Privacy Policy
Effective date: January 2025
1. Introduction and Scope
1.1 Welcome to proqureX
This Privacy Policy outlines the data protection practices for the proqureX platform and associated services (collectively, the "Services"). proqureX is a Software-as-a-Service (SaaS) application designed to provide enterprises with advanced procurement and spend management solutions. The Services are owned and operated by Appziaa Softlabs Pvt Ltd, a company registered in India with its principal place of business at 124A/1, LGF, Shaheed Jeet Singh Marg, New Delhi 110016, India.
1.2 Purpose and Commitment
Appziaa Softlabs Pvt Ltd ("proqureX", "we", "us") is firmly committed to protecting the privacy and security of personal data. This policy is designed to be compliant with applicable data protection laws, including India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the EU General Data Protection Regulation 2016/679 (GDPR). It aims to provide clear, transparent, and easily accessible information about how we collect, use, process, and protect personal data, in accordance with our legal obligations and our dedication to building and maintaining customer trust.
1.3 Scope of this Policy
This Privacy Policy applies to the processing of digital personal data of the following individuals:
- Customers: The corporate or enterprise entities that enter into a contractual agreement with proqureX to use our Services.
- Authorised Users: The individual employees, contractors, or other representatives of our Customers who are authorised to access and use the proqureX platform under the Customer's subscription.
- Suppliers, Vendors, and Business Partners: Individuals who work for, or on behalf of, our Customers' suppliers and vendors, whose information is processed through the platform, including for display on our open commerce portal.
- Website Visitors: Individuals who visit our public-facing websites, such as proqurex.com, or interact with our marketing materials.
This policy applies to the processing of digital personal data within India and to processing outside of India if it is for the purpose of offering goods or services to individuals in India.
1.4 Definitions
To ensure clarity and consistency, this policy uses key terms as defined in India's DPDP Act and the EU's GDPR. These include:
- Personal Data: Any data or information relating to an identified or identifiable natural person.
- Processing: Any wholly or partially automated operation or set of operations performed on digital personal data, such as collection, storage, use, sharing, or erasure.
- Data Principal / Data Subject: The natural person to whom the Personal Data relates. We use "Data Principal" in the context of the DPDP Act and "Data Subject" in the context of the GDPR.
- Data Fiduciary / Data Controller: The entity that, alone or in conjunction with others, determines the purposes and means of the processing of personal data. We use "Data Fiduciary" for the DPDP Act and "Data Controller" for GDPR.
- Data Processor: The entity that processes personal data on behalf of the Data Fiduciary/Controller.
- Data Protection Board of India / Supervisory Authority: The independent public authority responsible for monitoring the application of data protection law.
2. Our Role in Processing Your Data: Fiduciary, Controller, and Processor
2.1 The Importance of Roles
Under data protection laws like India's DPDP Act and the EU's GDPR, the allocation of responsibilities is determined by whether an organisation acts as a "Data Fiduciary" (or "Data Controller") or a "Data Processor". This distinction is critical in the context of B2B SaaS. proqureX operates in both capacities, and this section clarifies our role and responsibilities in each context.
2.2 proqureX as a Data Fiduciary / Data Controller
proqureX acts as a Data Fiduciary (under the DPDP Act) or a Data Controller (under the GDPR) when we determine the purposes and means of processing personal data for our own business operations. This occurs in the following specific circumstances:
- Customer Relationship Management: We process the business contact information (such as name, job title, work email, and phone number) of our Customers' representatives to manage contracts, handle billing, provide support, and maintain our business relationship.
- Marketing and Sales: We process personal data collected from our website, marketing campaigns, and industry events to communicate with prospective and existing Customers about our Services.
- Website Analytics: We process data from visitors to our website to analyse usage patterns and improve our online presence.
- Employee Administration: We process the personal data of our own employees for human resources and administrative purposes.
2.3 proqureX as a Data Processor
For the core functionality of our Services, proqureX acts as a Data Processor. When our Customers and their Authorised Users upload, input, or otherwise process data within the proqureX platform—such as purchase orders, invoices, vendor details, or expense reports that may contain personal data—our Customer is the Data Fiduciary/Controller. As the Data Fiduciary/Controller, our Customer has the primary responsibility for the data.
In our capacity as a Data Processor, proqureX:
- Processes this "Service Data" only on the basis of the documented instructions of our Customer, as stipulated in our service agreement and our Data Processing Agreement (DPA).
- Does not determine the purposes for which the Service Data is collected or the means by which it is processed.
- Assists the Customer in fulfilling their data protection obligations, such as responding to Data Principal/Subject Rights requests concerning the Service Data.
Under the DPDP Act, the Data Fiduciary is responsible for the compliance of its Data Processors. This clear delineation of roles is fundamental to a compliant B2B relationship.
2.4 Your Responsibilities as a Data Fiduciary / Data Controller
When using the proqureX Services, our Customers, as Data Fiduciaries/Controllers, are responsible for ensuring that the personal data they and their Authorised Users process within the platform is handled in compliance with applicable laws. This includes, but is not limited to, establishing a lawful basis for processing, providing necessary privacy notices, and responding directly to rights requests from their own personnel.
3. Personal Data We Collect and Process
3.1 Data Minimisation and Purpose Limitation
proqureX is committed to the principles of data minimisation and purpose limitation as required by India's DPDP Act and the EU's GDPR. We collect and process only the personal data that is adequate, relevant, and strictly necessary to achieve the specified, explicit, and legitimate purposes outlined in this policy. We do not collect personal data aimlessly or for future, undefined purposes.
3.2 Data Processed as a Fiduciary / Controller
When acting as a Data Fiduciary/Controller, we process the following categories of personal data:
- Account and Contact Information: Name, work email address, phone number, job title, company name, and billing and payment details of our Customer's designated points of contact.
- Website and Marketing Data: IP addresses, device information, browser type, and data collected via cookies and similar technologies (as detailed in our separate Cookie Policy). We also collect information that individuals provide through our website forms, event registrations, or other marketing interactions.
3.3 Data Processed as a Processor (Service Data)
As a Data Processor, the specific personal data we process is determined and controlled by our Customers. This Service Data may include:
- Authorised User Profile Information: Names, employee IDs, work email addresses, job titles, and system roles of individuals authorised by the Customer to use the Services.
- Procurement and Spend Data: This is the core data processed through the platform and may incidentally contain personal data. Examples include names on purchase requisitions, contact details for vendor representatives, employee names on expense reports, and approver details within a workflow.
- Supplier and Vendor Information: Business contact information for supplier representatives (such as name, email, phone number), company details, and commercial information such as product catalogues and inventory details provided for display on our open commerce portal.
Note on Sensitive Data: Unlike the GDPR, the DPDP Act does not create a separate category for "sensitive personal data". All digital personal data is protected under the same procedures.
3.4 Data from Third-Party Integrations
When a Customer chooses to enable an integration with a third-party service, proqureX may access or receive data from that service on the Customer's behalf and at their explicit direction.
- Gmail Integration: With user authorisation, the platform may access email metadata and the body content of specific emails that the user actively chooses to link to a procurement transaction.
- Slack and Microsoft Teams Integrations: The platform may access messages, user profiles, and channel information when an Authorised User initiates a proqureX action from within these applications.
- Accounting and ERP Integrations (e.g., Tally, Microsoft Dynamics): To facilitate data synchronisation as configured by the Customer, the platform may access financial records, vendor master data, employee lists, and chart of accounts information from these systems.
3.5 Data Processed by Artificial Intelligence (Gemini API)
proqureX utilises large language models (LLMs) via the Google Gemini API to provide advanced AI-powered features.
- When an Authorised User engages with an AI feature, the user's prompt and relevant, contextual Service Data may be securely transmitted to Google's Gemini API for processing.
- We exclusively use Google's enterprise-grade, paid API services. According to Google's data privacy commitments for these services, the data we send is not used to train their generative models, is not reviewed by humans, and is processed under strict confidentiality and security protocols.
4. Lawful Basis for Processing
All processing of personal data by proqureX is grounded on a lawful basis as required by applicable law. The legal bases we rely upon differ depending on whether the processing is governed by India's DPDP Act or the EU's GDPR.
4.1 Lawful Bases under the DPDP Act (for processing of digital personal data in India)
The DPDP Act provides that personal data may be processed for a lawful purpose based on either the consent of the Data Principal or for certain "Legitimate Uses".
- Consent: This is the primary basis for processing under the DPDP Act. Before or at the time of collecting personal data, we will provide you with a notice detailing the data to be collected and the specific purpose of processing. Your consent must be free, specific, informed, unconditional, and unambiguous, given via a clear affirmative action. You may withdraw your consent at any time.
- Certain Legitimate Uses: The DPDP Act permits processing without consent for specified legitimate uses. This includes, but is not limited to:
  - For a specified purpose for which the Data Principal has voluntarily provided their personal data.
  - For the State and its instrumentalities to provide a benefit, service, licence, permit, or certificate.
  - For compliance with any law or court order in India.
  - For responding to a medical emergency or taking measures for an epidemic or disaster.
  - For purposes related to employment.
4.2 Lawful Bases under GDPR (for processing related to individuals in the EEA)
For data processing activities subject to the GDPR, we rely on the following lawful bases:
- Performance of a Contract (Article 6(1)(b) GDPR): This is the primary legal basis for processing Service Data to deliver the proqureX platform as stipulated in the service agreement with our Customer.
- Legitimate Interests (Article 6(1)(f) GDPR): We process certain personal data for our legitimate interests, such as improving our platform, ensuring security, and sending essential service communications.
- Consent (Article 6(1)(a) GDPR): We rely on consent for activities like sending marketing communications and placing non-essential cookies.
- Legal Obligation (Article 6(1)(c) GDPR): We process personal data where necessary to comply with a legal requirement, such as for tax and audit purposes.
5. How and Why We Use Your Personal Data
This section translates our legal bases for processing into the practical, purpose-driven ways we use personal data to deliver and enhance our Services.
5.1 To Provide and Maintain the Service
- Account Management: To create and manage Customer accounts and Authorised User profiles.
- Transaction Processing: To execute procurement, spend management, and other workflows as initiated by our Customers.
- Integration Enablement: To connect the proqureX platform with third-party services as configured by the Customer.
- Customer Support: To respond to inquiries, diagnose technical problems, and provide assistance.
5.2 To Improve and Personalise the Service
- Analysing aggregated and anonymised usage patterns to identify popular features and opportunities for innovation.
- Using data to provide personalised experiences within the platform.
5.3 For Security and Compliance
- Security Monitoring: To monitor for, prevent, and respond to security incidents or malicious activity.
- Enforcement: To enforce our Terms of Service and other policies.
- Legal Compliance: To comply with applicable laws, regulations, and lawful requests from public authorities.
5.4 To Communicate with You
- Service Communications: To send important administrative and service-related announcements.
- Support Communications: To respond to your direct inquiries and support requests.
- Marketing Communications: Where we have obtained your explicit consent, to send you information about new features or other services.
6. Data Sharing, Disclosures, and Data Processors
6.1 Our Commitment to Confidentiality
proqureX does not sell personal data to third parties. We share personal data only in the limited circumstances described below, and always with appropriate contractual and security safeguards in place.
6.2 Engagement of Data Processors (Sub-processors)
- We engage a limited number of third-party service providers ("Data Processors" or "Sub-processors") to assist us in providing the Services, such as for cloud infrastructure hosting and payment processing.
- We conduct due diligence on all Data Processors to ensure they meet our standards for data protection.
- Under the DPDP Act, as a Data Fiduciary, we remain responsible for the actions of our Data Processors. We enter into legally binding contracts (Data Processing Agreements) with each Data Processor to ensure they meet our standards for data protection, in compliance with all applicable laws.
- We maintain a public list of our current Sub-processors (see Annex I). We will notify our Customers of any intended changes to this list, providing them with an opportunity to object.
6.3 Third-Party Integrations
Data is shared with third-party services integrated with proqureX only at the Customer's explicit direction. The use of data by these services is governed by their respective privacy policies.
6.4 Legal Disclosures and Business Transfers
We may be required to disclose personal data in response to a lawful request by public authorities. In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction, under protective commitments.
6.5 Sharing and Display of Supplier and Vendor Data
As an integral part of the procurement process, our Services facilitate communication and transactions between our Customers (the enterprises) and their suppliers. This involves sharing relevant transactional data, such as purchase orders, requests for quotation (RFQs), and invoice details, with these suppliers.
- Transactional Data Sharing: Data is shared with suppliers for the explicit purpose of fulfilling procurement workflows initiated by our Customers. For example, when a Customer issues a purchase order to a specific supplier through the proqureX platform, the necessary details of that order (which may include the name and contact information of the purchasing agent) are transmitted to that supplier.
- Open Commerce Portal: To enhance commerce and visibility, we also operate an Open Commerce Portal. With the consent of the supplier or vendor, we may display certain business information publicly on this portal. This information may include company name, product catalogues, inventory details, and business contact information to allow prospective buyers to connect. The purpose of this processing is to showcase vendor offerings to a wider audience.
- Onboarding Process: All suppliers interacting with the platform, whether provided by us or onboarded by our Customers, are subject to an onboarding process to ensure they understand their role and our data handling practices.
7. International Transfers of Personal Data
7.1 Cross-Border Data Flows and Data Residency
As a company headquartered in India, personal data processed by proqureX may be transferred to and processed in India and other countries where we or our Data Processors maintain operations. To provide our Services, all primary data generated on our platform is hosted within Google Cloud Platform's (GCP) data centre located in Delhi, India. To ensure faster content delivery and an improved user experience for our global user base, we utilise GCP's Content Delivery Network (CDN). This service caches copies of content at various edge locations around the world. Consequently, while our primary data storage is in India, data accessed via the CDN may be temporarily stored in a location closer to the end-user, which may be outside of India. We manage all such transfers in compliance with both India's DPDP Act and the EU's GDPR.
7.2 Transfers from India to Other Countries
The DPDP Act permits the transfer of personal data outside of India, except to countries or territories that are specifically restricted (or "blacklisted") by the Indian Central Government. As of the date of this policy, we will comply with any such list published by the government and ensure that any transfers from India are conducted in accordance with the DPDP Act's requirements.
7.3 Transfers from the EEA, UK, and Switzerland to India
For personal data transferred from the European Economic Area (EEA), UK, or Switzerland, we recognise that India has not received an "adequacy decision" from the European Commission. Therefore, we implement appropriate safeguards to protect this data:
- Standard Contractual Clauses (SCCs): Our primary legal mechanism for these transfers is the incorporation of the Standard Contractual Clauses (SCCs) approved by the European Commission into our Data Processing Agreement with our Customers.
- Supplementary Measures: In line with the "Schrems II" judgment, we conduct Transfer Impact Assessments and implement supplementary technical and organisational measures, such as strong encryption, to ensure the data remains protected.
8. Data Security
8.1 Our Security Commitment
proqureX is dedicated to protecting the security, confidentiality, and integrity of the personal data we process. We implement and maintain appropriate technical and organisational measures, or "reasonable security safeguards," as required by India's DPDP Act and the EU's GDPR, to protect personal data against breaches.
8.2 Technical and Organisational Measures
Our security programme includes:
- Data Encryption: All data is encrypted in transit using TLS and at rest using advanced encryption standards like AES-256.
- Access Controls: We enforce the principle of least privilege and role-based access control (RBAC) to limit internal access to personal data.
- Security Audits and Testing: We conduct regular vulnerability scanning and penetration testing.
- Incident Response Plan: We have a comprehensive data breach response plan. In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals/Subjects as required by law.
9. Data Retention
9.1 Storage Limitation Principle
In line with the storage limitation principle of India's DPDP Act and the EU's GDPR, we do not retain personal data for longer than is necessary for the purposes for which it was collected and processed.
9.2 Retention Periods for Fiduciary / Controller Data
- Customer Account Data: Retained for the duration of the contractual relationship and for up to seven years thereafter to comply with legal and tax obligations.
- Marketing Data: Retained for as long as we have the individual's consent, and reviewed periodically for inactivity.
9.3 Retention of Processor Data (Service Data)
The retention of Service Data is governed by our agreement with the Customer. We erase personal data when it is no longer needed for the specified purpose or upon a valid withdrawal of consent by the Data Principal. Our standard policy is as follows:
- Service Data is retained throughout the term of the Customer's active subscription.
- Upon termination, the Customer will have 30 days to export their data.
- Following this period, all Service Data will be permanently deleted from our active systems within 90 days.
- Residual copies may remain in secure, encrypted backup archives for up to 180 days before being overwritten.
10. Your Data Protection Rights
proqureX is committed to upholding the rights granted to individuals under both India's DPDP Act and the EU's GDPR.
10.1 Rights under the DPDP Act (for Data Principals in India)
The DPDP Act grants Data Principals the following key rights:
- Right to Access Information: The right to obtain a summary of your personal data being processed and the processing activities undertaken.
- Right to Correction and Erasure: The right to request the correction of inaccurate or misleading personal data, the completion of incomplete data, the updating of outdated data, and the erasure of personal data that is no longer necessary for the purpose for which it was processed.
- Right of Grievance Redressal: The right to have a readily available means of grievance redressal for any issues related to the processing of your personal data.
- Right to Nominate: The right to nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
10.2 Duties of Data Principals under the DPDP Act
The DPDP Act also specifies certain duties for Data Principals, including not registering false or frivolous complaints and not furnishing false information.
10.3 Rights under the GDPR (for Data Subjects in the EEA)
If you are in the EEA, the GDPR grants you the following rights:
- The Right to be Informed
- The Right of Access
- The Right to Rectification
- The Right to Erasure ('Right to be Forgotten')
- The Right to Restrict Processing
- The Right to Data Portability
- The Right to Object
- Rights in relation to Automated Decision-Making and Profiling
10.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at: privacy@proqurex.com.
- We will respond to all legitimate requests in accordance with the timelines mandated by applicable law. We may need to request specific information from you to confirm your identity.
- If your request pertains to Service Data for which proqureX is a Data Processor, we will forward your request to our Customer (the Data Fiduciary/Controller), who is responsible for the substantive response.
11. Processing of Children's Personal Data
proqureX is committed to protecting the privacy of children. Under the DPDP Act, an individual below the age of 18 is considered a child.
- We will only process the personal data of a child with verifiable consent from their parent or legal guardian.
- We will not undertake any processing that is likely to cause harm to a child.
- We do not engage in the tracking or behavioural monitoring of children, nor do we direct targeted advertising at children.
12. Policy Updates and Contact Information
12.1 Right to Amendment and Changes to this Policy
proqureX reserves the right to amend, modify, or update this Privacy Policy at our discretion at any time to reflect changes in our practices, technology, legal requirements, or for any other reason. Any changes will be effective immediately upon posting the revised policy. We will post any changes on this page and, if the changes are significant, we will provide a more prominent notice, such as by sending an email notification or through an in-app alert. We encourage you to periodically review this policy to stay informed about how we are protecting your information.
12.2 How to Contact Us
If you have any questions, concerns, or complaints regarding this Privacy Policy or our data protection practices, please contact us at:
Email: privacy@proqurex.com
Registered Address:
Appziaa Softlabs Pvt Ltd
124A/1, LGF, Shaheed Jeet Singh Marg,
New Delhi 110016,
India
12.3 Data Protection Officer (DPO)
proqureX has appointed a Data Protection Officer to oversee our compliance with this policy and applicable data protection laws. Our DPO can be reached at the contact details provided above.
12.4 Right to Lodge a Complaint
If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a competent supervisory authority. For individuals in India, this is the Data Protection Board of India. For individuals in the EU, this is the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
13. Annex I: proqureX Sub-processor List
proqureX uses the following sub-processors to support the delivery of our Services. We have entered into compliant Data Processing Agreements with each of them.
| Sub-processor Name | Purpose of Processing | Entity Location | Data Transfer Mechanism (if outside EEA) |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and data hosting | Ireland/Germany | N/A (within EEA) |
| Google Cloud Platform (GCP) | Cloud infrastructure, primary data hosting, and Content Delivery Network (CDN) | India (Delhi Data Centre) and global edge locations | Standard Contractual Clauses & Supplementary Measures |
| Google LLC | AI/LLM Processing (Gemini API) | United States | Standard Contractual Clauses & Supplementary Measures |
| Razorpay | Payment processing for subscriptions | India | Standard Contractual Clauses & Supplementary Measures |
| Zendesk, Inc. | Customer support and ticketing platform | United States | Standard Contractual Clauses & Supplementary Measures |
| WhatsApp LLC (Meta) | Communication platform | United States | Standard Contractual Clauses & Supplementary Measures |
| Tata Communications Ltd | SMS Communication services | India | Standard Contractual Clauses & Supplementary Measures |
| ZeptoMail (Zoho Corporation) | Transactional email services | India | Standard Contractual Clauses & Supplementary Measures |