Legal

Privacy Policy

Last updated: 2026-05-29

FARIS ("we," "our," "us") provides a professional services automation platform at app.farisintel.com. This policy explains what we collect, how we use it, who we share it with, and the rights you have over your data.

If you are a Google or Microsoft account holder using FARIS to ingest mail or calendar data, the sections on Google API Services and Microsoft Graph data apply specifically to you.

1. Who we are

FARIS is operated by Shehzad Shaikh, a sole proprietor based in India, acting as the data controller. You can contact us at i@shehzadshaikh.com for any privacy questions, data access requests, or deletion requests.

2. Data we collect

2.1 Account data

• Identity: your email address, name, and Google account ID (for sign-in via Cognito federation).
• Tenant data: organization name, currency, timezone, theme preferences.
• Settings: notification preferences, custom task statuses, integration configuration.

2.2 Workspace data you create

• Clients, projects, tasks, time entries, invoices, timesheets, and the metadata that links them.
• Files you upload (logos, invoice PDFs, timesheet attachments).

2.3 Integration data (Google + Microsoft)

When you connect a Google or Microsoft account, we receive an OAuth access token and refresh token. With your consent we then read:

• Gmail: message metadata (sender, recipients, subject, date), message snippets, and message bodies for the threads we backfill (30 days on initial connect, ongoing 15-minute sync thereafter). Scope used: gmail.readonly.
• Google Calendar: event metadata (title, attendees, start/end time, RSVP status) and the events you create / edit / cancel through FARIS. Scope used: calendar.events.
• Microsoft Graph: the same shape — message and event metadata + bodies. Scopes used: Mail.Read, Calendars.ReadWrite.

2.4 Operational data

• Request logs (IP, user agent, path, status code) retained for 30 days for security and abuse-prevention.
• Activity / event log — a tenant-scoped audit stream of CRUD actions you take inside FARIS.

2.5 Billing data

If you upgrade to the paid Pro plan, payment processing is handled by Stripe. We do not store card numbers. Stripe returns a customer ID + subscription status that we associate with your tenant.

3. How we use your data

• Provide the service: render dashboards, generate invoices, auto-link emails to clients, send reminders.
• Surface intelligence inside the product: suggest time entries from calendar events, draft AR follow-up emails, flag stale projects, send weekly recap emails. All processing is deterministic and runs server-side in our own AWS account.
• Communicate with you: service emails (AR follow-up drafts you approve, weekly recap), account-related notifications, security alerts.
• Improve the product: aggregated, anonymized usage metrics. We do not use the content of your emails, calendar, or workspace data to improve a generic model or to train any machine-learning system.

4. Google API Services User Data — Limited Use compliance

FARIS' use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data to provide and improve user-facing features of FARIS that are prominent in the application's user interface.
• We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features that are visible to you, and only with your consent.
• We do not use Google user data for serving advertisements.
• We do not allow humans to read Google user data unless: (a) we have your affirmative consent, (b) it is necessary for security reasons (e.g., investigating abuse), (c) it is required by law, or (d) the data has been aggregated and anonymized for internal operations.

5. Who we share data with

We share data only with the processors required to run the service:

• Amazon Web Services (AWS) — hosting, DynamoDB storage, Lambda compute, S3 file storage. Region: ap-south-1.
• Cognito — identity federation for sign-in.
• Stripe — payment processing for Pro plan subscriptions.
• Resend — transactional email delivery (AR follow-ups you approve, weekly recap, account notifications).
• Google and Microsoft — for OAuth and for the read APIs you consented to.

We do not sell user data. We do not share user data with advertising networks.

6. Storage, encryption, and retention

• OAuth tokens (Google + Microsoft) are encrypted at rest using AES-256-GCM with a per-deployment key managed via AWS SSM.
• Workspace data is stored in a tenant-scoped DynamoDB table. Every database operation is enforced at the SDK wrapper layer — cross-tenant access is structurally impossible.
• Request logs are retained for 30 days, then purged.
• Workspace data is retained for the lifetime of your account. On account deletion (see §7) it is purged within 30 days.

7. Your rights

• Access + export — request a JSON export of all your tenant's data from Settings → Danger Zone, or by emailing us.
• Disconnect integrations — revoke any connected Google or Microsoft account at any time from Settings → Integrations. The OAuth tokens are deleted immediately. Email and calendar data already ingested remains in your workspace until you delete it explicitly.
• Delete your account — full tenant purge from Settings → Danger Zone, or by emailing us. Completed within 30 days.
• Object, restrict, or correct — email us at i@shehzadshaikh.com.
• Revoke Google access directly with Google at myaccount.google.com/permissions.

8. Children

FARIS is not directed at children under 16, and we do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete it.

9. International transfers

Our primary infrastructure is in AWS ap-south-1 (Mumbai). Some processors (Stripe, Resend, Cognito) operate from other regions. By using FARIS you consent to these transfers.

10. Changes to this policy

We may update this policy as the product evolves. Material changes will be announced in-app and emailed to the tenant owner. The "Last updated" date at the top reflects the current version.

11. Contact

Privacy questions, data access, or deletion requests: i@shehzadshaikh.com.