Not legal advice. This page is a templated baseline aligned with Default — see /legal/<country>/privacy for jurisdiction-specific policy. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.
1. Who we are
Oris Invoice is operated by ORIS Intelligence Pvt Ltd ("we", "us", or "Oris"). This Privacy Policy is the global fallback. Country-specific Privacy Policies at /legal/<country>/privacy apply to users resident in those jurisdictions and take precedence over this page.
2. What personal data we collect
We collect: account identifiers (name, email, phone), organisation tax registration data (GSTIN, VAT, EIN, etc.), invoice and customer master data you input, payment transaction metadata, and standard system telemetry (IP, device, timestamps). We do not collect special-category or sensitive personal data unless you choose to upload it within an invoice description.
3. Lawful basis and purpose
We process personal data on the basis of (a) contract performance — to deliver the invoicing service you subscribed to; (b) legal obligation — to comply with tax, anti-money-laundering, and audit retention rules; (c) legitimate interest — to secure the service and prevent abuse; and (d) consent — for non-essential analytics and marketing communications, which you may withdraw at any time.
4. Sub-processors and international transfers
A current list of sub-processors is published at /legal/sub-processors with name, purpose, jurisdiction, and transfer basis. Cross-border transfers, where required, rely on adequacy decisions or Standard Contractual Clauses recognised by the relevant supervisory authority.
5. Retention
We retain account and invoice data for the longer of (a) the duration of your subscription plus 30 days, or (b) the statutory retention period applicable to invoices in your jurisdiction (typically 5 to 10 years). Audit logs are retained for 7 years on an INSERT-only basis. Backups are retained for 35 days. Statutory retention overrides any earlier deletion request.
6. Your rights
Depending on the jurisdiction in which you are resident, you may have the right to access, rectify, erase, restrict, port, or object to the processing of your personal data. Submit any rights request to privacy@orisinvoice.com — we respond within the statutory window applicable to your jurisdiction (typically 30 days).
7. Security
Data at rest is encrypted with AES-256-GCM. Bank account numbers, IFSC codes, customer tax IDs, and other sensitive fields are individually encrypted at the column level with KMS-managed keys. Access is governed by PostgreSQL Row-Level Security keyed on the org context. Audit logs are append-only. We maintain SOC 2 Type II controls and an ISO 27001-aligned ISMS.
8. Cookies and analytics
We use a minimal set of essential cookies for authentication and session integrity. Optional analytics cookies are disabled by default and require your explicit consent through our Consent Management Platform.
9. Automated decision-making
Where we use automation to derive account-level signals (plan-fit recommendations, fraud-risk indicators), the output is informational and never produces legal or similarly significant effects on you without human review. You may request information about the logic involved by writing to privacy@orisinvoice.com (GDPR Art. 22 / CPRA equivalent).
10. Children's data
Oris Invoice is a B2B service not directed at individuals under 16 (under 13 in jurisdictions where COPPA applies; under 18 in some others). We do not knowingly collect personal data from children.
11. Contact and updates
Privacy queries: privacy@orisinvoice.com. Data Protection Officer: dpo@orisinvoice.com. We post material changes to this Policy 30 days before they take effect. Continued use of the service after the effective date constitutes acceptance.