Privacy Policy

Last updated: 21 May 2026. Effective: when this page goes live.

Who we are

IndusArth Technologies Pvt Ltd ("IndusArth", "we", "us") operates the TradeOps platform at app.indusarth.com. We help Indian manufacturers and traders run their procurement, sales, and accounting workflows. This policy explains what personal and business data we process when you sign up for TradeOps or your company is invited as a counterparty.

What we collect

From you, at signup

• Your name, work email, and password (stored only as an Argon2id hash — we never see the plaintext).
• Your company's legal name and (once you complete the company profile) GSTIN, PAN, registered address, and primary contact details.
• Your acceptance timestamp + IP address for the Terms of Service and this Privacy Policy.

From your use of the product

• Vendor / customer master data you create — names, addresses, contact emails, bank account details (the bank account number is encrypted at rest with AES-GCM).
• Transactional records you enter — RFQs, purchase orders, invoices, goods receipts, payments.
• An audit trail of state-changing actions (who did what, when) so disputes can be reconstructed.
• Session metadata — login times, IP addresses, browser user agents — for security investigations.

From the marketing site

• If you contact us through indusarth.com — for example to join the pilot or request the investor deck — we store the contact details and message you send us.
• Cloudflare may log request metadata (IP, country) for DDoS protection. We do not run third-party analytics or advertising trackers.

Why we collect it

• To run the service — issue logins, route data to the right tenant, send transactional emails.
• To comply with law — books of account under Companies Act 2013 § 128(5); GST records under CGST Act § 35; MSME aging tracking under MSMED Act § 15.
• To support you — when you write to [email protected] we may look at your data to debug a problem you've reported.
• To improve the service — aggregate, anonymised metrics about feature usage. We do not sell or use your business data to train models.

Who we share it with

We share your data only with the sub-processors strictly needed to operate the service:

• Google Cloud Platform (Mumbai / asia-south1 region) — primary hosting + database.
• Cloudflare — DNS, CDN, DDoS protection.
• ZeptoMail (Zoho) — transactional email delivery (signup verification, password resets, invitation links).
• Razorpay (when billing integration lands) — payment-gateway processing of subscription fees. Not active as of the date at the top of this page.

We don't sell your data. We don't share it with advertisers. We share only when compelled by Indian law (a court order, RBI / GST regulatory request, etc.) and only the minimum required.

Where it's stored

All TradeOps data sits on Google Cloud infrastructure in the Mumbai (asia-south1) region. Daily encrypted backups go to Google Cloud Storage in the same region. We don't transfer your data outside India.

How long we keep it

Different categories of data have different retention windows, driven by Indian law:

• Financial records (invoices, purchase orders, payments, GRNs) — 7 years from soft-deletion, satisfying Companies Act § 128(5) and CGST Act § 35.
• Operational records (vendor / customer master data, RFQs) — 2 years from soft-deletion.
• Personal contact data (vendor / customer contact persons) — 30 days from soft-deletion.
• Audit trail (event log of state changes) — kept as long as the underlying records, then purged.
• Marketing-site enquiries (emails you send us from indusarth.com) — kept until you ask us to remove them.

An automated nightly job enforces these windows. Backups are retained for 30 days; we will extend backup retention to match the legal floor before our first paying customer goes live.

Your rights under the DPDP Act 2023

As a Data Principal under India's Digital Personal Data Protection Act, 2023 you have the right to:

• Confirm what personal data we process about you (right to access).
• Correct inaccuracies in your personal data (right to correction).
• Request erasure of your personal data, subject to the legal-retention floors above (right to erasure).
• Withdraw consent for any optional processing.
• Nominate someone to exercise these rights on your behalf if you are unable.
• Raise a grievance with our Grievance Officer (below) or, if unresolved, with the Data Protection Board of India.

To exercise any of these rights, email [email protected]. We respond within 30 days.

Security

• Passwords stored as Argon2id hashes.
• Bank account numbers encrypted at rest (AES-GCM, per-environment master key).
• TLS in transit (Let's Encrypt certificates, HTTP Strict Transport Security).
• Multi-factor authentication available; required for tenants on the Trade plan.
• Row-level security at the database layer so one tenant cannot read another tenant's data.
• Daily encrypted backups; recovery procedures documented in our internal runbook.

We are working toward SOC 2 Type II attestation. No certification is claimed today.

Cookies

We use two strictly-necessary cookies on app.indusarth.com:

• tradeops_access — short-lived (15 min) access token.
• tradeops_refresh — refresh token (7 days).

Both are HttpOnly, Secure, SameSite=Lax. We do not set advertising or analytics cookies. The marketing site (indusarth.com) sets no application cookies.

Children

TradeOps is a B2B product not directed at children. We don't knowingly collect data from anyone under 18.

Changes to this policy

We'll post material changes here and email all account admins at least 14 days before they take effect. The "Last updated" date at the top reflects the latest change.

Grievance Officer

As required by the DPDP Act 2023 and the Information Technology Rules, 2011:

We respond within 30 days. Unresolved grievances may be escalated to the Data Protection Board of India.

← Back to indusarth.com · Terms of Service