Privacy Policy
Legal entity: Saha Software Services (Proprietorship). Brand: MyOwnERP. GSTIN: 19BHVPS0113B1ZE. Last updated: 19 April 2026.
We provide a multi-tenant ERP platform that helps businesses manage invoices, payments, KYC verification, GST compliance, and bank reconciliation. We collect only what is needed to provide the service and keep records for compliance. We do not sell personal data.
Data we collect
- Account data: name, email, phone, business name, country of operation, and team member details.
- Business identity data: PAN, GSTIN, Aadhaar (last 4 digits only), bank account details, and business registration documents.
- Customer data our clients provide: recipient name, phone/email, invoice metadata, payment amounts, due dates, party master data, and optional notes.
- Bank statement data (if you opt in to Account Aggregator): structured transaction records (date, amount, narration, UTR, balance) fetched only with your explicit consent.
- Messaging data: WhatsApp/SMS/email content sent through us, delivery/read receipts, and basic profile info returned by Meta (e.g., display name, phone).
- Operational data: login and audit logs, device/browser info, IP address, and error traces used for security and support.
- Payments: we do not store card/bank details; gateways (Razorpay, Cashfree) process them directly under PCI-DSS compliance.
How we use data
- Provide ERP functions: invoicing, GST e-Invoice generation, payment collection, payouts, bank reconciliation.
- Verify identity through KYC providers (PAN, Aadhaar OVSE, GSTIN verification, DigiLocker).
- Deliver invoices, payment links, KYC verification links, and support notifications via WhatsApp, SMS, and email.
- Auto-reconcile bank transactions against your invoices using UTR/amount/narration matching.
- File GST returns (GSTR-1, GSTR-3B) and generate e-Invoice IRN through an authorized GST Suvidha Provider (WhiteBooks).
- Provide customer support, security monitoring, audits, and meet legal/tax requirements.
- Improve reliability and detect abuse (spam, fraud, unauthorized access).
Data residency and cross-border processing
Your data is stored in the country you specify during signup. We use Cloudflare's regional D1 databases and R2 storage to ensure physical data residency:
- India tenants: Data stored in India (Mumbai/Hyderabad regions) — compliant with RBI Master Directions and DPDPA 2023.
- UAE tenants: Data stored in Middle East region — compliant with UAE Personal Data Protection Law.
- Singapore tenants: Data stored in APAC region — compliant with Singapore PDPA.
- UK/EU tenants: Data stored in EU region — compliant with UK GDPR/EU GDPR.
- US tenants: Data stored in US region.
Your data does NOT leave the chosen region except when: (a) you explicitly request export, (b) required by applicable law in your jurisdiction, or (c) sent to authorized sub-processors listed below for service delivery.
Account Aggregator (India only — bank reconciliation feature)
If you opt to use our automated bank reconciliation feature:
- We use Setu as our Technical Service Provider (TSP), partnered with RBI-licensed Account Aggregators (OneMoney, Finvu, Anumati).
- You provide explicit consent through the AA's secure consent screen — consent is granular, time-bound, and revocable.
- We fetch only transaction data from your linked bank accounts (no balance, no fixed deposits, no investments) for the consent period only.
- Data is fetched once per day in periodic mode — you can revoke consent at any time.
- Bank statement data is stored encrypted (AES-256-GCM) in an India-only Cloudflare D1 database, restricted to AS-IN jurisdiction.
- Auto-deleted within 30 days of consent expiry, revocation, or your written request.
- We are NOT a Financial Information User (FIU) ourselves; we operate via Setu's regulated TSP framework.
KYC verification
- We use Surepass for PAN, Aadhaar (OVSE), GSTIN, and DigiLocker-based identity verification.
- Aadhaar verification follows UIDAI's Offline Verification (OVSE) framework — we do NOT store the full 12-digit Aadhaar number, only the last 4 digits and demographic details (name, DOB, masked address).
- PAN and GSTIN verification responses are stored for audit and compliance.
- All KYC API calls happen server-to-server over TLS 1.2+; no biometric data is collected or stored.
Sub-processors
We use the following authorized third-party processors. A current list is maintained on this page.
| Function | Provider | Data shared | Region |
|---|---|---|---|
| Cloud infrastructure | Cloudflare | All app data, encrypted | Per tenant region |
| Payment gateway | Razorpay | Transaction details, payer details | India |
| Payment gateway (backup) | Cashfree | Transaction details, payer details | India |
| KYC verification | Surepass | PAN, Aadhaar (OVSE), GSTIN | India |
| Bank statement (AA) | Setu (TSP) | Bank transactions (with consent) | India |
| GST e-Invoice + filing | WhiteBooks (GSP) | Invoice data, GSTIN | India |
| Email delivery | AWS SES | Email content, recipient | AWS region (per tenant) |
| WhatsApp messaging | Meta Platforms | Message content, phone numbers | Global (Meta infrastructure) |
| SMS | SMSCountry | SMS content, phone numbers | India |
| Language/Translation | Bhashini (Govt of India) | Text content (translation) | India |
| AI assistance | Anthropic (Claude) | Document text (no PII), via CF Gateway | US (routed via Cloudflare) |
We do not sell personal data. We share only with processors needed to run the service or when required by law. All processors are bound by data protection terms.
Retention
- Account and billing records: kept while your account is active and for any legally required retention period (typically 8 years for tax records under Indian law).
- Invoice and transaction records: retained for the legally mandated period in your jurisdiction (e.g., 8 years in India under Companies Act).
- Bank statement data (Account Aggregator): deleted within 30 days of consent expiry, revocation, or your written request.
- KYC records: retained for the duration of the customer relationship plus 5 years (per RBI/PMLA guidelines for India).
- Message content and delivery logs: typically retained up to 180 days for support and audit unless you request deletion sooner (subject to legal holds).
- Security logs: retained for 90 days to detect and investigate misuse.
Security
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted using AES-256-GCM (Cloudflare D1, R2 default).
- API credentials and secrets are stored encrypted in dedicated credential vaults (AES-GCM with rotated root keys).
- HTTPS is enforced with HSTS, a strict CSP, and Cloudflare WAF protection.
- Role-based access controls (RBAC), comprehensive audit trails, and least-privilege access for support staff.
- Multi-factor authentication required for all admin/staff access.
- Regular security audits, penetration testing, and dependency vulnerability scanning.
- Backups with restricted access in the same data residency region; no card data is stored by us.
Your rights under DPDPA 2023 (India) and equivalent laws
If you are an Indian resident covered by the Digital Personal Data Protection Act 2023 (or are covered by the equivalent GDPR, UK GDPR, UAE PDPL, or Singapore PDPA), you have the right to:
- Access: Receive a copy of all personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
- Withdraw consent: Revoke consent for any data processing activity at any time, including Account Aggregator linkage.
- Portability: Receive your data in a machine-readable format.
- Object: Object to processing for marketing or analytics.
- Lodge complaint: File a grievance with the Data Protection Board of India (or your local data protection authority).
To exercise any of these rights, email [email protected]. We will verify your identity and respond within 30 days.
Data Protection Officer
For DPDPA-related queries, grievances, or data subject requests:
Data Protection Officer: Apurba Krishna Saha
Email: [email protected]
Address: 742/266, Subashpally, Ward No. 16, Suri, Birbhum, West Bengal — 731101, India
Data breach notification
If we discover a personal data breach affecting your data:
- We will notify you within 72 hours of confirmed discovery.
- Notification will be sent via email and an in-app banner on your tenant dashboard.
- We will report to the Data Protection Board of India (and equivalent authorities in your jurisdiction) where required by law.
- We will provide steps you can take to protect yourself and a remediation plan.
Children's data
MyOwnERP is a B2B service intended for businesses. We do not knowingly collect personal data of children under 18. If we discover such data has been collected, it will be deleted immediately.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and in-product notice at least 30 days before taking effect. Continued use of the service after changes constitutes acceptance.
Contact
General queries: [email protected]
Privacy/data requests: [email protected]
Data Protection Officer: [email protected]
Phone/WhatsApp: +91-8942904842
Address: Holding No. 742/266, Subashpally, Ward No. 16, Suri, Birbhum, West Bengal — 731101, India