Privacy Policy

1. Introduction

Asli One Global Private Limited ("Asli One," "we," "us," or "our"), with its registered office at 309/3, Yasmin Nagar, Vedhanarayanapuram, Chengalpattu 603111, Tamil Nadu, India, and its Dubai office operated by Sama Alnukhba Information Technology LLC, M58, Aswar Building, Business Bay, Dubai, UAE, is committed to protecting the privacy of our customers, users, and visitors.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Asli One ERP platform ("Service") available at asli.one, including our websites, applications, and APIs.

By using our Service, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

• Account Registration Data: Name, email address, phone number, company name, job title, country, and billing address.
• Billing Information: Payment card details (processed securely through our payment providers — we do not store full card numbers), billing address, tax identification numbers.
• Business Data: All data you enter into the ERP system, including financial records, inventory data, employee information, customer records, transactions, invoices, and any other data created or uploaded through the Service ("Customer Data").
• Communications: Emails, chat messages, support tickets, and feedback you send to us.
• Survey and Form Responses: Information provided through surveys, registration forms, or trial sign-up forms.

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, clicks, session duration, timestamps, and navigation patterns within the Service.
• Device Information: Browser type and version, operating system, device type, screen resolution, and language preferences.
• Network Information: IP address, internet service provider, approximate geographic location (city/country level).
• Log Data: Server logs including access times, error logs, API call records, and authentication events.

2.3 Information from Third Parties

• Payment Providers: Transaction status, payment confirmation, and limited billing details from Stripe, Razorpay, or Network International.
• Authentication Services: If you use single sign-on (SSO), we receive your identity information from your identity provider.

3. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Legal Basis
Providing and operating the Service	Contract performance
Processing payments and billing	Contract performance
Customer support and communication	Contract performance / Legitimate interest
Service improvement and analytics	Legitimate interest
Security monitoring and fraud prevention	Legitimate interest / Legal obligation
Legal and regulatory compliance	Legal obligation
Marketing communications (with consent)	Consent
AI-powered features (e.g., smart suggestions)	Contract performance / Consent

We do not sell your personal information to third parties. We do not use Customer Data for advertising purposes.

4. Cookies and Tracking Technologies

4.1 Types of Cookies We Use

• Essential Cookies: Required for the Service to function properly, including authentication tokens, session management, and security cookies. These cannot be disabled.
• Functional Cookies: Remember your preferences such as language, timezone, and display settings to provide a personalized experience.
• Analytics Cookies: Help us understand how visitors interact with our website and Service, including page views, navigation patterns, and feature usage. We use these to improve the Service.

4.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service. Most browsers allow you to block or delete cookies, but this may affect functionality.

4.3 Do Not Track

We currently do not respond to "Do Not Track" browser signals. We will update this policy if we adopt a standard for responding to such signals in the future.

5. Data Sharing and Third-Party Services

5.1 Service Providers

We share data with the following categories of third-party service providers who process data on our behalf:

• Cloud Infrastructure: Amazon Web Services (AWS) — hosting, storage, and computing services. Data is stored in AWS me-south-1 (Bahrain) as the primary region.
• Payment Processing:
  • Stripe — Global payment processing. Stripe Privacy Policy
  • Razorpay — India payment gateway. Razorpay Privacy Policy
  • Network International — UAE/GCC payment gateway.
• Email Delivery: SendGrid — Transactional and notification emails. SendGrid Privacy Policy
• SMS and Verification: Twilio — SMS notifications and 2FA verification. Twilio Privacy Policy
• AI Services: Anthropic (Claude AI) — AI-powered features within the ERP. Prompts may contain anonymized or aggregated data; no personally identifiable Customer Data is shared without your explicit configuration.
• Communication: WhatsApp (Meta) — Invoice delivery and payment reminders (opt-in only).

5.2 Compliance and Regulatory

We may share data with government tax and regulatory authorities as required by law, including:

• ZATCA (Saudi Arabia) — e-invoicing compliance submissions.
• HMRC (United Kingdom) — Making Tax Digital (MTD) submissions.
• Tatmeen (UAE) — Pharmaceutical track and trace compliance.
• GST Network (India) — GST return filing.

5.3 Legal Disclosure

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, government investigation, or regulatory inquiry).

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6. Data Storage and Security

6.1 Data Location

Your data is primarily stored on AWS infrastructure in the Middle East (Bahrain) region (me-south-1), with disaster recovery in the Asia Pacific (Mumbai) region (ap-south-1). Data may be processed in other regions as necessary for service delivery.

6.2 Security Measures

We implement comprehensive security measures to protect your data:

• Encryption at Rest: AES-256 encryption for all stored data using AWS Key Management Service (KMS).
• Encryption in Transit: TLS 1.3 for all data transmitted between your browser/app and our servers.
• Tenant Isolation: Schema-per-tenant, dedicated database, or dedicated instance isolation depending on your subscription plan.
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA/TOTP), and principle of least privilege.
• Web Application Firewall: AWS WAF with OWASP rules, SQL injection protection, XSS prevention, and rate limiting.
• Audit Logging: Comprehensive logging of all data access and administrative actions.
• Per-Tenant Encryption Keys: Available for Enterprise plan customers, providing dedicated encryption keys through AWS KMS.
• Regular Security Assessments: Periodic vulnerability scans and security reviews.

6.3 Incident Response

In the event of a data breach, we will notify affected customers and relevant authorities within 72 hours of becoming aware of the breach, in accordance with applicable data protection laws.

7. Data Retention

• Active Accounts: Customer Data is retained for the duration of your active subscription.
• After Cancellation: Customer Data is retained for 30 days after account cancellation to allow for data export and potential reactivation. After 30 days, data is permanently deleted.
• Trial Accounts: Data from expired trial accounts is retained for 30 days after trial expiration, then permanently deleted.
• Backups: Encrypted backups may be retained for up to 90 days for disaster recovery purposes.
• Legal Obligations: Certain financial and tax records may be retained for up to 7 years as required by Indian and UAE law.
• Anonymized Data: Aggregated and anonymized data (which cannot identify you) may be retained indefinitely for analytics and service improvement.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

8.1 General Rights

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
• Right to Data Portability: Request your data in a structured, commonly used, machine-readable format. The Service provides built-in data export tools.
• Right to Restrict Processing: Request that we limit the processing of your personal data in certain circumstances.
• Right to Object: Object to processing of your personal data for marketing purposes or based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.

8.2 GDPR (European Economic Area)

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR). We process data on the legal bases described in Section 3. For cross-border data transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

8.3 India (DPDP Act)

If you are located in India, your rights are governed by the Digital Personal Data Protection Act, 2023 (DPDP Act). You have the right to access, correct, and erase your personal data. You may nominate another person to exercise your rights in case of death or incapacity.

8.4 UAE (PDPL)

If you are located in the UAE, your rights are governed by the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). You have the right to access, correct, restrict processing, and request deletion of your personal data.

8.5 Exercising Your Rights

To exercise any of these rights, please contact us at support@asli.one. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information promptly.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. We ensure that appropriate safeguards are in place for such transfers, including:

• Standard Contractual Clauses (SCCs) for transfers from the EEA;
• Data processing agreements with all sub-processors;
• Encryption of data in transit and at rest;
• Compliance with local data protection laws in India (DPDP Act) and UAE (PDPL).

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The "Effective Date" at the top of this page indicates when the policy was last updated. Continued use of the Service after the effective date of changes constitutes your acceptance of the updated policy.

12. Contact Information

For questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:

Data Protection Officer
Asli One Global Private Limited
309/3, Yasmin Nagar, Vedhanarayanapuram,
Chengalpattu 603111, Tamil Nadu, India

Sama Alnukhba Information Technology LLC
M58, Aswar Building, Business Bay, Dubai, UAE

Email: support@asli.one
Phone (India): +91 755 817 1618
Phone (UAE): +971 55 805 2204