mehman.io

Privacy Policy

Effective 1 June 2026. Last updated 1 June 2026.

Contents

  1. Who we are
  2. Information we collect
  3. How we use your information
  4. Legal basis for processing
  5. Data sharing and disclosures
  6. International data transfers
  7. Data retention
  8. Your rights
  9. Cookies and tracking
  10. Children's privacy
  11. Changes to this policy
  12. Contact us

Summary: mehman.io processes personal data to deliver its property management platform. We collect only what we need, share only what is necessary, and never sell your data. Indian residents also benefit from rights under the Digital Personal Data Protection Act, 2023 (DPDP Act).

01

Who we are

mehman.io (“we”, “us”, or “our”) is an AI-powered property management platform built for Indian short-term rental operators. Our platform helps hosts manage guest communication, OTA channel syncing, GST invoicing, FRRO/Form C compliance, and payment collection.

For the purposes of applicable data-protection law, mehman.io acts as a Data Fiduciary (under India's DPDP Act) and/or a data controller in respect of personal data collected from users of our platform.

When we process guest data on behalf of a property manager (our customer), we act as a Data Processor / Consent Manager and handle that data strictly according to the instructions of the relevant property manager.

02

Information we collect

Account & profile data

  • Name, email address, phone number, and profile photo when you create an account.
  • Business details (property name, GST number, registered address) required for invoicing and regulatory compliance.
  • Authentication credentials managed securely via Clerk.

Guest data (processed on behalf of property managers)

  • Name, contact details, government-issued ID information collected for FRRO / Form C compliance.
  • Booking details: check-in/check-out dates, room type, payment status.
  • Conversation history across channels (WhatsApp, email, OTA messaging).

Usage and technical data

  • Log data (IP address, browser type, pages visited, timestamps).
  • Device identifiers and session tokens.
  • Feature usage telemetry to improve the platform.

Payment data

Payment transactions are processed by third-party payment gateways (e.g., Razorpay, Stripe). We store only non-sensitive reference identifiers returned by those processors and never retain raw card or bank account numbers.

AI interaction data

When you use our AI features, prompts and responses may be logged for quality assurance, safety review, and model improvement, in de-identified or aggregated form where possible.

03

How we use your information

We use personal data to:

  • Provide, operate, and improve the mehman.io platform and its features.
  • Authenticate users and maintain account security.
  • Generate GST-compliant invoices and support FRRO / Form C regulatory filings on your behalf.
  • Sync reservation calendars with OTA platforms (Airbnb, Booking.com, MakeMyTrip, etc.).
  • Power AI-assisted guest communication and automated workflows.
  • Send transactional notifications (booking confirmations, alerts, billing receipts).
  • Send product updates and marketing communications (only with your consent; you may opt out at any time).
  • Detect, investigate, and prevent fraudulent or unauthorized activity.
  • Comply with applicable laws and legal obligations.

We do not sell personal data to third parties, use it to build advertising profiles, or share it for behavioural advertising purposes.

04

Legal basis for processing

Where European or UK data-protection law (GDPR / UK GDPR) applies, we rely on the following legal bases:

  • Contract performance: processing necessary to deliver the services you have subscribed to.
  • Legitimate interests: security monitoring, fraud prevention, platform analytics, and product improvement.
  • Legal obligation: compliance with GST, FRRO, and other statutory requirements.
  • Consent: marketing emails and optional analytics features.

Under India's DPDP Act 2023, we process personal data on the basis of your consent and/or certain legitimate uses permitted by that Act, including the fulfilment of a lawful contract and compliance with applicable law.

05

Data sharing and disclosures

We share personal data only in the following circumstances:

Service providers

We engage trusted sub-processors (cloud hosting, email delivery, payment processors, AI model providers) under data-processing agreements that restrict their use to providing services to us.

OTA integrations

Reservation and guest data is synchronised with OTA platforms at the direction of the property manager. Each OTA's privacy policy governs data held on their systems.

Regulatory authorities

We may disclose data to government agencies (e.g., FRRO, Income Tax, GST authorities) where required by law.

Business transfers

If mehman.io is acquired or merges with another entity, personal data may be transferred as part of that transaction, subject to equivalent privacy protections.

With your consent

We share data with third parties in any other circumstances only with your explicit consent.

06

International data transfers

Our infrastructure may involve data transfers outside India. Where such transfers occur, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent mechanisms recognised under applicable law.

For EU/EEA or UK data subjects, transfers to third countries are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner's Office.

07

Data retention

We retain personal data for as long as necessary to provide our services and comply with legal obligations:

  • Account data: retained while your account is active and for 90 days after deletion to allow for reinstatement.
  • Booking and financial records: retained for 7 years to meet GST and accounting obligations.
  • FRRO / Form C records: retained in accordance with the Foreigners Act, 1946 and Ministry of Home Affairs guidelines (typically 1 year after guest departure).
  • Conversation logs: retained for 2 years for support and dispute resolution, then deleted or anonymised.
  • AI interaction logs: retained in de-identified form for model improvement; identified logs deleted within 90 days.

You may request earlier deletion subject to legal retention requirements. See Your rights for details.

08

Your rights

Depending on your jurisdiction, you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Correction: ask us to correct inaccurate or incomplete data.
  • Erasure (Right to be Forgotten): request deletion of your personal data where we no longer have a lawful basis to retain it.
  • Restriction: ask us to restrict processing in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Object: object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Nominate: under the DPDP Act, you may nominate an individual to exercise your rights on your behalf.

To exercise any of these rights, please submit a request at our data deletion page or email us at privacy@mehman.io. We will respond within 30 days (or such shorter period as required by law).

You also have the right to lodge a complaint with your relevant supervisory authority. In India, this is the Data Protection Board of India once constituted. In the EU/EEA, contact your national data protection authority.

09

Cookies and tracking

We use essential cookies and similar technologies to operate the platform (authentication sessions, CSRF protection). We also use analytics cookies to understand aggregate usage patterns.

We do not use third-party advertising cookies or cross-site tracking pixels. You can disable non-essential cookies in your browser settings; this will not prevent you from using core platform features.

10

Children's privacy

The mehman.io platform is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us immediately at privacy@mehman.io.

11

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or a prominent notice on the platform at least 14 days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision.

Your continued use of the platform after the effective date of a revised policy constitutes your acceptance of the changes.

12

Contact us

Data Privacy Officer

mehman.io

Email: privacy@mehman.io

For data deletion requests: mehman.io/data-deletion

Response time: within 30 days of receiving a verifiable request.

© 2026 mehman.io. All rights reserved.