Privacy Policy

Last updated: March 31, 2026

1. Information We Collect

When you use ProcureTrail, we collect:

• Account information: Name, email address, username, organization name.
• Usage data: Actions performed within the application (for audit trail purposes).
• Business data: Purchase requisitions, purchase orders, goods receipts, asset records, and related documents you create.

2. How We Use Your Information

We use your information to:

• Provide and maintain the ProcureTrail service.
• Authenticate your identity and manage access.
• Generate audit trails as required for compliance.
• Send transactional emails (password resets, approval notifications).
• Respond to support requests.

3. Data Isolation

ProcureTrail is a multi-tenant application. Each organization's data is strictly isolated using row-level security. No organization can access another organization's data.

4. Data Storage

Your data is stored on secure servers. We use industry-standard encryption for data in transit (TLS/SSL). Database backups are performed daily and retained for 14 days.

5. Data Sharing

We do not sell, rent, or share your data with third parties. We may disclose information only if required by law or to protect our legal rights.

6. Data Export & Deletion

You may request a full export of your organization's data at any time. Upon termination of your account, we will retain your data for 90 days before permanent deletion, unless a longer retention period is required by law.

7. Cookies

ProcureTrail uses only essential cookies for authentication (JWT tokens). We do not use tracking cookies or third-party analytics.

8. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by email or through the application.

9. Contact

For privacy-related questions, contact us at kiren@oparc.in or +91 98458 10358.

10. Lawful Basis for Processing

We process your personal data under the Digital Personal Data Protection Act, 2023 (DPDP Act) on the following bases:

• Consent: You provide explicit consent when you create an account and accept this privacy policy. You may withdraw consent at any time by contacting us or deleting your account.
• Legitimate use: Processing necessary to provide the ProcureTrail service you have requested, including authentication, audit trail generation, and transactional communications.
• Legal obligation: Processing required to comply with applicable laws, including financial record-keeping and tax regulations.

11. Your Rights Under the DPDP Act

As a Data Principal under the DPDP Act, 2023, you have the following rights:

• Right to Access: You may request a summary of the personal data we process about you and the processing activities undertaken.
• Right to Correction: You may request correction of inaccurate or incomplete personal data. Update your profile directly in ProcureTrail or contact us.
• Right to Erasure: You may request deletion of your personal data, subject to any legal retention requirements. Organization admins can request full org data deletion.
• Right to Grievance Redressal: You may raise a complaint with our Grievance Officer (see Section 12). If unsatisfied with our response, you may approach the Data Protection Board of India.
• Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity, as provided under the DPDP Act.

To exercise any of these rights, contact our Grievance Officer at the details below. We will respond within 30 days of receiving your request.

12. Grievance Officer

In accordance with the DPDP Act, 2023, we have appointed a Grievance Officer to address your concerns regarding data processing:

• Name: Kiren Kumar
• Email: kiren@oparc.in
• Phone: +91 98458 10358
• Response time: We will acknowledge your grievance within 48 hours and resolve it within 30 days.

If you are not satisfied with the resolution, you may file a complaint with the Data Protection Board of India as established under the DPDP Act.

13. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

• Active account data: Retained for the duration of your subscription.
• Audit trail data: Retained for the duration of your subscription plus 1 year, or as required by applicable financial regulations.
• Post-termination: Upon account termination, your data is retained for 90 days to allow for data export, after which it is permanently deleted.
• Backup data: May persist in encrypted backups for up to 14 days after deletion from the primary database.
• Legal holds: Data subject to a legal hold or regulatory requirement will be retained until the hold is lifted, regardless of the above timelines.

14. Breach Notification

In the event of a personal data breach that is likely to cause harm to Data Principals:

• We will notify the Data Protection Board of India without unreasonable delay, and in any case within 72 hours of becoming aware of the breach.
• We will notify affected Data Principals (you and/or your organization administrator) without unreasonable delay, describing the nature of the breach, the data affected, and the steps we are taking to mitigate harm.
• We will provide guidance on steps you can take to protect yourself (e.g., changing passwords, monitoring accounts).