Privacy Policy
AlGraphy Pro — HRMS, Talent Marketplace & CRM
Effective Date: April 29, 2026 · Last Updated: April 29, 2026
AlGraphy Pro Est. ("AlGraphy Pro," "we," "us," or "our") operates the AlGraphy Pro mobile and web application ("App") — a combined Human Resources Management System (HRMS), Talent Marketplace, and CRM platform. This Privacy Policy explains what information we collect, how we use and protect it, and the rights you have over your personal data.
By downloading, installing, or using the App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the App.
1. Who This Policy Applies To
AlGraphy Pro serves three types of users, each with a different experience:
- Employees: Staff members of organizations that use AlGraphy's HRMS. Accounts are provisioned by an organization administrator.
- Clients: Client contacts onboarded by an administrator for project collaboration and CRM interaction.
- Talent / Public users: Content creators, influencers, UGC managers, suppliers, or vendors who register independently via the Talent Marketplace to showcase their profiles and receive bookings.
2. Information We Collect
2.1 Information You Provide Directly
- Account credentials: Name, email address, and password (stored only as a secure bcrypt hash — we never store plain-text passwords).
- Profile information: Profile picture, biography, phone number, gender, date of birth, and expertise or skill tags (for Talent profiles).
- Employment details: Job title, department, designation, work schedule, salary information, and leave balances (collected and managed by your organization's administrator).
- Onboarding documents: Digital signatures, signed employment contracts, and other HR documents completed during the mandatory onboarding flow. Signed copies are stored as immutable PDF files and are not modified after signing.
- Chat messages and media: Text messages, images, videos, files, and voice notes (audio recordings) sent through the in-app messaging feature.
- Meeting information: Meeting titles, descriptions, dates, times, and attendee lists created through the Meetings module.
- CRM data: Lead records, account information, contact details, quotations, invoices, and items that you or your team create in the CRM module.
- Talent Marketplace activity: Portfolio media, highlight reels, booking requests, and service availability that you publish on your public Talent profile.
- Booking and payment information: When a booking is placed for a talent, booking details are recorded. Payment is processed by a third-party payment gateway — we do not store card numbers or payment credentials on our servers.
2.2 Information Collected Automatically
- Device information: Device model, operating system version, and platform type (iOS, Android, or Web), used to ensure App compatibility and deliver push notifications.
- Push notification tokens: Firebase Cloud Messaging (FCM) device tokens are collected to deliver work-related notifications such as task assignments, meeting reminders, attendance alerts, and new messages.
- Session data: Authentication tokens (JWTs) stored locally on your device to maintain your session without requiring repeated logins.
- Offline queue data: Messages composed while offline are stored temporarily in an on-device database (SQLite) and synced to our servers when connectivity is restored.
2.3 Information Collected with Your Explicit Permission
We request device permissions only when you perform an action that requires them. You can grant or revoke any permission at any time via Settings → Privacy & Security on your device. Revoking a permission disables only the associated feature — the rest of the App continues to work normally.
| Permission | When Requested | How It Is Used |
| --- | --- | --- |
| Location (When In Use) | When you tap Clock In or Clock Out | A single GPS coordinate is captured at the exact moment of the attendance event to verify your presence at a work location. Location is never tracked continuously or in the background. |
| Camera | When you choose to take a photo for your profile, signature, or chat | Used to capture images you explicitly choose to upload. No photos are taken without your action. |
| Photo Library | When you choose to select a photo or video from your library | Used to upload profile pictures, Talent portfolio media, chat images, or document attachments you select. |
| Microphone | When you hold the record button to send a voice note in chat | Audio is recorded only while you actively hold the record button. The recording is uploaded as a voice message. No audio is captured at any other time. |
| Calendar | When you choose to sync a meeting to your device's calendar | Used to create or update calendar events on your device. Calendar data is not uploaded to AlGraphy's servers. |
3. How We Use Your Information
3.1 Core App Functionality
- Attendance management: Verifying employee clock-in/out using GPS coordinates and recording work hours, overtime, and leave balances.
- HR administration: Managing employee records, employment contracts, leave requests, shift assignments, and organizational hierarchy.
- Employee onboarding: Delivering invitation links, guiding new hires through the mandatory onboarding steps (password setup, signature capture, document signing), and recording onboarding completion status.
- Document management: Generating, previewing, and storing signed HR documents (offer letters, contracts, policies) with a complete audit trail (timestamp, IP address, device, and signature reference). Signed documents are immutable and stored securely.
- Project and task collaboration: Enabling teams to create projects, assign tasks, track progress, and share files.
- Messaging and communication: Facilitating real-time chat between employees, including text, images, video, files, and voice notes, with offline-first delivery.
- Meetings: Scheduling, managing, and optionally syncing meetings with Google Calendar via OAuth.
- Talent Marketplace: Displaying public Talent profiles, highlights, portfolio media, and enabling clients to place real-world service bookings (content creation, influencer campaigns, UGC production).
- CRM: Managing leads, contacts, accounts, quotations, invoices, and sales activity for organizations that have CRM access enabled.
- Authentication and security: Issuing and validating JSON Web Tokens (JWT) to secure sessions, supporting multi-email login (org email, personal email, and domain-alias variants), and enabling silent re-authentication for a seamless experience.
- Push notifications: Delivering timely alerts for tasks, messages, meetings, and attendance via Firebase Cloud Messaging.
3.2 What We Do Not Do
We do not use your data for advertising, behavioral profiling, or any purpose unrelated to the core functionality described above. We do not sell, rent, or trade your personal information to any third party.
4. Data Storage and Security
- Encryption in transit: All communication between the App and our servers uses TLS/HTTPS. App Transport Security (ATS) is enforced — the App will not communicate over unencrypted connections.
- Encryption at rest (device): Sensitive credentials such as saved login tokens are stored in the iOS Keychain via Flutter Secure Storage, not in plaintext.
- Local offline database: Chat messages and queued actions are cached locally in an encrypted SQLite database and synced when connectivity is restored.
- Password hashing: All passwords are hashed with bcrypt before storage. Plain-text passwords are never stored or logged.
- Signed documents: Signed PDF copies are stored outside of the web-accessible directory and delivered only via short-lived (5-minute), HMAC-signed download URLs. Signed copies are immutable — editing a template never alters a previously signed document.
- Server security: Our backend infrastructure uses firewall protection, regular security patches, and role-based access controls. Only authorised administrators can access employee HR data.
- Data retention: We retain your data for as long as your account is active or as required by applicable labor, employment, and tax laws. When you request account deletion, your account is deactivated immediately. Data subject to legal retention obligations is kept only for the required period and then deleted.
5. Data Sharing and Third Parties
We do not sell your data. We share information only with the following service providers, strictly to operate the App:
| Service Provider | Purpose | Privacy Policy |
| --- | --- | --- |
| Firebase (Google) | Push notification delivery via Firebase Cloud Messaging (FCM). Firebase receives your device token and notification payload. | firebase.google.com/support/privacy |
| Google Calendar API | Optional meeting sync. Used only if you explicitly connect your Google account. Google receives meeting details you choose to sync. | policies.google.com/privacy |
| Third-Party Payment Gateway | Processing payments for Talent Marketplace bookings (real-world talent engagement services). Payment is handled entirely by the external gateway — AlGraphy does not receive or store card details. | Governed by the gateway provider's privacy policy, displayed at payment time. |
| OpenStreetMap Nominatim | Reverse geocoding (converting GPS coordinates to a readable address for attendance records). Only latitude and longitude are sent — no personal identifiers. | osmfoundation.org |
Organizational Administrators
If you use the App as an employee or client, your organization's designated administrator may access your work-related data (attendance records, task activity, project participation, signed documents, and leave history) as part of standard HR management. This access is governed by your employment agreement with that organization.
Legal Disclosures
We may disclose personal information if required by applicable law, a valid court order, or an enforceable governmental request, and only to the extent necessary to comply.
6. Your Rights and Choices
You have the following rights over your personal data:
- Access: View your personal profile data at any time through the Profile section of the App.
- Correction: Update your profile information (name, picture, bio, phone number, social links) through the Edit Profile feature or by contacting your organization's administrator for employment-record corrections.
- Account deletion: Request deletion of your account at any time via Settings → Delete Account in the App. The process requires you to type "DELETE" to confirm intent. Your account is deactivated immediately. Data subject to legal retention obligations (e.g., payroll records, signed employment documents) is retained only as required by law.
- Permission revocation: Revoke any device permission (location, camera, microphone, photo library, calendar) at any time via your device's Settings → Privacy & Security → AlGraphy Pro.
- Push notification control: Disable push notifications through your device's Settings → Notifications → AlGraphy Pro at any time.
- Google Calendar disconnection: Disconnect your Google account from the Meetings module at any time through the Meetings settings. This immediately revokes AlGraphy's access to your calendar.
- Data portability: Request a copy of your personal data by emailing us at the address below.
- Data erasure requests: To request erasure of data beyond what the in-app deletion covers, contact us directly. We will respond within 30 days.
7. Talent Marketplace and Bookings
The Talent Marketplace is a public-facing section of the App where Talent users can create a public profile visible to other users.
- Public profile data: Information you add to your Talent profile (name, bio, portfolio media, highlight reels, social media links, expertise tags) is publicly visible to other App users and may be displayed on the AlGraphy web platform.
- Booking data: When a client places a booking, both parties' contact details, booking dates, and service descriptions are recorded and visible to both the talent and the client.
- Payment data: Booking payments are processed by a third-party payment gateway. AlGraphy records the booking status (pending, paid, completed, cancelled) but does not store card numbers or payment credentials. See Section 5 for the gateway's privacy policy reference.
- Booking payments are for real-world services (content creation, influencer campaigns, UGC production, etc.) and are not purchases of digital goods within the App.
8. Employee Onboarding and Document Signing
When your organization invites you to join AlGraphy Pro via an invitation link:
- A time-limited invitation token (valid for 72 hours) is emailed to you. This token is used only to authenticate the onboarding flow and expires after use.
- During onboarding you will set a password, draw or upload a signature, and review and sign required HR documents.
- Each signed document produces an immutable PDF stored securely on AlGraphy's servers with a full audit trail: your user ID, a timestamp, your IP address, device information, and a reference to the signature used. Signed copies cannot be altered retroactively.
- Your signature image is stored encrypted and used only for document signing within AlGraphy Pro.
9. Children's Privacy
AlGraphy Pro is designed exclusively for use by adults in a professional or business context. It is not directed at children under the age of 16. We do not knowingly collect personal information from children. If we discover that a child under 16 has created an account, we will delete their data promptly. If you believe a child has submitted personal information through the App, please contact us immediately.
10. International Data Transfers
Your data may be processed and stored on servers located outside your country of residence, including in countries that may have different data protection laws than your own. By using the App, you consent to these transfers. We apply appropriate safeguards — including contractual protections with service providers — to ensure your data is protected regardless of where it is processed.
11. Changes to This Privacy Policy
We may update this Privacy Policy as the App evolves or as legal requirements change. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you through the App or via email where required by law or where we judge the change to be significant.
We encourage you to review this policy periodically. Continued use of the App after a change is posted constitutes your acceptance of the updated policy.
12. Contact Us
If you have any questions, concerns, or requests about this Privacy Policy or how we handle your personal data, please reach out:
We aim to respond to all data-related requests within 30 days.