256-bit Encryption
All data in transit and at rest is encrypted using AES-256 standards.
No Data Selling
We never sell, rent, or trade your personal or business data to third parties.
You Stay in Control
Access, correct, or delete your data anytime. We honour all requests within 30 days.
Overview
Smart ERP Pro ("we", "our", or "the Platform") is a Software-as-a-Service product operated by Smart ERP Pro Technologies Pvt. Ltd., a company incorporated under the laws of India. Our registered office is at 204, Business Hub, Sector 18, Gurugram, Haryana – 122015.
This Privacy Policy explains how we collect, use, store, and protect information about you when you use our platform, website, mobile applications, or any related services (collectively, "Services"). By using our Services, you agree to the terms described in this policy.
Data We Collect
We collect information in three ways: information you provide directly, information generated automatically as you use the platform, and information received from third parties.
Information You Provide
- Account Data: Name, work email address, phone number, company name, and job title when you register or request a demo.
- Business Data: Employee records, attendance logs, payroll figures, invoices, GST details, inventory data, and performance records you enter into the platform.
- Payment Data: Billing address and payment method details (processed securely via our PCI-DSS-certified payment partners; we do not store raw card numbers).
- Communication Data: Messages you send to us via support tickets, email, or chat.
- Identity Verification: PAN, GST Identification Number (GSTIN), or other regulatory identifiers required for compliance features.
Automatically Collected Data
- IP address, browser type, operating system, and device identifiers.
- Pages visited, features used, session duration, and click-stream data.
- Error logs and crash reports to help us fix bugs and improve reliability.
- Login timestamps and authentication activity for security monitoring.
Data from Third Parties
- If you log in via Google Workspace or Microsoft 365, we receive your name, email, and profile picture from those providers.
- Integration partners (e.g., HRMS, banking APIs) may share data as part of connected workflows you explicitly authorise.
| Data Category | Examples | Required? |
|---|---|---|
| Account Identity | Name, email, phone, company name | Required |
| Business Records | Employee data, payroll, invoices, inventory | Required for features |
| Compliance Identifiers | GSTIN, PAN, TAN | Required for GST features |
| Usage Analytics | Feature clicks, session data, error logs | Optional (opt-out available) |
| Cookies | Session tokens, preference cookies | Managed via consent banner |
How We Use Your Data
We use the data we collect strictly to operate, improve, and protect the Services you have subscribed to. We rely on the following legal bases under applicable law (including the Digital Personal Data Protection Act, 2023 and GDPR where applicable):
- Contract Performance: To create your account, process payments, generate reports, and deliver the core ERP functionality you have paid for.
- Legitimate Interests: To prevent fraud, monitor security, send important product updates, and analyse aggregated usage to improve the platform.
- Legal Obligation: To comply with Indian tax law (GST, TDS, PF), employment regulations, and lawful government orders.
- Consent: To send marketing communications or to place non-essential cookies — only where you have given explicit, revocable consent.
Specific Uses
- Authenticate users and enforce role-based access controls across your organisation.
- Generate payslips, e-Invoice JSON files, GST returns, and regulatory reports.
- Send transactional emails: invoices, payment receipts, attendance alerts, and leave approvals.
- Provide customer support and investigate reported issues.
- Train and improve our AI-assisted features using anonymised, aggregated data only.
- Conduct security audits and detect anomalous login behaviour.
Sharing & Disclosure
We do not sell your data. We share it only in the limited circumstances below, and only with parties bound by strict confidentiality obligations.
Service Providers (Sub-processors)
- Cloud Infrastructure: AWS (Mumbai region, ap-south-1) for server hosting and encrypted storage.
- Payment Processing: Razorpay / Stripe for PCI-DSS-compliant card transactions.
- Email Delivery: Amazon SES for transactional emails (invoices, OTPs, alerts).
- Analytics: Mixpanel (anonymised, aggregated product analytics with IP masking enabled).
- Support Ticketing: Freshdesk for managing customer support conversations.
Government & Regulatory Bodies
We may disclose data to the GST Portal (IRP), EPFO, ESIC, or other statutory authorities as required by Indian law to process your compliance filings. We may also respond to lawful court orders, summons, or regulatory investigations.
Business Transfers
If Smart ERP Pro is involved in a merger, acquisition, or asset sale, your data may be transferred. We will notify affected users and provide opt-out options as required by applicable law.
Cookies & Tracking
We use cookies and similar technologies to keep you logged in, remember your preferences, and understand how the platform is used so we can improve it.
| Cookie Type | Purpose | Duration | Can Opt Out? |
|---|---|---|---|
| Essential | Authentication, session management, CSRF protection | Session / 30 days | No (required) |
| Functional | Language preferences, dashboard layout settings | 1 year | Yes |
| Analytics | Feature usage patterns (anonymised via Mixpanel) | 90 days | Yes |
| Marketing | Retargeting ads on the public website only (not inside the app) | 30 days | Yes — consent required |
You can manage cookie preferences at any time via the Cookie Settings link in the platform footer, or by configuring your browser. Note that disabling essential cookies will prevent you from logging in.
Data Retention
We retain your data for as long as your account is active and as required by law. The table below outlines our standard retention periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account & Profile Data | Duration of subscription + 90 days after cancellation | To support account recovery and final billing |
| Payroll & Financial Records | 8 years from financial year end | Companies Act 2013 & Income Tax Act requirement |
| GST Invoice Data | 8 years from date of filing | GST Act, 2017 statutory requirement |
| Employee Records | 5 years after employee exit | PF Act & labour law compliance |
| Support Conversations | 3 years | Quality assurance and dispute resolution |
| Security & Audit Logs | 2 years | Fraud detection and security investigations |
| Analytics & Usage Data | 13 months rolling | Year-on-year product improvement analysis |
After the applicable retention period, data is securely deleted or anonymised using NIST-compliant methods.
Security Measures
We take the security of your data seriously. Our security programme includes technical, organisational, and physical safeguards:
- Encryption in Transit: All data transferred between your browser and our servers uses TLS 1.3.
- Encryption at Rest: All databases and file storage are encrypted using AES-256.
- Access Controls: Role-based access, principle of least privilege, and mandatory MFA for all internal staff with database access.
- Penetration Testing: Annual third-party penetration tests conducted by CERT-In empanelled auditors.
- Vulnerability Management: Continuous automated scanning with a 24-hour SLA for critical CVEs.
- Data Backups: Daily encrypted backups with 30-day retention and quarterly restore testing.
- Incident Response: A documented IR plan with a 72-hour notification obligation for reportable breaches.
- SOC 2 Type II: We are currently undergoing SOC 2 Type II certification. ISO 27001 audit scheduled for Q4 2025.
Your Rights
Depending on your location, you may have the following rights regarding your personal data. We honour all valid requests within 30 calendar days.
| Right | What it means | How to exercise |
|---|---|---|
| Access | Obtain a copy of your personal data we hold | Settings → Privacy → Export My Data |
| Correction | Correct inaccurate or incomplete data | Settings → Profile, or email us |
| Deletion | Request erasure of your account and personal data (subject to legal retention obligations) | Settings → Privacy → Delete Account |
| Portability | Receive your data in a machine-readable format (JSON/CSV) | Settings → Privacy → Export My Data |
| Objection | Object to processing based on legitimate interests or for direct marketing | Email privacy@smarterppro.in |
| Restriction | Request we restrict processing while a dispute is resolved | Email privacy@smarterppro.in |
| Withdraw Consent | Withdraw consent for marketing emails or analytics cookies at any time | Unsubscribe link in emails or Cookie Settings |
To submit a privacy request, email privacy@smarterppro.in with "Privacy Request" in the subject line. We may ask you to verify your identity before processing. You also have the right to lodge a complaint with the Data Protection Board of India once operational.
Children's Privacy
Smart ERP Pro is a business software platform designed exclusively for use by organisations and adult professionals. We do not knowingly collect personal data from individuals under the age of 18.
If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately at privacy@smarterppro.in and we will delete such information promptly.
Cross-Border Data Transfers
Our primary data infrastructure is hosted in India (AWS Mumbai, ap-south-1). In limited cases, data may be processed by sub-processors with servers outside India (for example, Mixpanel or Freshdesk). In all such cases, we ensure:
- Data Processing Agreements (DPAs) are in place with all sub-processors.
- Standard Contractual Clauses (SCCs) or equivalent safeguards apply to international transfers.
- We maintain a current register of all sub-processors, available on request.
- Sensitive business records (payroll, GST, employee PII) are never transferred outside India for primary processing.
Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Send an in-app notification and email to all registered account administrators at least 14 days before the changes take effect.
- For significant changes, provide a summary of what has changed and why.
Your continued use of the Services after the effective date of any update constitutes acceptance of the revised policy. If you disagree with the changes, you may close your account before the effective date.
Previous versions of this policy are archived and available on request by emailing privacy@smarterppro.in.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please reach out through any of the channels below. We aim to respond within 2 business days.
Gurugram, Haryana – 122015