Legal · DPDP Act 2023 Compliant

Privacy Policy

Last updated: 1 June 2026

Effective: 1 June 2026

DPDP Act 2023 · GDPR-aligned · ISO 27001 roadmap · BIS Partner

Data Protection Officer (DPO)

SoniERP has appointed a Data Protection Officer as required under the DPDP Act 2023. For all data rights requests, consent withdrawal, and grievances, contact our DPO at dpo@sonierp.in or write to: Data Protection Officer, SoniERP Technologies, Jaipur, Rajasthan 302001, India. Response guaranteed within 30 days.

1. About This Policy

This Privacy Policy applies to SoniERP Technologies (“we”, “us”, “the Company”) and governs all personal data processed through the SoniERP platform — including our web application, mobile app, APIs, and WhatsApp integrations.

We are a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act). You — as our subscriber — are the Data Principal for your own data, and additionally act as a Data Fiduciary for your customers' data that you enter into our platform.

This policy is written in plain English to help you understand your rights. If you have any questions, contact our DPO at dpo@sonierp.in.

2. Information We Collect

We collect information you provide when you create an account or use SoniERP, including:

  • Identity data: owner name, email address, phone number, Aadhaar-based e-KYC (optional)
  • Business data: store name, address, GSTIN, BIS licence number, PAN (for TDS)
  • Transaction data: sales, purchases, HUID records, gold loan (Girvi) records, karigar jobs, ledger entries
  • Usage data: pages visited, features used, session duration, browser type, IP address (hashed)
  • Customer data: your customers' names, phones, purchase history — entered by you as the Data Fiduciary
  • Device data: device model, OS version (mobile app only), for bug diagnostics

What We Do NOT Collect

We never collect biometric data, financial credentials (bank passwords, card numbers), or any data unrelated to your jewellery business operations. We do not use cookies for tracking individuals across external websites.

3. Lawful Basis & Consent Management

Under the DPDP Act 2023, we process personal data on the following lawful bases:

Consent (Section 6, DPDP Act)

You provide free, specific, informed, and unambiguous consent when you register. Consent is recorded with timestamp and can be withdrawn at any time.

Legitimate Use (Section 7, DPDP Act)

Processing necessary for providing the contracted service, statutory GST compliance, and security/fraud prevention is considered “legitimate use” — no separate consent is required for these purposes.

Legal Obligation

Processing required by GST Act 2017, Income Tax Act 1961, BIS Hallmarking Regulations, RBI norms, and other applicable Indian law — we are legally required to process this data and cannot fulfil your service request without it.

Withdrawing Consent: You may withdraw non-essential consent at any time via Settings → Privacy → Manage Consents, or by emailing dpo@sonierp.in. Note: Withdrawal of consent for core service processing will result in account suspension as the service cannot be provided without it.

4. How We Use Your Information

We use your data exclusively to:

  • Deliver and maintain the SoniERP service
  • Generate GST invoices, GSTR-1/GSTR-3B reports, and e-Invoice IRN as required under GST Act 2017
  • Verify HUID codes against the BIS registry for hallmarking compliance
  • Send billing notifications and renewal reminders
  • Provide customer support and resolve disputes
  • Improve the product (aggregated, anonymised analytics only — never individual-level profiling)
  • Detect and prevent fraud, unauthorised access, and platform abuse
  • Comply with legal obligations under Indian law

We do not sell your data to third parties. We do not use your business data to train AI models. We do not serve you advertisements based on your business data.

5. Data Storage & Security

Your data is stored in infrastructure hosted within India. We implement the following protections:

  • AES-256 encryption at rest; TLS 1.3 in transit
  • Role-based access control (RBAC) — SuperAdmin, Admin, Manager, Staff, Viewer tiers
  • Automated backups every 6 hours with 30-day retention
  • ISO 27001-aligned security practices (certification in progress)
  • Quarterly Vulnerability Assessment & Penetration Testing (VAPT)
  • 72-hour breach notification as required by DPDP Act 2023 Section 8

For full security details, visit our Security page.

6. Cross-Border Data Transfers

India Data Residency — Primary Commitment

All your business data — inventory, transactions, customer records, GST data, HUID logs — is stored and processed exclusively within India (Railway.app / AWS Mumbai ap-south-1 region).

Limited transfers for service delivery: Certain service components involve international processing:

  • WhatsApp (Meta): Message content may be routed through Meta's global infrastructure. Only message content you explicitly send to customers is transferred.
  • Twilio: SMS delivery may route through international nodes. Only phone numbers and OTP codes are transferred.

These transfers are protected by Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) in compliance with DPDP Act 2023 cross-border provisions. We will not transfer your inventory, GST, HUID, financial, or customer data internationally under any circumstances.

7. GST & Compliance Data

SoniERP processes GSTIN numbers, invoice data, HSN codes, and e-Invoice IRN responses as required under the Central Goods and Services Tax Act, 2017. You remain the data principal for all tax-related data. We act as a data processor on your behalf when submitting to the NIC IRP (Invoice Registration Portal).

We do not store your NIC credentials. API tokens are encrypted and scoped per session.

HUID Data: Hallmark Unique Identification (HUID) codes verified through the BIS registry are processed for compliance only. These are stored encrypted and never shared with third parties beyond the BIS portal itself.

8. Cookie Policy

We use cookies and similar technologies on our website and web app. Here is exactly what we use:

Cookie Type | Purpose | Duration | Consent Required
Essential | Authentication session, CSRF protection, load balancing | Session / 30 days | No (legally necessary)
Functional | Language preferences, dashboard layout, remembered filters | 1 year | No (legitimate interest)
Analytics | Page views, feature usage — anonymised (PostHog) | 1 year | Yes
Marketing | Retargeting on Google/Meta for website visitors only | 90 days | Yes

You can manage your cookie preferences at any time via the cookie banner or by emailing dpo@sonierp.in.

9. Third-Party Integrations Disclosure

We integrate with the following third-party services. We have Data Processing Agreements (DPAs) with each:

Razorpay

PCI-DSS Level 1

Purpose: Payment processing — subscription billing, UPI AutoPay

Data shared: Billing amount, merchant GSTIN, payment reference (NO card data stored by us)

View Razorpay Privacy Policy →

WhatsApp Business API (Meta)

GDPR, DPDP compliant

Purpose: Customer notifications — invoice delivery, loyalty reminders, OTP

Data shared: Customer phone number, message content (sent at your explicit instruction)

View WhatsApp Business API (Meta) Privacy Policy →

Twilio

ISO 27001, SOC 2 Type II

Purpose: SMS OTP, fallback notifications

Data shared: Phone number, OTP message only (no PII beyond phone)

View Twilio Privacy Policy →

Railway.app

SOC 2 Type II (in progress)

Purpose: Backend infrastructure hosting

Data shared: Encrypted application data, container logs

View Railway.app Privacy Policy →

AWS (Amazon Web Services)

ISO 27001, SOC 2 Type II, PCI-DSS

Purpose: Database storage, file storage, backups

Data shared: All encrypted store data (Mumbai ap-south-1 region only)

View AWS (Amazon Web Services) Privacy Policy →

NIC IRP (Invoice Registration Portal)

Government of India

Purpose: e-Invoice IRN generation — Government of India

Data shared: Invoice data required under GST e-invoicing mandate

View NIC IRP (Invoice Registration Portal) Privacy Policy →

10. Data Retention Schedule

We retain data only as long as necessary for the stated purpose or as required by law:

Data Category | Retention Period | Legal Basis
GST Invoices & Tax Records | 7 years | GST Act, 2017 — Section 36
e-Invoice IRN Data | 7 years | CGST Act Rule 56 & NIC IRP mandate
BIS HUID Registry Logs | 5 years | BIS Hallmarking Regulations, 2021
Gold Loan (Girvi) Records | 7 years | RBI Prudential Norms & Contract Act
Karigar Payment Records | 7 years | Income Tax Act, 1961 — Section 44AA
Customer Personal Data (active account) | Duration of subscription | DPDP Act 2023 — legitimate purpose
Customer Personal Data (closed account) | 90 days post-closure | DPDP Act 2023 — storage limitation
Staff Access Logs | 2 years | IT Act 2000 & internal security policy
Analytics Data (anonymised) | Indefinite | Not personal data — DPDP Act 2023
Support Tickets | 3 years | Limitation Act, 1963

After mandatory retention periods expire, data is securely deleted using NIST SP 800-88 compliant methods.

11. Your Rights as Data Principal (DPDP Act 2023)

Under India's Digital Personal Data Protection Act 2023, you have the following rights:

Right to Access (Section 11)

Request a summary of all personal data we hold about you and the purposes for which it is being processed. Response within 30 days.

Right to Correction (Section 12)

Request correction of inaccurate or incomplete personal data. We will update records within 15 days of verification.

Right to Erasure (Section 12)

Request deletion of your personal data when it is no longer necessary. Note: Data required by law (GST, BIS, Income Tax) cannot be deleted during the mandatory retention period.

Right to Grievance Redressal (Section 13)

Lodge a grievance with our DPO. We must respond within 30 days. If unresolved, you may escalate to the Data Protection Board of India.

Right to Nominate (Section 14)

Nominate another individual to exercise your data rights in the event of your death or incapacity. Submit nomination form to dpo@sonierp.in.

Right to Withdraw Consent

Withdraw consent for non-essential processing at any time. Withdrawal does not affect the lawfulness of prior processing.

To exercise any right, email our DPO at dpo@sonierp.in with subject line “DPDP Rights Request — [Your Right]”. We will verify your identity and respond within 30 days. No fees are charged for rights requests.

Escalation to Data Protection Board of India

If you are dissatisfied with our response, you have the right to file a complaint with the Data Protection Board of India (DPBI) once it is constituted under the DPDP Act 2023. Details will be updated at meity.gov.in.

12. Our Obligations as Data Fiduciary

As a Data Fiduciary under DPDP Act 2023, we are obligated to:

  • Collect only personal data that is necessary for the stated purpose (data minimisation)
  • Ensure accuracy of personal data and update it upon request
  • Implement reasonable security safeguards to prevent personal data breaches
  • Notify the Data Protection Board and affected individuals within 72 hours of discovering a breach
  • Erase personal data when it is no longer needed for the stated purpose
  • Appoint a Data Protection Officer and publish their contact details
  • Establish a Grievance Redressal Mechanism accessible to all Data Principals

13. Children's Privacy

SoniERP is a B2B business software platform intended exclusively for adults (18+) operating jewellery businesses. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have inadvertently collected data from a minor, please contact dpo@sonierp.in immediately and we will delete it within 7 days of verification.

14. Changes to This Policy

We will notify you of material changes to this Privacy Policy by email (to your registered address) and in-app notification at least 15 days before the changes take effect. Minor clarifications may be updated without notice. The “Last Updated” date at the top of this page always reflects the current version.

Continued use of SoniERP after the effective date of policy changes constitutes acceptance of the updated policy.

15. Contact & Data Protection Officer

Data Protection Officer (DPO)

  • Email: dpo@sonierp.in
  • Response: within 30 days
  • Postal: SoniERP Technologies, Jaipur, Rajasthan 302001, India

Legal & General Queries