Basil ERP — Privacy Policy

1. Introduction and Scope

Basil ERP ("Basil", "we", "us", or "our") is a cloud-based retail management software platform accessible at basil.ind.in and through associated mobile applications. This Privacy Policy governs the collection, use, storage, sharing, and protection of personal and business data submitted by individuals and businesses ("Users", "you") who access or use the Basil platform.

By accessing our website or using our services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our platform immediately.

This policy applies to all users of Basil including shop owners, their employees, trial users, and channel partners. It covers data collected through our website, mobile applications, lead forms, and any communication channels including WhatsApp and email.

2. Information We Collect

2.1 Information You Provide Directly

• Account registration details: business name, owner name, mobile number, email address, city, and PIN code.
• Business information: shop type, number of products, billing preferences, and GST registration number (if applicable).
• Product and inventory data: item names, categories, purchase prices, selling prices, stock quantities, and barcode information that you enter into the platform.
• Billing and transaction data: sales records, purchase records, customer names, and payment amounts recorded during use.
• Payment information: subscription payment details processed through our payment gateway partners. We do not store full card numbers or UPI credentials directly.
• Support communications: messages, complaints, feedback, and requests submitted to our support team.

2.2 Information Collected Automatically

• Device information: device type, operating system, browser type, and screen resolution.
• Usage data: features accessed, pages visited, session duration, click patterns, and error logs.
• Location data: approximate city-level location based on IP address. We do not collect precise GPS coordinates unless explicitly enabled.
• Log files: server logs including IP address, timestamps, and referral URLs.
• Cookies and tracking: session cookies for authentication, analytics cookies for usage tracking, and marketing pixels for ad performance (including Meta Pixel for Facebook and Instagram advertising).

2.3 Information from Third Parties

• Payment gateway partners (such as Razorpay or similar) may share transaction status and partial payment details for subscription management.
• Meta (Facebook/Instagram) may share lead information from our ad campaigns, including name and phone number submitted through Lead Forms.
• Channel partners (CAs, resellers) who introduce clients to Basil may share basic business contact details.

3. How We Use Your Information

3.1 To Provide and Improve the Service

• Creating and managing your Basil account and subscription.
• Enabling core platform features: billing, inventory tracking, profit reports, and low-stock alerts.
• Storing your business data securely and making it accessible across your authorised devices.
• Diagnosing technical issues, bugs, and performance problems.
• Improving platform features based on anonymised usage patterns.

3.2 For Communication

• Sending transactional messages: account creation confirmations, payment receipts, subscription renewal reminders.
• Sending product updates, new feature announcements, and onboarding guidance via WhatsApp, email, or SMS.
• Responding to support requests and follow-up queries.
• Sending promotional communications to trial users and leads — you may opt out at any time.

3.3 For Marketing and Analytics

We use aggregated, anonymised data to understand platform performance and customer behaviour. We run targeted advertising on Meta (Facebook and Instagram) using customer lists and lookalike audiences. We do not sell your personal data to any third party. We do not use your business transaction data (your sales, pricing, inventory) for any purpose other than providing you the Basil service.

4. Data Storage and Security

All Basil data is stored on cloud servers located in India or in jurisdictions with adequate data protection standards. We implement:

• All data in transit encrypted using TLS/SSL (HTTPS).
• Data at rest encrypted using industry-standard AES-256 encryption.
• Access to production databases restricted to authorised engineering personnel only.
• Regular automated backups retained for a minimum of 30 days.
• Passwords stored using salted one-way cryptographic hashing. We do not store plaintext passwords.
• Access logs maintained and reviewed for unusual activity.

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

5. Data Sharing and Disclosure

We do not share your personal or business data with any third party except in the following circumstances:

• Service providers: We share limited data with trusted vendors who help us operate the platform — including cloud hosting providers, payment processors, email/SMS delivery services, and customer support tools. These vendors are bound by confidentiality obligations.
• Channel partners: If you were referred to Basil by a channel partner (such as a CA or reseller), that partner may be informed of your subscription status for commission calculation purposes only. They do not receive access to your business transaction data.
• Legal requirements: We may disclose data if required by applicable law, court order, or government authority, including under the Information Technology Act, 2000 and applicable Indian regulations.
• Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity. We will notify users of such a transfer.
• With your consent: We may share data in any other circumstance with your explicit prior consent.

6. Legal Basis for Processing

We process your personal data only when we have a valid legal basis:

• Contract: Account creation, subscription management, and core platform features are necessary to perform our contract with you.
• Consent: Analytics cookies, marketing communications, and optional features are processed based on your consent. You may withdraw consent at any time.
• Legitimate interest: Fraud prevention, security, platform improvement, and anonymised analytics serve our legitimate interests while respecting your rights.
• Legal obligation: We retain payment and GST-related data as required by financial regulations.

7. Your Rights as a User

As a user of Basil, you have the following rights with respect to your personal data:

• Access: You may request a copy of the personal data we hold about you.
• Correction (Rectification): You may request correction of inaccurate or incomplete data.
• Deletion (Erasure): You may request deletion of your account and associated personal data. Note that certain data may be retained for legal or regulatory compliance purposes.
• Portability: You may request an export of your business data (inventory, sales records) in a machine-readable format before account deletion.
• Right to object: You may object to processing based on legitimate interests, including profiling and direct marketing. We will cease such processing unless we demonstrate compelling legitimate grounds.
• Restriction of processing: You may request that we restrict processing where the accuracy is contested, processing is unlawful, or we no longer need the data.
• Opt-out of marketing: You may opt out of promotional communications at any time by replying STOP to any message or contacting us at support@basil.ind.in.
• Withdrawal of consent: You may withdraw consent for data processing at any time. This will not affect the lawfulness of processing prior to withdrawal.

Grievance redressal (India): Under the Digital Personal Data Protection Act, 2023, you may approach our Grievance Officer or the Data Protection Board of India for redressal of your grievances.

To exercise any of these rights, contact us at support@basil.ind.in or use the self-service options at basil.ind.in/data-privacy. We will respond within 30 working days.

8. Data Protection Contact

For privacy-related inquiries, data subject requests, or to contact our data protection contact, email support@basil.ind.in. We will direct your request to the appropriate person. Under the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer to address your concerns.

9. International Data Transfers

Basil data may be stored and processed in India, the European Union, or other jurisdictions where our service providers operate. We ensure that any cross-border transfers comply with the Digital Personal Data Protection Act, 2023 and applicable Indian regulations. Our service providers are bound by contractual obligations to protect your data.

10. Subprocessors

We use the following categories of subprocessors to operate our platform. Each is bound by data processing agreements:

• Cloud infrastructure: Amazon Web Services (AWS) — data storage and compute
• Payment processing: Razorpay (India), Stripe (EU/international)
• Email/SMS delivery: SMTP providers, AWS SES, and SMS gateways
• Analytics: Vercel Analytics (when consent given)
• Advertising: Meta (Facebook/Instagram) Pixel (when consent given)
• Customer support: Email and support tools

We do not sell your personal data. For an updated list of subprocessors, contact support@basil.ind.in.

11. Cookies Policy

Basil uses cookies and similar tracking technologies to operate the platform and improve user experience:

• Essential cookies: Required for login sessions, security tokens, and basic platform functionality. These cannot be disabled.
• Analytics cookies: Used to understand how users interact with our platform (e.g., Google Analytics). These collect anonymised usage data.
• Marketing pixels: Meta Pixel and similar tracking scripts that help us measure ad campaign effectiveness and build retargeting audiences.

You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect your ability to use the core Basil platform.

12. Data Retention

• Active account data is retained indefinitely while your subscription is active.
• Upon account deletion, personal data is deleted within 60 days. Business transaction data may be retained in anonymised form for analytics purposes.
• Payment records and GST-related transaction data may be retained for up to 7 years to comply with Indian financial regulations.
• Support communication records are retained for 2 years.
• Backup copies may persist for up to 90 days after deletion before being permanently removed from all backup systems.

13. Children's Privacy

Basil is a business software platform intended for use by adults operating retail businesses. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that a minor has provided personal information, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify users via email or a prominent notice within the Basil platform at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

The current version of this Privacy Policy is always available at basil.ind.in/privacy-policy.

15. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of India, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023.

Any disputes arising in relation to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in Mumbai, India.