PragatiCRM
  • Features
    ⚡All features 🧾GST Invoicing 🔗Tally Integration 🏪Customer Portal 📋MCA Audit Trail
  • Pricing
  • Industries
    🏭Manufacturing 📦Wholesale Trading 💎Jewellers & Gold 💊Pharma Distribution 🏗️Construction 🛒Retail 🍱FMCG & Food 🚗Auto & Spare Parts
    🔧Service & AMC
  • Resources
    ⚖️vs Zoho ⚖️vs Vyapar
    📖GSTR-1 Filing Guide 📖E-Invoice IRN Guide
  • About
Book Demo WhatsApp
Home › Privacy Policy

Privacy Policy

Effective Date: 1 June 2026  |  Version 2.0  |  Applicable law: DPDPA 2023, IT Act 2000, CERT-In Directions 2022

Effective Date
1 June 2026
Version
2.0
Data Processor
RamLalla Technologies
Grievance Officer
Anmol Tiwary, Founder
Jurisdiction
Bokaro, Jharkhand, India

1. Introduction

This Privacy Policy explains how RamLalla Technologies ('we', 'us', 'our'), operating the PragatiCRM service, collects, processes, uses, stores, and protects personal data. We are committed to responsible data handling in accordance with India's Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, and CERT-In Directions, 2022.

PragatiCRM is a SaaS platform. Our subscribing businesses ('Clients') are Data Fiduciaries under the DPDPA. We are a Data Processor — we process personal data only on documented instructions from our Clients to deliver the service. We do not determine the purpose of processing of the personal data of the Client's customers.

By using the Service, you acknowledge that you have read, understood, and agreed to this Privacy Policy. If you do not agree, please discontinue use of the Service and contact us for data deletion.

TermDefinition
'Service'PragatiCRM — the cloud-based business management platform at pragaticrm.in
'RamLalla Technologies'RamLalla Technologies, Bokaro, Jharkhand — 827001, India
'Client'The subscribing business entity that uses the Service
'Client Data'All data entered into the Service by the Client — customer records, invoices, products, transactions
'Personal Data'Any data that identifies or can identify an individual natural person
'Data Fiduciary'The Client — they determine the purpose of processing their customers' data
'Data Processor'RamLalla Technologies — we process data on behalf of the Data Fiduciary (Client)

2. Data We Collect

2.1 Account and Registration Data

When a Client subscribes to PragatiCRM, we collect:

  • Business name and registered address
  • Contact person name, designation, email address, and phone number
  • GSTIN — stored for billing and GST invoice issuance purposes
  • Login credentials — email address and password. Passwords are one-way hashed using bcrypt and are never stored or accessible in plain text
  • Two-factor authentication (2FA) data — TOTP secret keys, stored encrypted. Recovery codes are hashed.

2.2 Client Business Data

This is the data Clients enter into the Service to run their business. Clients own this data entirely.

  • Customer and supplier records: names, company names, GSTIN (AES-256 encrypted at rest), PAN (AES-256 encrypted at rest), addresses, email addresses, phone numbers
  • Transaction data: quotations, sales orders, invoices, credit notes, purchase orders, payments, service tickets, AMC contracts
  • Product and inventory data: product names, HSN codes, prices, cost prices, stock quantities, batch numbers, serial numbers
  • Financial data: GST amounts, payment records, outstanding balances, credit limits
  • Operational data: location information, stock movement records, delivery details

GSTIN and PAN are encrypted at rest. Customer and supplier GSTIN and PAN numbers are encrypted using AES-256 encryption before being stored in the database. Even in the event of a database breach, these fields are not accessible in plain text. Decryption occurs only in application memory after authorised access.

2.3 Technical and Usage Data

  • IP addresses — collected for security monitoring, login attempt analysis, and fraudulent access detection
  • Browser type, version, and operating system
  • Pages accessed, timestamps, HTTP status codes, and error logs
  • Session activity data — used to enforce the 30-minute automatic session timeout
  • Failed login attempt records — retained for 90 days for fraud detection and IP blocking

3. How We Use Your Data

3.1 Service Delivery

  • Provisioning, operating, and maintaining the Client's CRM instance
  • Processing transactions, generating GST-compliant invoices and PDFs
  • Sending transactional notifications: invoice confirmations, payment receipts, overdue reminders, AMC renewal alerts, low stock alerts
  • Generating GSTR-1 exports, customer account statements, and financial reports
  • Running automated scheduled tasks: batch expiry checking, recurring invoice generation, backup execution

3.2 Security and Legal Compliance

  • Detecting and preventing unauthorised access, login brute-force attacks, and account abuse
  • Maintaining immutable audit trails required under MCA Rule 3(1), Companies Act 2014
  • Retaining security and access logs for a minimum of 180 days in Indian jurisdiction as required by CERT-In Directions, 2022
  • Responding to lawful requests from Indian government authorities under the IT Act, 2000 or the DPDPA, 2023

3.3 Service Improvement

  • Analysing anonymised, aggregated usage patterns to improve the Service
  • We do not use individually identifiable Client Data or the personal data of the Client's customers for product improvement
  • We do not sell, rent, lease, or trade Client Data to any third party for any purpose whatsoever

3.4 Communications

  • Sending administrative communications: security alerts, scheduled maintenance notices, subscription renewal reminders
  • Sending product updates and new feature announcements — Clients may unsubscribe from these at any time without affecting Service access

4. AI-Powered Features and Data Processing

AI features require explicit consent under DPDPA 2023. AI features in PragatiCRM are disabled by default for every new Client. They activate only after the Client's administrator explicitly consents through the Settings panel.

4.1 AI Features and What Data They Use

FeatureWhat it doesData sent to AIData NOT sent to AI
Dashboard DigestGenerates 4–6 specific business insights every morningAggregated revenue figures, order counts, margin percentages, overdue totals, stock level summariesCustomer names, GSTIN, PAN, contact details, individual invoice contents
Sales CoachInteractive guidance assistant for the sales teamPipeline metrics: open quotation count, conversion rate, revenue totals, overdue countCustomer names, specific invoice amounts, contact details
GSTR AssistantReviews monthly GST data for issues before filingInvoice totals by GST rate, HSN code distribution, B2B vs B2C totalsCustomer GSTIN, individual transaction details
Revenue ForecastingProjects next 3 months of revenue based on historical patternsMonthly revenue aggregates — totals onlyNo individual transaction or customer data
OCR Invoice ScanPhotograph a supplier bill → auto-extract into purchase entryImage content only — no customer PII, no GSTINNo names, no financial totals from other documents

4.2 Consent — How It Works

  • AI features are disabled by default for every new Client — no AI processing occurs without activation
  • The Client's administrator enables AI consent from: Admin panel → Settings → Data Privacy → Enable AI-powered features
  • On enabling, a clear summary of what data will be sent to the AI is shown before confirmation
  • Consent is recorded with: user ID, timestamp, IP address, and session ID — stored in the audit log
  • Consent may be revoked at any time from the same Settings page — AI features deactivate immediately
  • Revoking consent does not delete historical AI-generated insights already stored in the system

4.3 Third-Party AI Provider

AI processing is performed by Anthropic, Inc. (USA) via their Claude API. Anthropic processes data under their Privacy Policy. Anthropic does not use API inputs for model training under their standard API agreement. We maintain a Data Processing Agreement (DPA) with Anthropic.

One Anthropic API key is used across all PragatiCRM Clients. Each Client's data is strictly isolated at the database level — separate PostgreSQL databases per Client. It is architecturally impossible for one Client's data to appear in another Client's AI results.

5. Legal Basis for Processing

Legal basisWhat it covers
Contractual necessityProcessing required to fulfil our obligations under the Terms of Service: provisioning the CRM, generating invoices, sending notifications, maintaining backups
Legal obligationMCA Audit Trail (Rule 3(1) Companies Act 2014), security log retention (CERT-In Directions 2022), financial records retention (7 years under Indian financial regulations)
Legitimate interestsSecurity monitoring, login fraud prevention, IP blocking, anonymised service improvement analytics — balanced against the rights and interests of individuals
Explicit consentAI feature processing as described in Section 4. Optional marketing communications. Consent may be withdrawn at any time.

6. Data Storage, Security, and Retention

6.1 Where Data Is Stored

All Client Data is stored on cloud servers operated by excloud.in, located in India. We do not transfer Client Data outside India, except for AI processing as described in Section 4.3. Security logs, backup files, and all other data remain in Indian jurisdiction at all times, satisfying the CERT-In Directions, 2022 requirement.

6.2 Security Measures

Security measureImplementation details
Encryption in transitTLS 1.2 and TLS 1.3 enforced for all data transmission. HTTP is redirected to HTTPS.
Encryption at restAES-256 encryption for sensitive fields (GSTIN, PAN). Database volumes are encrypted.
Access controlRole-based access — five portals, each role sees only authorised data.
AuthenticationTwo-factor authentication (TOTP) mandatory for Admin and Accounts Manager roles.
Login securityProgressive delay after failed attempts: increasing to 120 seconds after attempt 5. IP permanently blocked after 5 failed attempts.
Session managementAutomatic 30-minute inactivity session timeout. Sessions invalidated server-side on logout.
BackupsDaily encrypted database backup to the Client's designated Google Drive account. 7-day rolling retention on server.
Log retentionSecurity and access logs retained for minimum 180 days on Indian servers — CERT-In Directions 2022 compliant.
MCA Audit TrailImmutable audit log of all financial data changes. Cannot be disabled under any circumstance.
FirewallUFW firewall: only ports 22 (SSH), 80 (HTTP redirect), and 443 (HTTPS) are open. Database ports blocked externally.

6.3 Data Retention Policy

Data typeRetention periodBasis
Client Data — active subscriptionDuration of the subscriptionService delivery requirement
Client business data (invoices, customers, inventory)30-day read-only export window after termination, then permanently deletedYours to retain afterward — CGST Act §36 (6 yrs), Companies Act 2013 (8 yrs). We do not keep it for you.
Pragati Digital's subscription records (our invoices to you, your payments to us)6–8 yearsCGST Act §36, Companies Act 2013 — our own statutory obligation
Security and access logs180 days minimumCERT-In Directions, 2022
Failed login records90 daysFraud detection and IP management
AI-generated insights (Dashboard Digest)24 hours — auto-expiresOperational — refreshed nightly
AI-generated forecasts7 days — auto-expiresOperational — refreshed weekly
MCA Audit Trail recordsIndefinite — cannot be deletedMCA Rule 3(1) Companies Act 2014

Data loss after closure is irreversible. Once your account is closed and Client Data is permanently deleted from our servers, it cannot be recovered. RamLalla Technologies is not liable for any data loss resulting from the Client's failure to export data before initiating account closure or before the 30-day export window expires.

7. Data Sharing and Third Parties

We share Client Data only where strictly necessary to operate the Service. We never share Client Data for advertising, marketing, or commercial profiling purposes.

Third partyPurposeData sharedLocation
excloud.inCloud infrastructure hostingAll Client Data is stored on their serversIndia
Anthropic, Inc.AI feature processing (consent required)Aggregated business metrics only — no PII, no GSTIN, no customer namesUSA (API calls only)
Email delivery providerTransactional email notificationsEmail address, invoice reference, amount, notification typeIndia preferred
Google (Drive API)Database backupsEncrypted database dump file — sent to the Client's own Google accountClient's own Google account
Payment gateway providerSaaS subscription billing (our revenue)Subscriber name, email, subscription amount — not Client's customer dataIndia

7.1 Legal Disclosures

We may disclose Client Data when required by: a valid court order or legal process under Indian law; a competent authority exercising powers under the IT Act, 2000, DPDPA, 2023, or other applicable Indian law; or to protect the rights, property, or safety of RamLalla Technologies, our Clients, or the public. We will notify the affected Client of any such request as promptly as possible, unless legally prohibited from doing so.

8. Your Rights Under the DPDPA, 2023

To exercise any right, contact contact@pragatidigital.in. We will acknowledge within 3 business days and respond substantively within 30 days.

RightWhat it meansHow to exercise
Right to informationKnow what personal data we hold and how it is processedEmail contact@pragatidigital.in — subject: 'Data Information Request'
Right to correctionRequest correction of inaccurate or incomplete personal dataUpdate directly in your admin panel, or email contact@pragatidigital.in
Right to erasureRequest deletion of your account and all business data stored in PragatiCRM. Once processed, your business data is permanently deleted from our servers — typically within 30 days. We do not retain your business data after account closure. Export your data first — you are required under Indian law to retain your own financial records for 6 years (CGST Act, Section 36) and 8 years (Companies Act, 2013); that obligation is yours once you leave. Separately, we retain records of our own transactions with you for these same statutory periods, as required for our own compliance.Admin panel → Settings → Data Privacy → Request Data Deletion
Right to grievance redressalFile a complaint about how we have handled your personal dataEmail hello@pragatidigital.in — we respond within 30 days
Right to nominateNominate another person to exercise your DPDPA rights in event of death or incapacityWritten request to contact@pragatidigital.in with supporting documentation
Right to withdraw consentWithdraw consent for AI data processing at any timeAdmin panel → Settings → Data Privacy → AI Consent → Revoke Consent

9. Breach Notification

In the event of a personal data breach affecting Client Data, RamLalla Technologies will:

  • Take immediate containment action to stop the breach and preserve evidence
  • Notify affected Clients within 72 hours of becoming aware of the breach, as required under CERT-In Directions, 2022
  • Report to the relevant Data Protection Board as required under DPDPA, 2023 rules
  • Provide Clients with: the nature of the breach, the data affected, likely consequences, and steps taken or proposed
  • Maintain a breach register documenting all incidents, actions taken, and outcomes

10. Cookies

PragatiCRM uses session cookies to maintain your authenticated state across page navigations within the application. These are essential cookies — the Service cannot function without them.

We do not use advertising cookies, cross-site tracking cookies, third-party analytics, or any cookie that identifies individual users outside the scope of the current session. We do not use cookies to track users across websites.

11. Children's Privacy

The Service is intended exclusively for use by businesses and adults aged 18 years or above in India. We do not knowingly collect or process personal data of individuals under 18. If we become aware that personal data of a minor has been collected, we will delete it promptly. Contact contact@pragatidigital.in if you believe this has occurred.

12. Changes to This Policy

We may update this Privacy Policy as the Service evolves or as regulations change. For material changes, we will:

  • Notify all active Clients via email at least 30 days before the changes take effect
  • Display a prominent notice in the admin panel for 14 days before and after the effective date
  • Update the 'Effective Date' at the top of this document

Continued use of the Service after the effective date of a revised Policy constitutes acceptance of the changes.

13. Grievance Officer

Grievance Officer — designated under the IT Act, 2000 and DPDPA, 2023. All privacy complaints, data access requests, and data deletion requests should be directed to the Grievance Officer in the first instance.

DetailInformation
NameAnmol Tiwary
DesignationFounder, RamLalla Technologies
Emailhello@pragatidigital.in
Privacy-specific emailcontact@pragatidigital.in
Physical addressRamLalla Technologies, Bokaro, Jharkhand — 827001, India
Acknowledgement timeWithin 5 business days
Resolution timeWithin 30 days of receipt

14. Contact

ChannelDetail
Generalhello@pragatidigital.in
Privacy and data requestscontact@pragatidigital.in
Supportcontact@pragatidigital.in
Registered addressRamLalla Technologies, Bokaro, Jharkhand, India — 827001

© 2026 RamLalla Technologies  |  Privacy Policy v2.0  |  Effective 1 June 2026  |  pragaticrm.in/privacy

Sections

  1. Introduction
  2. Data We Collect
  3. How We Use Data
  4. AI Features
  5. Legal Basis
  6. Storage & Security
  7. Data Sharing
  8. Your Rights (DPDPA)
  9. Breach Notification
  10. Cookies
  11. Children's Privacy
  12. Policy Changes
  13. Grievance Officer
  14. Contact

Related legal documents

  • Terms of Service →
  • MCA Audit Trail →
PragatiCRM
A product ofRamLalla Technologies

The complete sales and operations CRM for Indian businesses.

GST CompliantIndian ServersTally Compatible

Pragati CRM™ is an enterprise product by RamLalla Technologies. Udyam: UDYAM-JH-XX-XXXXXXX

Product
  • All features
  • Pricing
  • GST Invoicing
  • Tally Integration
  • Customer Portal
  • MCA Audit Trail
  • Book Demo
Industries
  • Manufacturing
  • Wholesale Trading
  • Pharma Distribution
  • Jewellers & Gold
  • Construction
  • Retail
  • FMCG & Food
  • Service & AMC
Compare
  • vs Zoho
  • vs Vyapar
  • vs Marg ERP
  • vs MyBillBook
Blog
  • GSTR-1 Filing Guide
  • E-Invoice IRN Guide
Contact
  • WhatsApp
  • hello@pragatidigital.in
  • About us
© 2026 RamLalla Technologies. Pragati CRM™ is a trademark of RamLalla Technologies.
Privacy PolicyTerms of ServiceSitemapRefund Policy