Privacy Policy
This Privacy Policy explains how recon ("we", "us", or "our") collects, uses, stores, shares, and protects information when you use our website, dashboard, and CLI (collectively, the "Service"). It is published in compliance with Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 made under the Information Technology Act, 2000, and tracks the obligations of a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") as its provisions are brought into force.
Our handling of personal data is also informed by the right to privacy recognised as a fundamental right under Article 21 of the Constitution of India in Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
01Who we are
recon is the data fiduciary for personal data processed in connection with your account, licence, and payments. For matters under the IT Act, 2000 and the DPDP Act, 2023, we have appointed a Grievance Officer (see Section 13).
02Scope
This Policy covers data processed when you (i) visit our website at mcprecon.pages.dev; (ii) create or sign in to an account; (iii) purchase or renew a Subscription; or (iv) authenticate the recon CLI. It does not cover the source code on your local machine — that never leaves your device.
03What we collect
| Category | Examples | Lawful basis |
|---|---|---|
| Account | Email address, hashed password, display name, OAuth subject identifier (if you sign in with a third party). | Performance of the contract with you; your consent. |
| Billing | Plan tier, billing cycle, GSTIN if you provide one, country, invoice metadata. Card / UPI / netbanking data is collected and tokenised by Razorpay; we receive only a payment reference. | Performance of the contract; legal obligation under tax law. |
| Licence & repo registration | Licence key, machine fingerprint, SHA-256 fingerprint of canonical repo paths registered with your account. | Performance of the contract; legitimate interest in licence enforcement. |
| Diagnostic telemetry (optional) | CLI version, OS, anonymous error counts. No file contents, paths, or symbols. Can be disabled. | Your consent. |
| Web analytics | Aggregate page views, referrer, country (from IP, then discarded), device class. We do not use cross-site tracking cookies. | Legitimate interest in product improvement. |
| Support correspondence | Emails you send to useoboltrack@gmail.com and any attachments you choose to send. | Your consent; performance of the contract. |
04What we never collect
- Your source code, file contents, or symbol names.
- Your file paths beyond the SHA-256 fingerprint required to enforce per-account repo limits.
- Your card number, CVV, OTP, UPI PIN, or netbanking credentials — these are handled by Razorpay under RBI tokenisation rules.
- Sensitive Personal Data or Information as defined in Rule 3 of the SPDI Rules, 2011, except passwords (stored only as a salted hash).
05How we use the data
- To create, authenticate, and operate your account.
- To process payments and issue tax-compliant invoices.
- To enforce Subscription limits (such as the per-plan repository cap) and prevent abuse.
- To respond to your support requests.
- To send service emails (renewals, security advisories, material policy changes). We do not send marketing emails without your separate opt-in.
- To comply with applicable Indian law and respond to lawful requests by public authorities.
06How we share data
We share data only with vetted processors acting under written contracts:
- Razorpay Software Private Limited — payment processing, refunds, and chargebacks.
- Cloudflare — hosting (Cloudflare Pages) and edge security for the website and worker.
- Email providers — for transactional email delivery.
We do not sell personal data and do not share it for third-party advertising. We may disclose data when required by law, by a court order, or to protect rights, life, or property.
07Cross-border transfer
Some processors may store or process data outside India. Such transfers are made under contractual safeguards and only to the extent permitted by Section 16 of the DPDP Act, 2023, read with notifications issued by the Central Government. By using the Service, you consent to such transfers where required for performance of the contract.
08Retention
- Account data is retained while your account is active and for up to thirty (30) days after closure, after which it is deleted or anonymised.
- Invoices and tax records are retained for eight (8) years as required by the CGST Act, 2017 and the Income-tax Act, 1961.
- Diagnostic telemetry is retained in aggregate form for up to twelve (12) months.
- Server logs are retained for up to ninety (90) days for security and abuse-prevention purposes.
09Security
We implement reasonable security practices and procedures within the meaning of Section 43A of the IT Act, 2000 and Rule 8 of the SPDI Rules, 2011, including TLS in transit, encryption at rest for sensitive fields, salted password hashing (Argon2 / bcrypt class), least-privilege access controls, and audit logging. No method of transmission or storage is perfectly secure; we will notify affected users and the relevant authority of a personal-data breach where required by law.
10Your rights
Subject to applicable law, you have the right to:
- Access and confirmation of the personal data we hold about you (DPDP Act §11).
- Correction and updating of inaccurate or incomplete data (DPDP Act §12).
- Erasure of personal data once the purpose is no longer served (DPDP Act §12, subject to retention obligations above).
- Withdraw consent previously given, with prospective effect (DPDP Act §6).
- Grievance redressal through our Grievance Officer (DPDP Act §13).
- Nominate another person to exercise your rights in the event of death or incapacity (DPDP Act §14).
- Opt out of optional telemetry at any time, from the dashboard or by setting
RECON_TELEMETRY=0.
To exercise any right, write to useoboltrack@gmail.com from the email associated with your account.
11Cookies
We use a small number of strictly-necessary cookies for authentication (session token), preference (theme), and abuse prevention. We do not use advertising or cross-site tracking cookies. You may block cookies in your browser, but parts of the dashboard will then stop working.
12Children
The Service is not directed at children under the age of 18 in India. We do not knowingly collect personal data of children. If you believe a child has provided data to us, write to the Grievance Officer and we will delete it.
13Grievance officer
In compliance with Rule 5(9) of the SPDI Rules, 2011, Rule 3(2) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and Section 8(10) read with Section 13 of the DPDP Act, 2023:
- Email: useoboltrack@gmail.com
- Acknowledgement: within twenty-four (24) hours
- Resolution window: within fifteen (15) days of receipt
14Changes to this policy
We may update this Policy as the law evolves — for example, when subordinate rules under the DPDP Act, 2023 are notified by the Central Government. Material changes will be announced on the website or by email at least fifteen (15) days before they take effect.
15Contact
Questions about this Policy: useoboltrack@gmail.com. Grievances: useoboltrack@gmail.com.