Privacy Policy

How we collect, use, store, and share personal information when you use Oris Invoice. Aligned with the local data-protection regime listed below.

Aligned with: DPDP Act 2023 + IT Rules 2011 · Effective: April 29, 2026

Not legal advice. This page is a templated baseline aligned with DPDP Act 2023 + IT Rules 2011. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.

1. Who we are

Oris Invoice is operated by ORIS Intelligence Pvt Ltd ("we", "us", or "Oris"). For users resident in India, this Privacy Policy is governed by the Digital Personal Data Protection Act 2023 (DPDP Act) and the surviving portions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, that have not yet been notified as repealed.

The supervisory authority designated under the DPDP Act is the Data Protection Board of India (DPBI). The DPBI is being constituted at the time of this Policy; until it is fully operational, grievances may also be raised with the Ministry of Electronics and Information Technology (MeitY) under the existing IT Act 2000 framework. Submit either via privacy@orisinvoice.com — we forward to the appropriate authority once it is operational.

2. What personal data we collect

We collect: account identifiers (name, email, phone), organisation tax registration data (e.g. GSTIN, VAT, EIN), invoice and customer master data you input, payment transaction metadata, and standard system telemetry (IP, device, timestamps). We do not collect special-category or sensitive personal data unless you choose to upload it within an invoice description.

3. Lawful basis and purpose

Under the DPDP Act 2023 we process personal data on the basis of (a) consent — obtained at onboarding for account data and, separately, for optional analytics and marketing communications, which you may withdraw at any time; and (b) legitimate uses — including contract performance to deliver the invoicing service you subscribed to, legal obligation to comply with tax, anti-money-laundering and audit retention rules, and protecting the security and integrity of the service.

4. Sub-processors and international transfers

We rely on a vetted list of sub-processors (cloud hosting, email delivery, payment gateways, anti-fraud, error monitoring). The current list is available on request. For users resident in India, primary data storage is in AWS ap-south-1 (Mumbai, India). Cross-border transfers, where required, are limited to countries on the Central Government whitelist under Section 16 of the DPDP Act, or protected by standard contractual clauses.

5. Retention

We retain account and invoice data for the longer of (a) the duration of your subscription plus 30 days, or (b) the statutory retention period applicable to invoices in your jurisdiction (typically 5 to 10 years). Audit logs are retained for 7 years on an INSERT-only basis. Backups are retained for 35 days.

6. Your rights

Under DPDP Act 2023 + IT Rules 2011 you may have the right to: access your personal data; rectify inaccurate data; erase data (subject to statutory retention overrides); restrict or object to processing; receive your data in a portable format; and lodge a complaint with the Data Protection Board of India. Submit any rights request to privacy@orisinvoice.com — we respond within 30 calendar days.

7. Security

Data at rest is encrypted with AES-256-GCM. Bank account numbers, IFSC codes, customer tax IDs, and other sensitive fields are individually encrypted at the column level with KMS-managed keys. Access is governed by PostgreSQL Row-Level Security keyed on the org context. Audit logs are append-only. We maintain SOC 2 Type II controls and an ISO 27001-aligned ISMS.

8. Cookies and analytics

We use a minimal set of essential cookies for authentication and session integrity. Optional analytics cookies are disabled by default and require your explicit consent. We do not use cross-site tracking pixels or sell user data to advertising networks.

9. Children's data

Oris Invoice is a B2B service not directed at individuals under 16 (under 18 in some jurisdictions). We do not knowingly collect personal data from children. If you believe a child has submitted personal data through our service, contact us at privacy@orisinvoice.com and we will delete it.

10. Contact and updates

Privacy queries: privacy@orisinvoice.com. Data Protection Officer: dpo@orisinvoice.com. We post material changes to this Policy 30 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the revised Policy.