Data Protection

Privacy Policy

We are committed to protecting the privacy and security of your personal and business data. Here's exactly how we collect, use, and safeguard it.

Effective Date: 01 January 2025  ·  Last Updated: 28 June 2025

256-bit Encryption

All data in transit and at rest is encrypted using AES-256 standards.

No Data Selling

We never sell, rent, or trade your personal or business data to third parties.

You Stay in Control

Access, correct, or delete your data anytime. We honour all requests within 30 days.

Section 01

Overview

Smart ERP Pro ("we", "our", or "the Platform") is a Software-as-a-Service product operated by Smart ERP Pro Technologies Pvt. Ltd., a company incorporated under the laws of India. Our registered office is at 204, Business Hub, Sector 18, Gurugram, Haryana – 122015.

This Privacy Policy explains how we collect, use, store, and protect information about you when you use our platform, website, mobile applications, or any related services (collectively, "Services"). By using our Services, you agree to the terms described in this policy.

Plain Language Summary: We collect only what we need to run the platform for you. We use your data to provide and improve our services. We never sell it. We protect it with industry-leading security. You can ask us to delete it at any time.
Section 02

Data We Collect

We collect information in three ways: information you provide directly, information generated automatically as you use the platform, and information received from third parties.

Information You Provide

  • Account Data: Name, work email address, phone number, company name, and job title when you register or request a demo.
  • Business Data: Employee records, attendance logs, payroll figures, invoices, GST details, inventory data, and performance records you enter into the platform.
  • Payment Data: Billing address and payment method details (processed securely via our PCI-DSS-certified payment partners; we do not store raw card numbers).
  • Communication Data: Messages you send to us via support tickets, email, or chat.
  • Identity Verification: PAN, GST Identification Number (GSTIN), or other regulatory identifiers required for compliance features.

Automatically Collected Data

  • IP address, browser type, operating system, and device identifiers.
  • Pages visited, features used, session duration, and click-stream data.
  • Error logs and crash reports to help us fix bugs and improve reliability.
  • Login timestamps and authentication activity for security monitoring.

Data from Third Parties

  • If you log in via Google Workspace or Microsoft 365, we receive your name, email, and profile picture from those providers.
  • Integration partners (e.g., HRMS, banking APIs) may share data as part of connected workflows you explicitly authorise.
Data Category Examples Required?
Account Identity Name, email, phone, company name Required
Business Records Employee data, payroll, invoices, inventory Required for features
Compliance Identifiers GSTIN, PAN, TAN Required for GST features
Usage Analytics Feature clicks, session data, error logs Optional (opt-out available)
Cookies Session tokens, preference cookies Managed via consent banner
Section 03

How We Use Your Data

We use the data we collect strictly to operate, improve, and protect the Services you have subscribed to. We rely on the following legal bases under applicable law (including the Digital Personal Data Protection Act, 2023 and GDPR where applicable):

  • Contract Performance: To create your account, process payments, generate reports, and deliver the core ERP functionality you have paid for.
  • Legitimate Interests: To prevent fraud, monitor security, send important product updates, and analyse aggregated usage to improve the platform.
  • Legal Obligation: To comply with Indian tax law (GST, TDS, PF), employment regulations, and lawful government orders.
  • Consent: To send marketing communications or to place non-essential cookies — only where you have given explicit, revocable consent.

Specific Uses

  • Authenticate users and enforce role-based access controls across your organisation.
  • Generate payslips, e-Invoice JSON files, GST returns, and regulatory reports.
  • Send transactional emails: invoices, payment receipts, attendance alerts, and leave approvals.
  • Provide customer support and investigate reported issues.
  • Train and improve our AI-assisted features using anonymised, aggregated data only.
  • Conduct security audits and detect anomalous login behaviour.
We will never use your data to: build advertising profiles, sell to data brokers, train third-party AI models without your consent, or make automated decisions that significantly affect you without human review.
Section 04

Sharing & Disclosure

We do not sell your data. We share it only in the limited circumstances below, and only with parties bound by strict confidentiality obligations.

Service Providers (Sub-processors)

  • Cloud Infrastructure: AWS (Mumbai region, ap-south-1) for server hosting and encrypted storage.
  • Payment Processing: Razorpay / Stripe for PCI-DSS-compliant card transactions.
  • Email Delivery: Amazon SES for transactional emails (invoices, OTPs, alerts).
  • Analytics: Mixpanel (anonymised, aggregated product analytics with IP masking enabled).
  • Support Ticketing: Freshdesk for managing customer support conversations.

Government & Regulatory Bodies

We may disclose data to the GST Portal (IRP), EPFO, ESIC, or other statutory authorities as required by Indian law to process your compliance filings. We may also respond to lawful court orders, summons, or regulatory investigations.

Business Transfers

If Smart ERP Pro is involved in a merger, acquisition, or asset sale, your data may be transferred. We will notify affected users and provide opt-out options as required by applicable law.

Your data stays in India. All primary servers are located in AWS Mumbai (ap-south-1). Backup replication uses AWS Hyderabad (ap-south-2). We do not transfer personal data outside India except where explicitly required by a service provider listed above, and in all such cases, appropriate safeguards are in place.
Section 05

Cookies & Tracking

We use cookies and similar technologies to keep you logged in, remember your preferences, and understand how the platform is used so we can improve it.

Cookie Type Purpose Duration Can Opt Out?
Essential Authentication, session management, CSRF protection Session / 30 days No (required)
Functional Language preferences, dashboard layout settings 1 year Yes
Analytics Feature usage patterns (anonymised via Mixpanel) 90 days Yes
Marketing Retargeting ads on the public website only (not inside the app) 30 days Yes — consent required

You can manage cookie preferences at any time via the Cookie Settings link in the platform footer, or by configuring your browser. Note that disabling essential cookies will prevent you from logging in.

Section 06

Data Retention

We retain your data for as long as your account is active and as required by law. The table below outlines our standard retention periods:

Data Type Retention Period Reason
Account & Profile Data Duration of subscription + 90 days after cancellation To support account recovery and final billing
Payroll & Financial Records 8 years from financial year end Companies Act 2013 & Income Tax Act requirement
GST Invoice Data 8 years from date of filing GST Act, 2017 statutory requirement
Employee Records 5 years after employee exit PF Act & labour law compliance
Support Conversations 3 years Quality assurance and dispute resolution
Security & Audit Logs 2 years Fraud detection and security investigations
Analytics & Usage Data 13 months rolling Year-on-year product improvement analysis

After the applicable retention period, data is securely deleted or anonymised using NIST-compliant methods.

Section 07

Security Measures

We take the security of your data seriously. Our security programme includes technical, organisational, and physical safeguards:

  • Encryption in Transit: All data transferred between your browser and our servers uses TLS 1.3.
  • Encryption at Rest: All databases and file storage are encrypted using AES-256.
  • Access Controls: Role-based access, principle of least privilege, and mandatory MFA for all internal staff with database access.
  • Penetration Testing: Annual third-party penetration tests conducted by CERT-In empanelled auditors.
  • Vulnerability Management: Continuous automated scanning with a 24-hour SLA for critical CVEs.
  • Data Backups: Daily encrypted backups with 30-day retention and quarterly restore testing.
  • Incident Response: A documented IR plan with a 72-hour notification obligation for reportable breaches.
  • SOC 2 Type II: We are currently undergoing SOC 2 Type II certification. ISO 27001 audit scheduled for Q4 2025.
In the event of a data breach that is likely to result in high risk to your rights and freedoms, we will notify you and relevant authorities within 72 hours of becoming aware, in line with our obligations under the Digital Personal Data Protection Act, 2023.
Section 08

Your Rights

Depending on your location, you may have the following rights regarding your personal data. We honour all valid requests within 30 calendar days.

Right What it means How to exercise
Access Obtain a copy of your personal data we hold Settings → Privacy → Export My Data
Correction Correct inaccurate or incomplete data Settings → Profile, or email us
Deletion Request erasure of your account and personal data (subject to legal retention obligations) Settings → Privacy → Delete Account
Portability Receive your data in a machine-readable format (JSON/CSV) Settings → Privacy → Export My Data
Objection Object to processing based on legitimate interests or for direct marketing Email privacy@smarterppro.in
Restriction Request we restrict processing while a dispute is resolved Email privacy@smarterppro.in
Withdraw Consent Withdraw consent for marketing emails or analytics cookies at any time Unsubscribe link in emails or Cookie Settings

To submit a privacy request, email privacy@smarterppro.in with "Privacy Request" in the subject line. We may ask you to verify your identity before processing. You also have the right to lodge a complaint with the Data Protection Board of India once operational.

Section 09

Children's Privacy

Smart ERP Pro is a business software platform designed exclusively for use by organisations and adult professionals. We do not knowingly collect personal data from individuals under the age of 18.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately at privacy@smarterppro.in and we will delete such information promptly.

Section 10

Cross-Border Data Transfers

Our primary data infrastructure is hosted in India (AWS Mumbai, ap-south-1). In limited cases, data may be processed by sub-processors with servers outside India (for example, Mixpanel or Freshdesk). In all such cases, we ensure:

  • Data Processing Agreements (DPAs) are in place with all sub-processors.
  • Standard Contractual Clauses (SCCs) or equivalent safeguards apply to international transfers.
  • We maintain a current register of all sub-processors, available on request.
  • Sensitive business records (payroll, GST, employee PII) are never transferred outside India for primary processing.
Section 11

Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Send an in-app notification and email to all registered account administrators at least 14 days before the changes take effect.
  • For significant changes, provide a summary of what has changed and why.

Your continued use of the Services after the effective date of any update constitutes acceptance of the revised policy. If you disagree with the changes, you may close your account before the effective date.

Previous versions of this policy are archived and available on request by emailing privacy@smarterppro.in.

Section 12

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please reach out through any of the channels below. We aim to respond within 2 business days.

Data Protection Officer
Anil Verma
Privacy Email
Support Helpline
Registered Office
204 Business Hub, Sector 18,
Gurugram, Haryana – 122015
Grievance Redressal: If you are not satisfied with our response to a privacy complaint, you may escalate to the Data Protection Board of India (once constituted under the DPDPA, 2023) or approach the appropriate civil court in Gurugram, Haryana.

Privacy-first ERP for your entire business

Your data belongs to you. See how Smart ERP Pro keeps your operations secure while connecting every department.

Book a Free Demo Sign In