Plain-English summary: We collect only what's needed to run the Service. We never sell your data. We don't share it with advertisers. You can export or delete it at any time. Full details below.
1. Who We Are
DawaiDesk ("we", "us", "our") operates the cloud platform at https://dawaidesk.online. For privacy matters contact support@dawaidesk.online or WhatsApp +91-94140-51577. This policy is published in compliance with the Information Technology Act, 2000, the IT (Reasonable Security Practices) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act).
2. Information We Collect
a) Account & Business Information
- Name, email address, phone number of the account owner and users you add
- Company name, GSTIN, PAN, Drug License number, business address
- Login credentials (passwords are stored hashed using industry-standard algorithms — we never see your plaintext password)
- Two-factor authentication secrets (encrypted at rest)
b) Business Data You Enter
- Products, batches, expiry dates, manufacturers, HSN codes
- Customers, suppliers, medical representatives, their contact details
- Invoices, purchase bills, payments, ledger entries
- Documents you upload (logos, signatures, bulk import files)
c) Usage & Technical Data
- IP address, browser type, device type, operating system
- Pages accessed, features used, timestamps
- Error logs and crash reports (via Sentry)
- For MR Portal users with explicit permission: geolocation coordinates when logging field visits
d) Payment Information
We do not store credit card or bank account numbers. Payments are processed by our payment partners (e.g., Razorpay). Only transaction references and amounts are retained.
3. How We Use Your Information
- Provide the Service: run your account, show invoices, calculate GST, generate reports.
- Communications: send account verification emails, billing notices, security alerts, and product updates. You can opt out of non-essential emails.
- Support: respond to your queries and troubleshoot issues.
- Security: detect fraud, prevent abuse, and comply with legal requests.
- Improvement: analyse aggregate usage patterns (de-identified) to prioritise features.
4. What We Never Do
- We do not sell your data to third parties.
- We do not share your customer lists, sales data, or business records with advertisers.
- We do not use your business data to train machine learning models.
- We do not read your invoices or ledgers except when you explicitly request support.
5. When We Share Information
We share limited data only with:
- Infrastructure providers (e.g., DigitalOcean) who host our servers under contractual confidentiality.
- Email provider (Resend) to deliver transactional emails.
- Payment processor (Razorpay) to handle subscription billing.
- Error monitoring (Sentry) for crash reports — these are sanitised to exclude Customer Data where feasible.
- Government authorities when legally compelled by a valid court order or statutory demand from Indian authorities.
All processors are contractually bound to use your data only to provide services to us.
6. Data Security
- All traffic to DawaiDesk is encrypted using TLS 1.2+ (HTTPS).
- Passwords are hashed with a strong one-way algorithm (scrypt, via the Werkzeug library).
- Databases are backed up regularly and stored encrypted at rest.
- Master admin accounts require mandatory two-factor authentication (TOTP).
- Login attempts are rate-limited to prevent brute-force attacks.
- Internal access to production systems is restricted and logged.
No system is 100% secure. You are responsible for choosing a strong password and keeping your 2FA device safe.
7. Data Retention
- We retain your Customer Data for as long as your account is active.
- After you terminate your account, data is retained for 30 days to allow export, then permanently deleted from active systems.
- Anonymised backups may persist for up to 180 days for disaster-recovery purposes.
- Invoices and financial records may be retained longer where required by Indian tax law.
8. Your Rights (under DPDP Act, 2023)
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — update inaccurate information (most is editable from your dashboard).
- Deletion — request erasure of your personal data, subject to statutory retention obligations.
- Portability — export your data in CSV/Tally XML format.
- Grievance redressal — escalate concerns to our Grievance Officer.
To exercise these rights, email support@dawaidesk.online. We respond within 30 days.
9. Cookies
We use only essential cookies required for authentication (session tokens) and security (CSRF tokens). We do not use third-party advertising or tracking cookies. Optional analytics are anonymised and do not identify individual users.
10. Children's Privacy
DawaiDesk is a B2B product and is not directed to individuals under 18. We do not knowingly collect personal data from minors. If you believe we have such data, please contact us for immediate removal.
11. Cross-Border Data
Your data is primarily hosted in India (DigitalOcean Bangalore region). Limited operational data (email delivery, error logs) may transit through servers outside India, subject to contractual safeguards. We do not transfer personal data to countries prohibited by the Government of India.
12. Changes to This Policy
We will notify you of material changes via email and an in-app banner at least 15 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
13. Grievance Officer
We acknowledge complaints within 48 hours and aim to resolve them within 30 days, as per Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
© 2026 DawaiDesk. All rights reserved.