Data Protection for BytesWrite

Effective: July 18, 2025
Companies Act, 2013
Copyright Act, 1957

1. Introduction

BytesWrite is committed to safeguarding the privacy, security, and availability of every byte of data entrusted to us. This policy explains what personal information we collect, why we collect it, how we secure it, and what rights you have over it—mirroring the high standards set by leading cloud ERP and CRM providers.

2. Scope & Roles

This statement applies to all cloud products, mobile applications, websites, and support services branded “BytesWrite.”

  • When we decide the purpose of processing (e.g., marketing our own services), we act as a controller.
  • When we process customer data inside our platform, we act as a processor, following our customers’ instructions.
  • This policy supplements, but does not replace, any Data Processing Addendum agreed with enterprise customers.

3. Principles We Live By

  • Lawfulness, fairness, transparency — we collect only what we need and explain why.
  • Purpose limitation — data is used solely for the legitimate business purpose specified at collection.
  • Data minimisation & accuracy — workflows and AI models are designed to hold the least data necessary and keep it up-to-date.
  • Security & confidentiality — multi-layer protection detailed in section 6.
  • Accountability — auditable logs, certifications, and annual privacy reviews align with global standards such as ISO 27001 and SOC 2 (in progress).

4. What Data We Collect

Category and examples:

  • Identification: Name, business email, phone, company
  • Account & Usage: Login credentials, role, IP address, audit logs, feature usage telemetry
  • Transactional: Subscription level, invoices, payment method tokens (handled by PCI-DSS certified processor)
  • Content You Upload: Files, records, custom objects created in our ERP/CRM/CMS modules (customer controlled)
  • Support Interactions: Chat transcripts, tickets, call recordings (with notice)

Data Collection Notice

We collect and process personal data in accordance with our Privacy Policy.

5. Legal Bases for Processing

We process personal data only when we have a valid legal basis under applicable data protection laws. These bases ensure that data handling is lawful, fair, and transparent:

  • Contract performance – provisioning the platform, providing support.
  • Legitimate interest – securing the service, preventing fraud, product improvement balanced with privacy impact assessments.
  • Consent – email marketing, cookies, and optional AI training datasets; consent is granular and can be withdrawn at any time.
  • Legal obligation – complying with export controls, tax, and regulatory reporting.

6. How We Use Personal Data

We use personal data to provide, maintain, and improve our services, including:

Purpose and typical activities:

  • Service Delivery: Authentication, role-based access, workflow execution
  • Analytics & AI: Aggregated usage metrics to optimise performance; ML models never expose identifiable output without consent
  • Security: Threat detection, MFA enforcement, zero-trust network segmentation
  • Communication: In-app notices, release notes, and, with consent, newsletters or event invitations
  • Compliance: Responding to data-subject requests and legal inquiries, maintaining audit trails

9. Advanced Security Measures

At BytesWrite Solution Pvt Ltd, we implement industry-leading security practices to ensure that all personal and organizational data remains protected against unauthorized access, misuse, or disclosure. Our security framework includes robust technical safeguards, administrative controls, and incident response mechanisms, built with a forward-looking mindset, including preparedness for emerging threats.

9.1 Technical Safeguards

Security Measure: Data Encryption

Encryption Standards
  • AES-Based Encryption: All sensitive data is encrypted using AES (Advanced Encryption Standard), ensuring strong protection for data at rest and during processing.
  • Secure Data in Transit: Communications between clients, servers, and APIs are encrypted using TLS protocols, protecting data integrity and confidentiality.
  • JWT Authentication: User sessions and access are secured with JWT (JSON Web Tokens), which are signed and encrypted to prevent unauthorized access or tampering.
  • Encrypted Cloud Infrastructure: Our infrastructure providers—MongoDB Atlas, AWS, and Vercel—offer built-in encryption and comply with leading industry standards for data security.

Access Controls
  • Role-Based Access Control (RBAC): Access is granted strictly based on job roles, adhering to the principle of least privilege.
  • Zero-Trust Architecture: We enforce continuous authentication and real-time validation, assuming no inherent trust between systems.
  • Privileged Access Management (PAM): Elevated privileges are strictly controlled, monitored, and periodically reviewed for administrative users.

9.2 Administrative Controls

Control Measure: Data Access Policies

Privacy Governance
  • Privacy Impact Assessments (PIAs) are conducted before introducing new processing activities, ensuring risk is evaluated and mitigated proactively.
  • We conduct regular internal privacy audits and compliance reviews to ensure ongoing alignment with data protection laws and best practices.
  • All employees receive mandatory training on data privacy, information security, and secure handling practices as part of our onboarding and continuous learning processes.

Incident Response and Breach Handling
  • Our Incident Response Team (IRT) operates under a documented plan with clearly defined roles and escalation procedures.
  • In the event of a personal data breach, we are committed to issuing notifications within 72 hours, as required under GDPR Article 33.
  • Forensic investigation protocols are in place to trace, analyze, and remediate any incidents with transparency and accountability.

8. International Data Transfers

Primary data centres are located in the EU and India; replicas may be stored in the same geographic region for resilience.

Data Transfer Notice

We do not transfer personal data to countries outside of India. We care about your privacy.

9. Comprehensive Data Retention Framework

BytesWrite maintains a structured data retention policy aligned with legal, operational, and business needs. Customer data is retained for up to 7 years post-service, with financial records held for 10 years to meet tax and audit obligations. Employee and HR-related data are stored for up to 7 years after termination, while recruitment records are kept for 2 years. Technical data, including system logs, backups, and security incidents, is retained for between 1 and 5 years depending on its purpose. All data is securely deleted once retention periods expire.

9.1 Retention Periods by Data Category

Duration by data category:

Customer Data
  • Active Relationships: Duration of service agreement plus 7 years
  • Inactive Accounts: 3 years from last interaction
  • Financial Records: 10 years for accounting and tax purposes
  • Support Communications: 5 years for service quality assurance

Employee Data
  • Current Employees: Duration of employment plus 7 years
  • Former Employees: 7 years post-termination for legal compliance
  • Recruitment Data: 2 years for unsuccessful candidates
  • Performance Records: 5 years for reference and evaluation

Technical Data
  • System Logs: 2 years for security and performance analysis
  • Backup Data: 1 year with automatic deletion procedures
  • Security Incident Data: 5 years for investigation and prevention
  • Usage Analytics: 3 years for trend analysis and improvement

9.2 Data Deletion and Archival Policy

At BytesWrite Solution Pvt Ltd, we take data minimization and lifecycle management seriously. In alignment with our retention periods (Section 5.1 of our Privacy Policy), we follow strict protocols to ensure that your personal data is not retained any longer than necessary.

9.2.1 Deletion from Active Systems

Once the defined retention period for any category of data expires, the respective data is automatically and permanently removed from our active production systems, including:

  • Application databases
  • CRM and communication platforms
  • Analytics dashboards
  • Employee management systems

Deletion Notice

This process is governed by automated cleanup scripts and monitored periodically to ensure compliance.

9.2.2 Archival in Encrypted Metadata Stores

To fulfill limited regulatory, audit, or legal obligations, minimal metadata may be securely archived in isolated storage. These archives:

  • Do not contain any active personal data
  • Are fully encrypted and read-only
  • Are only accessible to a limited number of authorized compliance personnel
  • Are retained solely for audit trails or legal defense purposes

Archived metadata typically includes:

  • Anonymized transaction references
  • System logs (non-identifiable)
  • Time-stamped deletion confirmations

Archival Notice

No archived data is ever used for analytics, profiling, or commercial purposes.

9.2.3 Full Erasure and No Retention Promise

Upon expiry of both active and archival timelines, all data is irreversibly purged from our systems, including:

  • Primary and backup databases
  • Cache and content delivery systems
  • Metadata repositories

Full Erasure Notice

At this point, BytesWrite no longer holds any form of your personal data, directly or indirectly. This ensures full compliance with the "right to erasure" (GDPR Article 17) and reinforces our commitment to data privacy and trust.

10. Fundamental Rights Under the DPDP Act

In accordance with the Digital Personal Data Protection (DPDP) Act, 2023, BytesWrite Solution Pvt Ltd ensures that all data principals (individuals whose data is processed) retain meaningful control over their personal information. We have implemented robust mechanisms to honor and facilitate the exercise of the following fundamental rights:

Right to Information

You have the right to request and receive clear, comprehensive details about the processing of your personal data.

Your rights:
  • The categories of personal data we process about you.
  • The purposes for which your data is used.
  • The legal basis for processing under applicable data protection laws.
  • The entities (if any) with whom your data has been shared, including any cross-border transfers.
  • The applicable retention periods for your data and the procedures for deletion or archival once that period has expired.

Right to Correction

If you believe that the data we hold about you is inaccurate, incomplete, or outdated, you may request us to correct or update it.

Your rights:
  • Correct factual inaccuracies or typographical errors.
  • Update outdated or obsolete information (e.g., contact details).
  • Supplement missing relevant data for completeness.
  • Verify and confirm the implementation of corrections made to your data across systems and services where applicable.

Right to Be Forgotten

You have the right to request the erasure of your personal data when:
  • The data is no longer required for the purpose it was collected.
  • You withdraw consent where processing was based on it.
  • You object to processing, and there are no overriding legitimate grounds.

Our Deletion & Archival Approach

Once your erasure request is validated, we initiate a multi-phase deletion process as outlined in our Data Deletion and Archival Policy (Section 5.2 of our Privacy Policy). This includes immediate removal from active databases, followed by secure archival of metadata for compliance purposes, and finally, complete erasure from all systems within 35 days.

Exceptions: We may deny or defer erasure in specific scenarios where:
  • Retention is required by law (e.g., taxation, labor, or contractual obligations).
  • Data is part of a legal dispute, investigation, or regulatory hold.

11. Strategic Data Sharing And Disclosure

BytesWrite Solution Pvt Ltd is committed to handling personal and organizational data with the utmost care, confidentiality, and transparency. We only share data when necessary to provide our services, operate efficiently, and comply with legal or contractual obligations. All sharing is governed by strict access controls, data processing agreements, and security best practices.

Internal Data Sharing

To deliver seamless service and maintain operational efficiency, certain data may be shared internally within BytesWrite under strict access policies.

Why we share:
  • Authorized Personnel: Data access is restricted to employees and contractors who require it to perform their duties, based on clearly defined roles and the principle of least privilege.
  • Cross-Department Collaboration: Limited data may be shared across departments (e.g., customer success, billing, compliance) to ensure a unified and personalized user experience.
  • Strategic Insights: Aggregated and anonymized data may be used for internal reporting, product improvement, and business intelligence.
  • Security & Compliance Operations: Internal security teams may process data to monitor for suspicious activity, investigate incidents, and maintain platform integrity.

Third Party Data Sharing

We may share specific categories of personal or usage data with trusted third-party service providers, solely for the purpose of enabling core functionality, improving our services, and fulfilling legal or contractual obligations. These third parties are vetted for compliance and bound by contractual data protection agreements.

Why we share:
  • Cloud Infrastructure & Database Hosting: Our applications and data are securely hosted using modern cloud platforms, including databases such as MongoDB, which provide enterprise-grade encryption, backup, and fault-tolerance.
  • Payment Processing: For managing subscription billing and secure financial transactions.
  • Marketing and Engagement Platforms: For customer communication, behavior analytics, and lifecycle management—used with consent where required.
  • Security and Monitoring Tools: For real-time threat detection, performance optimization, and compliance auditing.

Notice of Sharing

We do not sell or monetize personal data. Any data shared with third-party vendors is strictly purpose-bound and limited to what is essential for the execution of operational services. Access is restricted and governed by clearly defined use-cases.

While we ensure due diligence in selecting vendors—only engaging those who meet stringent quality and compliance standards after thorough internal evaluation and testing—any data breach or leak at the vendor’s end remains their sole responsibility and is subject to their internal security and compliance protocols.

We maintain full transparency with our stakeholders regarding the vendors and infrastructure partners we utilize. This information is communicated in advance, and we take the highest precautions to ensure that all selected vendors align with our data protection standards and values.

12. Cookies & Similar Technologies

We use strictly necessary cookies for login and session management, and optional analytics cookies with consent. Cookie banners follow GDPR and CCPA requirements.

For more details, please refer to our Cookies Policy.

13. Automated Decision-Making & Profiling

We use AI to provide sales suggestions or insights, but these AI decisions are explainable, not absolute, and users can override them.

14. Policy Updates And Amendments

At BytesWrite Solution Private Limited, we view our Privacy Policy as a dynamic governance instrument—one that evolves in response to regulatory shifts, operational developments, technological advances, and business priorities. While we are committed to keeping our users informed, we retain the right to amend this policy at our discretion to safeguard the integrity and scalability of our services.

14.1 Regular Policy Review Cycle

We conduct multi-tiered reviews of this Privacy Policy to ensure it remains compliant, current, and aligned with industry expectations:

Review Cycle: Policy Review

Quarterly Reviews
  • Monitoring of legal and regulatory changes (e.g., DPDP Act, GDPR, CCPA)
  • Assessment of platform and infrastructure updates (e.g., new features, third-party integrations)
  • Analysis of user feedback, grievances, and support trends
  • Benchmarking against leading industry practices and risk frameworks

Annual Comprehensive Audit
  • Full end-to-end effectiveness evaluation of our privacy practices
  • Independent compliance gap analysis and internal audit
  • Stakeholder and legal counsel consultation
  • Development of a strategic privacy roadmap for the upcoming cycle

14.2 Policy Amendment and Notification Protocol

Our update process is designed to inform users without disrupting platform continuity or compromising operational agility.

Material Changes

When updates involve a change in data usage, legal rights, or processing scope, we will:
  • Provide a 30-day advance notice to affected users
  • Send email communications to registered users
  • Display a notification banner on relevant platform interfaces
  • Offer opt-out or consent renewal mechanisms, where applicable

Minor or Operational Updates

For non-material amendments (e.g., clarifications, formatting, security adjustments), we may:
  • Publish the updated policy directly on our website
  • Maintain detailed version history with change logs
  • Inform users at their next login or interaction
  • Allow a grace period for adaptation, if necessary

Note

Continued use of our services after any update constitutes acceptance of the revised Privacy Policy.

15. Contact Information

For any questions or concerns regarding this Agreement, please contact us at: support@byteswrite.com

Escalation Path

Complex cases may be escalated to senior management or the DPO, subject to internal prioritization and materiality.

Response Timeline

We strive to respond to valid privacy-related requests within 72 business hours, because we care for our users and aim to address their concerns promptly.