Privacy Policy
Effective Date: 17 June 2026 Last Updated: 17 June 2026
This Privacy Policy explains how Srimatadevi Systems LLP ("we", "us", "our") collects, uses, stores, and protects personal data when you use Dhanafaa ("Service"). This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 (and rules thereunder).
By using the Service, you consent to the practices described here.
1. Who We Are
Srimatadevi Systems LLP is the Data Fiduciary for personal data processed through Dhanafaa.
- Registered Office: 3rd Floor, MVR Estates, #8-2-676/1/B/A/A/1&A, Besides Emerald Mithai, Road No. 13, Banjara Hills, Hyderabad – 500034, Telangana, India
- Grievance Officer Email: grievance@parasystemsai.com
- Support Email: support@parasystemsai.com
2. What Personal Data We Collect
2.1 Information You Provide
When you sign up and use the Service, you provide:
- Account information: Name, email address, phone number (optional), password (stored hashed, never in plain text).
- Business information: Business name, GSTIN (optional), legal entity type (proprietorship, partnership, Pvt Ltd, LLP), state.
- Marketplace connection metadata: Codes/identifiers for marketplaces you connect (e.g., Amazon, Flipkart, Meesho). We do not store passwords for these accounts; we use OAuth tokens or API keys you provide.
- Payment-related information: Payment is processed by Razorpay. We receive limited transaction metadata (subscription ID, plan, amount, timestamps). We do not store full card numbers, CVVs, or banking details.
- Communications: Support tickets, feedback, emails you send us.
2.2 Information We Receive from Connected Services
When you authorize a marketplace or gateway connection, we may receive:
- Order data: Order IDs, product SKUs, quantities, prices, dates, buyer state (for tax purposes), shipping addresses needed for marketplace operations.
- Settlement data: Settlement amounts, fees, TDS deducted, payout dates, payment reference numbers.
- Product/catalog data: Your product titles, descriptions, SKUs, pricing, fees.
- Returns data: Return IDs, reasons, refund amounts.
This data is fetched on your behalf and treated as your business data. We process it solely to provide the Service to you.
2.3 Information Collected Automatically
When you use the Service, we collect:
- Usage logs: IP address, browser type, device type, pages visited, timestamps, error logs.
- Cookies and local storage: For authentication sessions and user preferences. See Section 8.
3. Sensitive Personal Data
We do not collect sensitive personal data such as financial account numbers, biometric data, health data, sexual orientation, religious beliefs, or political opinions through normal use of the Service. Buyer addresses fetched from marketplaces (which may contain identifiable details) are handled as your business data and are not used by us beyond serving you.
4. How We Use Personal Data
We process personal data for the following purposes (lawful grounds in parentheses):
- Provide the Service — authenticate you, deliver features, sync data from connected sources (Performance of contract; your consent).
- Process payments and manage subscriptions (Performance of contract; legal obligation for tax invoicing).
- Customer support — respond to your questions, troubleshoot issues (Performance of contract; legitimate business interest).
- Service improvement — analyze usage to fix bugs, improve features (Legitimate business interest; aggregated/anonymized where possible).
- Communications — send service announcements, security alerts, billing notifications (Performance of contract; legal obligation).
- Marketing communications — send product updates, tips, offers (Your consent; you may opt out at any time).
- Legal compliance — comply with tax law, court orders, regulatory requests (Legal obligation).
- Fraud prevention and security — detect and prevent abuse, unauthorized access, financial fraud (Legitimate interest; legal obligation).
We do not:
- Sell your personal data to anyone.
- Use your personal data or business data to train third-party AI models.
- Share your business data with your competitors.
5. Who We Share Personal Data With
We share personal data only as needed to operate the Service:
| Recipient | Purpose | Location |
|---|---|---|
| Supabase (DB & Auth) | Storage of account data and operational data | Servers in India / region of nearest cluster |
| Vercel (Hosting) | Application hosting and edge delivery | Global edge network |
| Razorpay | Payment processing | India |
| Resend / Zoho Mail | Transactional email delivery | India / EU |
| Marketplaces & Gateways | OAuth/API connections you authorize | Per provider |
| Anthropic Claude API | Internal AI features (text summarization, suggestion generation) — only if/when used; no Your Data is used to train models | USA |
| Government authorities | Where legally compelled (e.g., tax authority order, court order) | India |
We require all processors to maintain confidentiality and security obligations consistent with this Policy and applicable law.
6. Cross-Border Transfers
Some processors are located outside India. Where we transfer personal data across borders, we do so only to jurisdictions not restricted under the DPDP Act, and we ensure the processor maintains data protection standards reasonably comparable to Indian standards.
7. Data Retention
We retain personal data only as long as necessary:
- Active accounts: For as long as your account is active.
- Cancelled or inactive accounts: Up to 90 days after cancellation or last activity, after which active records are permanently deleted. We send an automated email reminder 5 days before deletion to allow recovery or data export.
- Backups: May persist up to 12 months, in standard rotation.
- Tax invoices and financial records: Retained for the period mandated under Indian tax law (currently 8 years for GST records).
- Legal hold: If we receive a legal order or are required by law to preserve specific data, we will retain it for the duration of that obligation.
You can request earlier deletion (see Section 9).
8. Cookies and Local Storage
We use:
- Essential cookies for authentication (Supabase session cookies). The Service will not function without these.
- Local storage for user preferences (theme, layout) and short-lived tokens.
We do not use third-party advertising cookies or cross-site tracking pixels. If we add analytics in future, we will update this Policy and seek consent where required.
9. Your Rights Under the DPDP Act
As a Data Principal, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete personal data.
- Erase your personal data (subject to legal retention requirements).
- Withdraw consent for any processing based on consent. Withdrawal does not affect prior processing.
- Nominate another person to exercise your rights in the event of your death or incapacity.
- Grievance redressal — escalate complaints to our Grievance Officer.
To exercise any right, write to grievance@parasystemsai.com. We will respond within the timelines prescribed by law (currently within 30 days for most requests).
10. Grievance Officer
In compliance with the DPDP Act, 2023 and the IT Act, 2000:
Grievance Officer Srimatadevi Systems LLP 3rd Floor, MVR Estates, #8-2-676/1/B/A/A/1&A, Besides Emerald Mithai, Road No. 13, Banjara Hills, Hyderabad – 500034, Telangana, India Email: grievance@parasystemsai.com
We will acknowledge complaints within 24 hours and aim to resolve within 15 days.
If you are not satisfied with our response, you may escalate to the Data Protection Board of India as constituted under the DPDP Act.
11. Security
We implement reasonable technical and organizational measures, including:
- Encryption in transit (TLS) for all connections.
- Encryption at rest for sensitive data fields (passwords are hashed using bcrypt).
- Database-level row-level security (RLS) to isolate each customer's data.
- Access controls limiting employee access to personal data on a need-to-know basis.
- Regular security review of dependencies and infrastructure.
No system is perfectly secure. In the event of a personal data breach that is likely to result in significant harm, we will notify affected users and the Data Protection Board as required under the DPDP Act.
12. Children's Data
The Service is not intended for use by children under 18. We do not knowingly collect personal data of children. If we learn we have collected such data, we will delete it. If you believe we have collected a child's data, contact us at grievance@parasystemsai.com.
13. Third-Party Links
The Service may contain links to third-party websites (marketplaces, partners, blog posts). We are not responsible for their privacy practices. Review their privacy policies before sharing personal data with them.
14. Changes to This Policy
We may update this Policy. When we do, we will update the "Last Updated" date and, for material changes, give you reasonable notice (in-app or email). Your continued use of the Service after the effective date constitutes acceptance.
15. Contact Us
For privacy questions or to exercise your rights:
- Grievance Officer: grievance@parasystemsai.com
- General support: support@parasystemsai.com
- Mail: Srimatadevi Systems LLP, 3rd Floor, MVR Estates, #8-2-676/1/B/A/A/1&A, Besides Emerald Mithai, Road No. 13, Banjara Hills, Hyderabad – 500034, Telangana, India
By using Dhanafaa, you acknowledge that you have read and understood this Privacy Policy.