Privacy Policy

1. Introduction

Dheeram Innovations Private Limited (the "Company", "we", "us", or "our") operates the websites CamsBiometrics.com and CamsUnit.com (collectively, the "Websites") and provides biometric device management services, including our Biometric Gateway platform, AI-powered support agents, and Model Context Protocol (MCP) integration services.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Websites, services, and integrated technologies. We are committed to protecting your privacy and ensuring the security of your personal and biometric data in compliance with applicable data protection laws.

2. Definitions

For the purposes of this Privacy Policy:

• "Biometric Data" refers to fingerprint templates, facial recognition data, iris scans, and other biological identifiers processed by biometric devices connected to our platform.
• "Biometric Gateway" refers to our cloud-based platform that manages communication between biometric devices and client systems.
• "MCP (Model Context Protocol)" refers to the integration protocol that enables AI agents to interact with our biometric systems and retrieve device information.
• "AI Agent" or "AI Support Agent" refers to artificial intelligence systems, including those powered by Anthropic's Claude, that provide automated support and device management assistance.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Client" or "Customer" refers to organizations that use our Biometric Gateway services to manage their biometric devices.
• "End User" refers to individuals whose biometric data is captured by devices managed through our platform.

3. Information We Collect

3.1 Information Collected Directly from You

When you register for an account, use our services, or communicate with us, we may collect:

• Account Information: Name, email address, phone number, company name, job title
• Authentication Credentials: Client keys, passcodes, API keys, and access tokens
• Billing Information: Payment details, billing address, tax information
• Communication Data: Messages, support tickets, feedback, and correspondence
• Device Registration Data: Serial numbers, device models, custom labels, installation locations

3.2 Device and Transaction Data

Our Biometric Gateway automatically collects operational data from connected devices:

• Device Metadata: Serial numbers, model information, firmware versions, license status
• Transaction Logs: Attendance records, access events, timestamps, queue status
• System Metrics: Online/offline status, connection times, data synchronization records
• Queue Information: Processing queues, retry attempts, error logs
• Server Configuration: Callback URLs, service connections, API endpoints

3.3 Biometric Data (Limited Processing)

We process the following biometric-related information:

• Biometric Templates: Encrypted mathematical representations (not raw biometric images) temporarily passed through our system for synchronization
• Transaction Metadata: Employee IDs, timestamps, device IDs associated with biometric events
• Attendance Records: Check-in/check-out times, location data (device-level only)

Raw biometric data remains on the biometric devices and is transmitted directly to client-controlled servers. Our gateway facilitates this transmission but does not retain the biometric templates or images.

3.4 MCP Integration and AI Agent Data

When you interact with our AI-powered support agents through MCP integration:

• Query Data: Questions, commands, and requests submitted to AI agents
• Session Information: Conversation context, interaction timestamps, user preferences
• Diagnostic Data: Device status queries, health check results, troubleshooting logs
• MCP Tool Usage: Function calls made through the MCP interface for device management, diagnostics, queue operations, configuration management, and other administrative tasks
• API Responses: Data returned from our services to the AI agent for processing

As we expand our end-to-end Agent AI capabilities, additional data types may be collected to support new intelligent automation features. Current MCP tools and their data access patterns are documented in our technical documentation and API reference guides.

3.5 Automatically Collected Information

• Website Usage Data: IP addresses, browser types, device information, operating systems
• Cookies and Tracking: Session cookies, authentication tokens, analytics data
• Log Files: Access logs, error reports, performance metrics
• Location Data: Approximate geographic location based on IP address (for service optimization)

4. How We Use Your Information

4.1 Service Delivery and Operations

• Operate and maintain the Biometric Gateway platform
• Facilitate real-time communication between biometric devices and client servers
• Process attendance data and synchronize device queues
• Monitor device health, connectivity, and license validity
• Enable MCP-powered AI agent interactions for device management and support
• Generate device inventory reports and transaction logs

4.2 AI Agent and MCP Services

• Provide intelligent device diagnostics and troubleshooting through AI agents
• Respond to natural language queries about device status and performance
• Automate device queue management and error resolution
• Generate insights from device activity and transaction patterns
• Enable conversational interfaces for system administration
• Improve AI agent accuracy and response quality through usage analysis

4.3 Customer Support and Communications

• Respond to support requests and technical inquiries
• Send service notifications, system alerts, and security updates
• Provide device configuration assistance and migration support
• Deliver training materials and documentation

4.4 Security and Compliance

• Authenticate users and prevent unauthorized access
• Detect and prevent fraudulent activities and security threats
• Conduct security audits and vulnerability assessments
• Comply with legal obligations and regulatory requirements
• Enforce our Terms and Conditions and protect our rights

4.5 Analytics and Improvement

• Analyze service usage patterns and performance metrics
• Improve platform functionality and user experience
• Develop new features and enhancements
• Conduct research and statistical analysis

5. MCP Integration and AI Agent Privacy

5.0 Overview of Our AI Platform Evolution

Cams Biometrics is continuously developing its AI capabilities to provide end-to-end Agent AI solutions for intelligent biometric device management. Our MCP (Model Context Protocol) integration serves as the foundation for these AI-driven services, enabling sophisticated automation, intelligent diagnostics, predictive maintenance, and conversational management interfaces.

As our Agent AI platform evolves, we will introduce new capabilities, tools, and integrations to enhance automation and intelligence across all aspects of device management. This Privacy Policy applies to all current and future AI agent services, with the core privacy principles remaining consistent: stateless operations, authentication requirements, scoped access, and user control.

5.1 MCP Server Architecture

Our MCP server provides a standardized interface for AI agents to interact with biometric device data. The MCP integration is designed with privacy and security at its core:

• Stateless Operations: MCP interactions do not retain conversation history on our servers
• Authentication Required: All MCP requests require valid client keys and passcodes
• Scoped Access: AI agents can only access data authorized for the authenticated client
• Read-Only by Default: Most MCP tools provide read-only access to device information
• Audit Logging: All MCP tool invocations are logged for security monitoring
• Extensible Architecture: Designed to accommodate future Agent AI capabilities while maintaining privacy and security standards

5.2 AI Agent Data Processing

When AI agents (including Anthropic's Claude) interact with our MCP server:

• Query Processing: User queries are processed by the AI provider (e.g., Anthropic) according to their privacy policies
• Data Transmission: Only requested device data is transmitted to the AI agent for generating responses
• Temporary Access: Data is provided to the AI agent for the duration of the conversation session only
• No Long-term Storage: We do not permanently store AI conversation transcripts unless required for support purposes
• Third-Party Processing: When using third-party AI providers, their privacy policies apply to the processing of conversation data

5.3 User Control Over AI Interactions

You maintain control over AI agent access to your data:

• AI agents require explicit authentication credentials (client key and passcode)
• You can revoke API access at any time through your account settings
• You can choose which devices and data are accessible via MCP tools
• You can request deletion of AI interaction logs (subject to legal retention requirements)

5.4 AI-Powered Features and Data Access

Our AI-powered features leverage MCP integration to provide intelligent device management capabilities. The types of data accessed and processed include:

• Device Information: Serial numbers, models, labels, online status, license information, firmware versions, and client associations
• Operational Metrics: Transaction logs, attendance counts, timestamps, queue status, error logs, and retry schedules
• System Health Data: Connectivity metrics, performance indicators, synchronization status, and diagnostic information
• Configuration Data: Device settings, callback URLs, migration records, and configuration changes

Purpose of AI Data Access: AI agents use this data to diagnose device connectivity and operational issues, generate usage insights and identify anomalies, provide comprehensive device management overviews, automate queue resets and troubleshoot data flow, track and assist with device migrations, and deliver proactive recommendations for system optimization.

As we continue to develop our end-to-end Agent AI platform, additional data access patterns and AI-powered features may be introduced. All AI features will continue to operate under the same privacy and security principles outlined in this policy, with authentication requirements, scoped access controls, and user control over AI interactions.

6. Biometric Gateway Data Architecture

6.1 Gateway Role and Data Flow

The Biometric Gateway operates as a secure intermediary between biometric devices and client systems:

• Device → Gateway: Devices send attendance transactions and status updates to our gateway
• Gateway → Client Server: Gateway forwards data to client-configured callback URLs
• Temporary Queue Storage: Data is queued temporarily (typically minutes to hours) for reliable delivery
• No Permanent Biometric Storage: Raw biometric templates are never stored on our servers

6.2 Data Retention in the Gateway

6.3 Client Server Responsibilities

Important: Clients who receive biometric data through our gateway are independent data controllers responsible for:

• Obtaining proper consent from end users for biometric data collection
• Implementing secure storage and access controls on their servers
• Complying with applicable biometric privacy laws in their jurisdiction
• Managing end user data subject rights (access, deletion, portability)
• Maintaining their own privacy policies and data protection practices

7. Data Sharing and Third-Party Services

7.1 Service Providers and Partners

We may share your information with trusted third-party service providers who assist us in operating our services:

• Cloud Infrastructure: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform for hosting and data storage
• AI Service Providers: Anthropic (Claude AI), OpenAI, or other AI platforms for powering intelligent support features
• Payment Processors: Stripe, Razorpay, or similar services for handling billing and payments
• Analytics Services: Google Analytics, Mixpanel for understanding service usage
• Communication Tools: Email service providers, SMS gateways for notifications
• Security Services: Cloudflare, security monitoring and threat detection services

These service providers are contractually obligated to protect your data and use it only for the purposes we specify.

7.2 Client Organizations

Device data and transaction information are shared with the client organizations that own and operate the biometric devices. Clients receive:

• Attendance transaction data from their registered devices
• Device status and health information
• System alerts and notifications
• Usage reports and analytics

7.3 Legal Obligations and Protection

We may disclose your information when required by law or to protect our rights:

• Compliance with legal processes, court orders, or government requests
• Enforcement of our Terms and Conditions
• Protection against fraud, security threats, or illegal activities
• Defense of legal claims or protection of rights and property
• Protection of the safety of our users or the public

7.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such change and the choices you may have regarding your data.

7.5 No Sale of Personal Data

We do not sell your personal data or biometric information to third parties for monetary or other valuable consideration.

8. Data Security

8.1 Security Measures

We implement industry-standard security measures to protect your data:

• Encryption: TLS/SSL encryption for data in transit; AES-256 encryption for data at rest
• Authentication: Multi-factor authentication, strong password requirements, API key management
• Access Controls: Role-based access control (RBAC), principle of least privilege
• Network Security: Firewalls, intrusion detection systems, DDoS protection
• Monitoring: 24/7 security monitoring, automated threat detection, regular vulnerability scans
• Audit Logging: Comprehensive logging of access and changes to sensitive data
• Secure Development: Security code reviews, penetration testing, secure SDLC practices

8.2 Biometric Data Security

Additional security measures for biometric-related data:

• Biometric templates are transmitted only over encrypted channels
• Templates are stored in encrypted format on devices and client servers
• Our gateway does not cache or permanently store raw biometric data
• Access to biometric transaction logs is strictly controlled and audited
• Biometric data is segregated from other system data

8.3 MCP and AI Security

• All MCP requests require authentication via client keys and passcodes
• API rate limiting prevents abuse and unauthorized access attempts
• AI agent interactions are logged for security auditing
• Sensitive data is filtered before being provided to AI agents
• AI providers are required to meet our security standards

8.4 Incident Response

In the event of a data breach affecting personal or biometric data, we will:

• Investigate and contain the incident promptly
• Notify affected users within 72 hours of discovery
• Report to relevant regulatory authorities as required by law
• Provide information about the nature of the breach and remediation steps
• Offer assistance to affected individuals (e.g., credit monitoring if applicable)

8.5 Your Security Responsibilities

You play a critical role in protecting your data:

• Keep your client keys, passcodes, and API credentials confidential
• Use strong, unique passwords and enable multi-factor authentication
• Regularly review access logs and device activity
• Report suspicious activity or security concerns immediately
• Keep your contact information up to date for security notifications

9. Your Rights and Choices

9.1 Access and Portability

You have the right to:

• Access your personal data held by us
• Request a copy of your data in a structured, machine-readable format
• Export device transaction logs and analytics reports

9.2 Correction and Update

You can:

• Update your account information through the user dashboard
• Correct inaccurate device labels or configurations
• Request correction of erroneous data in our systems

9.3 Deletion and Erasure

You may request deletion of:

• Your account and associated personal data
• Specific device records (subject to legal retention requirements)
• AI interaction logs and conversation histories

Note: We may retain certain data for legal, security, or operational purposes even after account deletion, including transaction logs required for compliance or dispute resolution.

9.4 Restriction and Objection

You can:

• Restrict processing of your data for specific purposes
• Object to processing based on legitimate interests
• Opt out of non-essential data collection and analytics
• Disable AI-powered features if you prefer manual support

9.5 Withdrawal of Consent

Where processing is based on consent, you may withdraw consent at any time, including:

• Marketing communications (via unsubscribe links)
• Optional analytics and improvement programs
• MCP/AI agent access to your account

9.6 How to Exercise Your Rights

To exercise any of these rights:

• Email us at: [email protected]
• Use the privacy request form in your account dashboard
• Contact our Data Protection Officer (see Section 14)

We will respond to your request within 30 days and may require identity verification.

10. Cookies and Tracking Technologies

10.1 Types of Cookies We Use

10.2 Managing Cookie Preferences

You can control cookies through:

• Browser settings (most browsers allow you to refuse cookies)
• Our cookie preference center (accessible in website footer)
• Third-party opt-out tools (e.g., Google Analytics opt-out)

Note: Disabling essential cookies may limit website functionality.

10.3 Third-Party Analytics

We use analytics services that may collect data about your website usage:

• Google Analytics: Website traffic and user behavior analysis
• Mixpanel: Product usage analytics and feature adoption

These services have their own privacy policies governing their data collection practices.

11. International Data Transfers

Our services are operated from India, and data may be transferred to, stored, or processed in India or other countries where we or our service providers maintain facilities.

11.1 Transfer Safeguards

When transferring data internationally, we implement appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Adequacy decisions recognizing equivalent data protection standards
• Binding Corporate Rules for intra-company transfers
• Certification mechanisms (e.g., EU-U.S. Data Privacy Framework, if applicable)

11.2 Cross-Border Data Flow

Data may flow across borders in the following scenarios:

• Client servers located in different countries than the devices
• Cloud infrastructure distributed across multiple regions
• AI service providers operating in different jurisdictions
• Support services provided from various global locations

12. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

Special Note on Biometric Data: If biometric devices are used in educational institutions or other settings involving minors, it is the responsibility of the client organization to:

• Obtain appropriate parental or guardian consent
• Comply with applicable laws regarding children's biometric data
• Provide clear notice to parents about biometric data collection
• Offer alternative non-biometric authentication methods

If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected].

13. Compliance with Biometric Privacy Laws

13.1 General Compliance

We are committed to compliance with biometric privacy regulations, including but not limited to:

• Illinois Biometric Information Privacy Act (BIPA)
• Texas Capture or Use of Biometric Identifier Act (CUBI)
• California Consumer Privacy Act (CCPA) biometric provisions
• EU General Data Protection Regulation (GDPR) special category data rules
• Indian Digital Personal Data Protection Act (DPDPA)

13.2 Client Responsibilities for Biometric Compliance

Critical: As the entity deploying biometric devices and collecting end-user biometric data, client organizations are responsible for:

1. Notice: Informing individuals in writing that biometric data is being collected
2. Consent: Obtaining written consent before collecting biometric identifiers
3. Purpose Limitation: Collecting biometric data only for legitimate, specified purposes
4. Retention Limits: Establishing and adhering to biometric data retention schedules
5. Security: Implementing reasonable security measures to protect biometric data
6. No Sale: Not selling, leasing, or disclosing biometric data without consent
7. Destruction: Permanently destroying biometric data when the purpose is satisfied or within specified timeframes

13.3 Our Role and Limitations

Dheeram Innovations acts as a data processor providing technical infrastructure. We:

• Do NOT collect consent from end users (this is the client's responsibility)
• Do NOT determine the purposes for biometric data collection
• Do NOT permanently store raw biometric data on our servers
• Provide technical capabilities for clients to fulfill their compliance obligations
• Assist clients with data deletion and data subject access requests upon instruction

14. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other operational needs.

14.1 Notification of Changes

When we make material changes to this Privacy Policy, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email to your registered email address
• Display a prominent notice on our Websites
• Request your consent for material changes that expand our data processing activities

14.2 Your Acceptance

Continued use of our services after notification of changes constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of our services and contact us to close your account.

14.3 User Responsibility for Monitoring Changes

15. Contact Information

16. Regulatory Authority

If you have concerns about our data practices that we have not adequately addressed, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:

• India: Data Protection Board of India (under DPDPA)
• EU/EEA: Your local Data Protection Authority
• UK: Information Commissioner's Office (ICO)
• USA: Federal Trade Commission (FTC) or state Attorney General

17. Acknowledgment and Consent

By using our Websites and services, you acknowledge that:

• You have read and understood this Privacy Policy in its entirety
• You consent to the collection, use, and disclosure of your information as described
• You understand the role of MCP integration and AI agents in processing your data
• If you are a client organization, you acknowledge your responsibilities for end-user biometric data compliance
• You agree to receive communications from us regarding your account and services