Business HQ — Privacy Policy
1. Who this applies to
This policy applies to Clients (the businesses we invite), their Authorized Users (e.g., staff), and visitors who interact with us. Where you enter personal data about your own customers or employees into Business HQ, you are the Data Fiduciary for that data and Uplyft processes it on your behalf and instructions.
2. Data we collect
a) Account & contact data — name, business name, email, phone, login credentials, role, and communications with us.
b) Business data you enter — the records you and your Authorized Users create in Business HQ: finance/GST and accounting records, inventory, CRM contacts and deals, staff and roles, and niche-module data. This may include personal data about your customers, vendors, and staff. You control and are responsible for this data.
c) Payment data — collected and processed by Razorpay. We receive limited transaction metadata (e.g., success/failure, mandate status, plan, amount). We do not store full card numbers or bank credentials.
d) AI interaction data — prompts and content you submit to AI Features (Ava, AI employees). Where you use your own AI provider key, that content is sent to your chosen provider (e.g., Anthropic) under your provider account.
e) Usage & technical data — log data, device/browser information, IP address, and product analytics used to operate, secure, and improve the Service.
f) Cookies — see Section 8.
3. How we use data
We use personal data to:
provide, operate, and maintain Business HQ and your tenant;
authenticate users and enforce roles and access;
process subscriptions and billing (via Razorpay);
provide support, onboarding (done-for-you), and communicate service and account notices;
power AI Features you choose to use;
monitor, secure, debug, and improve the Service;
comply with legal, tax, and accounting obligations; and
enforce our Terms and prevent fraud or misuse.
We process data on lawful bases recognised under the DPDP Act, principally consent and the legitimate uses / necessity to provide a service you requested, and to meet legal obligations.
4. Hosting & sub-processors
Business HQ relies on the following third parties, who process data on our behalf:
Sub-processor Purpose Notes
Supabase Database (Postgres), authentication, storage India / global cloud hosting; each tenant isolated
Razorpay Payment processing & subscription mandates Handles payment/bank data directly
Netlify Frontend hosting / delivery Serves the web application
Anthropic AI model for AI Features Used when a Client uses AI; if you supply your own key, usage runs under your provider account
Each sub-processor maintains its own privacy and security terms. We aim to engage providers with appropriate safeguards.
5. Data isolation & security
Tenant isolation. Each Client's data is logically isolated. We use Postgres Row-Level Security (RLS) and access controls so that one tenant cannot access another tenant's data.
Access controls. Access to production data is limited to what is needed to operate and support the Service.
Encryption in transit and reliance on our hosting providers' security posture for data at rest.
Backups. We (via Supabase) maintain backups to support recovery.
No system is perfectly secure; we cannot guarantee absolute security, but we take reasonable technical and organizational measures appropriate to the risk.
In the event of a personal data breach, we will act in accordance with our obligations under the DPDP Act, including notifying the Data Protection Board and affected persons where required.
6. Data retention & deletion
We retain account and business data for as long as your account is active and as needed to provide the Service.
After cancellation or termination, data is handled per the Refund & Cancellation Policy: an export window is provided, after which Client Data is scheduled for deletion from active systems (residual copies may persist in backups for a limited period before being overwritten).
We may retain limited records (e.g., invoices, tax records) where required by Indian law.
7. Your rights under the DPDP Act
Subject to the DPDP Act and its rules, you may:
access a summary of your personal data and how it is processed;
request correction, completion, or updating of inaccurate data;
request erasure of your personal data where no longer needed or where consent is withdrawn;
withdraw consent (which may limit or end your ability to use the Service);
nominate another individual to exercise your rights in case of death or incapacity; and
raise a grievance with us (Section 10) and, if unresolved, approach the Data Protection Board of India.
To exercise rights, email admin@uplyft.in. We may verify your identity before acting. Where the personal data belongs to your customers/employees (data you entered), please direct such requests to the relevant Client, whom we will support as processor.
8. Cookies & tracking
We use strictly necessary cookies for login/session management and may use limited analytics cookies to understand usage and improve the Service. You can control cookies through your browser; disabling essential cookies may break functionality.
9. Children
Business HQ is a B2B tool not intended for children (persons under 18). We do not knowingly collect personal data of children through the Service. Clients must not use the Service to knowingly process children's data without lawful consent as required by the DPDP Act.
10. Grievance / contact officer
For privacy questions, requests, or grievances, contact:
Grievance Officer — Uplyft
Email: admin@uplyft.in · Phone: +91 8296995163
Bangalore, Karnataka, India
We aim to acknowledge and respond within the timelines required under applicable law.
11. International transfer
Data may be stored or processed on cloud infrastructure located in India and/or other countries via our sub-processors. Where data is transferred outside India, we rely on our providers' safeguards and process such transfers consistent with the DPDP Act and any restrictions notified by the Government of India.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by a reasonable means (email or in-product notice). The "Last updated" date reflects the latest version.