This Privacy Policy explains how ERP ("we", "us") collects, uses, and protects information when you use our Service.
1. Who we are
ERP is operated from Pakistan. We are the "data controller" for the account-level information of our customers (the workspace owner and team users). The customer is the data controller for the business data they store inside their workspace (their customers, suppliers, inventory, etc.) — we act as the "data processor" for that data.
2. What we collect
2.1 Information you give us directly
- Account info: business name, your name, email, phone (optional), workspace subdomain, business type, plan selection;
- Authentication: password (stored hashed using industry-standard bcrypt), 2FA secret if you enable two-factor authentication;
- Billing info: for paid plans — transaction receipts, payment method details processed by our payment gateways;
- Support requests: the content of any emails or messages you send to support.
2.2 Information collected automatically
- Usage data: pages visited inside your workspace, features used, error logs;
- Device data: browser type, operating system, IP address, device fingerprint (used for the optional device-lock security feature);
- Cookies: session cookies for keeping you logged in (see Cookies section);
- Audit log: every login, logout, and key action (invoice created, voucher posted, etc.) is logged in your workspace for security and compliance.
2.3 Information YOU upload (business data)
This covers anything you enter inside your workspace: customer records, products, invoices, accounting entries, attachments, etc. We process this on your behalf as a data processor. We do not analyse it for marketing or any purpose other than running your workspace.
3. How we use your information
We use the information we collect to:
- Provide, maintain, and improve the Service;
- Authenticate you and secure your account;
- Process payments and prevent fraud;
- Send transactional emails (welcome, expiry reminders, low-pool alerts, password resets);
- Respond to support requests;
- Generate aggregated, anonymised statistics to understand product usage (no individual identification);
- Comply with legal obligations (tax records, lawful requests from Pakistani authorities).
We do not sell your personal data. We do not use your business data to train AI models or share it with advertisers.
4. How we store & protect your data
- Database isolation. Every workspace gets its own dedicated MySQL database — your data is never in the same table as anyone else's;
- Encryption in transit. All connections use TLS 1.2+ (HTTPS only);
- Encryption at rest. Database connection credentials and backup archives are encrypted at rest using AES-256;
- Backups. We take nightly off-site backups, encrypted, retained for 30 days;
- Access controls. Only authorised platform staff can access systems, and only for the minimum necessary purposes (e.g., debugging a specific support issue). All access is logged;
- Patching. We keep our infrastructure and dependencies patched against known vulnerabilities.
5. Third-party services we use
We rely on a small set of vetted infrastructure providers. They process limited data strictly to enable the Service:
- Hostinger — application hosting, MySQL databases;
- Backblaze B2 / AWS S3 — encrypted backup storage;
- SMTP / email providers — transactional email delivery (welcome, alerts);
- Payment gateways (when activated) — payment processing only.
Each provider has their own privacy policy. We choose providers that maintain enterprise-grade security and respect customer data privacy.
6. Your rights
You have the right to:
- Access the personal information we hold about you;
- Correct inaccurate information (most via the in-app settings);
- Export a copy of your workspace data;
- Delete your account and have your data removed (subject to legal retention requirements for finance/tax records);
- Object to certain processing — though most processing is essential to providing the Service you signed up for;
- Withdraw consent for optional features (e.g. marketing emails) at any time.
To exercise these rights, email contact{{ $host }} from the account email on file. We respond within 30 days.
7. Cookies
We use only essential cookies:
- Session cookie — keeps you logged in. Expires when you log out or after 2 hours of inactivity;
- XSRF token — protects against cross-site request forgery attacks.
We do not use tracking cookies, advertising cookies, or third-party analytics scripts that track you across the web.
8. Data retention
While your workspace is active, we retain your data indefinitely so you can use it. When your subscription ends:
- Read-only access for 30 days (in case you change your mind);
- Then your tenant database is permanently deleted;
- Backups containing your data are retained for an additional 30 days, then deleted from off-site storage;
- Account billing records may be retained for up to 7 years to comply with Pakistani tax law.
9. International data transfers
Your primary database is hosted in [data center region — currently the same region as your account]. Backups are stored on Backblaze B2 / AWS S3 servers which may be located outside Pakistan. We rely on these providers' security and data-protection commitments.
10. Children
The Service is intended for use by businesses and adults aged 18 or older. We don't knowingly collect personal information from anyone under 18. If we learn we have, we delete it immediately.
11. Changes to this policy
We may update this Privacy Policy as our practices evolve. We'll notify you by email or in-app notice for material changes at least 30 days before they take effect.
12. Contact
For privacy questions or to exercise your rights:
- Email: contact{{ $host }}
- Subject line: "Privacy Request"
See also our Terms of Service and Refund Policy.