The Company may use Your registered contact details (email, phone, or WhatsApp number) to:
3.3.6.1 Send timely alerts for AMC or Cloud renewal dates, invoices, and payment confirmations;
3.3.6.2 Notify Users about scheduled maintenance, version updates, or downtime;
3.3.6.3 Provide technical assistance, troubleshooting, or responses to support tickets; and
3.3.6.4 Inform Clients of new modules, patches, or security enhancements relevant to their subscribed services.
3.3.6.5 All such communications are transactional or service-related and not promotional in nature.
3.3.7 To Generate Reports and Analytics for Service Improvement
3.3.7.1 Aggregated and anonymized usage data—such as number of logins, feature utilization, and error frequencies—is analyzed to:
3.3.7.2 Understand how Clients use different modules of MDOC;
3.3.7.3 Identify trends or performance bottlenecks;
3.3.7.4 Enhance user experience, speed, and reliability; and
3.3.7.5 Develop new features, interfaces, or integrations that benefit all users.
3.3.7.6 These analytics are internal and do not contain any personally identifiable information.
3.3.8 To Comply with Legal, Regulatory, and Contractual Obligations
3.3.8.1 The Company may process certain information to:
3.3.8.2 Maintain accounting, invoicing, and taxation records as required by Indian law;
3.3.8.3 Respond to lawful requests from governmental or regulatory authorities;
3.3.8.4 Verify Client identity and eligibility under applicable business regulations; and
3.3.8.5 Retain records necessary for contractual enforcement, dispute resolution, or audit purposes.
3.3.8.6 All such disclosures are made in good faith and in accordance with statutory requirements.
3.3.9 To Prevent Fraud, Unauthorized Access, or Misuse of the Platform: User data and activity logs are analyzed to:
3.3.9.1 Detect unusual login patterns or suspicious activity;
3.3.9.2 Safeguard Client Data from unauthorized disclosure, alteration, or destruction;
3.3.9.3 Enforce compliance with license terms, intellectual-property rights, and security policies; and
3.3.9.4 Investigate and resolve any breach, cyber incident, or violation of the User Agreement.
3.3.9.5 Such preventive monitoring is automated, limited to legitimate security purposes, and does not involve profiling or behavioral targeting.
3.4 Prohibited Uses:
3.4.1 The Company expressly undertakes that it does not:
3.4.2 Sell, rent, or trade any personal or Client information;
3.4.3 Use Client Data for advertising, marketing, or unrelated third-party analytics; or
3.4.4 Combine User data with information from external databases for profiling or solicitation.
3.5 Transparency and Limitation Principle: Every use of personal information is limited to the purpose for which it was collected. If the Company intends to use data for a materially different purpose, it shall provide prior notice to the User and obtain explicit consent wherever required by law.
4. DATA STORAGE AND RETENTION:
4.1 Location and Manner of Storage: All data collected or processed through the MDOC Platform, including Client Data, login credentials, and operational records, is stored in secure servers physically located within the territory of India or with reputed third-party cloud service providers that maintain equivalent or higher standards of data security and confidentiality. Such service providers are engaged under written agreements that include obligations of confidentiality, restricted use, and compliance with applicable privacy and data-protection laws. The storage environment is protected by encryption, firewall protection, redundancy, and continuous monitoring to prevent unauthorized access or accidental loss. Data centers used by the Company maintain multiple layers of physical and logical security, including biometric access control, video surveillance, and controlled entry procedures.
4.2 Retention Duration and Deletion Policy:
4.2.1 Active Account Period: All Client Data remains accessible and retained in its original form for the duration of the active subscription, AMC, or Cloud-service period.
4.2.2 Post-Closure Retention: Upon account closure, termination, or expiry of a subscription, Client Data will be retained for a grace period of thirty (30) days to facilitate reactivation or retrieval requests.
4.2.3 Deletion and Anonymization: After the 30-day grace period, the data shall be permanently deleted or irreversibly anonymized, rendering it incapable of identifying any Client or User.
4.2.4 Exceptions: Data may be retained beyond the 30-day period only when:
4.2.4.1 Retention is required by applicable law, taxation, accounting, or regulatory obligations;
4.2.4.2 The Company has to preserve information for audit, dispute-resolution, or enforcement of contractual rights; or
4.2.4.3 Backup copies exist temporarily in disaster-recovery systems, which are automatically overwritten in the normal backup cycle.
4.2.4.4 Once the statutory or contractual necessity ends, the data is securely purged following the Company’s internal destruction protocol.
4.3 Access Controls and Monitoring: Access to stored data is governed by a strict role-based access control (RBAC) system that limits viewing or modification privileges solely to authorized personnel based on their job responsibilities. Every administrative access attempt is logged and periodically reviewed. Internal monitoring tools flag unusual data-access activity to the Information-Security Officer for investigation. Personnel with such access are bound by confidentiality agreements and trained in data-protection procedures.
4.4 Data Integrity and Backup: The Company performs regular, encrypted backups of Client Data to ensure continuity in case of system failure, corruption, or disaster. Backups are stored in secure repositories separate from primary servers and are subject to the same confidentiality and security controls. Integrity checks are conducted to verify that backup data matches original records.
4.5 User Rights on Retention: Clients may, within the 30-day post-termination period, request a copy or export of their data in a machine-readable format. Such requests must be made in writing to info@maksoftbox.com from the registered contact email. After the expiration of this period, the Company shall not be obligated to retrieve or restore deleted data.
4.6 Commitment to Minimal Retention: The Company adheres to the principle of data minimization, retaining personal or business information only for as long as necessary to fulfill the purpose for which it was collected or as mandated by law. This ensures responsible data lifecycle management and aligns with global privacy standards.
5. DATA SECURITY:
5.1 Commitment to Data Protection: The Company recognizes that the confidentiality, integrity, and availability of Client Data are critical to business trust. Accordingly, We employ a combination of technical, administrative, and organizational safeguards designed to protect all information collected or processed through the MDOC Platform against loss, misuse, unauthorized access, disclosure, alteration, or destruction.
5.2 Technical Safeguards:
5.2.1 To maintain secure digital infrastructure, the Company implements: End-to-End Encryption – All data transmitted between the User’s device and our servers is protected using SSL/TLS encryption protocols to prevent interception during transit.
5.2.2 Secure Firewalls and Network Segmentation – Multiple firewall layers, intrusion-prevention systems, and segmented environments are maintained to isolate production servers from public networks.
5.2.3 Access Control and Authentication – User accounts are password-protected, and access is restricted through unique credentials and role-based permissions. Failed login attempts are monitored and flagged for review.
5.2.4 Regular System Updates and Patch Management – Operating systems, application frameworks, and third-party libraries are periodically updated to minimize vulnerabilities.
5.2.5 Encrypted Backups – Critical data is backed up at regular intervals on secure storage with encryption and integrity checks to ensure recovery in case of hardware failure or disaster.
5.3 Organizational and Administrative Safeguards:
5.3.1 Limited Administrative Access – Only designated personnel with appropriate authorization and confidentiality undertakings are permitted to access production systems or Client Data.
5.3.2 Confidentiality and Training – All employees and contractors handling data are bound by nondisclosure agreements and receive periodic training on data-protection and cyber-hygiene practices.
5.3.3 Internal Security Audits and Compliance Reviews – Regular internal audits, log reviews, and vulnerability assessments are conducted to verify adherence to the Company’s information-security policies.
5.3.4 Incident Response Procedure – A defined escalation matrix is in place for prompt detection, containment, and investigation of security incidents. Confirmed breaches trigger notifications as provided under Clause 12 (Data Breach Response).
5.4 Physical Safeguards: The servers hosting the Platform are located in secure data-center environments managed by reputed cloud providers. These facilities maintain multi-factor physical access control, round-the-clock surveillance, redundant power supplies, and disaster-recovery infrastructure to ensure service continuity.
5.5 User Responsibilities: While the Company takes all reasonable precautions, Users also play a vital role in maintaining data security. You agree to:
5.5.1 Keep login credentials confidential and change passwords periodically;
5.5.2 Refrain from sharing access tokens or devices with unauthorized persons; and
5.5.3 Immediately notify the Company of any suspected compromise or misuse of Your account.
5.5.4 Failure to follow good security practices on the User’s side may reduce the effectiveness of these safeguards.
5.6 Limitation of Liability: Despite the implementation of the above measures, no digital system can be guaranteed to be completely immune from cyber risks, attacks, or unauthorized intrusions. Accordingly, the Company shall not be held liable for any data loss, corruption, or unauthorized disclosure resulting from events beyond its reasonable control—including, but not limited to, sophisticated hacking, denial-of-service attacks, internet failures, or acts of God. The Company nevertheless undertakes to act diligently to mitigate the effects of any such event and restore normal operations at the earliest possible time.
5.7 Continuous Improvement: The Company reviews and updates its data-security framework on an ongoing basis to align with emerging technologies, regulatory developments, and industry best practices.
6. DATA SHARING AND DISCLOSURE: We do not sell, trade, or rent personal information. Data may be shared only in the following limited circumstances:
6.1 With Authorized Third-Party Service Providers: such as payment gateways, cloud telephony providers, or email service providers, solely to enable integrations or communications;
6.2 With Legal Authorities: where required by applicable law, regulation, or government request;
6.3 With Business Successors: in case of merger, acquisition, or reorganization, subject to equivalent privacy safeguards.
6.4 All such third parties are contractually bound to maintain confidentiality and use data only for the purpose specified by the Company.
7. CLIENT DATA OWNERSHIP: All data, documents, and information uploaded by Clients remain their exclusive property. The Company acts only as a data processor and shall not use Client Data for any purpose other than providing services through the Platform.
8. OWNERSHIP AND COPYRIGHT:
The Platform “MDOC” (formerly known as “MDocBOX”) is the proprietary platform owned and operated by the Company. All intellectual property rights and ownership in and to the Platform, including but not limited to the software, source code, user interface (UI), graphical user interface (GUI), UI/UX design, look and feel, written text, icons, graphics, sound, video, flow charts, trademarks, architecture diagrams, trade dress, and any original expression of ideas or concepts, are protected under applicable intellectual property laws. The Platform is registered under Copyright Registration Certificate No.: SW-13544/2020 in the name of the Company. Any unauthorized use, copying, modification, creation of derivative works, reproduction, distribution, or exploitation of the Platform or any part thereof is strictly prohibited and shall be subject to appropriate civil and criminal legal action under applicable laws.
9. USER RIGHTS: Subject to applicable laws, Users have the right to:
9.1 Access: Request a summary of data stored about them;
9.2 Rectify: Request corrections to inaccurate or outdated information;
9.3 Delete: Request deletion of personal data after account termination;
9.4 Withdraw Consent: Opt out of communications or revoke consent (which may limit Platform functionality).
9.5 Requests may be sent to info@maksoftbox.com with subject line “Privacy Request – [User Name]”. Verification may be required to protect data integrity.
10. COOKIES AND TRACKING: The MDOC Platform does not use cookies or third-party analytics tools for tracking, marketing, or profiling purposes. Minimal session identifiers are stored temporarily for authentication during active login sessions.
11. THIRD-PARTY LINKS AND INTEGRATIONS: The Platform may offer optional integrations or links to third-party systems such as WhatsApp, Google services, or payment gateways. These third parties operate independently under their own privacy policies. The Company is not responsible for their practices and recommends Users review such third-party terms before enabling integrations.
12. DATA BREACH RESPONSE:
12.1 Commitment to Transparency: The Company is committed to responding promptly and responsibly to any confirmed or suspected breach of security that may affect Client Data. All incidents are handled in accordance with an internal incident-management and reporting protocol designed to minimize impact and restore normal operations swiftly.
12.2 Definition of Data Breach: For the purposes of this Policy, a “Data Breach” means any unauthorized access, acquisition, use, alteration, disclosure, or destruction of Client Data that compromises its confidentiality, integrity, or availability, whether caused by malicious attack, human error, system failure, or other unforeseen events.
12.3 Incident Detection and Assessment:
12.3.1 All network and application logs are continuously monitored to detect suspicious activities or security anomalies.
12.3.2 Upon identification of an incident, the Company’s Information-Security Team conducts a preliminary assessment to confirm the breach and determine its scope, nature, and potential impact on Clients and data subjects.
12.3.3 The assessment includes identifying affected systems, data sets, and user accounts as well as determining whether the breach arose from external intrusion or internal misuse.
12.4 Immediate Containment and Remediation: Once a breach is confirmed, the Company shall take immediate steps to: isolate affected servers or modules to prevent further data exfiltration; disable compromised credentials or API keys; apply patches or security fixes to the vulnerable component; and commence data recovery and integrity verification from secure backups. All actions are recorded in the incident-response register for audit purposes.
12.5 Notification to Clients: In the event of a confirmed breach affecting Client Data, the Company shall:
12.5.1 Notify the affected Client(s) through their registered email addresses within a reasonable timeframe after verification of the incident, ensuring accuracy of information disclosed;
12.5.2 Provide details of the breach, including its nature, categories of data affected, probable consequences, and corrective measures taken; and
12.5.3 Advise Clients on recommended precautionary steps (such as password changes or access review) to limit potential impact.
12.5.4 If the incident poses a material risk to data subjects, the Company may also notify relevant regulatory or law-enforcement authorities as required under applicable law.
12.6 Co-operation and Remediation: The Company will extend full co-operation to Clients and competent authorities in investigating and resolving the incident, including providing logs, technical details, and support documentation where legally permissible. Following containment, a root-cause analysis is conducted to identify preventive and corrective actions for future risk mitigation.
12.7 Post-Incident Reporting and Review: After closure of a data breach incident, a formal incident report is prepared and reviewed by the Company’s management and Information-Security Officer; lessons learned are documented, and security policies or controls are updated accordingly; and staff training sessions are conducted to strengthen awareness and prevent recurrence.
12.8 Disclaimer of Liability: While the Company shall exercise reasonable care and due diligence in handling and securing Client Data, it cannot guarantee absolute protection against all cyber threats. Accordingly, the Company shall not be liable for any loss arising from breaches caused by events beyond its reasonable control, such as sophisticated hacking, internet failures, or acts of third parties, provided it has acted in good faith and in accordance with this Policy.
13. CHILDREN’S PRIVACY: The Platform is intended for business and professional use. It is not designed for or directed to individuals under 18 years of age. The Company does not knowingly collect personal data from minors.
14. INTERNATIONAL DATA TRANSFER: All processing is performed within India. Where integrations require international data transfer (e.g., global payment or cloud services), the Company ensures that such transfers comply with applicable Indian laws and reasonable security standards.
15. CHANGES TO THIS POLICY: The Company may amend this Policy from time to time to reflect legal or operational changes. Updates will be posted on the Platform, and continued use after such posting constitutes acceptance of the revised Policy.
16. CONTACT INFORMATION: For any questions, concerns, or privacy-related requests, please contact:
MAK SOFTBOX PRIVATE LIMITED
Registered Office: E-603, Park Ivory, Park Street, Wakad, Pune 411057
Business Office: B-713–714, Suratwala Mark Plazzo, Hinjewadi, Pune 411057, Maharashtra, India
Email: info@maksoftbox.com
Attn: Data Protection Officer: MDOC Platform
17. ACKNOWLEDGMENT: By accessing or using the MDOC Platform, you acknowledge that You have read, understood, and agreed to this Privacy Policy and consent to the collection and use of information as described herein.