Privacy Policy

Last updated: 10 May 2026 · DPDP Act 2023 compliant

Pravah ("Data Fiduciary") collects and processes personal data to operate its all-in-one business management platform for Indian businesses of every size — from solo founders to growing agencies. This policy explains what we collect, why, how long we keep it, and the rights you (the "Data Principal") have under the Digital Personal Data Protection Act, 2023.

1. What we collect

  • Account data: name, email, phone, hashed password, OAuth provider IDs.
  • Business data: organisation name, GSTIN, PAN (when provided), bank account / UPI details (for payouts), invoice and proposal content, client contacts.
  • Usage data: pages viewed, features used, IP address, device and browser identifiers (via PostHog and Sentry, as applicable).
  • Communications: WhatsApp / email / SMS sent on your behalf via our integrations (Meta, Resend, MSG91).
  • Sensitive identifiers (Aadhaar, PAN) are processed only when you initiate eSign or KYC flows and are encrypted at rest.

2. Why we process it (lawful purposes)

  • To provide, secure, and improve the Service.
  • To bill, collect taxes, and issue invoices.
  • To meet legal and regulatory obligations (GST, TDS, IT Rules 2021).
  • To prevent fraud and abuse.
  • With consent, to send marketing communications (you can opt out anytime).

3. Sharing

We share personal data only with:

  • Sub-processors who help operate the Service (Neon — database hosting, Cloudflare R2 — storage, Resend — email, MSG91 — SMS, Meta — WhatsApp, Razorpay — payments, Sentry — error monitoring, PostHog — product analytics, Upstash — rate limiting, Vercel — application hosting). All sub-processors are bound by data-processing agreements.
  • Tax and law-enforcement authorities when legally required.

4. Data location and retention

  • Primary data is stored in the India / Singapore regions of our cloud providers. Backups may be stored in geographically redundant regions.
  • Account data is retained while your account is active. After deletion, data is retained for a 30-day grace window (to allow recovery) and then permanently deleted, except where law requires longer retention (e.g. GST records: 6 years).
  • Audit logs of sensitive-data reads are retained for 12 months.

5. Your rights as a Data Principal

Under the DPDP Act 2023 you may:

  • Access a copy of your personal data — Settings → Privacy → Export.
  • Correct inaccurate data — directly in Settings or by writing to us.
  • Erase your account and personal data — Settings → Privacy → Delete account.
  • Withdraw consent for marketing — Settings → Notifications.
  • Nominate another individual to exercise these rights on your behalf — write to us.
  • File a grievance with our Grievance Officer (see the footer and /grievance), or with the Data Protection Board of India.

Authenticated users can manage these rights at /settings/privacy.

6. Security

  • HTTPS/TLS in transit; encryption at rest for sensitive identifiers.
  • Strict CSP with per-request nonces; HSTS preloaded.
  • Two-factor authentication (TOTP) available for all users; required for owner / admin on Business plan.
  • Distributed rate limiting on authentication and APIs.
  • Regular dependency upgrades and Sentry-based error monitoring.

7. Children

Pravah is not directed to children under 18 and we do not knowingly collect their personal data. If you believe a child has provided personal data, contact us and we will erase it promptly.

8. Cookies and tracking

We use first-party cookies for authentication and session state. PostHog (product analytics) is loaded only when explicitly enabled and uses identified-only profiles — no cross-site tracking.

9. Changes to this policy

We may update this policy. Material changes will be announced via email or in-app notice at least 30 days in advance.

10. Contact

Data Protection Officer: dpo@pravah.app
Grievance Officer: see /grievance