Privacy Policy

1. Introduction

Welcome to ORENX ("we," "us," or "our"). ORENX is an early-stage startup building a comprehensive inventory management and business ERP platform designed specifically for Indian businesses. Our Udyam Registration certificate is currently pending.

This Privacy Policy describes how we collect, use, process, and protect your personal data and business information when you access or use our website, web application, and related services (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.

2. Information We Collect

We collect various types of information to provide and improve our Services. The categories of information we collect include:

2.1 Personal Information

When you create an account and use our Services, we collect:

• Account Information: Full name, email address, phone number, and password (stored as a bcrypt hash)
• Organization Information: Business name, business type, GST number (optional), organization size, and industry
• Profile Information: Profile picture, role within the organization, and user preferences

2.2 Business Data

To provide inventory management and business ERP services, we store the following business data that you enter into the platform:

• Products and Inventory: Product details, SKUs, categories, stock levels, pricing, and inventory transactions
• Parties: Customer and supplier information, contact details, and transaction history
• Work Orders: Manufacturing and production order details, workflows, and status tracking
• Locations: Warehouse and storage location information, including addresses and zone configurations
• Units of Measurement (UOMs): Custom and standard units of measurement used in your business operations

2.3 Payment Information

When you subscribe to our paid plans, we collect and process payment-related information:

• Razorpay Identifiers: Razorpay customer ID, subscription ID, and payment ID
• Subscription Data: Plan details, billing cycle, subscription status, and renewal dates
• Coupon Usage: Applied discount codes and promotional offers

2.4 AI and Usage Data

When you interact with our AI-powered features, we collect:

• AI Interactions: Queries, prompts, and responses generated through our AI assistant features
• OCR Data: Images and documents uploaded for optical character recognition processing
• AI Logs: Processing logs, model responses, and interaction metadata for quality improvement
• Conversations: Chat history and conversational context with our AI systems

2.5 Technical Data

We automatically collect certain technical information when you use our Services:

• Authentication Tokens: JWT tokens and session identifiers for secure access
• OAuth Data: Google OAuth tokens and associated profile information (when using Google Sign-In)
• Device Information: Browser type, operating system, screen resolution, and device identifiers
• Usage Analytics: Pages visited, features used, click patterns, session duration, and interaction data

3. How We Use Your Information

We use the information we collect for the following purposes:

1. Service Provision: To provide, operate, and maintain our inventory management platform and all its features, including product tracking, party management, work orders, and reporting
2. Account Management: To create and manage your user account, authenticate your identity, and maintain your organization's workspace and team member access
3. Payment Processing: To process subscription payments, manage billing cycles, apply coupons and discounts, handle refunds, and maintain accurate financial records through our payment partner Razorpay
4. AI Features: To power our AI assistant, provide intelligent inventory insights, process OCR requests, generate business analytics, and continuously improve our AI models and algorithms
5. Communication: To send you important service updates, security alerts, billing notifications, feature announcements, and respond to your support inquiries and feedback
6. Analytics and Improvement: To analyze usage patterns, identify trends, measure feature adoption, diagnose technical issues, and improve the overall quality and performance of our Services
7. Security: To detect, prevent, and address fraud, unauthorized access, security breaches, and other potentially harmful or illegal activities
8. Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests under Indian law, including GST regulations and the Information Technology Act, 2000

4. AI Services and Data Processing

ORENX uses Google Cloud's Vertex AI platform to power our artificial intelligence features. Understanding how your data is processed by these services is important to us.

AI Capabilities

Our AI features leverage Vertex AI (Google Cloud) for the following capabilities:

• Natural Language Processing (NLP): Understanding and processing your text-based queries and commands
• Conversational AI: Powering our intelligent business assistant for inventory queries, insights, and recommendations
• Embeddings: Creating vector representations of your data for intelligent search and similarity matching
• Optical Character Recognition (OCR): Extracting text and data from uploaded images and documents such as invoices, purchase orders, and receipts

Data Processing Location

AI processing data is sent to Google Cloud's us-central1 region for processing. This means your AI-related queries and data may be transferred to and processed in data centers located in the United States.

AI Processing Necessity: The use of AI features is integral to providing our core service functionalities. By using AI-powered features within ORENX, you consent to the processing of your data as described above. You may choose not to use specific AI features, but this may limit your access to certain functionalities of the platform.

5. Payment Processing

We use Razorpay as our payment gateway for processing all subscription payments and financial transactions. Razorpay is PCI-DSS Level 1 compliant, which is the highest level of certification available in the payments industry.

What We Store

• Razorpay customer ID and subscription ID
• Payment transaction IDs and status
• Subscription plan details and billing cycle information
• Coupon codes and discount applications
• Payment history and invoice records

What Razorpay Handles

• Full credit/debit card numbers and CVV
• Bank account details for UPI and net banking
• Tokenized card information
• Payment authentication (3D Secure, OTP)

Payment Security

All payment transactions are encrypted and processed securely through Razorpay's infrastructure. We never have access to your complete payment card details. For more information about how Razorpay handles your payment data, please visit Razorpay's Privacy Policy.

6. Data Storage and Security

We take the security of your data seriously and implement multiple layers of protection to ensure your information remains safe.

Database Infrastructure

• Supabase PostgreSQL: All business data is stored in a managed PostgreSQL database hosted by Supabase
• Row Level Security (RLS): Database-level security policies ensure that users can only access data belonging to their organization
• Multi-Tenant Architecture: Each organization's data is logically isolated using organization-level access controls
• Security Definer Functions: Critical database operations use security definer functions to enforce strict access control at the database level

Encryption

• In Transit: All data transmitted between your browser and our servers is encrypted using HTTPS with TLS 1.3
• At Rest: Data stored in our databases is encrypted at rest using industry-standard encryption algorithms
• JWT Tokens: Authentication tokens are cryptographically signed and have limited expiration periods
• Password Hashing: User passwords are hashed using bcrypt with appropriate salt rounds, ensuring passwords are never stored in plain text

Authentication and Access Control

• Supabase Auth: We use Supabase's built-in authentication system for secure user authentication and session management
• Google OAuth: Optional Google Sign-In integration for convenient and secure authentication
• Role-Based Access Control (RBAC): Users are assigned roles (owner, admin, member) with granular permissions controlling access to features and data
• Protected Routes: All application routes and API endpoints are protected with authentication middleware
• API Security: All API requests require valid authentication tokens and are rate-limited to prevent abuse

7. Data Sharing and Third-Party Services

We do not sell, trade, or rent your personal information to third parties. We only share your data in the following limited circumstances:

Third-Party Service Providers

We share data with the following trusted service providers who assist us in operating our platform:

• Supabase: Database hosting, authentication services, and file storage
• Razorpay: Payment processing and subscription management
• Google Cloud (Vertex AI): AI/ML processing, natural language processing, and OCR services

Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal requests, including:

• Compliance with the Income Tax Act, 1961 and GST regulations
• Court orders, subpoenas, or legal processes
• Requests from law enforcement or government authorities
• Protection of our legal rights, property, or safety, or that of our users and the public

8. Data Retention Policy

We retain your information for as long as necessary to provide our Services and fulfill the purposes described in this Privacy Policy. Specific retention periods are as follows:

Data Deletion Process

When you request deletion of your account or specific data, we will remove or anonymize your information within 30 days, except for data that we are legally required to retain (such as financial records for tax compliance). You may request data deletion by contacting us at contact@orenx.in.

9. Your Rights Under DPDP Act 2023

Under the Digital Personal Data Protection (DPDP) Act, 2023, you have the following rights regarding your personal data:

• Right to Access: You have the right to obtain confirmation of whether we process your personal data and to access a summary of your data and the processing activities
• Right to Correction: You have the right to request the correction of inaccurate or incomplete personal data, and to update your information to ensure it is complete and up to date
• Right to Erasure: You have the right to request the deletion of your personal data, subject to legal retention requirements and legitimate business needs
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format
• Right to Withdraw Consent: You have the right to withdraw your consent for data processing at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal

To exercise any of these rights, please contact us at contact@orenx.in. We will respond to your request within 30 days of receiving it.

10. Cookies and Local Storage

ORENX uses cookies and browser local storage to enhance your experience and ensure the proper functioning of our Services.

What We Store Locally

• Authentication Tokens: JWT tokens stored in localStorage for maintaining your login session across page refreshes
• OAuth State: Temporary state parameters used during Google OAuth authentication flow to prevent CSRF attacks
• User Preferences: Theme settings, language preferences, sidebar state, and other UI customization choices

Managing Cookies

You can control and manage cookies through your browser settings. Please note that disabling cookies or clearing localStorage may affect the functionality of our Services, particularly authentication and session management. You may need to log in again if you clear your browser's stored data.

11. Children's Privacy

ORENX is a business-to-business (B2B) platform designed for business professionals and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18 years of age. If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete that information. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@orenx.in so we can take appropriate action.

12. International Data Transfers

While ORENX primarily serves Indian businesses, some of your data may be processed in international locations due to our use of third-party services:

• Supabase: Your business data is stored in Supabase data centers. The specific data center location depends on the project configuration and may include international regions
• Google Cloud (Vertex AI): AI processing is performed in the us-central1 (Iowa, United States) region

We ensure that any international data transfers are conducted in compliance with applicable data protection laws and that appropriate safeguards are in place to protect your information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• We will post the updated Privacy Policy on this page with a revised "Last Updated" date
• For significant changes that materially affect how we process your personal data, we will notify you via email at the address associated with your account
• We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data

Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the updated terms.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us:

Related Policies

Please also review our other policies to understand how we operate: