Privacy Policy

1. Introduction & Scope

This Privacy Policy explains how Compreo Business Systems India Private Limited ("Compreo", "we", "us" or "our") collects, uses, shares and protects personal data when you access or use the Compreo Platform — our enterprise resource planning (ERP) and low-code product — together with its associated Customer Portal, Vendor Portal, Field-Sales Portal, websites, and mobile applications (collectively, the "Services"). It applies to visitors, registered users, customer and vendor representatives, and field personnel who interact with the Services. This Policy does not govern the underlying business records that our customers (acting as data controllers/data fiduciaries) choose to process within their own tenant of the Compreo Platform, for which the relevant customer's own privacy notice applies. By using the Services, you acknowledge the practices described in this Policy.

2. Who We Are

Compreo Business Systems India Private Limited is the entity responsible for the personal data processed in connection with our own websites, marketing, account administration and the operation of the Services, and acts as the data controller (under the EU General Data Protection Regulation, "GDPR") and Data Fiduciary (under India's Digital Personal Data Protection Act, 2023, the "DPDP Act") for that data. Our registered office is at [registered office address], [city], India. For privacy questions or to exercise your rights, contact us at privacy@compreo.ai. Our Grievance Officer / Data Protection Officer for the purposes of the DPDP Act is [grievance officer name], reachable at [grievance officer email] or [grievance officer phone].

Note on roles: Where we process personal data on behalf of a customer within their Compreo tenant (for example, employee, customer or vendor records the customer enters), we act as a data processor / Data Processor and the customer is the controller/Data Fiduciary. In those cases we process such data under our agreement with the customer and only on their documented instructions.

3. Information We Collect

We collect the following categories of personal data, depending on how you interact with the Services:

• Account & contact data. Identifiers and credentials you provide when an account is created for you or when you contact us, such as name, business email, phone number, job title, employer/organisation, username, and authentication details (for example, hashed passwords and multi-factor settings).
• Business & operational data you enter. Information you or your organisation input into the Platform and its portals in the course of using the Services — for example, purchase orders, vendor and customer records, approvals, attendance entries, and field-sales activity. Much of this is your organisation's content; where it includes personal data, we process it as described in Section 2.
• Usage & log data. Records of how the Services are used, including pages and screens viewed, features and modules accessed, actions taken (such as approvals, submissions and revisions), timestamps, referring URLs, and error and diagnostic logs.
• Device & app data. Technical information about the devices and software you use, such as IP address, browser type and version, operating system, device identifiers, app version, language settings, and crash data.
• Cookies & similar technologies. Information collected through cookies, local storage and similar technologies on our websites and web portals, as described in Section 6 and our Cookie Policy.

4. How We Use Your Information

We use personal data to provide, operate, maintain and secure the Services, including authenticating users, provisioning tenants, enabling the Customer, Vendor and Field-Sales portals, and processing the workflows you initiate. We use it to communicate with you about your account, service updates, support requests and security notices, and — where permitted — to send product or marketing communications you can opt out of. We also use it to improve and develop the Services through analytics and aggregated usage insights, to provide customer support and troubleshoot issues, and to monitor for, prevent and investigate fraud, abuse, security incidents and other prohibited activity. Finally, we use personal data to comply with our legal, regulatory, tax and contractual obligations and to establish, exercise or defend legal claims.

5. Legal Bases (GDPR) / Lawful Processing (DPDP)

Where the GDPR applies, we rely on one or more of the following legal bases: performance of a contract (to provide the Services and administer your account); our legitimate interests (to secure, improve and market our Services, where not overridden by your rights); your consent (for example, for certain cookies and marketing, which you may withdraw at any time); and compliance with a legal obligation. Where the DPDP Act applies, we process personal data on the basis of your consent or for certain legitimate uses recognised under the Act, and we provide notice of the purposes of processing as required. Where we act as a processor/Data Processor for a customer, that customer is responsible for establishing the appropriate legal basis or lawful ground for the processing they direct.

6. Cookies

Our websites and web-based portals use cookies and similar technologies to keep you signed in, remember your preferences, maintain session security, and understand and improve how the Services are used. Some cookies are strictly necessary for the Services to function, while others (such as analytics and preference cookies) are used only where permitted or with your consent. You can manage non-essential cookies through your browser settings or any consent tools we provide. For full details on the cookies we use and your choices, please see our Cookie Policy.

7. How We Share Your Information

We do not sell your personal data. We share it only in the following circumstances:

• Service providers and sub-processors. We engage trusted third parties to perform functions on our behalf — such as cloud hosting, infrastructure, email delivery, analytics, customer support and security tooling — who are bound by contractual obligations to protect personal data and process it only on our instructions.
• Hosting on Microsoft Azure. The Compreo Platform and its portals are hosted on Microsoft Azure. Microsoft acts as our hosting and infrastructure sub-processor and maintains its own security and compliance certifications for its data-centre and cloud services.
• Within your organisation. Personal data entered into the Platform may be visible to authorised users of the same customer tenant in accordance with the roles and permissions configured by your organisation's administrators.
• Legal, safety and corporate transactions. We may disclose personal data where required to comply with applicable law, regulation, legal process or enforceable governmental request; to enforce our terms; to protect the rights, property or safety of Compreo, our users or others; or in connection with a merger, acquisition, financing or sale of assets, subject to appropriate safeguards.

8. International Transfers

We are based in India and host the Services on Microsoft Azure; depending on the configured region and the location of our sub-processors, personal data may be processed or stored in countries other than the one in which you are located. Where personal data originating in the European Economic Area, the United Kingdom or Switzerland is transferred to a country that has not been recognised as providing an adequate level of protection, we put in place appropriate safeguards such as the European Commission's Standard Contractual Clauses and supplementary measures as needed. For transfers of personal data subject to the DPDP Act, we transfer data only in accordance with the requirements of that Act and any restrictions notified by the Government of India. You may contact us at privacy@compreo.ai for more information about the safeguards we apply.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, including to provide the Services, maintain your account, comply with our legal, tax and accounting obligations, resolve disputes and enforce our agreements. Retention periods vary according to the type of data, the purpose for which it is processed and applicable legal requirements. Where we process personal data on behalf of a customer, retention and deletion of that data within the customer's tenant are governed by our agreement with the customer and their instructions, including on termination of their subscription. When personal data is no longer required, we securely delete, anonymise or otherwise dispose of it in accordance with our retention practices.

10. Security

We maintain administrative, technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration and destruction — including encryption in transit, role- and permission-based access controls, network and application security controls, logging and monitoring, and the security capabilities of our Microsoft Azure hosting environment. While we work to safeguard your information, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for configuring user roles and permissions appropriately within your tenant. For more detail on our security program, please see our Security page.

11. Your Rights

Subject to applicable law, you have rights over your personal data. Under the GDPR these include the rights of access, correction (rectification), erasure, restriction of processing, data portability, and objection to certain processing, as well as the right to withdraw consent and to lodge a complaint with your local supervisory authority. Under the DPDP Act, these include the rights to access information about your personal data, to correction and erasure, to grievance redressal, and to nominate another individual to exercise your rights in the event of death or incapacity. To exercise any of these rights, contact us at privacy@compreo.ai or our Grievance Officer at [grievance officer email]; we will respond within the timeframes required by applicable law and may need to verify your identity first. Where Compreo acts as a processor/Data Processor on behalf of a customer, please direct your request to that customer (the controller/Data Fiduciary), and we will assist them as required.

12. Mobile App Permissions, Data & Account Deletion

Our mobile applications — including those supporting the Field-Sales Portal and attendance and approval workflows — may request certain device permissions to deliver their features. These typically include:

• Camera. To capture photos or scan documents and codes for field activities, attachments and verification, used only when you actively initiate the relevant function.
• Location. To support field-sales activities and attendance check-in, where your organisation has enabled these features; location is collected only as needed for those functions and in line with the configuration set by your organisation.
• Storage / files. To select, attach, download or cache documents and images used within the app.

You can grant or revoke these permissions at any time through your device's operating-system settings, though disabling a permission may limit related functionality. We collect mobile device & app data (such as app version, device identifiers and crash logs) as described in Section 3. You may request deletion of your account and associated personal data, including data collected through our mobile apps; for instructions and the request process, please see our Account & Data Deletion page. Note that some data may be retained where required for legal, security or legitimate business purposes as described in Section 9, and that data held within a customer's tenant is subject to that customer's control.

13. Children

The Services are designed for business and enterprise use and are not directed to children. We do not knowingly collect personal data from children below the age at which consent is required under applicable law (including as defined under the DPDP Act). If you believe a child has provided us with personal data, please contact us at privacy@compreo.ai and we will take appropriate steps to delete it. Where the DPDP Act applies, we will obtain verifiable consent and apply the additional protections required for the processing of children's personal data.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or legal and regulatory requirements. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice through the Services or by other means. We encourage you to review this Policy periodically. Your continued use of the Services after an update takes effect indicates your awareness of the revised Policy.

15. Contact Us

If you have any questions, concerns or requests regarding this Privacy Policy or our handling of your personal data, please contact us:

Compreo Business Systems India Private Limited
[registered office address], [city], India
Privacy enquiries: privacy@compreo.ai
Grievance Officer / Data Protection Officer: [grievance officer name] — [grievance officer email] — [grievance officer phone]

If you are located in the European Economic Area, the United Kingdom or Switzerland, you also have the right to lodge a complaint with your local data protection supervisory authority. If you are in India, you may raise a grievance with our Grievance Officer and, where applicable, with the Data Protection Board of India under the DPDP Act.

Related: Terms & Conditions · Cookie Policy · Security · Account & Data Deletion