About this Policy
We are ESURGENT PRIVATE LIMITED, doing business as DAAI BUSINESS SUITE (“Company”, “DAAI”, “we”, “us”, “our”) — a company incorporated in India with its registered office at 509 Pehel, Khoraj, Gandhinagar, Gujarat 382421, India. We operate the website https://daaisuite.com (the “Site”), an inbound ticketing & support system, and the DAAI Business Suite SaaS application that provides modules for HRM (employee management, leaves, payroll), CRM (sales and leads tracking), Bookkeeping (accounts & expenses) and Billing (client invoicing and subscription management) (collectively, the “Services”).
This Policy is read together with our Terms & Conditions and our Refund & Cancellation Policy, all of which are incorporated by reference. To the extent of any inconsistency, the Terms & Conditions shall prevail in matters of contractual liability, payment and termination; this Policy shall prevail in matters of data handling and privacy rights.
1. Contact Information
ESURGENT PRIVATE LIMITED
509 Pehel, Khoraj, Gandhinagar, Gujarat 382421, India
Phone: +91-9925277767
Email: hello@daaisuite.com
For privacy / data-rights requests, please write to hello@daaisuite.com from the email address registered with us and include sufficient information for us to verify your identity (see Section 21).
2. Definitions
- “Personal Data” — Any data about an individual who is identifiable by or in relation to such data, as defined under the Digital Personal Data Protection Act, 2023 (“DPDP Act”).
- “Sensitive Personal Data” — Personal data of a sensitive nature, including but not limited to financial information (PAN, bank account, salary), government identifiers (Aadhaar, PAN, GSTIN, driving licence, passport), credentials, biometric data, and any category of data treated as sensitive under applicable law.
- “Customer Data” — Data, files, content or information that the Customer (or its Authorised Users) uploads, transmits, inputs, processes, generates or stores through the Services — including data relating to the Customer’s own employees, contractors, clients, vendors and end-users.
- “Data Principal” — The individual to whom Personal Data relates (the data subject under the DPDP Act).
- “Data Fiduciary” — Any person who, alone or in conjunction with others, determines the purpose and means of processing Personal Data (the controller).
- “Data Processor” — Any person who processes Personal Data on behalf of a Data Fiduciary.
- “Site”, “Services”, “Customer”, “you” — As defined in the Terms & Conditions.
3. Scope & Applicability
This Policy applies to:
- visitors to the Site (https://daaisuite.com) and any sub-domains or related properties;
- users of the ticketing / support system;
- prospective customers who submit forms, request demos, sign up for trials or otherwise interact with the Company;
- paying and trial subscribers of the DAAI Business Suite SaaS application;
- Authorised Users of a Customer’s account (such as the Customer’s admins, employees, contractors and end-users), to the extent we directly collect their personal data; and
- any other individual whose personal data is processed by the Company in connection with the Services.
This Policy does not apply to third-party services, websites, applications, payment gateways or integrations operated by other entities, even if accessible from or linked to the Services. Use of any such third party is governed by that third party’s own privacy policy.
4. Our Role — Data Fiduciary & Data Processor
Depending on the activity, the Company acts in different capacities under the DPDP Act:
| Activity | Our Role | You / the Customer’s Role |
|---|---|---|
| Website visits, ticketing, marketing forms, demo requests, support enquiries, billing of Subscribers | Data Fiduciary (we decide purpose and means) | Data Principal |
| Processing data that the Customer uploads or inputs into the application about its own employees, contractors, clients, vendors, leads or end-users (HRM / CRM / Bookkeeping / Payroll / Billing data) | Data Processor (we process on the Customer’s instructions) | Data Fiduciary — the Customer determines purpose and means and must obtain the necessary notices, consents and lawful basis from its own data principals |
| Aggregated, anonymised or statistical data derived from usage of the Services | Data Fiduciary (no longer personal data once truly anonymised) | — |
5. Information We Collect
5.1 Data collected on the website & ticketing system
When you visit the Site, submit a form, raise a ticket, request a demo or otherwise interact with the Company online, we may collect:
- Identifiers & contact data — Name, Email, Phone, Company name and details from forms or ticket submissions.
- Communication data — Subject, message, attachments, ticket history, correspondence with our team.
- Cookies and tracking data — Google Analytics, Meta Pixel and similar tools (see Section 6).
This data is used for: responding to enquiries, lead generation and marketing communication (where consent has been obtained), customer support, ticket resolution, fraud prevention, and Site improvement.
On the Site / ticketing system, we do not actively collect or process sensitive personal data (such as Aadhaar, bank details or salary data). If you submit such information voluntarily in a free-text field, we may delete or redact it during processing at our discretion.
5.2 Data collected on the DAAI Business Suite application
When the Customer uses the application, the Customer (and its Authorised Users) may enter or upload, among other things:
- Employee, contractor & user data — Name, Email, Phone, Address, designation, department, employment data and similar HR fields.
- Identifiers & KYC data — PAN, GSTIN, Aadhaar (where the Customer chooses to store it), family details, dependants, nominees and similar HR-compliance data.
- Financial & payroll data — Bank account details, salary data, components, deductions, advances, timesheet logs, leave balances, reimbursements.
- Accounting, CRM & billing data — Customer / vendor records, invoices, quotations, ledgers, expense entries, payment records, lead and sales data.
- Documents — Files, attachments and supporting documents uploaded to any module.
As stated in Section 4, the Customer is the Data Fiduciary in respect of all such data; the Company processes it solely as a Data Processor on the Customer’s instructions in order to provide the Services.
5.3 Subscription & payment data
For each paid subscription, we record subscription details such as transaction date, subscription plan and amount. Payment is processed via our payment provider (currently Cashfree Payments India Pvt Ltd) and other regulated payment processors we may engage from time to time.
5.4 Communication & support data
When you communicate with us (email, phone, chat, ticket, in-app message), we may retain a record of the communication, the channel used, time-stamps and the substance of the communication for quality, audit, compliance, training and dispute-resolution purposes.
6. Cookies & Tracking Technologies
We and selected third parties use cookies, pixels, beacons, tags, local storage, SDKs and similar tracking technologies (collectively, “Cookies”) on the Site and within the Services. Cookies help us recognise you, remember your preferences, deliver authenticated sessions, measure performance, prevent fraud and (subject to your consent where applicable) deliver marketing communications.
| Category | Purpose | Examples |
|---|---|---|
| Strictly necessary | Authentication, session, security, load balancing — cannot be disabled | Login session cookies, CSRF tokens |
| Performance & analytics | Measure traffic, page performance, error rates, feature usage | Google Analytics |
| Marketing & advertising | Measure campaign effectiveness, retargeting on permitted channels (only with consent where required) | Meta (Facebook) Pixel and similar advertising pixels |
| Functionality | Remember preferences, language, region, UI state | UI preference cookies |
You may control Cookies through your browser settings (block, restrict, delete). Disabling strictly-necessary Cookies will break authentication and core functionality of the Services. Where applicable law requires us to honour browser-level opt-out signals, we will do so to the extent technically feasible.
7. Log Data & Device Information
When you access the Site, ticketing system or application, our servers, hosting providers and third-party security services automatically collect log data, which may include:
- IP address (subject to anonymisation where feasible);
- device identifiers, operating system, browser type and version, language settings;
- referring/exit pages, URLs visited, click-stream events;
- date and time stamps of access and actions;
- session and authentication identifiers; and
- error reports and diagnostic information.
Log data is used for security, fraud prevention, debugging, capacity planning, audit trails and legal / regulatory compliance. Log data is retained for such periods as we consider reasonably necessary for these purposes and as may be required by applicable law (including, where applicable, the directions of the Indian Computer Emergency Response Team (CERT-In)).
8. How We Use Information
We use personal data to:
- provide, operate, host, maintain and improve the Services;
- process subscriptions, billing, payments, renewals, refunds and reconciliations;
- process payroll, invoicing and other transactions initiated by the Customer through the modules;
- authenticate users, secure accounts and detect or prevent fraud, abuse and security incidents;
- provide customer support, respond to enquiries and resolve tickets;
- send transactional, security, account and service notifications;
- send marketing communications using only the contact details provided directly by the Customer to the Company (and only where consent has been obtained, and subject to your right to opt out at any time);
- perform analytics, reporting and product research;
- comply with applicable laws, regulations, governmental orders, tax obligations, court orders and lawful requests of competent authorities;
- enforce these Terms, this Policy and any other applicable agreement, and to investigate breach or abuse;
- conduct internal audits, quality assurance and training.
9. Legal Basis for Processing (DPDP Act 2023)
We process personal data on one or more of the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the Services and performing the subscription contract | Performance of contract / necessity for the subscription you have entered into |
| Marketing and promotional communications using contact details you provided to us | Your consent (withdrawable at any time) |
| Site analytics, marketing pixels, retargeting | Consent (where required) and our legitimate use of standard analytics tooling |
| Security, fraud prevention, abuse detection, audit logs | Legitimate use under the DPDP Act and our legal obligation to maintain reasonable security safeguards |
| Tax, accounting, payroll-statutory, compliance and regulatory recordkeeping | Compliance with legal obligations applicable to the Company and to the Customer |
| Responding to lawful requests from governmental, regulatory or judicial authorities | Compliance with legal obligation / “specified legitimate use” under the DPDP Act |
| Processing of Customer Data uploaded into the application | On behalf of and on the instructions of the Customer (Data Fiduciary), as Data Processor |
Withdrawal of consent will be honoured for the future, but does not affect the lawfulness of processing already carried out on the basis of the prior consent, and does not relieve us from retaining data where required by law.
10. Marketing & Promotional Communications
Where you have provided your contact details to us and have not opted out, we may send promotional emails, SMS, WhatsApp or telephone communications relating to new features, offers, events, surveys and similar marketing content. We may also use the Meta Pixel, Google Ads tags and similar technologies to deliver advertising on third-party platforms, subject to your consent and the applicable platform’s controls.
You may opt out of marketing communications at any time by:
- clicking the “unsubscribe” link in any marketing email;
- replying STOP / OPT-OUT to a marketing SMS or WhatsApp message;
- updating your communication preferences inside the Customer Admin Panel;
- writing to hello@daaisuite.com from the registered email address.
Opting out of marketing communications will not affect transactional, security, billing or service notifications, which are necessary for the operation of the Services. Outbound SMS and voice communications are routed through licensed telecom-service providers (such as MSG91) whose platforms are configured to follow the applicable Telecom Regulatory Authority of India (TRAI) commercial-communication regulations, including the National Customer Preference Register / DND framework, to the extent applicable to the relevant message category.
11. No Sale of Personal Data
We do not sell, rent, lease, trade or monetise your personal data. We do not transfer personal data to third parties for their own independent marketing or advertising purposes without your express consent.
12. Data Sharing & Sub-Processors
We may share personal data with the following categories of recipients, subject to appropriate confidentiality and data-handling obligations:
| Category | Examples | Purpose |
|---|---|---|
| Hosting & storage providers | Amazon Web Services (AWS, Mumbai), MongoDB Atlas (India region) | Hosting the application, the database and storage |
| Payment processors | Cashfree Payments India Pvt Ltd and other regulated payment processors we may engage | Processing subscription payments, refunds and reconciliations |
| Communication providers | Email, SMS, WhatsApp, push-notification and voice / OTP service providers (e.g. MSG91) | Transactional, OTP, support and (where consented) marketing communications |
| Analytics & advertising | Google Analytics, Meta Pixel and similar tools | Site analytics, performance monitoring, marketing measurement |
| Ticketing / support tools | Inbound support & helpdesk platforms | Receiving, routing and responding to tickets |
| Professional advisers | Auditors, lawyers, tax advisers, insurers, bankers | Audit, compliance, legal advice and risk management |
| Authorities | Government, regulatory, judicial, tax and law-enforcement authorities | Compliance with law, court orders, lawful requests, regulatory reporting (including CERT-In) |
| Successors | Acquirer, merger partner, asset purchaser, financing party in a corporate transaction | Continuation of services, due diligence and closing of a transaction |
Disclosure may also occur where required by government or regulatory authorities, court orders, or in connection with the prevention, investigation or prosecution of legal claims. We may engage additional sub-processors from time to time. Continued use of the Services after the publication of an updated sub-processor list constitutes acceptance.
13. Cross-Border Data Transfers
Personal data and Customer Data are primarily stored and processed in India (AWS Mumbai region and MongoDB Atlas India region). Where any sub-processor or service provider involves processing or storage outside India (for example, for global helpdesk or messaging infrastructure, regional backup, fraud-detection services or pixel-based advertising), such cross-border transfers will be carried out only:
- in compliance with the DPDP Act and any cross-border-transfer rules issued thereunder;
- subject to appropriate contractual safeguards with the recipient; and
- to jurisdictions that are not restricted by the Central Government for the purposes of personal data transfer under the DPDP Act.
If you access the Services from outside India, your data will be transferred to India and processed in accordance with this Policy.
14. Data Storage & Security
We implement commercially reasonable administrative, technical and physical safeguards designed to protect personal data, which currently include the following measures:
- Hosting in India — The application and the database are hosted in India (AWS Mumbai region and MongoDB Atlas India region).
- Transport-layer security — Data in transit between your browser / device and the Services is protected by industry-standard SSL / TLS encryption.
- Credential protection — Passwords are securely hashed before storage; we do not store user passwords in plaintext.
- Two-step verification for administrative access — Administrative log-in into the application requires verification of a one-time password (OTP) sent to the user’s registered email address, in addition to the password, as an additional layer of authentication control.
- Field-level encryption of sensitive identifiers — Sensitive identifier and financial fields stored in the application database — including Aadhaar number, PAN (employee, supplier and expense PAN), bank account number, IFSC code, PF / UAN / ESIC / insurance identifiers, cheque numbers and payment reference numbers — are encrypted at the field level using AES-256-GCM with a separate encryption key. Equivalent encryption is applied to the corresponding entries within the application’s change-log records.
- Encrypted database backups — Database backups are encrypted using AES-256-GCM with a per-tenant key derivation, and the file format includes an authenticity tag that is verified before any restore is performed. The backup encryption key is managed separately from other application keys.
- Restore controls — Restoring a database backup is a destructive operation and is gated behind an explicit administrator action with a two-pass safety check, including a mandatory pre-restore safety snapshot and a typed workspace-name confirmation step.
- Access on a need-to-know basis — Access to systems and personal data is restricted to authorised personnel on a role and need-to-know basis.
- Reasonable network controls — The Services rely on the network-level controls made available by our hosting providers (AWS and MongoDB Atlas) and on additional security-related configuration we maintain.
- Backups for operational continuity — Periodic backups are taken for operational continuity. Backup files are encrypted as described above and retained for an operational period; backups are not a substitute for the Customer’s own data-preservation arrangements.
- Sub-processor selection — We engage hosting, payment, communication and other service providers on the basis of the security and data-handling commitments they make available through their published service terms.
14.1 Account authentication & session security
- Modern password hashing — User passwords are protected at rest using industry-standard memory-hard hashing designed to resist offline attack. The Company does not store user passwords in plaintext at any point.
- Two-step verification at administrative log-in — Administrative log-in into the application requires verification of a one-time password (OTP) sent to the user’s registered email address, in addition to the password.
- Single-use, time-limited password-reset flow — Password resets require completion of an email-OTP step followed by use of a single-use, time-limited reset token; a reset session cannot be replayed and expires automatically.
- Minimal-claim session tokens — Authenticated session tokens carry only the minimum identity claims required to operate a session and do not embed password hashes or other secrets.
- Cryptographically random credentials — One-time passwords and any system-generated temporary credentials are produced using cryptographically secure random generators.
- Authentication-attempt throttling — Authentication endpoints are protected by layered throttling at both the network and the per-identity level to limit brute-force and credential-stuffing attempts.
14.2 Tenant isolation & API authorisation
- Authenticated API surface — Authenticated API routes enforce identity, scope and, where applicable, role-based permission checks before any data is returned or any state is modified.
- Cross-tenant access guard — Every API request that references a tenant or user identifier is checked against the caller’s ownership or administrative scope; requests that fall outside that scope are rejected before any data is read.
- Defence against mass-assignment — Account-update and profile-update operations accept only the specific fields the operation is intended to change. Credential fields, role fields, internal audit fields and other system-managed fields cannot be altered through general-purpose update endpoints.
- Controlled administrative access — Administrative accounts cannot be self-registered through the public API surface; administrative access is granted only by an existing administrator holding the relevant permission.
14.3 Payment & webhook integrity
- Server-side price validation — Subscription prices, plans and order amounts are validated server-side against the Company’s records before any payment is initiated. The price displayed at checkout cannot be altered from the browser.
- Webhook signature, timestamp & deduplication — Payment-gateway webhook deliveries are signature-verified, time-bound and deduplicated to prevent replay attacks or duplicate provisioning, and webhook acknowledgement is sent only after successful processing.
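The three webhook controls named in 14.3, together with acknowledging only after successful processing, can be sketched as follows. This is an added example, not the Company's or any payment gateway's code: the signing scheme (hex HMAC-SHA256 over `<timestamp>.<raw body>`), the `event_id` field, the 300-second window and all names are assumptions, and the in-memory store stands in for a shared database.

```python
import hashlib
import hmac
import json
import time


class WebhookVerifier:
    """Signature check, freshness window and de-duplication for gateway callbacks."""

    def __init__(self, secret, max_skew=300, clock=time.time):
        self._secret = secret        # shared secret issued by the gateway (assumed)
        self._max_skew = max_skew    # assumed tolerance, in seconds
        self._clock = clock          # injectable so the time window can be tested
        self._seen = {}              # event_id -> expiry; a shared store in production

    def sign(self, timestamp, body):
        # Hypothetical scheme: hex HMAC-SHA256 over "<timestamp>.<raw body>".
        msg = timestamp.encode() + b"." + body
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def handle(self, timestamp, signature, body, process):
        """Return (http_status, reason); `process` provisions the order."""
        # 1. Authenticate the raw bytes before parsing anything out of them.
        expected = self.sign(timestamp, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return 401, "bad signature"

        # 2. Time-bound: a captured delivery stops being valid after max_skew.
        now = self._clock()
        if not (timestamp.isascii() and timestamp.isdigit()):
            return 400, "stale timestamp"
        if abs(now - int(timestamp)) > self._max_skew:
            return 400, "stale timestamp"

        # 3. De-duplicate on an id taken from the signed body, not from a header
        #    the sender could change without invalidating the signature.
        try:
            event = json.loads(body)
            event_id = event["event_id"]
            if not isinstance(event_id, str):
                raise TypeError("event_id must be a string")
        except (ValueError, KeyError, TypeError):
            return 400, "malformed event"
        # Ids older than the window can be dropped: step 2 already rejects them.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        if event_id in self._seen:
            return 200, "duplicate"   # acknowledge, but do not provision twice

        # 4. Acknowledge only after processing succeeded. On failure the id is
        #    not recorded, so the gateway's retry is processed normally.
        try:
            process(event)
        except Exception:
            return 500, "processing failed"
        self._seen[event_id] = int(timestamp) + self._max_skew
        return 200, "processed"


if __name__ == "__main__":
    # Constructed sample delivery; the secret and payload are not real values.
    verifier = WebhookVerifier(b"constructed-test-secret")
    ts = str(int(time.time()))
    payload = b'{"event_id": "evt_1", "type": "PAYMENT_SUCCESS", "order_id": "ord_9"}'
    sig = verifier.sign(ts, payload)
    provisioned = []
    print(verifier.handle(ts, sig, payload, provisioned.append))  # first delivery
    print(verifier.handle(ts, sig, payload, provisioned.append))  # replayed delivery
    print(len(provisioned), "order(s) provisioned")
```

In a multi-instance deployment the duplicate check and the provisioning write need to be atomic, for example through a unique index on the event id.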
14.4 File access & network controls
- Authenticated, scoped file access — File downloads require authentication and are restricted to the requesting tenant’s own files; the file-upload area is not publicly browsable, and the file-access layer validates that each requested path resolves within the requester’s permitted scope.
- Cross-Origin Resource Sharing (CORS) restriction — Cross-origin requests to the API are restricted to a list of Company-controlled origins; authenticated requests from unrecognised origins are rejected at the network layer.
- Modern security headers — HTTP responses carry modern security headers, including HTTP Strict-Transport-Security (HSTS) with subdomain coverage, a strict referrer policy, and Permissions-Policy directives that disable browser capabilities the Services do not use (such as camera, microphone, geolocation and the in-browser Payment Request API).
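The scoped file-access check described in the first item of 14.4 (each requested path must resolve within the requester's permitted scope) can be sketched as below. This is an added example, not the Company's code: the one-directory-per-tenant layout, the tenant-id format and every name are assumptions.

```python
import re
from pathlib import Path


class ScopeError(PermissionError):
    """The requested path falls outside the caller's tenant directory."""


# Assumed tenant-id format; rejects separators and dot segments outright.
_TENANT_ID = re.compile(r"[A-Za-z0-9_-]+")


def resolve_tenant_file(upload_root, tenant_id, requested):
    """Return the real path of `requested` inside the tenant's directory.

    `tenant_id` must come from the authenticated session, never from the
    request. Raises ScopeError if the path escapes the tenant directory and
    FileNotFoundError if it stays inside but is not a regular file.
    """
    if not _TENANT_ID.fullmatch(tenant_id):
        raise ScopeError("invalid tenant id")

    tenant_root = (Path(upload_root) / tenant_id).resolve()

    # resolve() collapses ".." segments and follows symlinks, so the check
    # below is made on the location that would actually be opened. An
    # absolute `requested` replaces tenant_root in the join and is caught
    # by the same check.
    candidate = (tenant_root / requested).resolve()
    try:
        candidate.relative_to(tenant_root)
    except ValueError:
        raise ScopeError("path resolves outside tenant scope") from None

    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


if __name__ == "__main__":
    import tempfile

    # Constructed layout: two tenants, one file each.
    root = Path(tempfile.mkdtemp())
    for tenant, name in (("tenantA", "invoice.pdf"), ("tenantB", "payroll.csv")):
        (root / tenant).mkdir()
        (root / tenant / name).write_bytes(b"constructed sample")

    print(resolve_tenant_file(root, "tenantA", "invoice.pdf"))
    for attempt in ("../tenantB/payroll.csv", "/etc/hostname"):
        try:
            resolve_tenant_file(root, "tenantA", attempt)
        except ScopeError as exc:
            print("rejected:", attempt, "->", exc)
```

Comparing resolved paths rather than raw strings is what makes the check hold for symlinks and for sibling directories whose names share a prefix.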
The Company may update these security measures from time to time without notice. The Customer may request a high-level description of the then-current security measures by writing to hello@daaisuite.com.
15. Periodic Security Review
The Company conducts periodic in-depth security and code-quality reviews of the platform, including focused pre-deployment hardening passes covering authentication, authorisation, tenant isolation, payment integrity, file handling, input validation and security headers. The protections described in Section 14 are revisited in light of those reviews and tightened from time to time. The specific scope, methodology, frequency and findings of any such review are confidential to the Company and are not published; the Company will, however, cooperate with reasonable enterprise-customer security questionnaires under appropriate confidentiality commitments.
16. Security Limitations & Customer Responsibility
No method of transmission over the internet, electronic storage, encryption or security control is 100% secure. While we strive to use commercially acceptable means to protect personal data, we cannot and do not guarantee its absolute security.
You are responsible for:
- maintaining the confidentiality of your account credentials and any API keys, tokens or integration secrets;
- configuring user roles, permissions, password policies and multi-factor authentication on the accounts you control;
- ensuring that your own devices, networks and integrations are secure;
- not entering personal data into the Services that you are not lawfully entitled to process;
- promptly notifying us of any actual or suspected security incident, credential compromise or unauthorised access at hello@daaisuite.com.
The Company shall not be liable for any unauthorised access, alteration, loss, use or disclosure of personal data caused by factors outside our reasonable control, including the Customer’s failure to follow security best practices, third-party-provider failures, force majeure events or zero-day vulnerabilities — subject in all cases to the limitation of liability in our Terms & Conditions.
17. Data Retention & Deletion
| Data category | Retention period |
|---|---|
| Website & ticketing data (forms, tickets, marketing leads) | As long as necessary for support, lead-management, audit and marketing purposes, and thereafter for the period required by applicable law or pending claims |
| Customer application data (HRM, CRM, Bookkeeping, Billing, documents) | 90 days after the subscription ends, after which it is permanently deleted from active production systems (subject to backups below). Customers may, before the end of this 90-day window, request data export or earlier deletion (see Sections 19–20) |
| Backups | Operational backups are retained for a rolling period determined by our backup-rotation cycle, after which earlier backups are overwritten or destroyed in the ordinary course |
| Subscription, billing & tax records | Retained for the period required by the Income-tax Act, the GST law, the Companies Act and other applicable laws |
| Log data & security logs | Retained as reasonably required for security, audit, fraud-prevention and legal-compliance purposes, and for any longer period required by applicable law or pending investigation |
| Marketing data | Retained until consent is withdrawn or the contact is determined to be inactive, whichever is earlier |
Customers can request data deletion or data export at any time in accordance with Section 21. Some categories of data must be retained even after a deletion request to comply with legal obligations, resolve disputes, prevent fraud and enforce agreements; such data will be retained only for as long as required and then deleted or anonymised.
18. Aadhaar & Sensitive-Identifier Handling
The DAAI Business Suite application allows the Customer to store, at its option, Aadhaar numbers, PAN, GSTIN, bank account information, salary details, family/dependant details and similar sensitive identifiers about the Customer’s own employees, contractors and other data principals.
- The Customer is the Data Fiduciary for such data and is solely responsible for determining the lawful basis, obtaining the required notices/consents from its employees and complying with the DPDP Act, the Aadhaar Act and any UIDAI regulations.
- The Company processes such data only as a Data Processor, on the Customer’s instructions, to provide the modules selected by the Customer.
- The Company does not perform Aadhaar authentication or e-KYC on its own behalf; any authentication is initiated by the Customer or its chosen integrated authentication provider.
- Sensitive identifiers stored within the application — including Aadhaar, PAN, bank account number and similar fields — are protected by field-level AES-256-GCM encryption as described in Section 14, and access within the Customer’s workspace is governed by the Customer’s own role and permission configuration. The Company’s authorised personnel may access such data strictly to provide support, perform diagnostics, restore data or comply with law.
- The Customer must not enter Aadhaar or similar identifiers into the Site, ticketing system or any free-text channel outside the application’s intended fields.
19. Customer Application Data — Controller / Processor Allocation
With respect to all data the Customer (or any Authorised User) inputs, uploads or generates within the DAAI Business Suite application about the Customer’s own employees, contractors, vendors, customers, leads, clients and any other Data Principal:
- the Customer is the Data Fiduciary and decides the purpose, manner, lawful basis, retention and means of processing;
- the Company is the Data Processor and processes such data only on the Customer’s documented instructions to provide the Services;
- the Customer is solely responsible for issuing privacy notices and obtaining consents from its own data principals;
- the Customer is responsible for responding to data-principal requests (access, correction, deletion, withdrawal of consent, grievance) from its own data principals;
- the Company shall, on reasonable written request and subject to reasonable verification and (where applicable) professional-services fees, provide reasonable assistance to the Customer in responding to such requests and in demonstrating compliance.
Enterprise Customers may request a separate Data Processing Agreement (DPA) by writing to hello@daaisuite.com.
20. User Rights (DPDP Act 2023)
Subject to applicable law and verification of your identity, you have the following rights with respect to your personal data for which the Company acts as Data Fiduciary:
- Right of access — to a summary of the personal data we hold about you and the processing activities undertaken;
- Right of correction, completion, updating and erasure — to have inaccurate data corrected, incomplete data completed, outdated data updated and unnecessary data erased, subject to retention required by law;
- Right to withdraw consent — at any time, where processing is based on consent;
- Right to grievance redressal — to raise a grievance with the Grievance Officer (Section 31);
- Right to nominate — to nominate another individual to exercise these rights in the event of your death or incapacity (in accordance with the DPDP Act);
- Right to lodge a complaint with the Data Protection Board of India.
Where the Company acts as Data Processor (i.e., for Customer Data inside the application), please contact the Customer (your employer or the entity whose workspace you use); we will assist the Customer in responding to your request.
21. How to Exercise Your Rights
To exercise any of the rights set out in Section 20, please write to us at hello@daaisuite.com from the email address registered with us and include:
- your full name and, if applicable, your organisation;
- the email or account identifier registered with us;
- the specific right you wish to exercise and the data concerned;
- sufficient information for us to verify your identity (without collecting more data than necessary).
We will respond to verified requests within a reasonable time, in line with the timelines prescribed by the DPDP Act and rules thereunder. We may decline, in whole or in part, requests that are unverified, manifestly unfounded, repetitive, abusive, contrary to applicable law, contrary to the rights of others, or that would prevent us from complying with legal obligations.
22. Children’s Privacy
DAAI Business Suite is a B2B SaaS product intended for businesses and adult professional users. It is not designed for, or directed at, children under 18.
We do not knowingly collect personal data from children under 18 through the Site, ticketing system or application for our own purposes. If a Customer chooses to record information about a child (for example, as a dependant or nominee of an employee) within the application, the Customer — as the Data Fiduciary — is solely responsible for obtaining the verifiable consent of the child’s parent or lawful guardian as required by the DPDP Act and applicable law.
We do not perform behavioural tracking or targeted advertising directed at children. If you believe that we have inadvertently received personal data from a child without verifiable parental consent, please contact us at hello@daaisuite.com and we will take appropriate steps to delete such data.
23. Automated Decision-Making & Profiling
Some features of the Services may use automation, scoring, suggestion engines, machine-learning or generative-AI capabilities (for example, to suggest a category for an entry, summarise a document or surface insights). Such automated outputs are productivity aids, are not guaranteed to be accurate or complete, and do not constitute legal, tax, accounting, HR-compliance or other professional advice. All material decisions affecting individuals must be reviewed and validated by a human and the Customer; the Company does not, on its own behalf, make solely automated decisions that produce legal effects on Data Principals.
24. Third-Party Links & Integrations
The Services may contain links to third-party websites, applications, plug-ins or services, or integrate with third-party platforms chosen by the Customer (for example, payment gateways, accounting software, communication tools, file-storage services). Clicking on such links or enabling such integrations may allow third parties to collect or share data about you. We do not control these third parties and are not responsible for their privacy practices, content or security. We encourage you to read the privacy policy of every third-party service you interact with.
25. CERT-In & Regulatory Cooperation
Where applicable to the Company and the Services, we endeavour to comply with the directions issued by the Indian Computer Emergency Response Team (CERT-In) under section 70B(6) of the Information Technology Act, 2000, including the CERT-In Directions dated 28 April 2022 and any subsequent directions. This includes cooperation with CERT-In in respect of reportable cyber security incidents and the maintenance of records and logs to the extent required by such directions. The specific manner of compliance and the timelines applicable to a given incident will be determined in accordance with the directions in force at the relevant time.
26. Data Breach Notification
In the event of a Personal Data Breach affecting your personal data, we will:
- take steps to contain and assess the incident in line with our incident-response approach;
- notify the Data Protection Board of India and other competent regulators (including CERT-In) to the extent required by applicable law;
- notify affected Data Principals where, and in the manner, required by the DPDP Act and the rules thereunder;
- where the Company acts as Data Processor in respect of Customer Data, notify the Customer (as Data Fiduciary) so that the Customer can comply with its own notification obligations.
Notification will include such information as is required by applicable law and may evolve as the Company’s investigation progresses.
27. Business Transfers & Successors
If the Company is involved in a merger, acquisition, restructuring, financing, asset sale, bankruptcy, insolvency, joint venture or similar corporate transaction, your personal data may be transferred to the successor, acquirer, financing party, transferee or other relevant entity as part of the transaction or due-diligence process, subject to appropriate confidentiality protections. We will continue to ensure the confidentiality of any such personal data and provide notice to the extent required by law before such data is transferred or becomes subject to a different privacy policy.
28. International Users
The Services are operated from India and primarily hosted in India. If you access the Services from any other region of the world with laws or other requirements governing personal-data collection, use or disclosure that differ from applicable laws in India, then through your continued use of the Services, you are transferring your data to India, and you expressly consent to have your data transferred to, processed and stored in India and subjected to this Policy, which is governed by Indian law.
29. Anonymised & Aggregated Data
We may derive anonymised, aggregated or statistical data from your use of the Services, in a form that cannot be reasonably linked back to an identifiable individual. Such data is no longer Personal Data and may be used for product analytics, performance benchmarking, capacity planning, research, marketing collateral and other lawful business purposes, without restriction.
30. Changes to This Policy
We reserve the right, at our sole discretion, to update, amend or modify this Policy at any time and for any reason. The latest version will always be published on the Site at https://daaisuite.com/privacy-policy with the “Last updated” date. Significant changes may be additionally notified by email or in-app alerts. Your continued use of the Services after any update constitutes acceptance of the revised Policy. Please review this Policy periodically.
31. Grievance Officer (India — DPDP Act Compliance)
In accordance with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000, the Company has designated a Grievance Officer to receive and address complaints relating to the processing of personal data.
Name / Designation: Grievance Officer, ESURGENT PRIVATE LIMITED
Email: hello@daaisuite.com
Address: 509 Pehel, Khoraj, Gandhinagar, Gujarat 382421, India
Phone: +91-9925277767
The Grievance Officer will acknowledge receipt of complaints within a reasonable time and endeavour to resolve them within the timelines prescribed by applicable law. If you are not satisfied with the Grievance Officer’s response, you may approach the Data Protection Board of India.
32. Full Contact Directory
For any privacy-related question, data-rights request, grievance or general enquiry, please use the channels below.
Registered Office
ESURGENT PRIVATE LIMITED
509 Pehel, Khoraj,
Gandhinagar, Gujarat 382421
India
Phone: +91-9925277767
Alt. Phone: +91-9227039905
Email Channels
General Inquiry / Privacy: hello@daaisuite.com
Product Info & Demo: welcome@daaisuite.com
Public Relations & Media: social@daaisuite.com

