Privacy Policy
Effective Date: April 1, 2024
Last Updated: April 19, 2026
Introduction
Welcome to Bizconnekt — Procure Connect Succeed!
Nexowave Technology Solutions Private Limited ("we", "us", or "our") operates the https://www.bizconnekt.com platform (hereafter referred to as "Service"). This Privacy Policy outlines our policies on the collection, use, and disclosure of information when you use our Service and the choices you have associated with that data. We use your data to provide and enhance the Service. By using the Service, you consent to the collection and use of information in accordance with this policy.
Consent and Data Fiduciary
Nexowave Technology Solutions Private Limited acts as the Data Fiduciary for the personal data processed through the Service, as defined under the Digital Personal Data Protection Act, 2023.
We process your personal data only after obtaining your consent, which is free, specific, informed, unconditional, and unambiguous, as required under the Digital Personal Data Protection Act, 2023 and other applicable law.
You may withdraw your consent at any time by contacting us at discover@bizconnekt.com. Upon withdrawal of consent, we will cease processing your personal data unless we are required to continue doing so for legal obligations or legitimate business purposes.
Where the Service is used by an organization (Customer), we rely on the Customer to obtain necessary consents from its Users and data subjects for the use of the Service. We process such personal data based on the Customer's authorization and applicable legal bases.
Definitions
SERVICE refers to the https://www.bizconnekt.com platform or any of its subdomains operated by Nexowave Technology Solutions Private Limited.
PERSONAL DATA is information about a living individual who can be identified from those data.
USAGE DATA is data collected automatically, generated either by the use of the Service or from the Service infrastructure itself.
COOKIES are small files stored on your device.
CUSTOMER means the organization or legal entity that subscribes to and administers the Service.
USER means an individual authorized by the Customer (such as an employee, contractor, or agent) to access and use the Service on the Customer's behalf.
CUSTOMER DATA means all data submitted to the Service by or on behalf of the Customer, including data entered by Users in the course of using the platform (e.g., invoices, purchase orders, contacts, and financial records).
DATA FIDUCIARY / DATA CONTROLLER is the entity that determines the purposes and means of processing personal data. Nexowave Technology Solutions Private Limited acts as Data Fiduciary / Data Controller for personal data it collects directly (such as account registration and billing data).
DATA PROCESSOR: For Customer Data processed on behalf of an organization using the Service, Nexowave acts as a Data Processor, processing such data solely on the instructions of the Customer.
DATA SUBJECT is any living individual who is the subject of Personal Data.
THE USER is the individual using our Service, as authorized by their organization (the Customer).
Information We Collect
We collect information to provide, maintain, and improve our Service. The information we collect depends on how you use the platform.
Personal Information You Provide
When you register for or use the Service, you provide us with information directly:
- Account Information — Name, email address, phone number, and business address used to create and manage your account.
- Business Details — Company name, GST number, industry type, and business registration information required for compliance and platform configuration.
- Financial Information — Bank account details and payment information, stored encrypted and used solely to process transactions and maintain financial records.
- Communications — Messages you send us, support requests, and business communications routed through the platform (e.g., emails sent via the Gmail or Outlook integration).
Information We Collect Automatically
When you access and use the Service, we automatically collect certain technical and activity data:
- Usage Information — How you use the platform, which features you access, workflows you complete, and time spent on different sections. Used to improve the Service and diagnose issues.
- Device Information — IP address, browser type and version, device type, and operating system. Used for security monitoring and compatibility.
- Platform Activity — Login times, actions taken within the platform, and business interactions. Used for audit trails, security monitoring, and compliance purposes.
Cookies and Tracking
We use cookies and similar tracking technologies to monitor activity on our Service. We use them to:
- Keep you logged in securely across sessions.
- Remember your preferences and settings.
- Understand how you use the platform to improve features.
- Monitor platform performance and diagnose issues.
You can control cookies through your browser settings, but disabling cookies may affect platform functionality including login persistence.
Use of Data
Bizconnekt, powered by Nexowave Technology Solutions Private Limited, uses the collected data to provide, maintain, protect, and improve the Service, to develop new services, and to protect us and our users.
Specifically, we use your data for:
- Service Delivery: Providing platform functionality, account management, and customer support.
- Compliance: Meeting legal obligations including GST, tax, and regulatory requirements.
- Security: Protecting the platform, detecting fraud, and preventing unauthorized access.
- Service Improvement: Improving platform performance and developing new features using anonymized usage data.
Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide our services to you and fulfill our obligations.
- Legal Obligation: Processing required to comply with GST, tax, and other applicable legal and regulatory requirements.
- Legitimate Interest: Processing for platform security, fraud prevention, and service improvement, where our interests are not overridden by your rights.
- Consent: Processing for optional features such as email integrations and marketing communications, which you may withdraw at any time.
Retention of Data
We will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy or as required to comply with legal obligations, resolve disputes, and enforce our agreements.
Specific Retention Periods
- Account Information: While your account is active, plus 3 years after account closure.
- Business Transaction Records: 7 years from the transaction date, as required by GST law and applicable tax regulations.
- Communication Records: 3 years from the last communication.
- Marketing Data: Until you withdraw consent.
- Security Logs: 2 years for security monitoring and audit purposes.
Soft Delete
When you or an administrator deletes a record within the platform (e.g., an invoice, email, or user), the record is marked as deleted (soft-delete) and hidden from normal use. The underlying data remains in the database and may be restored by an administrator. It is not immediately or automatically purged. If you require permanent deletion of your personal data, please contact us at discover@bizconnekt.com.
Audit Trail
Every Create, Update, and Delete action on a business record generates an immutable audit log entry that includes the action type, the affected record, the user who performed the action, their IP address, and a timestamp. Audit entries are retained for as long as necessary for compliance, legal obligations, fraud prevention, and accountability requirements. They are not deleted outside of legal data purge procedures.
International Data Transfers
Your personal information is primarily stored and processed in India using Indian data centers.
We may transfer information outside India only when:
- Required by applicable law or legal process.
- You have provided explicit consent for the transfer.
- Adequate protections are in place to safeguard your data in the destination jurisdiction.
Role of the Company — Controller vs Processor
Bizconnekt is a B2B SaaS platform used by organizations. Our role with respect to personal data differs depending on the context:
- Data Fiduciary / Controller: For personal data we collect directly — such as account registration details, contact information, and billing data — Nexowave Technology Solutions Private Limited is the Data Fiduciary / Data Controller.
- Data Processor: For Customer Data entered into the platform by organizations and their employees (e.g., invoices, purchase orders, supplier details, financial records), we act as a Data Processor. We process this data only on the instructions of the Customer (the subscribing organization) and do not use it for our own independent purposes.
Customer Data Ownership
All Customer Data remains the property of the Customer. We do not claim ownership over any data submitted by Customers or their Users through the Service.
We process Customer Data solely for the purpose of providing the Service in accordance with the Customer's instructions and our contractual obligations. Upon termination of a Customer's subscription, Customer Data may be exported or deleted as per the Customer's request.
Organization Control
If you access the Service through an organization (Customer), your account and data may be controlled by your organization's administrator. The organization may:
- Access, manage, and monitor your account and activity within the Service.
- Access, export, or delete data associated with your account.
- Restrict or terminate your access to the Service.
- Configure permissions, roles, and feature access on your behalf.
We are not responsible for the privacy or security practices of Customer organizations. Users should refer to their organization's internal policies for guidance on how their data is managed.
Disclosure of Data
- Disclosure for Law Enforcement: In response to valid requests by public authorities (e.g., a court or a government agency).
- Business Transaction: If we or our subsidiaries are involved in a merger, acquisition, or asset sale, your Personal Data may be transferred.
- Other cases: To our subsidiaries and affiliates, or with your consent in any other cases.
Security of Data
The security of your data is important to us, but no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
Your Data Protection Rights Under GDPR
If you are a resident of the European Union (EU) and European Economic Area (EEA), you have certain data protection rights covered by GDPR. You have the right to:
- Access, update, or delete the information we hold about you.
- Have inaccurate or incomplete information rectified.
- Object to our processing of your Personal Data.
- Request that we restrict processing of your personal information.
- Data Portability: Receive a copy of your Personal Data in a portable, machine-readable format (CSV, JSON, or PDF) within 30 days of your request.
- Withdraw Consent: Withdraw consent at any time where we rely on your consent to process your personal information. Withdrawal takes effect within 24 hours and may affect certain platform features that depend on that consent.
- Correction: Request that inaccurate or incomplete information be corrected within 15 days.
How to Exercise Your Rights
- Online: Use the privacy controls in your account dashboard.
- Email: Contact our Data Protection Officer at privacy@bizconnekt.com.
- Include: Your name, account details (registered email), and a specific description of your request.
Response Timeline: We will acknowledge your request within 3 business days and provide a complete response within 30 days. Complex requests may require additional time — we will notify you if this is the case.
Please note that we may ask you to verify your identity before responding to requests. We may not be able to provide the Service without some necessary data.
Your Rights under CalOPPA
According to CalOPPA, we agree to the following:
- Users can visit our site anonymously.
- Our Privacy Policy link includes the word "Privacy" and can easily be found on the homepage.
- Users will be notified of any privacy policy changes on our Privacy Policy page.
- Users can change their personal information by emailing us at discover@bizconnekt.com.
Do Not Track
We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.
🔐 Google API Services User Data
Our application integrates with Google Gmail to enable outbound email features — specifically, sending business emails (invoices, orders, payments) on your behalf directly from your Gmail account.
OAuth Scopes Requested
We request the following Google OAuth permissions:
- gmail.send — used exclusively to send transactional business emails (such as invoices, purchase orders, payment reminders, and delivery notifications) that you explicitly initiate within the application. No emails are sent without your direct action.
- userinfo.email — used solely to identify and display the connected Gmail account within the application. No other profile data is accessed.
We do not request permission to read your inbox, access your existing emails, read message threads, or access your contacts or calendar. Our integration is send-only.
If you connect a Google Workspace account on behalf of your organization, you represent that you are authorized to grant such access on behalf of that organization.
What We Store
From the Google API, we store only:
- Your Gmail email address (to identify the connected account)
- Access and refresh tokens — encrypted at rest using AES-256-GCM and never stored in plain text
We do not read, copy, or store any data from your Gmail inbox, existing emails, contacts, or attachments.
Limited Use Disclosure
Bizconnekt's use of information received from Google APIs adheres to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Specifically:
- We do not use Google data for advertising purposes.
- We do not sell or share Google data with third parties for advertising or profiling.
- We do not use Google data to build, improve, or train generalized AI or machine learning models.
- We only use Google data to provide and improve user-facing features within the application.
- We access only the minimum Google data necessary to provide the features you have enabled (least-privilege access).
- We do not allow humans to read Google user data unless explicitly required for security, support, or legal compliance purposes, and only with appropriate safeguards.
- Google user data (including your Gmail address and OAuth tokens) is never shared with or accessible to our analytics, error-tracking, or monitoring tools (including PostHog, Sentry, Google Analytics, or Cloudflare Analytics). These tools track general application usage and errors only.
User Control
You can:
- Disconnect your Google account at any time from within the application.
- Revoke access directly from your Google account permissions page.
- Request deletion of your stored Google credentials via our Data Deletion Request page or by contacting discover@bizconnekt.com.
When you disconnect within the application, we deactivate and mark your integration credentials as deleted in our systems and stop sending emails via your Gmail account. Your access token may remain valid at Google's servers until it naturally expires — to ensure immediate revocation, we recommend also revoking access from your Google account permissions page above.
Data Security
OAuth tokens are encrypted using AES-256-GCM before being written to the database. They are decrypted only at the moment of sending an email and are never logged or exposed in API responses.
🔷 Microsoft API Services (Office 365 / Outlook) User Data
Our application integrates with Microsoft Outlook (Office 365) to enable outbound email features — specifically, sending business emails (invoices, orders, payments) on your behalf directly from your Outlook account via the Microsoft Graph API.
OAuth Scopes Requested
We request the following Microsoft OAuth permissions:
- Mail.Send — to send emails on your behalf via the Microsoft Graph API
- User.Read — to read your profile email address so we can identify the connected account
- offline_access — to obtain a refresh token for uninterrupted service without requiring re-authorization on every use
We do not request permission to read your inbox, access your existing emails, read message threads, or access your calendar or contacts. Our integration is send-only.
If you connect a Microsoft 365 account on behalf of your organization, you represent that you are authorized to grant such access on behalf of that organization.
What We Store
From the Microsoft API, we store only:
- Your Outlook email address (to identify the connected account)
- Access and refresh tokens — encrypted at rest using AES-256-GCM and never stored in plain text
We do not read, copy, or store any data from your Outlook inbox, existing emails, contacts, calendar, or attachments.
Compliance with Microsoft API Policies
Our use of data obtained through Microsoft APIs complies with Microsoft's API Terms of Use and applicable data protection requirements. Specifically:
- We access only the minimum data necessary (least-privilege access) to provide the features you have explicitly enabled.
- We do not use Microsoft data for any secondary purposes, including advertising, profiling, or data enrichment.
- We do not transfer Microsoft user data to third parties except as required to provide the Service or comply with legal obligations.
- We do not use Microsoft user data to train or improve any artificial intelligence or machine learning models.
- We do not allow humans to read user email content unless explicitly required for support, security, or legal compliance purposes, and only with appropriate safeguards.
- We implement strict access controls to ensure that Microsoft user data is only accessible to authorized systems and personnel.
User Control
You can:
- Disconnect your Microsoft account at any time from within the application.
- Revoke access directly from your Microsoft account permissions page.
- Request deletion of your stored credentials by contacting discover@bizconnekt.com.
When you disconnect within the application, we deactivate and mark your integration credentials as deleted in our systems and stop sending emails via your Outlook account. Your access token may remain valid at Microsoft's servers until it naturally expires — to ensure immediate revocation, we recommend also revoking access from your Microsoft account permissions page above.
Organization and Administrator Control
If your account is managed by an organization (e.g., via Microsoft 365), your organization's administrator may control and manage access to the Service, including the ability to grant or revoke permissions.
- Administrators may restrict or disable integrations with Microsoft services.
- Administrators may access or export organizational data as permitted under their policies.
Data Security
OAuth tokens are encrypted using AES-256-GCM before being written to the database. They are decrypted only at the moment of sending an email and are never logged or exposed in API responses. We follow industry best practices including secure token storage and periodic access reviews to ensure continued compliance with Microsoft security standards.
Sent Email Records
When you use Bizconnekt to send business emails (e.g., emailing an invoice to a customer), we store a record of that sent email within the platform as part of your business communication history. This record includes:
- Sender and recipient email addresses
- Email subject
- Email body (HTML and plain text)
- Attachments (stored in cloud file storage; see Service Providers below)
- Sending timestamp and delivery status
- The business document the email was linked to (e.g., Invoice INV-001)
These records are retained as part of your business communication audit trail. They are linked to your tenant account and business unit and are not shared with third parties.
Deletion of email records follows the platform's soft-delete policy (see Soft Delete under Retention of Data above).
Analytics and Error Tracking
The tools below relate to platform usage and error tracking and are completely separate from any Google API, Gmail, or Microsoft data.
PostHog (Product Analytics)
We use PostHog to understand how users interact with the application — such as which features are used, navigation patterns, and usage frequency. PostHog collects anonymized event data. We do not send personally identifiable information (PII) such as names or email addresses to PostHog. Read the PostHog Privacy Policy.
Sentry (Error Tracking)
We use Sentry to capture application errors and diagnose issues. Session replay is disabled — we do not record user interactions or screen activity. The following safeguards are applied:
- PII transmission is disabled (sendDefaultPii: false)
- Authorization headers, cookies, and API keys are filtered before being sent to Sentry
- Passwords and tokens are scrubbed from URLs
- Local variable values are removed from stack traces
Read the Sentry Privacy Policy.
Google Analytics
Google Analytics tracks website traffic on our marketing site (bizconnekt.com). For more information, visit the Google Privacy Policy.
Cloudflare Analytics
Cloudflare analytics is operated by Cloudflare Inc. Read the Cloudflare Privacy Policy.
Marketing
S4Sourcing India
S4Sourcing India Private Limited is our exclusive sales and marketing partner for the Bizconnekt platform. S4Sourcing may reach out to you to provide information about our services, updates, and promotions. S4Sourcing is contractually obligated to protect your information and use it solely for these purposes.
Service Providers
We use the following third-party services to operate the platform. Each provider processes only the data necessary to perform their specific function and is contractually obligated to protect your information.
Razorpay (Payment Processing)
Subscription payments are processed by Razorpay. We transmit your company name, email address, and payment amount to Razorpay for the purpose of processing transactions. We store the resulting Razorpay order and payment IDs as transaction records. We do not store card numbers, CVVs, or bank account details — that information is handled exclusively by Razorpay and governed by their PCI-DSS compliance. Read the Razorpay Privacy Policy.
Zeptomail (Email Delivery)
When a user has not connected a personal Gmail or Outlook account, outbound emails are delivered via Zeptomail (by Zoho). Email content, recipient addresses, and attachments are transmitted to Zeptomail solely for the purpose of delivery. Read the Zoho Privacy Policy.
Amazon Web Services S3 (File Storage)
Uploaded files — including email attachments, company logos, profile pictures, and document attachments — are stored in Amazon S3 (ap-south-1 / Mumbai region). Files are accessed via secure signed URLs. Read the AWS Privacy Policy.
Pusher (Real-Time Notifications)
We use Pusher to deliver real-time in-app notifications (e.g., document approvals, activity updates). Pusher receives channel and event names but does not store message content. Read the Pusher Privacy Policy.
Data Security
We implement appropriate technical and organizational measures to protect your data. While no method of transmission over the Internet or method of electronic storage is 100% secure, we maintain the following controls:
- Data in transit is secured using TLS 1.2 or higher for all communication between your browser and our servers.
- Sensitive data is encrypted at rest using industry-standard encryption mechanisms (AES-256-GCM for credentials and OAuth tokens).
- Role-based access control (RBAC) ensures access is limited to authorized personnel and systems only.
- Secure authentication and session management mechanisms, including multi-factor authentication (MFA) for administrative access.
- Continuous monitoring, logging, and alerting for suspicious or unauthorized activity.
- Regular security updates and patch management for infrastructure and dependencies.
Access Control and Internal Security
Access to production systems is restricted to authorized personnel based on role and operational necessity. All access is logged, monitored, and periodically reviewed. Administrative access requires multi-factor authentication (MFA). We follow the principle of least privilege for all systems and personnel.
Employee Access Policy
Employees and contractors are subject to confidentiality obligations and are granted access to customer data strictly on a need-to-know basis — for support, security, or legal purposes only. Unauthorized access to customer data is prohibited and subject to disciplinary action.
Data Isolation
The platform operates on a multi-tenant architecture with logical data isolation, ensuring that each Customer's data is strictly segregated and inaccessible to other Customers. Tenant isolation is enforced at the application and database layer.
Security Testing and Audits
We conduct periodic security assessments, vulnerability scans, and penetration testing — internally or via qualified third-party providers. Identified vulnerabilities are prioritized and remediated based on severity. Our infrastructure is hosted on cloud providers with industry-standard physical and network security controls.
Data Backup and Recovery
We perform daily automated backups of critical application data, including databases and file storage. Backups are:
- Encrypted and securely stored.
- Retained for up to 30 days to support recovery scenarios.
- Maintained with redundancy across secure infrastructure.
- Periodically tested for integrity and recoverability.
In the event of data loss or system failure, we aim to restore critical services and data within commercially reasonable timeframes depending on the severity of the incident.
Service Availability
We target a 99.5% monthly uptime for the platform, on a best-effort basis. Uptime is calculated as total minutes in a calendar month minus downtime, divided by total minutes, excluding scheduled maintenance.
Downtime refers to periods when the platform is unavailable or materially degraded for all users, excluding:
- Scheduled maintenance (conducted during off-peak hours where feasible, with advance notice).
- Force majeure events beyond our reasonable control.
- Third-party service outages outside our control.
Security Incident Response
We maintain an internal incident response process covering detection, containment, investigation, and remediation. In the event of a confirmed data breach or security incident affecting your personal data, we will:
- Notify you within 72 hours of confirming the incident.
- Explain what information was involved and the steps we are taking to address it.
- Provide recommendations for protecting yourself.
- Notify relevant authorities as required under applicable law, including the Digital Personal Data Protection Act, 2023.
We will take appropriate steps to investigate, contain, and mitigate the incident and implement additional security measures to prevent recurrence.
Your Security Responsibilities
To help keep your account secure:
- Use strong, unique passwords for your account.
- Enable available security features (e.g., two-factor authentication when offered).
- Keep your registered contact information up to date.
- Report any suspicious activity on your account immediately to discover@bizconnekt.com.
Children's Privacy
Our Services are not intended for use by children under the age of 18. We do not knowingly collect personally identifiable information from children under 18. If you become aware that a child has provided us with Personal Data, please contact us immediately.
Grievance Redressal
In accordance with the Digital Personal Data Protection Act, 2023 and other applicable laws, you may contact our Grievance Officer for any concerns, complaints, or queries regarding the processing of your personal data:
Grievance Officer: Nexowave Technology Solutions Private Limited
Grievance Email: grievance@bizconnekt.com
We will acknowledge your grievance within 3 business days and work to resolve it within 30 days or within timelines prescribed under applicable law, whichever is sooner.
Escalation — Data Protection Board of India: If you are unsatisfied with our response to your grievance, you may file a complaint with the Data Protection Board of India through their official channels as established under the Digital Personal Data Protection Act, 2023.
Changes to This Privacy Policy
We may update our Privacy Policy to reflect changes in our practices, new legal requirements, or platform improvements. We will notify you of material changes by:
- Email to your registered address.
- Prominent notice on the platform.
- At least 30 days' advance notice before the change takes effect.
Continued use of the platform after the effective date constitutes acceptance of the updated policy. You are advised to review this Privacy Policy periodically.
Data Processing Agreement
For enterprise customers, we may enter into a separate Data Processing Agreement (DPA) governing the processing of personal data on behalf of the Customer. To request a DPA, please contact legal@bizconnekt.com.
Contact Us
For questions about this Privacy Policy or to exercise your data rights, contact us through any of the following:
- Data Protection Officer: privacy@bizconnekt.com — for data rights requests, consent withdrawal, and privacy queries
- Grievance Officer: grievance@bizconnekt.com — for formal grievances under the DPDP Act, 2023
- General Enquiries: discover@bizconnekt.com