PRIVACY · v1.0.0 · UPDATED 6 MAY 2026

The privacy policy you can actually read.

TVM Sales is a B2B field-sales platform. We collect what's needed to verify visits and run your sales pipeline — nothing more — and we tell you exactly where each byte lives. This page is the source of truth; the version numbered above corresponds to the app build at com.thetvm.sales / v1.0.0.

TL;DR

📍 We collect GPS, photos, voice notes — only during your active workday.
🔒 TLS 1.3 in transit, encrypted volumes at rest, bcrypt for passwords.
🚫 No advertisers, no data brokers, no third-party analytics.
🗓 GPS pings auto-purge after 90 days. Other records persist with the pipeline.
🛂 You can ask your admin to delete your account; we'll honour it within 30 days.
👶 18+ only. Not designed for, marketed to, or used by children.

01 · Who we are

TVM Sales is built and operated by The Vihaan Methods (TVM), a private company. The platform is sold to organisations ("tenants") who deploy it to their own field-sales staff ("reps") and managers. If you're a rep using the app, your employer is the data controller of your work-related data; we are the data processor acting on their behalf.

Contact: [email protected] · Site: sales.thetvm.com

02 · What we collect

The app deliberately limits collection to what verifies a sales visit and runs the pipeline. The categories below mirror the Play Console "Data safety" form.

Category	What	Why / how
Account info	Name, work email, phone (optional), role (rep / manager / admin), tenant id	Created by your admin via the web dashboard. Reps cannot self-register.
Authentication	Bcrypt-hashed password, optional TOTP secret, JWT access + refresh tokens	Tokens stored in expo-secure-store on device; passwords never leave the server unhashed.
Precise location	GPS coordinates with accuracy radius	Captured at every check-in, every check-out, and at intervals during an active workday. Stops when you end your workday.
Approximate location	Cell-tower IDs + WiFi BSSID hashes	Used by the trust engine to flag spoofed GPS. WiFi BSSIDs are hashed before storage — we never see the network names.
Visit photos	Camera or gallery image + EXIF metadata (timestamp, GPS lat/lng if present)	Optional, attached to a visit. EXIF is read to detect timestamp / location mismatches with the check-in.
Voice notes	Audio captured during a visit (m4a)	Optional. Auto-transcribed locally on our infrastructure — not sent to any third-party speech service.
Workday activity	Workday start / end times, ping cadence, app interaction events	Used to compute trust score, generate manager alerts, and your personal stats.
Device info	Push notification token, app build version, OS version	Push token is required to deliver in-app notifications. Used only for delivery.
Lead + visit content	Client name, contacts, lead stage, value, notes, outcomes	The CRM data your tenant runs the pipeline on.

What we do NOT collect: messages from other apps, contacts list, browser history, biometrics, payment information, advertising IDs, microphone audio outside an explicit voice-note recording, camera feed outside an explicit check-in photo capture.

03 · Permissions we request, and why

Permission	Manifest entry	Status	Why we need it
Precise location	ACCESS_FINE_LOCATION	Required	Verifying check-ins are inside a client's geofence. The app stops capturing the moment you end your workday.
Approximate location	ACCESS_COARSE_LOCATION	Auto-granted alongside fine	Fallback when fine location is unavailable; never used as the primary source for check-in verification.
Camera	CAMERA	Required for check-in	Capturing a live proof-of-visit photo. The camera is invoked only when you tap the photo button.
Photo gallery (read)	READ_MEDIA_IMAGES	Optional	Letting you attach an existing photo if your camera is unavailable. Gallery uploads are flagged in the trust engine — your manager will see they were not live-captured.
Microphone	RECORD_AUDIO	Optional	Recording voice notes during a check-out. Only active while you hold the record button.
Internet	INTERNET	Required	Talking to the API at sales.thetvm.com over HTTPS.
Notifications	POST_NOTIFICATIONS (Android 13+)	Optional	Delivering in-app reminders (morning briefing, manager alerts).
Foreground service	FOREGROUND_SERVICE_LOCATION	Required for ping cadence	Keeps GPS sampling reliable while the app is in the background during a workday. Disabled outside workday hours.

04 · How we secure data — in transit and at rest

In transit

All API traffic between the app, web dashboard, and our servers uses HTTPS / TLS 1.3, terminated at Cloudflare and re-encrypted to the origin via a Cloudflare Tunnel (no public ingress port).
Web sessions use HttpOnly + Secure + SameSite=Lax cookies — JavaScript on a compromised page can't read your access token.
Mobile sessions use short-lived JWT access tokens (15 min) + rotating refresh tokens (7 days) stored in expo-secure-store (Android Keystore / iOS Keychain).

At rest

The primary database (PostgreSQL 16 + PostGIS) runs on encrypted volumes inside a private Synology NAS. The volume uses LUKS-equivalent block encryption; the encryption key is held in NAS firmware and never leaves the device.
Visit photos and voice notes are written to a Docker named volume on the same NAS, gated by an authenticated /uploads/* endpoint — the file path alone is not enough to read them.
Passwords are stored as bcrypt hashes (12 rounds). TOTP secrets are stored alongside; they enable but do not bypass password auth.
Refresh tokens are stored as SHA-256 hashes of the issued token; the plain token only exists on the user's device.

Backups

Database snapshots are taken nightly to a separate volume. Visit photos / voice notes inherit the same backup. Backup retention: 30 days. Backups are not transmitted off-site by default — talk to your admin if your tenant has off-site replication configured.

05 · Who we share data with

Not advertisers, not data brokers, not analytics aggregators. Period.

We share data with third parties only when one of these integrations is explicitly enabled by your tenant's admin:

Category	What	Why / how
Cloudflare	TLS termination + DDoS protection	Cloudflare sees encrypted traffic + IP addresses. Cannot read request bodies.
EduxenOS (TVM stack)	School directory sync + automatic trial-trigger on demo_done outcomes	Only client name + EduxenOS school ID + lead stage are sent. Off by default; per-tenant opt-in.
Meta WhatsApp Business API	Inbound message capture as quick-add leads	Only tenant-side phone numbers and message bodies that your team forwards in. Off by default.
SMTP provider (whichever your tenant configures)	Weekly summary emails, password resets	Only outbound; the provider does not see app data beyond the email body.
Expo Push (FCM + APNs under the hood)	In-app notifications	Token + notification body. We send the body; Expo+Apple+Google deliver it.
OpenStreetMap tile servers	Map rendering on the web dashboard	Tile URL templates only — no user data sent.

All voice-note transcription is performed on our own infrastructure using a self-hosted Whisper model. Audio never reaches Google, Microsoft, OpenAI, AWS Transcribe, or any third-party speech service.

06 · How long we keep data

Category	What	Why / how
GPS pings (background workday samples)	90 days	Auto-purged nightly by a scheduler job. Configurable per tenant via RETENTION_DAYS_PINGS env.
Visits + photos + voice notes + transcripts	Indefinitely (or until tenant deletion)	Required for sales-pipeline history and dispute resolution. Deleted with the visit / client / tenant.
Leads + lead events	Indefinitely (or until tenant deletion)	Same as above — pipeline history must persist.
Audit logs	Indefinitely	Anti-fraud + compliance trail. Cannot be edited; only redacted via account-deletion flow.
Auth tokens (refresh)	7 days	Auto-rotated on every refresh; old refresh tokens are revoked.
Auth tokens (access JWT)	15 minutes	Short-lived to limit exposure on token theft.
Workday + attendance records	Indefinitely	HRMS-style record; required for many tenants' payroll workflows.

07 · Your rights

Under GDPR-style frameworks (including India's Digital Personal Data Protection Act, 2023), you have the right to:

Access the personal data we hold about you. As a rep this is mostly visible in the app; managers and admins have richer views in the web dashboard.
Correct inaccurate data. Edit the relevant record (your client, your lead, your visit) inside the app, or ask your admin.
Delete your account and the data tied to it. Email [email protected] from your work email; we route deletion requests through your tenant's admin (since they're the data controller). Audit log entries that name you may be retained in pseudonymised form for compliance.
Object to processing. If you believe a specific use of your data is unjustified, raise it with your admin or contact us directly.
Data portability. CSV export from every report on the web dashboard; on request we can provide raw JSON for an entire tenant.
Withdraw consent for optional permissions (camera, photos, microphone, notifications) any time via your device settings. Required permissions (location during workday) are tied to your job — discuss with your employer if you need to opt out.

We respond to verified requests within 30 days.

08 · Children's privacy

TVM Sales is a B2B tool for adult sales professionals. We do not knowingly collect data from anyone under 18. If a tenant accidentally provisions an under-18 account, the admin can remove it via the web dashboard; if you believe we hold data on a minor, contact us and we will delete it.

09 · Changes to this policy

We update this policy when we add data, integrations, or permissions. Material changes are announced in-app at next launch and via email to admins. The version + last-updated date at the top of this page reflect the current copy. Older versions are archived on request.

10 · Contact us

Questions, requests, or breach reports go to [email protected]. Mark [Privacy] in the subject for fastest routing.

This page corresponds to TVM Sales v1.0.0, last updated 6 May 2026. Use the version number when filing questions so we can match the policy to what was running on your device.