Privacy Policy
Last Updated: November 4, 2025 | Version 1.0
Compliant with GDPR (EU) and DPDP Act 2023 (India)
1. Introduction
Welcome to Kshiyarise ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy rights.
This Privacy Policy explains:
- What personal data we collect
- How we use your personal data
- Your rights regarding your data
- How we protect your data
- How to contact us
Important: By using our services, you agree to this Privacy Policy. If you do not agree, please do not use our services.
2. Personal Data We Collect
2.1 Information You Provide:
- Account Information: Email address, password (encrypted), name, phone number (optional)
- Organization Information: Organization name, industry, business type
- Communication: Messages you send us through contact forms or support
2.2 Information We Collect Automatically:
- Session Data: Login timestamps, session IDs, session duration
- Technical Data: IP address, browser type, device information, operating system
- Usage Data: Pages visited, features used, clicks, navigation patterns
- Cookies: See our Cookie Policy
2.3 Legal Basis for Processing (GDPR Article 6):
- Contract Performance: To provide our services (account creation, authentication)
- Consent: For marketing communications (you can withdraw anytime)
- Legitimate Interests: Security, fraud prevention, service improvement
- Legal Obligation: Compliance with laws, tax regulations, court orders
3. How We Use Your Personal Data
We process your personal data for the following purposes:
3.1 Service Delivery:
- Create and manage your account
- Authenticate your access
- Provide our POS platform services
- Process transactions
- Manage your organization and branches
3.2 Security & Fraud Prevention:
- Detect and prevent unauthorized access
- Monitor suspicious activities
- Verify your identity
- Prevent fraud and abuse
3.3 Communication:
- Send OTPs for verification
- Send important service updates
- Respond to your inquiries
- Send marketing emails (only if you opted in)
3.4 Compliance & Legal:
- Comply with legal obligations
- Enforce our Terms of Service
- Protect our rights and property
- Respond to legal requests
4. Your Privacy Rights
Under GDPR and DPDP Act 2023, you have the following rights:
4.1 Right to Access (GDPR Art. 15 / DPDP Sec. 11):
You can request a copy of your personal data. Go to Settings → Privacy → Download My Data
4.2 Right to Rectification (GDPR Art. 16 / DPDP Sec. 12):
You can update your personal data at any time through your profile settings.
4.3 Right to Erasure (GDPR Art. 17 / DPDP Sec. 13):
You can request account deletion. Go to Settings → Privacy → Delete My Account. Note: We provide a 30-day grace period during which you can cancel the deletion.
4.4 Right to Data Portability (GDPR Art. 20):
You can download your data in JSON format for transfer to another service.
4.5 Right to Object (GDPR Art. 21):
You can object to processing of your data for marketing purposes.
4.6 Right to Withdraw Consent:
You can withdraw your consent at any time. Go to Settings → Privacy → Manage Consents
4.7 Grievance Redressal (DPDP Sec. 14):
For complaints, contact our Grievance Officer: grievance@kshiyarise.com
5. Data Sharing and Third Parties
We DO NOT sell your personal data.
We may share your data with:
5.1 Service Providers (Data Processors):
- AWS (Amazon Web Services): Hosting and infrastructure (Data Processing Agreement in place)
- Email Service: For sending OTPs and notifications (AWS SES or SMTP provider with DPA)
- Payment Processor: For subscription payments (PCI-DSS compliant)
5.2 Legal Requirements:
We may disclose your data if required by law, court order, or to protect our rights.
5.3 Business Transfers:
If we merge with or are acquired by another company, your data may be transferred (you'll be notified).
6. International Data Transfers
Data Storage Location: AWS Asia Pacific (India) - ap-south-1
If we transfer data outside India/EU, we ensure:
- Standard Contractual Clauses (SCCs) are in place
- Adequate safeguards per GDPR Article 46
- Compliance with DPDP Act cross-border transfer requirements
7. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period | Reason |
|---|
| Account Data | Duration of service + 30 days | Grace period for reactivation |
| Session Data | 7 days | Security and fraud detection |
| OTP Data | 10 minutes (then deleted) | Verification purpose only |
| Revoked Tokens | 30 days | Security audit trail |
| Audit Logs | 2 years | Legal compliance |
| Financial Records | 7 years | Tax and legal requirements |
| Deleted Accounts | 30 days grace + purge | Recovery option |
8. How We Protect Your Data
We implement industry-standard security measures:
8.1 Encryption:
- HTTPS/TLS for data in transit
- bcrypt for password hashing (cannot be reversed)
- SHA-256 for OTP hashing
- Encrypted database connections
8.2 Access Controls:
- Role-based access control (RBAC)
- Multi-factor authentication (OTP)
- Session management with 7-day expiry
- Refresh token rotation
8.3 XSS/CSRF Protection:
- Access tokens stored in memory (not cookies)
- HttpOnly cookies for refresh tokens
- SameSite cookie attributes
- Content Security Policy headers
8.4 Monitoring:
- 24/7 security monitoring
- Automated threat detection
- Regular security audits
- Penetration testing
9. Cookies and Tracking
We use cookies for:
- Essential Cookies: Authentication (refresh_token)
- Functional Cookies: Language preference (NEXT_LOCALE)
- Consent Tracking: Cookie consent status (cookie_consent)
For more details, see our Cookie Policy.
10. Children's Privacy
Our services are not directed to children under 18 years of age (or 16 in EU). We do not knowingly collect data from children. If you are a parent/guardian and believe your child has provided us with data, please contact us immediately.
11. Data Breach Notification
In the event of a data breach:
- GDPR (Art. 33): We'll notify supervisory authorities within 72 hours
- DPDP (Sec. 8.6): We'll notify the Data Protection Board of India
- User Notification: We'll inform affected users without undue delay
- Remediation: We'll take immediate steps to contain and remediate
12. Contact Us
Postal Address:
Kshiyarise Technologies Pvt. Ltd.
[Your Address]
[City, State, PIN]
India
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be notified via:
- Email notification to registered users
- Prominent notice on our website
- Request for re-consent if required
14. Supervisory Authorities
For EU Users:
You have the right to lodge a complaint with your local data protection authority. Find your authority: EDPB Members
For Indian Users:
Data Protection Board of India
Website: www.dataprotection.gov.in
15. Effective Date
This Privacy Policy is effective as of November 4, 2025 and applies to all users.