Data Governance & Security Charter
Privacy Policy
Last Updated: May 21, 2026 | Enterprise Revision 5.0
STATUTORY COMPLIANCE NOTICE
This Privacy Policy governs the processing of digital personal data across vyaparies.com, associated subdomains, and the Khata Bahi digital ledger system. Vyaparies Technologies operates strictly as a Pure B2B2C Software-as-a-Service (SaaS) Utility. We are explicitly NOT an “E-commerce Operator” or “Marketplace Facilitator.” This document establishes structural risk allocations designed to insulate the personal assets, savings, and property of the Sole Proprietor.
1. STATUTORY CLASSIFICATION: FIDUCIARY VS. PROCESSOR
To ensure absolute regulatory compliance and protect the structural integrity of our software, data processing obligations are legally bifurcated:
A. The Data Fiduciary Pipeline (B2B Vendor Registration)
The Company acts as a Data Fiduciary exclusively concerning the operational business data (KYC, billing, Udyam registration) collected directly from business operators (“Vendors”) during account creation. We determine the purpose of processing this specific metadata solely to facilitate SaaS subscriptions and platform access.
B. The Data Processor Pipeline (B2C End-Consumer Data)
The Company acts strictly as an automated, technical Data Processor concerning any end-consumer personal data, buyer names, payment tallies, or health/financial logs entered by the Vendor into their storefront or conversational ledger. The Vendor is the exclusive, principal Data Fiduciary for their store's consumer data logs. The Company performs zero manual evaluation or verification of, and takes no ownership over, end-consumer transactions.
2. DPDP-PROTECTION: TRANSIENT BUFFER ISOLATION FOR NLP PARSING
The Platform's Khata Bahi engine utilizes a specialized natural language processing (NLP) entry parser to transform raw conversational inputs into structured accounting tables.
VOLATILE PIPELINE EXCLUSION: The Vendor explicitly acknowledges that conversational strings containing unstructured personal, medical, or financial identifiers are routed inside a short-lived transient system buffer. Once the mathematical weights convert the unstructured string into clear numbers within the isolated store ledger, the raw unstructured text is immediately purged or permanently anonymized.
Because the Company does not build or archive persistent records of these raw text inputs, the Vendor assumes 100% legal liability for securing verifiable, itemized consumer consent before typing data into our conversational UI. The Vendor fully indemnifies the Sole Proprietor against any DPDP Act statutory fines arising from un-consented merchant entries.
3. ITEMIZED DATA COLLECTION & TELEMETRY MONITORING
In compliance with the granular itemization standards of the DPDP Act, 2023, we process the following categories of data:
| Data Category | Specific Elements | Lawful Basis & Purpose |
|---|---|---|
| Vendor KYC & SaaS Billing | Legal entity name, proprietorship verified counterparts, email, phone, and Razorpay tokenized arrays. | Explicit B2B Consent to maintain SaaS access and fulfill software licensing obligations. |
| End-Consumer Payment Routing | UPI Intent payload metadata (timestamps, routing success/fail parameters). We do NOT collect bank account numbers, PINs, or card details. | Technical Processing. |
| Telemetry & Anti-Abuse Tracking | IP addresses, API request volumes, device fingerprinting, and interaction velocity. | Legitimate Security Interest. Monitored strictly to prevent IP scraping, reverse-engineering, and DDoS attacks. |
4. EXTERNAL DISCLOSURES & FINTECH ISOLATION
- SaaS Billing (Razorpay): Vendor subscription billing data is shared securely with Razorpay. The Company does not store raw credit card numbers.
- P2P UPI Intent Isolation: In strict compliance with 2026 NPCI directives, end-consumer payments are hardcoded as direct P2P UPI Intent payloads. Zero consumer transactional cash or financial credentials touch our databases. We are completely isolated from interbank chargebacks, NPCI escrow audits, and bank-level consumer disputes.
- Cloud Sovereignty: Encrypted Next.js routing caches and database snapshots are housed in local cloud regions (AWS/GCP) physically located within India, satisfying absolute data sovereignty mandates.
- PMLA & Law Enforcement Handover: Under the Prevention of Money Laundering Act (PMLA), 2002, the Company reserves the absolute right to bypass standard privacy constraints and voluntarily hand over a Vendor's IP logs, access timestamps, and database snapshots directly to Indian Law Enforcement Agencies (Cyber Cell, ED, RBI) without a prior court order if the platform suspects the storefront is facilitating financial crimes or hawala routing.
5. DATA PORTABILITY & STRICT 30-DAY EXIT PROTOCOL
The Company explicitly disclaims any “Vendor Lock-in” practices. However, to maintain unassailable system hygiene, strict exit procedures apply upon account termination or subscription lapse:
The 30-Day Export Window:
Upon account cancellation, suspension, or verified termination, the Vendor is granted a strict 30-day grace period to use the manual CSV/Excel export tools within their dashboard to extract their Khata Bahi ledger and customer logs.
Upon the expiration of this 30-day window, the Company's automated systems will permanently purge, overwrite, or cryptographically shred the Vendor's isolated database instance. Post-purge data recovery is mathematically impossible.
6. SYSTEMIC ACCURACY & TAX AUDIT INDEMNITY
- Data Backup Liability Shift: Cloud storage provided by the Platform is strictly for SaaS operational optimization. The Vendor bears 100% legal and operational responsibility for maintaining independent offline backups of their store data. The Company holds zero liability for database corruption or synchronization failures.
- GST & Income Tax Immunity: The Khata Bahi ledger engine is an uncertified mathematical aid. If a Vendor faces scrutiny, audits, or penalties from the Income Tax Department or GST authorities due to NLP categorization discrepancies, the Vendor explicitly agrees that Vyaparies Technologies accepts zero liability for tax penalties or computational negligence.
7. ENTERPRISE SECURITY, ANTI-ABUSE, & BREACH REPORTING
Anti-Scraping & IP Protection: Telemetry data is actively monitored to protect the Company's intellectual property. Any deployment of automated bots, scraping algorithms, API rate-limit bypassing, or attempts to reverse-engineer the NLP parser weights will be classified as severe technical abuse, triggering the Instant Takedown Right and immediate, permanent deletion of the offending account without data export privileges.
72-Hour Statutory Breach Protocol: In the highly unlikely event of a verified systemic data leak compromising Vendor Fiduciary Data, the Company will notify the Data Protection Board of India (DPBI) and affected Vendors within 72 hours of technical confirmation, deploying immediate cryptographic lockdown measures.
8. PRIVACY DISPUTES, LIABILITY CAP, & SATNA ARBITRATION
The 3-Month Liability Matrix
Should any Vendor claim damages related to data loss, privacy breaches, or SaaS platform downtime, the absolute maximum aggregate liability of Vyaparies Technologies and its Sole Proprietor shall be strictly capped at the total SaaS subscription fees paid by that Vendor in the three (3) months immediately preceding the claim. Liability to non-paying End-Consumers is absolutely capped at INR 0.00.
Binding Arbitration (B2B Data Disputes)
Any operational controversy, privacy complaint, or breach of contract claim raised by a commercial Vendor against the Company shall bypass civil courts and be resolved exclusively through private binding arbitration under the Arbitration and Conciliation Act, 1996. The seat, venue, and sole jurisdiction for this arbitration shall be strictly locked to Satna, Madhya Pradesh, India, presided over by a Sole Arbitrator appointed by the Company.
9. STATUTORY GRIEVANCE REDRESSAL MECHANISM
In compliance with the IT Act (Intermediary Guidelines) and the DPDP Act, 2023, data principals seeking to exercise their right to access, correct, or erase data, or report an AUP violation, must contact the designated Grievance Officer:
Officer: Grievance Redressal Officer & Data Protection Liaison
Entity: Vyaparies Technologies (Sole Proprietorship)
Jurisdictional Seat: Satna, Madhya Pradesh, India
Designated Channel: support@vyaparies.com
Mandatory Timelines: Access requests or content complaints will be acknowledged within 24 hours and addressed within 15 days. Complex regulatory data audit requests or consumer identity removals will be fully processed within a maximum 30-day window.