1. Introduction
This Privacy Policy ("Policy") describes how TRISX Technologies Private Limited ("Company," "Subcidys," "we," "us," or "our") collects, uses, stores, shares, and protects personal data of users ("User," "you," or "your") of the Subcidys platform, website, and mobile application (collectively, the "Services").
This Policy is framed in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 and rules made thereunder, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, to the extent applicable, and other relevant Indian laws.
By accessing or using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree, please do not use the Services.
2. Definitions
- "Personal Data" — means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act.
- "Data Fiduciary" — means Subcidys/TRISX Technologies Private Limited, which determines the purpose and means of processing Personal Data.
- "Data Principal" — means the individual to whom the Personal Data relates (i.e., you, or where applicable, your authorized representatives or employees).
- "Processing" — means any operation performed on Personal Data, including collection, storage, use, sharing, and deletion.
- "Consent Manager" — refers to any entity registered with the Data Protection Board for managing consent, where applicable.
3. Categories of Personal Data We Collect
We collect the following categories of information, depending on how you use the Services:
3.1 Identity and Business Information
- Full name, email address, phone number, date of birth
- Business/entity name, nature of business, GST registration number
- Permanent Account Number (PAN)
- Business registration documents (e.g., Udyam, GST certificate, incorporation certificates)
- Owner, director, partner, and authorized signatory details
- Employee information added by Users for payroll, access control, or invoicing purposes
3.2 Financial and Transactional Information
- Invoices, quotations, purchase orders, sales orders, and accounting entries created on the platform
- Bank account details (account number, IFSC, account holder name) provided for settlement or display on invoices
- UPI IDs and payment links generated through integrated payment gateways
- Payment status, transaction references, and reconciliation data
- Receivables, payables, cash flow records, and bookkeeping data entered or generated on the platform
3.3 Documents and Files
Documents uploaded by Users, including invoices, contracts, identity proofs, and supporting business documents.
3.4 Technical and Usage Information
- Device information (device type, operating system, browser type)
- IP address and approximate location derived therefrom
- Cookies and similar tracking technologies (see our Cookie Policy)
- Log data, usage analytics, feature interaction data, and crash reports
- Communication logs (emails, WhatsApp messages, support chats) sent through or to the platform
3.5 AI Interaction Data
- Prompts, queries, and inputs provided to AI-powered features (e.g., AI Financial Assistant, AI Bookkeeping, AI Copilot)
- Outputs generated by such AI features and associated usage history
3.6 Optional Information
- Precise or approximate location data, where you enable location services
- Profile photographs or business logos, where uploaded voluntarily
4. How We Collect Personal Data
- Directly from you — when you register, complete your profile, create invoices, upload documents, or contact support.
- Automatically — through cookies, device identifiers, server logs, and analytics tools when you use the Services.
- From third parties — including payment gateways, banks, NBFCs, credit bureaus, GSTN, and other integrations you authorize us to connect with.
- From communication channels — including WhatsApp Business API and email service providers used for sending invoices and notifications.
5. Purpose of Processing
We process Personal Data for the following purposes, consistent with the DPDP Act's requirement of using data only for lawful, specified, and consented purposes:
- To create and manage your account and provide access to the Services
- To generate invoices, quotations, purchase orders, sales orders, and accounting records
- To facilitate GST filing, e-invoicing, and e-way bill generation through integration with GSTN and authorized service providers
- To enable payment collection via UPI, cards, net banking, bank transfer, AutoPay mandates, and payment links through integrated payment gateways
- To send invoices, reminders, and notifications via email and WhatsApp, where you have provided consent
- To provide AI-powered features such as AI Financial Assistant, AI Bookkeeping, AI Cash Flow Forecasting, and AI Copilot
- To detect, prevent, and investigate fraud, unauthorized access, and security incidents
- To comply with applicable legal, regulatory, and tax obligations, including those under RBI guidelines where embedded finance features are availed
- To improve, maintain, and develop the Services, including through analytics and product research
- To communicate with you regarding updates, support, and (where consented) marketing
- To facilitate credit assessment and embedded financing products, where you opt in to such features and consent to sharing data with lending partners and credit bureaus
6. Legal Basis for Processing
We process your Personal Data on the basis of:
- Your consent, given freely, specifically, and after being informed of the purpose of processing, in accordance with Section 6 of the DPDP Act;
- Performance of the contract between you and Subcidys for provision of the Services;
- Compliance with legal obligations, including under tax, GST, and financial regulations;
- Certain "legitimate uses" recognized under the DPDP Act, such as for purposes of employment, responding to a medical emergency, or where you have voluntarily provided data for a specified purpose.
We use cookies, web beacons, and similar technologies to operate the Services, remember preferences, and analyze usage. Details regarding the types of cookies used, their purposes, and how you can manage your preferences are set out in our separate Cookie Policy, which forms part of this Privacy Policy by reference.
Subcidys does not sell your Personal Data. We may share Personal Data with the following categories of recipients, strictly for the purposes described in this Policy:
8.1 Payment and Financial Partners
- Payment gateways, for processing UPI, card, net banking, and AutoPay transactions
- Banks and NBFCs, where you avail or apply for embedded credit, invoice financing, or other lending products
- Credit bureaus, solely where you provide explicit consent for credit assessment (see our Credit Bureau Consent)
8.2 Tax and Regulatory Bodies
- GSTN and authorized GST Suvidha Providers (GSPs), for e-invoicing, e-way bill generation, and GST return filing
- Government authorities and regulators, where required by law, court order, or lawful request
8.3 Communication Service Providers
- WhatsApp Business API providers, for sending invoices, payment links, and notifications, where you or your customers have consented
- Email service providers, for transactional and (where consented) marketing communications
8.4 Technology and Infrastructure Partners
- Cloud infrastructure providers, for hosting and storage of data
- AI service providers (including large language model APIs), for providing AI-powered features, subject to our AI Usage & AI Disclaimer Policy
- Analytics and monitoring service providers, for performance and security monitoring
8.5 Corporate Transactions
In the event of a merger, acquisition, restructuring, or sale of assets involving Subcidys/TRISX Technologies Private Limited, Personal Data may be transferred to the successor entity, subject to equivalent protections.
8.6 Legal Requirements
We may disclose Personal Data where required to comply with applicable law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Subcidys, our Users, or the public.
9. Cross-Border Data Transfers
Personal Data may be stored or processed on servers located within or outside India, including through cloud infrastructure and AI service providers. We will ensure that any cross-border transfer of Personal Data complies with the requirements of the DPDP Act, including any restrictions notified by the Central Government from time to time.
10. Data Retention
We retain Personal Data for as long as necessary to fulfil the purposes outlined in this Policy, including to comply with legal, accounting, tax, and regulatory record-keeping requirements (such as those under GST law, which may require retention of records for a minimum period as prescribed by law). Detailed retention periods for specific categories of data are set out in our Data Retention Policy.
11. Data Security
We implement reasonable security practices and procedures, including administrative, technical, and physical safeguards, designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures are described further in our Information Security Policy and Cyber Security Policy.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We encourage you to use strong passwords and to contact us immediately if you suspect any unauthorized access to your account.
12. Your Rights as a Data Principal
Under the DPDP Act, you have the following rights in respect of your Personal Data, subject to applicable exceptions:
- Right to access information about your Personal Data and the processing activities undertaken
- Right to correction and updating of inaccurate or incomplete Personal Data
- Right to erasure of Personal Data that is no longer necessary for the purpose for which it was processed, subject to legal retention requirements
- Right to grievance redressal, including the right to register a complaint regarding processing of your Personal Data
- Right to nominate another individual to exercise these rights on your behalf in the event of death or incapacity
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal
To exercise any of these rights, you may contact our Grievance Officer / Data Protection contact at the details provided in Section 17 below.
13. Children's Data
The Services are intended for use by businesses and individuals who are at least 18 years of age and capable of entering into a legally binding contract under the Indian Contract Act, 1872. We do not knowingly collect Personal Data from children. Please refer to our Children's Privacy Policy for further details.
14. AI Features and Data Usage
Where you use AI-powered features such as the AI Financial Assistant, AI Bookkeeping, AI Cash Flow Forecasting, or AI Copilot, the inputs you provide and certain account/business data may be processed by third-party AI model providers to generate outputs. We take reasonable measures to limit the data shared with such providers to what is necessary, and to use providers that offer appropriate data protection commitments.
Please refer to our AI Usage & AI Disclaimer Policy for further details on how AI outputs are generated and the limitations you should be aware of.
15. Third-Party Links and Services
The Services may contain links to or integrations with third-party websites, applications, or services (such as banks, payment gateways, NBFCs, or GSTN portals). This Policy does not apply to such third-party services, and we encourage you to review their respective privacy policies.
16. Updates to this Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes through the Services or via email, and the "Last Updated" date at the top of this Policy will be revised accordingly. Continued use of the Services after such updates constitutes acceptance of the revised Policy.
17. Grievance Officer and Contact Information
In accordance with the Information Technology Act, 2000 and the DPDP Act, the contact details of our Grievance Officer are as follows:
Grievance Officer / Data Protection Contact
For further details on our grievance redressal process and timelines, please refer to our Grievance Redressal Policy.
18. Governing Law
This Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the jurisdiction of the courts at Bengaluru, Karnataka, India, subject to the Arbitration Clause set out in our Terms & Conditions.
📋 DPDP Act Compliance
For the detailed DPDP Act Compliance Notice (Section 5 notice) and our User Consent Policy describing how we collect, record, and manage your consent under the Digital Personal Data Protection Act, 2023, please refer to:
View DPDP Compliance & Consent Policy