Privacy Policy

1. Who we are

Data Controller: Bluecheck Gridbox LLP
Registered address: Bangalore, Karnataka, India
Product: Doer — a meeting action tracking application available at checkdoer.com
Privacy contact: privacy@checkdoer.com

Bluecheck Gridbox LLP ("Bluecheck", "we", "us", "our") is the data controller for personal data processed through the Doer application and this website. We are incorporated under the laws of India.

2. Data we collect

2.1 Account and profile data

• Name and email address (used to create and identify your account)
• Company or organisation name
• Role within your workspace (Admin or Member)
• Country / region (for billing currency and compliance)

2.2 Usage data

• Meeting records you create (title, date, duration, attendees, discussion points, takeaways, action points — all text only)
• Tasks you create, assign or update
• Comments you post on tasks
• Login timestamps and session information

2.3 Technical data

• IP address (logged for security and abuse prevention)
• Browser type and device type
• Pages visited and feature interactions (with your consent for analytics)

2.4 Contact form data

If you submit an enquiry via our website, we collect your name, email address, company name, and message content.

2.5 What we do NOT collect

• File attachments of any kind (Doer does not support file uploads — text only by design)
• Payment card details (handled directly by our payment processor)
• Sensitive personal data (health, biometric, political, religious data)

3. How we use your data

• To provide the service — creating and managing your account, workspaces, tasks, and meetings
• To communicate with you — responding to enquiries, sending service notifications and product updates
• To improve the product — analysing usage patterns (only with your consent where required)
• To prevent fraud and maintain security — detecting and preventing unauthorised access
• To comply with legal obligations — responding to lawful requests from authorities
• For billing and invoicing — processing subscriptions and maintaining transaction records

4. Legal basis for processing (GDPR / UK GDPR)

For users in the EU and UK, we process personal data on the following legal bases under Article 6 of the UK/EU GDPR:

• Contract (Art. 6(1)(b)) — Processing necessary to provide the Doer service under our Terms of Service
• Legitimate interests (Art. 6(1)(f)) — Security, fraud prevention, service improvement, and direct marketing to existing customers
• Consent (Art. 6(1)(a)) — Analytics cookies and marketing emails (where you have opted in)
• Legal obligation (Art. 6(1)(c)) — Where we are required by law to process or retain data

5. Data sharing and sub-processors

We do not sell your personal data. We share data only with the following categories of trusted third parties, under appropriate data processing agreements:

• Google Cloud APAC Pte Ltd — Infrastructure hosting, database, and authentication services. India. ISO 27001, SOC 1/2/3 certified.
• EmailJS — Used to route contact form submissions to our team. Data is transmitted securely and not retained by EmailJS beyond delivery.
• Google Analytics / Google Ads — Used for website analytics and advertising measurement, only where you have provided cookie consent.
• Payment processor — For subscription billing. Your payment card details are never stored by Bluecheck.

We may disclose data if required to do so by law, court order, or governmental authority, or to protect our rights and the safety of users.

6. International data transfers

Doer's primary infrastructure is hosted on Google Cloud in India. India is not currently recognised by the European Commission as providing an adequate level of data protection equivalent to the EU.

For transfers of personal data from the EU or UK to India, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (2021/914) and the UK International Data Transfer Agreement (IDTA) respectively.

A copy of our Data Processing Agreement incorporating SCCs is available on request at privacy@checkdoer.com, or can be downloaded from our Data Protection page.

7. Data retention

• Account data — Retained for the duration of your subscription plus 90 days after account closure (to allow recovery), then permanently deleted.
• Meeting and task records — Retained for the duration of your subscription. Upon cancellation, data is held for 90 days then deleted.
• Contact form submissions — Retained for 12 months, then deleted.
• Billing records — Retained for 7 years as required by Indian tax law (GST Act) and applicable law in client jurisdictions.
• Server logs (IP, security) — Retained for 90 days.

8. Your rights

Regardless of where you are located, you have the right to:

• Access — Request a copy of the personal data we hold about you
• Rectification — Ask us to correct inaccurate data
• Erasure — Ask us to delete your data (subject to legal retention obligations)
• Portability — Receive your data in a structured, machine-readable format
• Restriction — Ask us to restrict processing in certain circumstances
• Objection — Object to processing based on legitimate interests or for direct marketing
• Withdraw consent — At any time, where processing is based on consent

To exercise any right, email privacy@checkdoer.com. We will respond within 30 days (or 72 hours for urgent data breach notifications).

9. GDPR & UK GDPR — specific provisions

This section applies to users in the European Economic Area (EEA) and the United Kingdom.

Data Processing Agreement (DPA)

Where Bluecheck processes personal data on behalf of your organisation as a data processor (for example, when your employees use Doer and you are the data controller), we are prepared to enter into a Data Processing Agreement that incorporates EU Standard Contractual Clauses and UK IDTA. Please request this at privacy@checkdoer.com or download from our Data Protection page.

Supervisory authority

If you are in the EU or UK and believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO). In Ireland, the Data Protection Commission (DPC).

No automated decision-making

Doer does not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.

10. India Digital Personal Data Protection Act 2023 (DPDPA)

This section applies to users in India and to the processing of personal data of Indian citizens.

Bluecheck Gridbox LLP is a Data Fiduciary under the DPDPA 2023. We process personal data of Indian data principals on the following grounds:

• Consent — You provide consent when registering for Doer. You may withdraw consent by closing your account or emailing us.
• Legitimate uses — As permitted under Section 7 of the DPDPA, including purposes related to the provision of services under a contract.

Your rights under DPDPA

• Right to information — Know what personal data we process and for what purpose
• Right to correction and erasure — Have inaccurate data corrected or data erased where no longer necessary
• Right to grievance redressal — Contact us at privacy@checkdoer.com and we will respond within 30 days
• Right to nominate — Nominate another person to exercise rights on your behalf in the event of death or incapacity

Grievance Officer (India)

In accordance with the DPDPA and IT Act 2000, our Grievance Officer can be reached at:
Name: Bluecheck Admin
Email: privacy@checkdoer.com
Address: Bluecheck Gridbox LLP, Bangalore, Karnataka, India
We will acknowledge grievances within 48 hours and resolve within 30 days.

11. Cookie policy

We use cookies and similar technologies on our website. Cookies are small text files stored on your device.

Essential cookies (no consent required)

• doer_cookie_consent — Stores your cookie consent preference. Expires: 1 year.
• Session cookies — Used for authentication and security. Expire: end of browser session.

Analytics & advertising cookies (consent required)

• Google Analytics (_ga, _gid) — Used to measure website traffic and usage patterns. Only set after you accept cookies.
• Google Ads (conversion cookies) — Used to measure the effectiveness of our advertising. Only set after you accept cookies.

You can withdraw cookie consent at any time by clearing your browser cookies and declining when the banner next appears, or by emailing us.

EU and UK users: our cookie banner requires affirmative consent before any non-essential cookies are set. We do not set Google Analytics or Ads cookies until you click "Accept all".

12. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256 via Google Cloud)
• Role-based access controls — users only see data within their authorised workspace
• Domain-level workspace restrictions — cross-organisation data access is architecturally prevented
• No file attachments stored — text-only data minimises attack surface
• Regular security reviews

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours of becoming aware, in accordance with GDPR Article 33.

13. Children's data

Doer is a professional business application and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice in the Doer application. The updated policy will be effective from the date shown at the top of this page. Your continued use of Doer after that date constitutes acceptance of the updated policy.

15. Contact us

For any privacy-related questions, to exercise your rights, or to request a Data Processing Agreement:

If you are in the EU and wish to raise a complaint, you may also contact your local data protection authority. If you are in the UK, you may contact the ICO.