Compliance Standards: EU GDPR 2016/679 · UK GDPR · CCPA/CPRA · LGPD (Brazil) · India DPDP Act 2023 · Singapore PDPA · Pakistan PDPB
1. What Personal Data We Collect
1.1 Data You Provide
- Account registration: name, email, company name, country, phone number, password (stored as a one-way hash — never in plaintext)
- Billing: billing address (payment card data is processed exclusively by Paddle.com and never stored by Us)
- Business records: customer details, supplier details, transactions, and inventory data entered into the platform
- Support communications: messages sent to our support team
- CRM / lead form: name, email, company, phone, country, and notes submitted via website forms
1.2 Data Collected Automatically
- Usage data: features used, pages visited, session duration, clickstream events
- Device and technical data: IP address, browser type, operating system, referring URL
- Cookies and tracking: see Section 10 (Cookie Policy)
- Log data: server access logs retained for 90 days for security monitoring
2. Legal Basis for Processing (GDPR / UK GDPR)
| Processing Purpose | Legal Basis (GDPR Art. 6) | Details |
|---|---|---|
| Provide and maintain the platform | Art. 6(1)(b) — Contract | Required to fulfil Your Subscription |
| Process payments via Paddle.com | Art. 6(1)(b) — Contract | Required for billing |
| Respond to support requests | Art. 6(1)(f) — Legitimate Interests | Providing customer service |
| Improve platform features | Art. 6(1)(f) — Legitimate Interests | Analysing anonymised usage patterns |
| Send product/marketing emails | Art. 6(1)(a) — Consent | You may withdraw at any time |
| Comply with legal obligations | Art. 6(1)(c) — Legal Obligation | Tax, accounting, regulatory law |
| Detect fraud and security threats | Art. 6(1)(f) — Legitimate Interests | Protecting users and the platform |
3. Automated Decision-Making and Profiling
We do not make decisions about You based solely on automated processing that produces legal or similarly significant effects. Our AI Business Insights feature (Enterprise plan) generates suggestions and forecasts for informational purposes only — no automated decisions with legal effect are made without human review.
If this changes in the future, We will update this Policy and, where required by GDPR Art. 22, obtain Your explicit consent.
4. Data Sharing and Disclosure
We do not sell Your personal data.
We may share data with the following categories of recipients:
- Paddle.com — payment processing; receives billing address and transaction data as independent data controller
- Cloud infrastructure providers — host the platform and Customer Data (bound by DPAs with GDPR-equivalent protection)
- Email delivery services — for transactional emails (invoices, resets, notifications)
- Analytics providers — receive only anonymised, aggregated usage data
- Legal and regulatory authorities — if required by court order, regulation, or to protect Our legal rights
- Business transfers — in the event of a merger, acquisition, or sale of assets (You will be notified in advance)
Sub-Processor Commitment
We maintain a current list of all third-party sub-processors who process Customer Data on Our behalf. This list is available upon request at legal@bizoraerp.com. We will provide at least 30 days' notice of any new sub-processor or material change.
5. Data Processing Agreement (DPA)
If You are a business customer and applicable data protection law requires a Data Processing Agreement (e.g., You are located in the EU/EEA or UK, or You process EU personal data), You may request Our standard DPA at legal@bizoraerp.com. The DPA governs Our processing of personal data on Your behalf as Data Processor and incorporates the EU Standard Contractual Clauses (SCCs).
6. International Data Transfers
| Transfer | Safeguard Mechanism |
|---|---|
| EU/EEA → Pakistan | EU Standard Contractual Clauses (SCCs) incorporated in our DPA |
| UK → Pakistan | UK International Data Transfer Agreement (IDTA) |
| Brazil → Pakistan | LGPD Art. 33 — contractual clauses equivalent to LGPD standards |
| India → Pakistan | India DPDP Act 2023 cross-border transfer provisions |
| Singapore → Pakistan | Singapore PDPA — data transfer contractual obligations |
| All jurisdictions → Cloud providers | DPAs with EU SCCs ensure equivalent protection |
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of Subscription + 6 months post-termination |
| Customer Data (ERP records) | Duration of Subscription + 30-day export window; then securely deleted |
| Financial transaction records | 7 years (Pakistan tax law; EU VAT compliance) |
| Support communications | 3 years from last communication |
| Marketing consent records | Until consent withdrawn + 3 years |
| Server access logs | 90 days |
| GDPR rights request records | 5 years (to demonstrate compliance) |
| CCPA rights request records | 24 months |
8. Your Rights — by Jurisdiction
8.1 EU / UK / EEA (GDPR and UK GDPR)
- Right of Access (Art. 15): Receive a copy of all personal data We hold about You
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of Your personal data in certain circumstances
- Right to Restriction (Art. 18): Request We restrict processing in certain circumstances
- Right to Data Portability (Art. 20): Receive Your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing for direct marketing or on legitimate-interest grounds
- Right to Lodge a Complaint: Lodge a complaint with Your national Data Protection Authority (DPA)
8.2 California (CCPA / CPRA)
- Right to Know: Request disclosure of categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information (subject to exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do NOT sell personal information. No opt-out button is required.
- Right to Non-Discrimination: We will not discriminate against You for exercising CCPA rights
- Response time: 45 days (extendable by a further 45 days with notice)
8.3 Brazil (LGPD)
- Right of access, correction, deletion, portability, and information about third-party sharing
- Right to revoke consent at any time
- Right to object to processing based on illegitimate grounds
- Right to lodge a complaint with the ANPD
- Response time: 15 days as required by LGPD Art. 19
8.4 India (DPDP Act 2023)
- Right to access information about personal data processed
- Right to correction and erasure of inaccurate or unnecessary personal data
- Right to grievance redressal
- Right to nominate a person to exercise rights in the event of death or incapacity
8.5 Singapore (PDPA)
- Right of access and correction of personal data held by Us
- Right to withdraw consent, subject to legal or contractual restrictions
- Right to data portability (where applicable under PDPA amendments)
To exercise any of the above rights, submit a request to legal@bizoraerp.com. We will acknowledge within 72 hours and respond within the applicable statutory deadline. There is no charge for exercising Your rights.
9. Data Security
- Encryption in transit: all data transmitted over HTTPS using TLS 1.2+
- Encryption at rest: AES-256 encryption for all stored data
- Access controls: role-based access controls; principle of least privilege
- Regular security assessments and vulnerability scanning
- Personnel training: all staff handling personal data receive data protection training
Personal Data Breach Notification
- Notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33 / UK GDPR)
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights
- Notify Enterprise Customers within 24 hours of confirmed breach detection
- Maintain a breach register as required by GDPR Art. 33(5)
10. Cookie Policy
| Cookie Type | Purpose | Can Be Disabled |
|---|---|---|
| Strictly Necessary | Authentication, session management, security — required for core platform function | No |
| Functional | Remember preferences (timezone, language, billing toggle) — improve user experience | Yes |
| Analytics | Understand how visitors use the website; all data is aggregated and anonymised | Yes |
| Marketing | Targeted communications — only activated with Your explicit opt-in consent | Yes (requires opt-out) |
Do Not Track (DNT): Our website honours Do Not Track (DNT) signals sent by browsers. When a DNT signal is detected, We disable non-essential analytics and marketing cookies automatically for that session.
11. Children's Privacy
The Services are not directed at children under 16 (or 13 where jurisdiction requires). We do not knowingly collect personal data from children. If We discover We have inadvertently collected data from a child, We will delete it immediately. Parents or guardians who believe their child's data has been collected may contact legal@bizoraerp.com.
12. Changes to This Policy
We may update this Policy from time to time. We will post the updated Policy at www.bizoraerp.com/privacy and notify You by email or in-app notification at least 30 days before significant changes take effect.
13. Data Protection Officer / Contact
| Role | Details |
|---|---|
| Data Controller | Bizora Technologies (Pvt) Ltd — Registered in Pakistan |
| DPO / Legal Email | legal@bizoraerp.com |
| General Contact | info@bizoraerp.com |
| GDPR Supervisory Authority | Your national DPA (e.g., ICO in UK, CNIL in France, BfDI in Germany) |
| ANPD (Brazil) | https://www.gov.br/anpd |
| PDPC (Singapore) | https://www.pdpc.gov.sg |
| Response Commitment | GDPR: 30 days · CCPA: 45 days · LGPD: 15 days · India DPDP: 30 days |