Privacy Policy
How BizFlow360 collects, uses, stores and protects the data we process on behalf of merchants and their customers.
Effective: 16 May 2026 · Operator: Labhyansh Infotech Pvt Ltd · Contact: info.bizflow360@gmail.com
1. Who we are and what this policy covers
BizFlow360 is operated by Labhyansh Infotech Pvt Ltd. We provide business-management software (an ERP) used by merchants to run their sales, purchases, inventory, production and accounting.
This policy applies to the BizFlow360 SaaS platform at biz.labhyansh.com, the marketing site bizflow360.in, and all related integrations (including the Shopify connector).
For data about a merchant's customers and vendors, the merchant is the data controller and BizFlow360 is the data processor. Every merchant's data lives inside its own tenant boundary; we never pool, merge or share data across merchants.
2. The data we collect
We collect only the data needed to run the service. Specifically:
- Merchant user accounts — username, email, hashed password, contact number, role. Provided by the merchant at signup.
- Customer records — name, email, phone, billing/shipping address, GSTIN (for B2B customers), order history. Entered by the merchant, or imported from connected sales channels (e.g. Shopify orders).
- Vendor records — name, email, phone, address, GSTIN, contact persons. Entered by the merchant.
- Operational data — invoices, purchase orders, inventory, goods-receipt notes, dispatch notes, payments, reports.
- Technical data — IP address, browser, log timestamps, anonymous usage metrics (used only to operate and improve the service).
We do not collect demographic data, behavioural profiles, marketing preferences or any data we do not need for the merchant's operational flow.
3. How we use the data
Customer and vendor data is used solely to operate the service for the merchant:
- Generating GST-compliant invoices (name, address and GSTIN are used to calculate place-of-supply tax splits).
- Matching incoming orders to existing customer records (email is the primary match key).
- Producing dispatch notes and shipping documents (address, phone).
- Recording payments and accounts-receivable balances.
- Reporting and analytics inside the merchant's own tenant.
We do not sell, rent, lease or otherwise transfer personal data to third parties. We do not use this data for marketing, advertising, profiling or automated decision-making.
4. Encryption
- In transit — TLS 1.2 or higher is enforced everywhere; HTTP requests are redirected to HTTPS. Certificates are issued by Let's Encrypt.
- At rest — application databases run on AES-256-encrypted persistent disks. Third-party OAuth access tokens (e.g. Shopify) are additionally encrypted with Fernet (AES-128-CBC + HMAC-SHA256), and the encryption key is stored only in the application environment, never in the database.
- Backups — daily encrypted snapshots, retained per policy.
5. Access control
- Tenant isolation — every database read and write is automatically scoped to a single tenant by a centralised security listener. Cross-tenant reads are limited to platform-admin endpoints and are audit-logged.
- Role-based access (in-app) — merchant users are assigned roles (admin, sales, purchase, warehouse, vendor, etc.) and only see data their role requires.
- Staff access — internal access to production systems is limited to named individuals on a need-to-know basis, authenticated by SSH keys; no shared accounts.
- Authentication — merchant logins use bcrypt-hashed passwords with a forced password change on first login. Session tokens (JWT) are signed and short-lived.
6. Logging and monitoring
BizFlow360 maintains an activity log recording create/update/delete events on customer, vendor, order, invoice, inventory and user records — who did what, when, on which entity. Logs do not contain plaintext passwords, OAuth tokens or full card numbers.
7. Retention and deletion
- Merchant data is retained while the merchant uses the service.
- Shopify privacy webhooks are wired — when Shopify sends customers/redact we anonymise and soft-delete matching customer records; when it sends shop/redact (48 hours after uninstall) we delete the sales-channel connection and destroy the stored OAuth token. customers/data_request events are logged and acted on within the required window.
- Statutory records (for example, Indian GST invoices) are retained for the legally required period as the merchant's own accounting records.
- On request, a merchant can have their account closed and personal data deleted within 30 days, subject to legal retention obligations.
8. Your rights
If you are an end customer of a merchant who uses BizFlow360, the merchant is the controller of your data. Requests to access, rectify, port or delete your personal data should be sent to the merchant in the first instance; we will assist the merchant in fulfilling those requests.
Where you have a direct relationship with us (for example, as a BizFlow360 user), you may write to info.bizflow360@gmail.com to exercise rights of access, rectification, deletion, portability or objection.
9. Sub-processors
We use the following sub-processors to operate the service:
- Google Cloud Platform — compute, storage and encrypted persistent disks.
- Shopify — when a merchant connects a Shopify store, order and product data flows from Shopify; we are a processor for that data.
- Let's Encrypt — TLS certificate issuance only; no personal data shared.
- GoDaddy — DNS for the bizflow360.in marketing domain; no merchant data.
We do not share personal data with any other third party.
10. Incident response
If a security incident is detected, we follow a written incident-response process: containment, investigation, notification, remediation. Affected merchants are notified by email within 72 hours of confirmation, with a description of the incident, the data affected and recommended actions. Regulatory notifications are made where required by applicable law.
11. Vulnerability reporting
We welcome responsible disclosure. Please report any security issue to info.bizflow360@gmail.com with steps to reproduce. We will acknowledge receipt within two business days.
12. Changes to this policy
We will update this policy when our practices change or as required by law. Material changes will be communicated to merchants by email and posted on this page. The "Effective" date at the top reflects the current revision.
13. Contact
For any privacy question or request, contact:
Labhyansh Infotech Pvt Ltd
Email: info.bizflow360@gmail.com
Phone: +91 85951 51521 · +91 120 313 1251
Questions about your data?
Email us — we read everything that lands in info.bizflow360@gmail.com.