Privacy Policy
Effective 1 January 2026 · Last updated 1 January 2026
We respect your privacy. This Policy explains what personal data we collect, why we collect it, how we use and protect it, and the choices you have. It applies to Avatar Technologies's Aurex ERP platform, our website at https://aurexerp.com, and any related services.
For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDPA"), Avatar Technologies acts as the Data Fiduciary for personal data of our customers (Workspace Owners, Admins, and other users). When our customers upload personal data of their own customers (jewellery shop end-customers) into the Service, our customer is the Data Fiduciary and we act as the Data Processor. See our separate Data Processing Addendum for that arrangement.
1. What we collect
1.1 Information you give us
- Account details — name, email, password (hashed), phone (optional), business name, role.
- Billing details — legal entity name, GSTIN, PAN, billing address, billing email, billing phone.
- Payment details — handled by our payment partner (Razorpay). We do not store full card numbers, CVV, or net-banking credentials.
- Communications — when you email support, fill out a form, or chat with us, we keep that record.
1.2 Information we collect automatically
- Usage data — pages visited, actions taken, timestamps, device/browser type, approximate location (city-level from IP).
- Log data — IP address, user agent, request paths, error traces.
- Cookies & similar technologies — see our Cookie Policy.
1.3 Information from your Workspace
The data your business records in Aurex ERP — customer entries, supplier ledgers, invoices, inventory tags, weight slips, repair tickets, etc. — is your business's data. We process this data on your instructions to provide the Service. We don't use it for our own purposes, don't sell it, and don't share it with anyone except the sub-processors listed in the DPA.
2. Why we use your data and the legal basis
| Purpose | What we use | Legal basis (DPDPA) |
|---|---|---|
| Create and operate your Workspace | Account + business details | Necessary to perform the contract |
| Process payments and issue tax invoices | Billing details | Necessary to perform the contract + legal obligation (GST law) |
| Send service notices, renewal reminders, security alerts | Email + phone | Necessary to perform the contract |
| Provide customer support | Account + communications | Consent / legitimate use |
| Improve the Service (aggregated analytics) | Usage data, anonymised | Legitimate use |
| Marketing emails about new features | | Consent — opt-out anytime |
| Detect fraud, abuse, security incidents | Log data | Legitimate use |
| Comply with law, court orders, regulators | As required | Legal obligation |
We do not use your data to train third-party AI models. We do not sell your personal data. We do not share it with advertising networks for cross-context behavioural advertising.
3. Who we share data with
We share personal data only with the following categories of third parties, and only to the extent necessary:
- Cloud infrastructure — to host the Service (e.g. Supabase, Vercel, AWS).
- Payment processors — Razorpay, for subscription payments.
- Email and notification providers — for transactional and marketing email (e.g. Resend).
- Analytics — privacy-respecting product analytics (no cross-site tracking).
- Professional advisors — accountants, lawyers, auditors under confidentiality.
- Government / regulators — when required by law, court order, or to protect rights and safety.
Each sub-processor we use is bound by a written agreement requiring at least the same level of privacy protection we provide. The current list is in the DPA.
4. International transfers
We try to keep your data in India where possible. Some sub-processors may host or replicate data outside India (for example, parts of our cloud infrastructure may run in Singapore or the United States). When that happens, we rely on contractual safeguards and the recipient country's data protection regime to ensure equivalent protection.
5. How long we keep data
| Data | Retention |
|---|---|
| Active account data | For as long as your Workspace is active |
| Cancelled Workspace — primary data | 30 days read-only, then deleted |
| Cancelled Workspace — backups | Up to 90 days from cancellation |
| Aurex tax invoices issued to you | Minimum 8 years (Indian tax law) |
| Server logs | 30 days, rolling |
| Support emails | 3 years from last contact |
| Marketing email opt-out records | Indefinite, to honour your choice |
6. Your rights
Under DPDPA and applicable Indian law, you have the right to:
- Access — confirm whether we hold your personal data and get a copy.
- Correction & erasure — fix inaccurate data or ask us to delete data we no longer need.
- Withdraw consent — for processing based on consent (e.g. marketing emails) at any time.
- Nominate — designate another individual who can exercise your rights in case of your death or incapacity.
- Grievance redressal — raise a complaint with our Grievance Officer (Section 9). If unresolved, you may approach the Data Protection Board of India.
- Portability — export your data through the in-app export tools at any time.
To exercise any of these rights, email privacy@aurexerp.com. We'll respond within 30 days. We may need to verify your identity before acting.
7. How we protect your data
See our Security page for details. In summary:
- TLS 1.2+ encryption in transit; encryption at rest for our database.
- Multi-tenant row-level isolation — your data is logically separated per Workspace.
- Role-based access controls; passwords stored with bcrypt hashing.
- Audit logs for sensitive actions (rate changes, invoice edits, payments, settings).
- Regular backups, monitored infrastructure, restricted production access.
No system is perfectly secure. If we ever discover a personal-data breach that is likely to result in significant harm to you, we'll notify you and the Data Protection Board as required by DPDPA.
8. Children
The Service is intended for businesses and is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a child has provided us personal data, email us and we'll delete it.
9. Grievance Officer
As required under DPDPA and the Information Technology (Intermediary Guidelines) Rules, our designated Grievance Officer is:
[Name of Grievance Officer]
Email: grievance@aurexerp.com
Phone: +91 99999 99999
Address: F7, Savitri Arcade, Karwar, Karnataka 581301, India
We aim to acknowledge complaints within 24 hours and resolve them within 15 days.
10. Changes to this Policy
We may update this Privacy Policy from time to time. If a change is material, we'll notify you by email or in-app notice at least 30 days before it takes effect. The "Last updated" date at the top of this page always shows the current version.
11. Contact
For privacy questions or to exercise any of your rights:
Avatar Technologies
F7, Savitri Arcade, Karwar, Karnataka 581301, India
Privacy: privacy@aurexerp.com
Legal: legal@aurexerp.com