Privacy
Privacy Policy
Effective 17 May 2026
We treat your data with the same care we'd want for our own. This policy explains, in plain language, what we collect and why — without legalese gymnastics. If anything is unclear, write to privacy@appsuite.in.
01Who we are
Qurobix Technologies Private Limited ("Qurobix", "we", "us", "our") operates AppSuite, our SaaS platform, and related services available at appsuite.in and tenant subdomains (e.g. your-company.appsuite.in). In this document, "AppSuite" refers to the product; "Qurobix" refers to the legal entity that provides it.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, how long we retain it, and what rights you have.
We are a data controller for personal data we collect about visitors to our marketing website and our own customers (the entity that signs up). We are a data processor for personal data that our customers store in their tenant — for that data, the customer is the controller and our role is to process it strictly under their instructions.
02What we collect
Information you give us directly
- Account information: name, work email, mobile, company, role.
- Authentication data: hashed password, OTP codes (stored hashed, short-lived), session tokens.
- Billing information: billing address, GST details. Card data is handled by our PCI-DSS payment processor — we never store full card numbers.
- Support content: tickets, emails, screenshots you send us.
Information we collect automatically
- IP address, browser, device fingerprint (for security and abuse prevention).
- Aggregated usage metrics (page views, feature usage) — without identifying you to third parties.
- Cookies and similar technologies — strictly necessary cookies for login, plus optional analytics if you consent.
Information from your employer (if you are an end user)
- If your employer uses AppSuite, they upload information such as employee ID, designation, salary, leave balance, attendance records, etc. Your employer is the controller of this data. Direct privacy requests about this data to your employer first.
03Why we process your data
We process personal data only for specific, defined purposes:
- Provide the service — authentication, multi-tenant isolation, feature delivery.
- Communicate with you — service announcements, security alerts, billing notices.
- Security & abuse prevention — rate limiting, anomaly detection, audit logging.
- Improve the product — aggregated, de-identified analytics on feature usage.
- Comply with law — tax invoices, court orders, statutory record-keeping.
We do not sell your data. We do not use customer data to train AI models. We do not share data with advertisers.
04Legal bases (GDPR / DPDPA)
Where GDPR or India's DPDPA applies, our legal bases are:
- Contract — we need to process your data to deliver the service you signed up for.
- Legitimate interest — security, fraud prevention, product improvement.
- Consent — for optional analytics cookies, marketing emails to prospects.
- Legal obligation — for tax records, court-ordered disclosures, statutory retention.
You can withdraw consent at any time without affecting the lawfulness of processing before the withdrawal.
05Who we share data with
We share personal data only with the categories of recipients below, and only for the purposes described:
- Cloud infrastructure (AWS, Hostinger): hosting, storage, backup. Bound by data-processing agreements.
- Email & SMS providers (Resend, Twilio, MSG91): transactional messages only. No marketing.
- Payment processors (Stripe / Razorpay): billing only.
- Analytics (optional, consent-based): if you accept analytics cookies, anonymised usage data flows to a privacy-respecting analytics provider.
- Authorities: if required by valid legal process. We push back on overbroad requests and notify customers where legally permitted.
We never sell data. We never share it with advertisers or data brokers. Period.
06Cross-border data transfers
Our default data centre for Indian customers is in Mumbai (AWS ap-south-1). Backups are replicated to a second region within India.
EU customers can opt for data hosting in Ireland (eu-west-1) on Scale and Enterprise plans. Where data leaves the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
07How long we keep your data
- Live tenant data: for the lifetime of your subscription.
- Backups: 30 days (point-in-time recovery), then permanently destroyed.
- Audit logs: per plan (Starter 30 days, Growth 12 months, Scale 7 years, Enterprise custom).
- Billing records: 8 years to meet Indian tax law.
- Marketing prospect data: 24 months from last interaction, unless you unsubscribe earlier.
When you delete your account, we destroy live data immediately and backups within 30 days. You can request a written deletion certificate.
08Your rights
Subject to applicable law, you have the right to:
- Access — get a copy of your personal data.
- Rectify — correct inaccurate data.
- Erase — ask us to delete data we hold about you (subject to legal retention).
- Restrict / object — limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Withdraw consent — for processing we do under consent.
- Lodge a complaint — with your data protection authority.
To exercise these rights, write to privacy@appsuite.in. We respond within 30 days. If you are an end user of a customer tenant, please raise the request with your employer first — we will assist them in fulfilling it.
09How we protect your data
Encryption in transit (TLS 1.3) and at rest (AES-256). Argon2id password hashing. Short-lived access tokens with refresh-token rotation. RBAC with least privilege. Audit logging. Annual third-party VAPT. Continuous dependency and container scanning. See our Security page for the full inventory.
If a breach affecting your data occurs, we notify you within 24 hours of confirmation, alongside the regulator where applicable.
10Cookies
We use the smallest set of cookies that lets the product work.
- Strictly necessary: session cookies, CSRF protection, language preference. Cannot be disabled.
- Functional: remembering your theme choice, sidebar collapsed state. Cleared when you log out.
- Analytics (optional): only set if you accept the cookie banner. Anonymised, no advertising IDs.
You can change your cookie preferences any time via the cookie banner footer link.
11Children
AppSuite is a workplace tool — we don't knowingly collect data from anyone under 18. If you believe we have, write to privacy@appsuite.in and we will delete it.
12Changes to this policy
If we make material changes, we notify customer admins via email at least 14 days before changes take effect. Historical versions are kept on file and can be requested.
13Contact our DPO
Data Protection Officer
Qurobix Technologies Pvt Ltd
3rd Floor, Indiranagar 100ft Road
Bengaluru — 560038, Karnataka, India
Email: dpo@appsuite.in · Privacy: privacy@appsuite.in
Questions? Email legal@appsuite.in or write to Qurobix Technologies Pvt Ltd, Indiranagar, Bengaluru — 560038, India. AppSuite is a SaaS product of Qurobix Technologies Pvt Ltd.