1. Introduction
This Privacy Policy explains how RamLalla Technologies ('we', 'us', 'our'), operating the PragatiCRM service, collects, processes, uses, stores, and protects personal data. We are committed to responsible data handling in accordance with India's Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, and CERT-In Directions, 2022.
PragatiCRM is a SaaS platform. Our subscribing businesses ('Clients') are Data Fiduciaries under the DPDPA. We are a Data Processor — we process personal data only on documented instructions from our Clients to deliver the service. We do not determine the purpose of processing of the personal data of the Client's customers.
By using the Service, you acknowledge that you have read, understood, and agreed to this Privacy Policy. If you do not agree, please discontinue use of the Service and contact us for data deletion.
| Term | Definition |
|---|---|
| 'Service' | PragatiCRM — the cloud-based business management platform at pragaticrm.in |
| 'RamLalla Technologies' | RamLalla Technologies, Bokaro, Jharkhand — 827001, India |
| 'Client' | The subscribing business entity that uses the Service |
| 'Client Data' | All data entered into the Service by the Client — customer records, invoices, products, transactions |
| 'Personal Data' | Any data that identifies or can identify an individual natural person |
| 'Data Fiduciary' | The Client — they determine the purpose of processing their customers' data |
| 'Data Processor' | RamLalla Technologies — we process data on behalf of the Data Fiduciary (Client) |
2. Data We Collect
2.1 Account and Registration Data
When a Client subscribes to PragatiCRM, we collect:
- Business name and registered address
- Contact person name, designation, email address, and phone number
- GSTIN — stored for billing and GST invoice issuance purposes
- Login credentials — email address and password. Passwords are one-way hashed using bcrypt and are never stored or accessible in plain text
- Two-factor authentication (2FA) data — TOTP secret keys, stored encrypted. Recovery codes are hashed.
2.2 Client Business Data
This is the data Clients enter into the Service to run their business. Clients own this data entirely.
- Customer and supplier records: names, company names, GSTIN (AES-256 encrypted at rest), PAN (AES-256 encrypted at rest), addresses, email addresses, phone numbers
- Transaction data: quotations, sales orders, invoices, credit notes, purchase orders, payments, service tickets, AMC contracts
- Product and inventory data: product names, HSN codes, prices, cost prices, stock quantities, batch numbers, serial numbers
- Financial data: GST amounts, payment records, outstanding balances, credit limits
- Operational data: location information, stock movement records, delivery details
GSTIN and PAN are encrypted at rest. Customer and supplier GSTIN and PAN numbers are encrypted using AES-256 encryption before being stored in the database. Even in the event of a database breach, these fields are not accessible in plain text. Decryption occurs only in application memory after authorised access.
2.3 Technical and Usage Data
- IP addresses — collected for security monitoring, login attempt analysis, and fraudulent access detection
- Browser type, version, and operating system
- Pages accessed, timestamps, HTTP status codes, and error logs
- Session activity data — used to enforce the 30-minute automatic session timeout
- Failed login attempt records — retained for 90 days for fraud detection and IP blocking
3. How We Use Your Data
3.1 Service Delivery
- Provisioning, operating, and maintaining the Client's CRM instance
- Processing transactions, generating GST-compliant invoices and PDFs
- Sending transactional notifications: invoice confirmations, payment receipts, overdue reminders, AMC renewal alerts, low stock alerts
- Generating GSTR-1 exports, customer account statements, and financial reports
- Running automated scheduled tasks: batch expiry checking, recurring invoice generation, backup execution
3.2 Security and Legal Compliance
- Detecting and preventing unauthorised access, login brute-force attacks, and account abuse
- Maintaining immutable audit trails required under MCA Rule 3(1), Companies Act 2014
- Retaining security and access logs for a minimum of 180 days in Indian jurisdiction as required by CERT-In Directions, 2022
- Responding to lawful requests from Indian government authorities under the IT Act, 2000 or the DPDPA, 2023
3.3 Service Improvement
- Analysing anonymised, aggregated usage patterns to improve the Service
- We do not use individually identifiable Client Data or the personal data of the Client's customers for product improvement
- We do not sell, rent, lease, or trade Client Data to any third party for any purpose whatsoever
3.4 Communications
- Sending administrative communications: security alerts, scheduled maintenance notices, subscription renewal reminders
- Sending product updates and new feature announcements — Clients may unsubscribe from these at any time without affecting Service access
4. AI-Powered Features and Data Processing
AI features require explicit consent under DPDPA 2023. AI features in PragatiCRM are disabled by default for every new Client. They activate only after the Client's administrator explicitly consents through the Settings panel.
4.1 AI Features and What Data They Use
| Feature | What it does | Data sent to AI | Data NOT sent to AI |
|---|---|---|---|
| Dashboard Digest | Generates 4–6 specific business insights every morning | Aggregated revenue figures, order counts, margin percentages, overdue totals, stock level summaries | Customer names, GSTIN, PAN, contact details, individual invoice contents |
| Sales Coach | Interactive guidance assistant for the sales team | Pipeline metrics: open quotation count, conversion rate, revenue totals, overdue count | Customer names, specific invoice amounts, contact details |
| GSTR Assistant | Reviews monthly GST data for issues before filing | Invoice totals by GST rate, HSN code distribution, B2B vs B2C totals | Customer GSTIN, individual transaction details |
| Revenue Forecasting | Projects next 3 months of revenue based on historical patterns | Monthly revenue aggregates — totals only | No individual transaction or customer data |
| OCR Invoice Scan | Photograph a supplier bill → auto-extract into purchase entry | Image content only — no customer PII, no GSTIN | No names, no financial totals from other documents |
4.2 Consent — How It Works
- AI features are disabled by default for every new Client — no AI processing occurs without activation
- The Client's administrator enables AI consent from: Admin panel → Settings → Data Privacy → Enable AI-powered features
- On enabling, a clear summary of what data will be sent to the AI is shown before confirmation
- Consent is recorded with: user ID, timestamp, IP address, and session ID — stored in the audit log
- Consent may be revoked at any time from the same Settings page — AI features deactivate immediately
- Revoking consent does not delete historical AI-generated insights already stored in the system
4.3 Third-Party AI Provider
AI processing is performed by Anthropic, Inc. (USA) via their Claude API. Anthropic processes data under their Privacy Policy. Anthropic does not use API inputs for model training under their standard API agreement. We maintain a Data Processing Agreement (DPA) with Anthropic.
One Anthropic API key is used across all PragatiCRM Clients. Each Client's data is strictly isolated at the database level — separate PostgreSQL databases per Client. It is architecturally impossible for one Client's data to appear in another Client's AI results.
5. Legal Basis for Processing
| Legal basis | What it covers |
|---|---|
| Contractual necessity | Processing required to fulfil our obligations under the Terms of Service: provisioning the CRM, generating invoices, sending notifications, maintaining backups |
| Legal obligation | MCA Audit Trail (Rule 3(1) Companies Act 2014), security log retention (CERT-In Directions 2022), financial records retention (7 years under Indian financial regulations) |
| Legitimate interests | Security monitoring, login fraud prevention, IP blocking, anonymised service improvement analytics — balanced against the rights and interests of individuals |
| Explicit consent | AI feature processing as described in Section 4. Optional marketing communications. Consent may be withdrawn at any time. |
6. Data Storage, Security, and Retention
6.1 Where Data Is Stored
All Client Data is stored on cloud servers operated by excloud.in, located in India. We do not transfer Client Data outside India, except for AI processing as described in Section 4.3. Security logs, backup files, and all other data remain in Indian jurisdiction at all times, satisfying the CERT-In Directions, 2022 requirement.
6.2 Security Measures
| Security measure | Implementation details |
|---|---|
| Encryption in transit | TLS 1.2 and TLS 1.3 enforced for all data transmission. HTTP is redirected to HTTPS. |
| Encryption at rest | AES-256 encryption for sensitive fields (GSTIN, PAN). Database volumes are encrypted. |
| Access control | Role-based access — five portals, each role sees only authorised data. |
| Authentication | Two-factor authentication (TOTP) mandatory for Admin and Accounts Manager roles. |
| Login security | Progressive delay after failed attempts: increasing to 120 seconds after attempt 5. IP permanently blocked after 5 failed attempts. |
| Session management | Automatic 30-minute inactivity session timeout. Sessions invalidated server-side on logout. |
| Backups | Daily encrypted database backup to the Client's designated Google Drive account. 7-day rolling retention on server. |
| Log retention | Security and access logs retained for minimum 180 days on Indian servers — CERT-In Directions 2022 compliant. |
| MCA Audit Trail | Immutable audit log of all financial data changes. Cannot be disabled under any circumstance. |
| Firewall | UFW firewall: only ports 22 (SSH), 80 (HTTP redirect), and 443 (HTTPS) are open. Database ports blocked externally. |
6.3 Data Retention Policy
| Data type | Retention period | Basis |
|---|---|---|
| Client Data — active subscription | Duration of the subscription | Service delivery requirement |
| Client business data (invoices, customers, inventory) | 30-day read-only export window after termination, then permanently deleted | Yours to retain afterward — CGST Act §36 (6 yrs), Companies Act 2013 (8 yrs). We do not keep it for you. |
| Pragati Digital's subscription records (our invoices to you, your payments to us) | 6–8 years | CGST Act §36, Companies Act 2013 — our own statutory obligation |
| Security and access logs | 180 days minimum | CERT-In Directions, 2022 |
| Failed login records | 90 days | Fraud detection and IP management |
| AI-generated insights (Dashboard Digest) | 24 hours — auto-expires | Operational — refreshed nightly |
| AI-generated forecasts | 7 days — auto-expires | Operational — refreshed weekly |
| MCA Audit Trail records | Indefinite — cannot be deleted | MCA Rule 3(1) Companies Act 2014 |
Data loss after closure is irreversible. Once your account is closed and Client Data is permanently deleted from our servers, it cannot be recovered. RamLalla Technologies is not liable for any data loss resulting from the Client's failure to export data before initiating account closure or before the 30-day export window expires.
7. Data Sharing and Third Parties
We share Client Data only where strictly necessary to operate the Service. We never share Client Data for advertising, marketing, or commercial profiling purposes.
| Third party | Purpose | Data shared | Location |
|---|---|---|---|
| excloud.in | Cloud infrastructure hosting | All Client Data is stored on their servers | India |
| Anthropic, Inc. | AI feature processing (consent required) | Aggregated business metrics only — no PII, no GSTIN, no customer names | USA (API calls only) |
| Email delivery provider | Transactional email notifications | Email address, invoice reference, amount, notification type | India preferred |
| Google (Drive API) | Database backups | Encrypted database dump file — sent to the Client's own Google account | Client's own Google account |
| Payment gateway provider | SaaS subscription billing (our revenue) | Subscriber name, email, subscription amount — not Client's customer data | India |
7.1 Legal Disclosures
We may disclose Client Data when required by: a valid court order or legal process under Indian law; a competent authority exercising powers under the IT Act, 2000, DPDPA, 2023, or other applicable Indian law; or to protect the rights, property, or safety of RamLalla Technologies, our Clients, or the public. We will notify the affected Client of any such request as promptly as possible, unless legally prohibited from doing so.
8. Your Rights Under the DPDPA, 2023
To exercise any right, contact contact@pragatidigital.in. We will acknowledge within 3 business days and respond substantively within 30 days.
| Right | What it means | How to exercise |
|---|---|---|
| Right to information | Know what personal data we hold and how it is processed | Email contact@pragatidigital.in — subject: 'Data Information Request' |
| Right to correction | Request correction of inaccurate or incomplete personal data | Update directly in your admin panel, or email contact@pragatidigital.in |
| Right to erasure | Request deletion of your account and all business data stored in PragatiCRM. Once processed, your business data is permanently deleted from our servers — typically within 30 days. We do not retain your business data after account closure. Export your data first — you are required under Indian law to retain your own financial records for 6 years (CGST Act, Section 36) and 8 years (Companies Act, 2013); that obligation is yours once you leave. Separately, we retain records of our own transactions with you for these same statutory periods, as required for our own compliance. | Admin panel → Settings → Data Privacy → Request Data Deletion |
| Right to grievance redressal | File a complaint about how we have handled your personal data | Email hello@pragatidigital.in — we respond within 30 days |
| Right to nominate | Nominate another person to exercise your DPDPA rights in event of death or incapacity | Written request to contact@pragatidigital.in with supporting documentation |
| Right to withdraw consent | Withdraw consent for AI data processing at any time | Admin panel → Settings → Data Privacy → AI Consent → Revoke Consent |
9. Breach Notification
In the event of a personal data breach affecting Client Data, RamLalla Technologies will:
- Take immediate containment action to stop the breach and preserve evidence
- Notify affected Clients within 72 hours of becoming aware of the breach, as required under CERT-In Directions, 2022
- Report to the relevant Data Protection Board as required under DPDPA, 2023 rules
- Provide Clients with: the nature of the breach, the data affected, likely consequences, and steps taken or proposed
- Maintain a breach register documenting all incidents, actions taken, and outcomes
10. Cookies
PragatiCRM uses session cookies to maintain your authenticated state across page navigations within the application. These are essential cookies — the Service cannot function without them.
We do not use advertising cookies, cross-site tracking cookies, third-party analytics, or any cookie that identifies individual users outside the scope of the current session. We do not use cookies to track users across websites.
11. Children's Privacy
The Service is intended exclusively for use by businesses and adults aged 18 years or above in India. We do not knowingly collect or process personal data of individuals under 18. If we become aware that personal data of a minor has been collected, we will delete it promptly. Contact contact@pragatidigital.in if you believe this has occurred.
12. Changes to This Policy
We may update this Privacy Policy as the Service evolves or as regulations change. For material changes, we will:
- Notify all active Clients via email at least 30 days before the changes take effect
- Display a prominent notice in the admin panel for 14 days before and after the effective date
- Update the 'Effective Date' at the top of this document
Continued use of the Service after the effective date of a revised Policy constitutes acceptance of the changes.
13. Grievance Officer
Grievance Officer — designated under the IT Act, 2000 and DPDPA, 2023. All privacy complaints, data access requests, and data deletion requests should be directed to the Grievance Officer in the first instance.
| Detail | Information |
|---|---|
| Name | Anmol Tiwary |
| Designation | Founder, RamLalla Technologies |
| hello@pragatidigital.in | |
| Privacy-specific email | contact@pragatidigital.in |
| Physical address | RamLalla Technologies, Bokaro, Jharkhand — 827001, India |
| Acknowledgement time | Within 5 business days |
| Resolution time | Within 30 days of receipt |
14. Contact
| Channel | Detail |
|---|---|
| General | hello@pragatidigital.in |
| Privacy and data requests | contact@pragatidigital.in |
| Support | contact@pragatidigital.in |
| Registered address | RamLalla Technologies, Bokaro, Jharkhand, India — 827001 |
© 2026 RamLalla Technologies | Privacy Policy v2.0 | Effective 1 June 2026 | pragaticrm.in/privacy