Privacy Policy
What data we collect, why we collect it, how long we keep it, and what you can do about it. This policy covers the PTAS AI website, the DocPro APIs, Finsuite products, and any consulting work we do together.
Last updated: October 15, 2024Table of Contents
- Who We Are & Scope
- Information We Collect
- Document Data & Customer Content
- How We Use Your Information
- Legal Basis for Processing
- How We Share Information
- Cookies & Similar Technologies
- Data Security
- Data Retention
- International Data Transfers
- Your Rights & Choices
- Children’s Privacy
- Changes to This Policy
- Contact & Grievance Information
The short version:
We collect what we need to run the business, secure the platform, and deliver what you signed up for. Your documents and customer content stay yours. We do not sell personal data. We do not train our AI on your data without explicit written consent. If anything below conflicts with a signed Data Processing Agreement, the DPA wins.
1. Who We Are & Scope
PTAS AI is the product and brand operated by Pritasha Solutions Private Limited (“Company”, “PTAS AI”, “we”, “us”, or “our”), incorporated under the Companies Act, 2013, with a registered office at N.H. 11, Dohar Kalan, Narnaul, Haryana — 123001, India.
This Privacy Policy explains how we handle personal data across the following touchpoints:
- The ptasai.com website and any subdomains
- DocPro APIs and the agentic document extraction platform
- PTAS Finsuite — AP Automation, Vendor Management, and GST Compliance
- Consulting, custom software engineering, and managed services engagements
- Sales conversations, support channels, and marketing communications
For the purposes of GDPR, we act as a data controller for personal data we collect directly (visitors, leads, contacts at customer organisations). For document content and customer data you push through DocPro or Finsuite, we act as a data processor under your instructions.
2. Information We Collect
2.1 Information You Give Us
When you fill in a contact form, book a demo, sign a proposal, or email us:
- Identity: name, job title, employer, work email, phone
- Business context: company size, industry, the problem you are trying to solve
- Account credentials: for customers with platform access, the username and hashed password
- Contractual data: billing details, GSTIN or VAT number, addresses for invoicing
- Communications: the content of emails, support tickets, and call notes
2.2 Information We Collect Automatically
When you visit the website or use the platform, our servers log technical data so the product works and stays secure:
- Device & browser: browser type, OS, screen size, language
- Network: IP address, approximate location (city level), ISP
- Usage: pages viewed, referrer, time on page, clicks, API endpoints called
- Cookies: the identifiers described in Section 7
2.3 Information From Third Parties
We sometimes get information about you from other sources. Specifically:
- Identity providers: if you sign in with Google or Microsoft, we receive the email and name they share
- Payment processors: transaction confirmation from Razorpay, Stripe, or our banking partners — we do not store full card numbers
- Enrichment tools: publicly available business data (LinkedIn profile, company size) used to qualify leads
- Referrals: if someone introduces us, the basic context they share about you
3. Document Data & Customer Content
This section matters most for customers running documents through DocPro or operating data inside Finsuite. The short version: your documents are yours, we process them on your instructions, and we do not use them for anything you did not sign for.
3.1 What Counts as Customer Content
- Invoices, receipts, bank statements, ID documents, contracts, and custom paperwork you upload to DocPro
- Vendor records, GL postings, GST returns, and reconciliation data inside Finsuite
- API payloads, extracted fields, confidence scores, and audit logs tied to your tenant
- Source code, system access, and business data shared during a consulting engagement
3.2 How We Process It
For customer content, we are a processor. That means:
- We process content only to deliver the service you contracted for
- We follow documented instructions in your Service Agreement or SOW
- Access is restricted to engineers who need it to operate or support the service
- Every access is logged and reviewable on request
AI model training. We do not use your customer content to train, fine-tune, or improve our shared AI models — unless you give us explicit written consent in a Service Agreement or addendum. When consent is given, the scope, duration, and security controls are spelled out in writing before any data is used.
3.3 Where It Lives
By default, customer content is hosted in the cloud region you select on AWS, Azure, or Google Cloud. Regional data residency in India, the EU, or the US is available on request. For regulated workloads, we deploy DocPro on-premise or in air-gapped environments so the data never leaves your perimeter.
4. How We Use Your Information
We use personal data for the following purposes:
- Service delivery: running the platform, processing documents, posting AP transactions, filing GST returns, executing project work
- Account management: authenticating users, sending operational notices, billing
- Support: responding to tickets, debugging issues, and following up on incidents
- Security: detecting fraud, abuse, and unauthorised access; protecting our infrastructure
- Product improvement: aggregated, de-identified analytics on how features are used — never customer content
- Sales & marketing: answering enquiries, sharing case studies, and sending product updates you can unsubscribe from at any time
- Legal & compliance: meeting tax, audit, anti-money-laundering, and regulator-reporting obligations
We do not sell personal data. We do not rent contact lists. We do not push notifications dressed up as product news when they are really ads.
5. Legal Basis for Processing
If GDPR or equivalent regulation applies to you, the legal basis for each processing activity is:
- Contract: processing required to deliver the services described in your agreement
- Legitimate interest: running a secure platform, preventing abuse, and growing the business in a way that respects your data
- Consent: marketing emails, optional analytics cookies, and any use of your content for AI training — always opt-in, always revocable
- Legal obligation: tax filings, statutory record-keeping, and responses to lawful authority requests
Where consent is the basis, you can withdraw it at any time. Withdrawing consent does not affect processing already carried out under the previous consent.
6. How We Share Information
We share personal data only when there is a real reason to, and only with parties under appropriate contracts:
6.1 Service Providers (Sub-processors)
We work with vendors that help us run the platform. Each one is bound by a written agreement covering security, confidentiality, and data protection. The current categories include:
- Cloud infrastructure: AWS, Microsoft Azure, Google Cloud
- Email & communications: Google Workspace, transactional email providers
- Customer support tooling: ticketing and chat platforms
- Payments & billing: Razorpay, Stripe, and our banking partners
- Analytics: privacy-respecting product analytics for the website and platform
A current sub-processor list is available on request. Customers under a DPA are notified before we add a new sub-processor that handles their data.
6.2 Legal & Regulatory Disclosures
We disclose personal data when we are legally required to — for example, in response to a court order, a tax notice, or a regulator’s lawful request. Where the law allows, we will notify you before disclosure so you have a chance to object.
6.3 Business Transfers
If PTAS AI is involved in a merger, acquisition, or sale of assets, personal data may transfer with the business. We will publish a notice and, where required, ask for fresh consent before the new entity changes how the data is used.
6.4 With Your Explicit Direction
If you ask us to integrate with a third-party system — an ERP, a vendor portal, a tax engine — we will send the relevant data to that system on your instruction. The receiving system’s privacy practices are its own.
7. Cookies & Similar Technologies
The PTAS AI website uses a small set of cookies. We try to keep the list short.
7.1 What We Use
- Strictly necessary: session, security, and load-balancing cookies. The site does not work without these.
- Preference: remembers language, region, or layout settings you have chosen.
- Analytics: aggregated traffic data so we can see which pages help people and which fall flat. We do not track individuals across the web.
- Marketing: only set if you accept them — for remarketing on platforms like LinkedIn and Google.
7.2 Your Choices
You can refuse non-essential cookies from the consent banner on first visit, change your settings later, or block cookies in your browser. Blocking strictly necessary cookies will break parts of the site.
For the platform (DocPro and Finsuite), we use functional cookies and tokens to keep you signed in and to secure each session. There is no advertising tracking inside the product.
8. Data Security
We follow ISO/IEC 27001-aligned practices. That is not a slogan — it is a working set of controls covering:
- Encryption: TLS 1.2+ in transit, AES-256 at rest for customer content
- Access control: role-based access, MFA on production, least-privilege defaults
- Network security: private subnets, secrets management, WAF on public endpoints
- Logging & monitoring: centralised audit logs, anomaly detection, automated alerts
- Vulnerability management: dependency scanning, patching cadence, periodic third-party penetration tests
- People controls: background checks, signed NDAs, and security training for every employee and contractor
- Incident response: a documented playbook, an on-call rota, and notification timelines aligned with GDPR, DPDPA, and your DPA
No system is unbreakable. Anyone telling you otherwise is selling something. What we commit to is a serious, auditable security posture and honest communication if something goes wrong.
9. Data Retention
We do not keep data forever. Retention timelines depend on the category:
- Marketing leads: up to 24 months after the last meaningful interaction, then deleted or anonymised
- Customer account data: for the life of the contract, plus 90 days for offboarding
- Document content processed by DocPro: per the retention setting in your tenant — defaults to 30 days unless you configure longer or shorter
- Audit logs: 12 months by default, longer where regulation requires it
- Billing & tax records: 8 years, as required under Indian tax law
- Support correspondence: 24 months after the ticket closes
At the end of an engagement, customer content is exported in a portable format on request, then deleted from production and backups according to a documented schedule. Backups roll over within 35 days.
10. International Data Transfers
PTAS AI operates from India, with cloud regions and customers in multiple jurisdictions. Personal data may move across borders to deliver the service.
When that happens, we rely on lawful transfer mechanisms:
- Standard Contractual Clauses (SCCs) for transfers from the EEA, UK, and Switzerland
- Adequacy decisions where the destination country has one
- Data Processing Agreements with every sub-processor, mirroring the same protections
If you need data to remain in a specific region, say so before the engagement starts. We can pin DocPro and Finsuite to India, the EU, or US regions, or deploy on-premise where regulation demands it.
11. Your Rights & Choices
Depending on where you live — mainly the EU/UK under GDPR, California under CCPA/CPRA, and India under the DPDPA, 2023 — you have rights over your personal data. We honour them regardless of jurisdiction:
- Right of access
- Ask what personal data we hold about you and get a copy.
- Right to rectification
- Ask us to correct anything inaccurate or incomplete.
- Right to erasure
- Ask us to delete your personal data where there is no legitimate reason to keep it.
- Right to restrict processing
- Pause our use of your data while we investigate a complaint or correction.
- Right to data portability
- Get your data in a structured, machine-readable format and move it elsewhere.
- Right to object
- Object to processing based on legitimate interest, including direct marketing.
- Right to withdraw consent
- Withdraw any consent you previously gave — for marketing, analytics, or AI training.
- Right not to be subject to automated decisions
- Decisions with legal or similarly significant effect are not made by AI alone in our products.
- Right to lodge a complaint
- With your local supervisory authority (e.g. ICO, CNIL, the Data Protection Board of India).
To exercise any of these rights, email connect@ptasai.com. We respond within 30 days. For customer accounts under a DPA, the same rights flow to the data subjects of the controller, and we will help you respond to their requests as part of our processor obligations.
12. Children’s Privacy
PTAS AI is a B2B platform. Our products are sold to businesses for use by adults in a professional capacity. We do not knowingly collect personal data from anyone under 18.
If you believe a minor has provided us with personal data, email connect@ptasai.com and we will delete it.
13. Changes to This Policy
We update this policy when the law changes, our practices change, or we launch features that touch personal data in a new way. The current version always lives at ptasai.com/privacy-policy, with the “Last updated” date at the top of the page.
Material changes — new categories of data, new purposes, new sub-processors handling regulated content — are notified by email to active customers and via a banner on the site at least 30 days before they take effect.
Where a signed Data Processing Agreement conflicts with this Policy, the DPA wins for that customer.
14. Contact & Grievance Information
For privacy questions, data subject requests, or anything else this policy raises:
Company Details
- Legal Entity
- Pritasha Solutions Private Limited
- Brand / Product
- PTAS AI
- Privacy Email
- connect@ptasai.com
- Website
- https://ptasai.com
- Registered Address
- N.H. 11, Dohar Kalan, Narnaul, Haryana — 123001, India
Data Protection Officer
- Designation
- Data Protection Officer
- connect@ptasai.com
- Subject line
- DPO Request — [your topic]
- Response Time
- Within 30 days for GDPR requests; sooner where practical
Grievance Redressal Officer (India)
- Designation
- Grievance Officer
- connect@ptasai.com
- Statutory Response
- Acknowledgement within 48 hours; resolution within 15 days, per the IT Rules, 2021
About the company. PTAS AI is a global technology and business-process platform built around agentic document extraction, finance operations software, and engineering services. We are certified by Startup India (DPIIT) for innovation and scalability, and our security and quality practices align with ISO/IEC 27001 and ISO 9001.
Questions about your data?
If something here is unclear, or you need a Data Processing Agreement before signing an SOW, write to us. We answer privacy questions in plain language, not legalese.