Privacy Policy
Last updated: March 28, 2026
ERPRev Dashboard ProMax ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered business intelligence platform at www.erprevpromax.com (the "Service"). By using the Service, you consent to the practices described herein.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your full name, email address, phone number (optional), chosen password, and organization name. If you are added by an administrator, they provide your name, email, assigned role, and department.
1.2 ERPRev Credentials
To connect the Service to your ERPRev ERP system, you provide your ERPRev account URL, API key, and API secret. These credentials are encrypted at rest using AES-256-GCM symmetric encryption with a deterministic key derived from server secrets and are used solely to retrieve data from your ERPRev system via read-only API calls. We never store these credentials in plaintext.
1.3 Business Data from ERPRev
Once connected, the Service retrieves business data from your ERPRev system, which may include: product and inventory records, sales transactions, customer names and contact details, financial records (invoices, receipts, quotations), employee and payroll information, supplier data, raw material records, and service records. This data is cached in your tenant-isolated MariaDB schema to provide fast dashboard performance and is synchronized on a configurable schedule (default: every 10 minutes).
1.4 Usage Data
We automatically collect information about how you interact with the Service, including: pages and tabs visited, features used, filters applied, drill-down actions performed, AI insight requests, session duration and frequency, browser type and version, device type, IP address, and general location (city/country level derived from IP).
1.5 Security Data
For security purposes, we collect and log: login timestamps, authentication events (success/failure), two-factor authentication enrollment status, active session details (device, IP, user agent), and account activity audit trails.
1.6 Payment Information
When you subscribe to a paid plan, payment information (credit card number, billing address) is collected and processed directly by our payment processors (Stripe and/or Paystack). We receive only a transaction confirmation, the last four digits of your card, card brand, and billing country. We never have access to your full payment card details.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service — Retrieve, cache, and display your ERPRev business data in interactive dashboards; compute intelligence scores; generate alerts, forecasts, and anomaly detections.
- Generate AI Insights — When you request AI analysis, relevant business data context is sent to our AI provider to generate on-demand insights. Only the data necessary for the specific analysis is transmitted, and it is not used to train AI models.
- Authenticate and Secure — Verify your identity, manage sessions, enforce role-based access controls, and detect unauthorized access attempts.
- Communicate — Send transactional emails (account verification, password resets, security alerts), morning briefings, weekly digest reports, and service notifications based on your notification preferences.
- Process Payments — Manage your subscription billing and payment history through our payment processors.
- Improve the Service — Analyze aggregated, anonymized usage patterns to improve features, performance, and user experience.
- Enforce Terms — Investigate potential violations of our Terms of Use and comply with legal obligations.
3. Data Storage & Security
We implement comprehensive security measures to protect your data. For full details, see our Security Policy. Key measures include:
- Encryption at Rest — ERPRev API credentials are encrypted using AES-256-GCM with deterministic keys derived from server secrets. Passwords are hashed using bcrypt with automatically generated salts.
- Encryption in Transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Tenant Isolation — Each customer's business data is stored in a separate, isolated MariaDB schema (tenant_{org_id}). No cross-tenant data access is possible.
- Authentication Security — JWT tokens are delivered via HttpOnly, Secure, SameSite cookies to prevent XSS-based token theft. Optional TOTP-based two-factor authentication adds an additional layer of security.
- Access Controls — Role-based access control (RBAC) with four tiers (Admin, Manager, Analyst, Viewer) and granular per-tab and per-feature permissions.
- Rate Limiting — API endpoints are rate-limited to prevent brute-force attacks and abuse.
4. Third-Party Services
We share limited data with the following third-party service providers, each operating under their own privacy policies:
4.1 Stripe
Stripe processes credit card and bank payments for our subscription billing. They receive your payment card details, billing address, email, and transaction amounts. Stripe is PCI-DSS Level 1 certified. Stripe Privacy Policy
4.2 Paystack
Paystack processes payments for customers in supported African markets. They receive your payment details, billing information, and transaction amounts. Paystack is PCI-DSS compliant. Paystack Privacy Policy
4.3 AI Provider
When you use the AI insights feature (branded as ERPRev AI Engine), contextual business data is sent to our AI provider's API via server-side streaming to generate analysis and recommendations. Important protections:
- Data is transmitted only when you explicitly request an AI insight — never automatically.
- Only the minimum data necessary for the specific analysis is sent (not your entire database).
- Per our AI provider's API terms, data sent via the API is not used to train AI models.
- No personally identifiable customer information (email, phone) is included in AI prompts; only aggregated business metrics and anonymized transaction summaries.
4.4 Email Service Provider
We use SMTP-based email delivery for transactional emails (password resets, security alerts, morning briefings, weekly digests). Your email address and name are shared with our email service provider solely for delivery purposes.
4.5 Webhooks (User-Configured)
If you configure webhook integrations (e.g., Slack, WhatsApp, Telegram, custom URLs) in your Settings, alert and notification data will be sent to the endpoints you specify. You are responsible for the privacy and security of data sent to your configured webhook URLs.
6. Data Retention
We retain your data according to the following schedule:
- Account Data — Retained for the duration of your subscription plus 30 days after termination to allow data export.
- Business Data (ERPRev sync) — Retained in your tenant database for a configurable period (default: 365 days). Admin users can adjust retention settings from the Data Retention section in Settings.
- Audit Logs — Retained for a configurable period (default: 180 days) for security and compliance purposes.
- Cache Data — The Memcached tier expires after 11 minutes. The MariaDB cache has a configurable retention period (default: 90 days). Expired entries are purged daily.
- Session Data — Active sessions expire after the configured JWT expiry period (default: 8 hours). Session records are retained in audit logs.
- Payment Records — Transaction records are retained for 7 years to comply with accounting and tax regulations.
When data is deleted, it is permanently removed from our active systems. Encrypted backup copies may persist for up to 30 additional days before being overwritten.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
7.1 Under GDPR (EU/EEA Residents)
- Right of Access — Request a copy of the personal data we hold about you.
- Right to Rectification — Request correction of inaccurate personal data.
- Right to Erasure — Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Right to Restrict Processing — Request that we limit how we process your data.
- Right to Data Portability — Receive your personal data in a structured, machine-readable format (CSV or JSON).
- Right to Object — Object to processing of your data for certain purposes.
- Right to Withdraw Consent — Withdraw consent at any time where processing is based on consent.
7.2 Under POPIA (South African Residents)
- Right to be notified of data collection and its purpose.
- Right to request access to and correction of personal data.
- Right to request deletion of personal data.
- Right to object to processing for direct marketing purposes.
- Right to lodge a complaint with the Information Regulator.
7.3 Under CCPA (California Residents)
- Right to know what personal information is collected and how it is used.
- Right to request deletion of personal information.
- Right to opt out of the sale of personal information.
- Right to non-discrimination for exercising your rights.
We do not sell personal information. We never have and never will sell your personal data or business data to third parties.
To exercise any of these rights, contact us at privacy@erprevpromax.com. We will respond to verified requests within 30 days (or as required by applicable law).
8. International Data Transfers
Your data may be processed in countries other than where you reside. When we transfer data internationally, we ensure appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, and contractual obligations with our sub-processors requiring equivalent data protection standards.
When AI insights are requested, data is transmitted to our AI provider's servers for processing. This transfer is governed by our AI provider's data processing agreements and is limited to the specific data necessary for the requested analysis.
9. Children's Privacy
The Service is designed for business professionals and is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@erprevpromax.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will: (a) update the "Last updated" date at the top of this page; (b) send a notification email to the address associated with your account; and (c) display a notice within the Service. We encourage you to review this page periodically to stay informed about how we protect your data.
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is handled, please contact us:
- Data Protection Inquiries: privacy@erprevpromax.com
- General Support: support@erprevpromax.com
- Security Issues: security@erprevpromax.com
- Website: www.erprevpromax.com
ERPRev Dashboard ProMax — Privacy Policy — Effective March 28, 2026