Privacy Policy

OnGravy Technologies Private Limited (in formation), CIN [CIN — to be assigned by MCA at incorporation] is the data fiduciary under the DPDP Act 2023. Our Grievance Officer is reachable at grievance@ongravy.com.

• Account data: name, email, phone, business name, GSTIN, role.
• Customer Data: transactions, vouchers, invoices, employees, salaries — everything you input or upload.
• Usage data: page views, feature usage, error logs (no input content).
• Device data: IP, user-agent, locale (for security and abuse-prevention only).

We do not collect: government IDs (Aadhaar/PAN of individuals beyond what you enter for your own filings), biometrics, browsing history outside OnGravy.

• Operate the service for you (legitimate use under DPDP §7).
• Generate AI-assisted suggestions when you invoke an AI feature.
• Detect fraud, abuse, and security incidents.
• Communicate service messages (billing, downtime, security).
• Comply with statutory retention (Companies Act §128, IT Act §44AA — 7 years).

We do not use Customer Data for advertising, profiling outside OnGravy, or sale to any third party.

To deliver the service we use the following processors. Full list with purposes is at /legal/dpa:

• Supabase (database, auth, storage) — Singapore region.
• Razorpay (subscription billing) — India.
• Anthropic, OpenAI, Google AI (AI features when you invoke them) — US/EU. Prompts you submit are sent; responses returned. None of these providers train on Customer Data per their API terms.
• Resend (transactional email) — US.
• Sentry (error monitoring, optional) — US/EU.
• Vercel (hosting) — global edge.

You can exercise any of the following at any time:

• Access — download all your data via Settings → Data Export, or GET /api/account/export.
• Correction — edit fields in-app or write to the Grievance Officer.
• Erasure — Settings → Account → Delete, or POST /api/account/delete. Audit-trail entries retained 7 years per legal exemption (DPDP §17).
• Grievance — email grievance@ongravy.com; we respond within 7 working days. Unresolved grievances may be escalated to the Data Protection Board of India.

Customer Data is stored encrypted at rest (AES-256, Supabase managed) and in transit (TLS 1.2+). Access is enforced via Supabase Row-Level Security policies — no service-role keys leave the server. Audit-trail entries are hash-chained so tampering is detectable. We perform a security audit annually and patch critical CVEs within 7 days.

Primary database: Singapore (Supabase ap-southeast-1). Backups: same region, encrypted. Cross-border transfers happen only to AI providers when you invoke a feature that uses them, and to Razorpay for billing. No transfer to a country DPDP §16 prohibits.

OnGravy is not intended for users under 18. We do not knowingly collect children’s personal data. If you believe we have, write to the Grievance Officer and we will erase it.

Material changes will be emailed to account owners 14 days in advance. Minor edits (typos, structural) are made in place with the “Last updated” date refreshed.

Grievance Officer: Pratik Revankar, grievance@ongravy.com
Postal address: [Registered office — to be confirmed at incorporation]
Response time: within 7 working days