PayTrova

Privacy Policy

Effective Date: March 5, 2026 | Last Updated: March 5, 2026

Privacy Policy Overview

This Privacy Policy describes how Jenria Infotech LLP (ACV-9592) ("PayTrova", "Company", "we", "us", or "our") collects, uses, shares, and protects your personal information when you use our invoicing, payment, and business management platform (the "Service"). Our Service is accessible at paytrova.com.

We are committed to transparency about our data practices. This policy applies to all users of our Service, including visitors to our website, registered users, and administrators who manage their business through our platform. By using PayTrova, you acknowledge that you have read and understood this Privacy Policy.

Key Points: We collect only the data necessary to provide our services. We never sell your personal information. We use strong security measures — including encryption in transit (TLS) and at rest (AES-256) — to protect your data, though no method of transmission or storage can be guaranteed completely secure. You have rights over your personal data under the DPDP Act, 2023.

Scope of This Policy

This Privacy Policy applies to:

  • The PayTrova website and application at paytrova.com
  • Our APIs and integration services
  • The client portal for viewing invoices and making payments
  • PDF generation and document storage services
  • Communications with our support team
  • Marketing communications (with your consent)

This policy does not apply to:

  • Third-party websites linked from our Service
  • Services provided by other companies, even if integrated with PayTrova
  • Information you choose to share with your clients through our platform (you control that data)

Data Controller Information

For the purposes of data protection laws, the data controller responsible for your personal information is:

Jenria Infotech LLP (ACV-9592)

221, Nandanvan Society, Canal Road, Vadodara, Vadodara, Gujarat 390008, India

Data Protection Contact: [email protected]

As a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act), we determine the purposes and means of processing your personal data. We are responsible for ensuring that your data is processed in compliance with applicable Indian data protection laws, including the DPDP Act, 2023, the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('SPDI Rules').

Information We Collect

We collect information in the following ways:

1. Information You Provide Directly

When you create an account, use our services, or communicate with us:

  • Account Registration: Name, email address, password, organization name
  • Business Information: GSTIN, PAN, bank details, address
  • Client & Vendor Data: Names, emails, addresses, GSTIN, payment terms
  • Financial Data: Invoice amounts, payment records, tax calculations, product/service details
  • Payment Information: Billing name, billing address, payment method details (processed by Razorpay; we do not store full card numbers)
  • Support Communications: Messages, attachments, feedback you provide
  • Multi-Factor Authentication: TOTP secrets (encrypted), WebAuthn credentials

2. Information Collected Automatically

When you access or use our Service, we automatically collect:

  • Device Information: Browser type and version, operating system, device type, screen resolution, language settings
  • Network Information: IP address, approximate geographic location (city/country level), Internet Service Provider
  • Usage Information: Pages visited, features used, time spent, clicks, scrolls, navigation paths
  • Authentication Logs: Login timestamps, authentication methods used, session tokens
  • Performance Data: Page load times, errors encountered, API response times

3. Information from Third Parties

We may receive information from:

  • Payment Processor: Razorpay provides transaction status, payment confirmations, and fraud scores
  • Tax Verification Services: GST verification APIs provide business registration details
  • Email Providers: Delivery status and bounce notifications for transactional emails

Data Categories and Retention

The following table summarizes the categories of personal data we collect, their purposes, and retention periods:

Category | Data Collected | Purpose | Retention
Account Information | Name, email, password hash, profile settings | Account creation, authentication, service delivery | Duration of account + 30 days
Contact Information | Email address, phone number (optional) | Communications, support, security alerts | Duration of account + 30 days
Payment Information | Billing name, card last 4 digits, transaction history | Payment processing, invoicing, fraud prevention | Up to 8 years (Companies Act 2013 §128); up to 10 years where income-tax reassessment rules apply
Business Information | Organization name, GSTIN, PAN, bank details, address | Service delivery, invoice generation, tax compliance | Duration of account + 30 days
Invoice & Financial Data | Invoices, quotes, credit/debit notes, payment records, client details | Service delivery, GST compliance, financial reporting | GST records: 6 years (CGST Act §36); Books of account: 8 years (Companies Act §128); Income-tax: 6–10 years (Rule 6F / §149)
Usage Data | Feature usage, session data, actions performed | Service improvement, analytics, debugging | 90 days (rolling)
Security Logs | Authentication attempts, access logs, security events | Security monitoring, incident response, compliance | 1 year
Device Information | Browser type, OS, device identifiers, screen resolution | Service optimization, security, compatibility | 90 days (rolling)
Communication Records | Support tickets, emails, chat transcripts | Customer support, service improvement | 3 years

How We Use Your Information

We use your personal information for the following purposes:

Service Delivery and Operations

  • Creating and managing your account
  • Authenticating your identity and authorizing access
  • Generating invoices, quotes, credit notes, and other financial documents
  • Processing payments through Razorpay
  • Calculating GST and maintaining tax compliance
  • Generating PDF documents and storing them securely
  • Providing client portal access for invoice viewing and payments

Security and Fraud Prevention

  • Detecting and preventing unauthorized access and security threats
  • Monitoring for suspicious activities and potential abuse
  • Implementing and enforcing our security policies
  • Investigating security incidents and conducting forensic analysis
  • Verifying payment transactions and preventing fraud

Communications

  • Sending service-related notifications (e.g., payment confirmations, invoice reminders)
  • Responding to your support requests and inquiries
  • Providing important updates about changes to our Service or policies
  • Sending renewal reminders and subscription status updates
  • Marketing communications (only with your consent, and you can opt out anytime)

Service Improvement and Analytics

  • Understanding how users interact with our Service
  • Identifying areas for improvement and new features
  • Conducting research and analysis to enhance user experience
  • Troubleshooting technical issues and debugging
  • Measuring the effectiveness of our features

Legal and Compliance

  • Complying with applicable laws, regulations, and legal processes
  • Responding to lawful requests from government authorities
  • Establishing, exercising, or defending legal claims
  • Maintaining records required by financial and tax regulations
  • Enforcing our Terms of Service and other agreements

Legal Basis for Processing

Under applicable Indian law, we process your personal data based on the following lawful purposes:

Consent (DPDP Act, Section 6)

Processing based on your free, specific, informed, and unambiguous consent, obtained at the time of registration or when you opt into specific features.

Legitimate Uses (DPDP Act, Section 7)

Processing necessary for performance of a contract (service delivery), compliance with Indian law (GST, Income Tax Act), responding to medical emergencies, and employment-related purposes.

Legal Obligation

Processing required under Indian statutes such as the Income Tax Act 1961, GST Act 2017, Prevention of Money Laundering Act 2002, and Companies Act 2013.

Voluntary Provision

Processing of data you voluntarily provide during support interactions, feedback, or optional profile enhancements.

Third-Party Service Providers

We share your information with carefully selected third-party service providers who assist us in operating our Service. These providers are contractually obligated to protect your data and use it only for the specified purposes.

Provider | Purpose | Data Shared | Location
Razorpay | Payment processing | Name, email, billing address, transaction details | India
DigitalOcean Spaces | File storage (invoices, PDFs, attachments) | Generated documents, uploaded files | Configurable region (India / EU / UK / US)
Google Analytics | Website analytics | Usage patterns, anonymized demographics | United States
SMTP Provider | Transactional email delivery | Email addresses, email content | Varies by configuration

All third-party providers are bound by data processing agreements and are required to maintain appropriate security measures. We conduct due diligence on our providers and regularly review their privacy and security practices.

When We Share Your Information

We never sell your personal information. We only share data as described below and with appropriate safeguards in place.

We may share your information in the following circumstances:

  • Service Providers: With third-party vendors who perform services on our behalf (see table above), under strict contractual terms.
  • Payment Processor: With Razorpay to process your payments. By using our Service, you consent to sharing your payment information with Razorpay pursuant to their Privacy Policy.
  • Legal Requirements: When required by law, court order, subpoena, or government request, or when necessary to protect our rights, property, or safety.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets. We will notify you before your information is transferred and becomes subject to a different privacy policy.
  • With Your Consent: When you have given us explicit permission to share your information for a specific purpose.
  • Within Your Organization: With other administrators in your PayTrova organization who have appropriate permissions.
  • Aggregated Data: We may share aggregated, anonymized data that cannot be used to identify you.

Data Security

We implement comprehensive security measures to protect your personal information. Our security program is designed to align with industry best practices and recognized frameworks.

Technical Security Measures

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • Encryption at Rest: Sensitive data (API keys, SMTP passwords, backup credentials) is encrypted using AES-256-GCM
  • Multi-Factor Authentication: We support TOTP and WebAuthn/Passkeys for additional account security
  • Operation MFA: Sensitive operations require additional authentication verification
  • Role-Based Access: Granular permission system with 26 permission keys

Organizational Security Measures

  • Access Controls: Role-based access controls limit data access to authorized personnel only
  • Audit Logging: All significant actions are logged for accountability and compliance
  • Incident Response: We maintain documented incident response procedures
  • Vendor Management: Third-party vendors are assessed for security practices

Compliance Alignment

Our security practices are designed to align with:

  • DPDP Act, 2023: Digital Personal Data Protection Act compliance
  • IT Act, 2000: Information Technology Act and SPDI Rules compliance
  • PCI DSS: Payment Card Industry Data Security Standard (through Razorpay)
  • RBI Guidelines: Reserve Bank of India Payment Aggregator Guidelines
  • OWASP: Open Web Application Security Project best practices

While we implement robust security measures, no system is completely secure. We will notify you promptly of any security breach that affects your personal information, as required by applicable law.

Cross-Border Data Transfers

PayTrova hosts its application and primary database in India. Uploaded files and generated documents are stored in cloud object-storage regions selected for performance and availability, some of which may be outside India. Where data is stored or transferred outside India (e.g., to cloud storage or analytics providers), we ensure compliance with the DPDP Act, 2023 provisions on cross-border data transfer.

Transfer Safeguards

  • Data is transferred only to countries or territories notified by the Central Government under Section 16(1) of the DPDP Act, or to jurisdictions that provide adequate protection
  • All data processors outside India are bound by contractual obligations to maintain the same level of data protection
  • We do not transfer data to countries restricted by the Central Government under the DPDP Act

Data Storage Location

Your primary business data (invoices, clients, financial records) is processed and stored in our application and database infrastructure hosted in India (DigitalOcean, Bangalore region). Uploaded files and generated documents (e.g. invoice PDFs, receipts, exports) are stored in the cloud object-storage region configured for your organization, which may be located in India or another jurisdiction; the active storage region is always shown in your in-app Data Privacy dashboard. Certain auxiliary services (analytics, email delivery) may involve limited data processing outside India, subject to the safeguards described above.

Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

Retention Periods

  • Account Data: Retained for the duration of your account plus 30 days after deletion request
  • Financial Records: Retained for up to 8 years (the longest applicable statutory period under Companies Act 2013 §128), and up to 10 years where income-tax reassessment rules apply (Income Tax Rule 6F / §149). GST records specifically: 6 years from the annual-return due date (CGST Act §36).
  • Security Logs: Retained for 1 year for security monitoring and incident investigation
  • Usage Analytics: Retained for 90 days in identifiable form, then aggregated
  • Support Communications: Retained for 3 years for service quality and dispute resolution

Account Deletion

When you request account deletion:

  • Your account is immediately deactivated
  • Personal data is deleted within 30 days
  • Backups containing your data are overwritten within 90 days
  • Some data may be retained longer if required by law or for legitimate business purposes (e.g., transaction records for GST compliance)

Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023, you have the following rights as a Data Principal (the individual whose data is being processed):

  • Right to Access Information (Section 11): You may request a summary of your personal data being processed, the processing activities undertaken, and the identities of all Data Processors and Data Fiduciaries with whom your data has been shared. You can download a machine-readable copy (CSV) of your organization data through the Data Export feature in your dashboard.
  • Right to Correction and Erasure (Section 12): You may request correction of inaccurate or misleading personal data, completion of incomplete data, updating of outdated data, and erasure of data that is no longer necessary for the purpose it was collected.
  • Right of Grievance Redressal (Section 13): You have the right to have any grievance addressed within a reasonable time. We will acknowledge your grievance within 48 hours and provide a resolution within 30 days.
  • Right to Nominate (Section 14): You may nominate any individual to exercise your rights under the DPDP Act in the event of your death or incapacity.

Data Protection Board of India

If you are not satisfied with our resolution of your grievance, you may file a complaint with the Data Protection Board of India established under Section 18 of the DPDP Act.

Grievance Officer

For data-rights requests or grievances under the DPDP Act, 2023, contact our designated Grievance Officer:

Name: Ketan Aagja

Designation: Grievance Officer

Email: [email protected]

Phone: +91 93133 57493

Address: D1-221, Nandanvan Society Nr. Abhilasha Crossing, New Sama Road

(Include "DPDP Grievance" in the subject line.)

We respond to data-rights requests within 30 days; grievances are resolved within the 90-day statutory maximum (DPDP Rules 2025, Rule 14).

Account & Organization Deletion

When an organization is deleted from PayTrova, the following process applies:

  • Account Closure: When you close your account, access is removed immediately and your data is retained securely (frozen), not automatically erased. If the closure was a mistake, or in case of a compromised or unauthorised closure, you can contact support to have your organization restored.
  • Data Export: Before closing, you can download a complete copy of your organization data in CSV/JSON format (a commonly used, machine-readable format) from the Danger Zone or the Data & Privacy page — including invoices, clients, products, payments, expenses, bills, vendors, payroll and people records, and audit logs.
  • Permanent Deletion: Permanent, irreversible deletion of all data — including files in cloud storage — is carried out on a verified erasure request (or once the applicable statutory retention period has lapsed). There is no automatic timed deletion.
  • Statutory Retention: We recommend downloading your data before closing, as you may be legally required to retain tax records — GST records for 6 years (CGST Act §36), books of account for 8 years (Companies Act 2013 §128), and income-tax records for 6–10 years (Income Tax Rule 6F / §149). We retain such records for the applicable statutory period and erase them thereafter.

How to Exercise Your Rights

To exercise any of your privacy rights, you may:

  • Email Us: Send your request to [email protected]
  • Account Settings: Access, update, or delete certain information directly through your PayTrova account settings
  • Unsubscribe: Click the unsubscribe link in any marketing email

Request Processing

  • We will verify your identity using reasonable measures
  • We will respond within the timeframe required by applicable law (typically 30 days)
  • Requests are free of charge, except for manifestly unfounded or excessive requests

Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience on our Service. For detailed information about the cookies we use and how to manage them, please refer to our Cookie Policy.

Types of Cookies

  • Essential Cookies: Required for authentication, security, and basic functionality
  • Functional Cookies: Remember your preferences
  • Analytics Cookies: Help us understand usage patterns and improve our Service

Children's Privacy

PayTrova is not intended for individuals under the age of 18. Under the DPDP Act, 2023, processing of personal data of children (persons below 18 years) requires verifiable consent from a parent or lawful guardian. We do not knowingly collect personal data from children. If we become aware that personal data of a child has been processed without verifiable parental consent, we will take steps to erase such data promptly. We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date at the top. For material changes, we will provide prominent notice. Your continued use of our Service constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, please contact us:

Jenria Infotech LLP (ACV-9592)

221, Nandanvan Society, Canal Road, Vadodara, Vadodara, Gujarat 390008, India

General Inquiries: [email protected]

Privacy Requests: [email protected] (Subject: "Privacy Request")

Website: paytrova.com

Response Times

  • General inquiries: Within 2 business days
  • Privacy requests: Within 30 days (as required by law)
  • Security concerns: Priority response within 24 hours

For payment-related grievances, you may also contact Razorpay at razorpay.com/grievances.