1. Introduction & Scope
This Privacy Policy describes how DeeRef Labs Private Limited (“Company”, “we”, “us”, or “our”), operating as FlowVerify, collects, uses, shares, and protects your personal information when you use our website (www.flowverify.co), our application (app.flowverify.co), and related services (collectively, the “Service”).
This policy applies to all users of the Service, including account holders, signers who receive signature requests, and visitors to our website. By using the Service, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Phone number (optional)
- Company/organization name (optional)
- Password (stored as a cryptographic hash, never in plain text)
- Profile information you choose to provide
2.2 Document Data
When you use our electronic signature services, we process:
- Documents you upload for signature
- Signature field data and configurations
- Recipient information (names and email addresses)
- Signed documents and completion certificates
- Audit trail data (timestamps, IP addresses, actions taken)
2.3 Aadhaar eSign Data
When signers use the Aadhaar eSign feature:
- Aadhaar number is transmitted directly to the eSign service provider for OTP verification. FlowVerify does not store Aadhaar numbers.
- A masked Aadhaar reference may be retained in the audit trail for legal compliance.
- The digital certificate generated by the eSign process is attached to the signed document.
- No biometric data is collected, stored, or processed by FlowVerify.
2.4 Payment Information
Payment processing is handled by Razorpay, our third-party payment processor. We do not store credit card numbers, bank account details, or UPI IDs on our servers. We retain only transaction IDs, plan details, and billing history for accounting and support purposes.
2.5 Usage & Device Information
We automatically collect:
- IP address and approximate location
- Browser type and version
- Operating system
- Device type
- Pages visited, features used, and time spent
- Referral source and search terms
2.6 OAuth & Third-Party Login Data
If you sign in using Google or Microsoft OAuth, we receive your name, email address, and profile picture from the identity provider. We do not receive or store your third-party account password.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide electronic signature, document tracking, template management, audit trail generation, and related services.
- Account Management: To create and manage your account, process billing and payments, and handle customer support requests.
- Authentication & Security: To verify your identity, prevent unauthorized access, detect fraud, and maintain the security of our platform.
- Communication: To send transactional emails (signature requests, status updates, reminders), service announcements, and security alerts.
- Service Improvement: To analyze usage patterns (using aggregated, anonymized data) to improve our platform's performance, features, and user experience.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.
- Audit Trails: To maintain legally compliant audit trails that record signer actions, timestamps, and authentication details for each signed document.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process personal data based on the following legal grounds:
- Contractual Necessity: Processing necessary to perform our contract with you (e.g., providing the signature service, managing your account).
- Legitimate Interest: Processing for our legitimate business interests, such as improving our services, preventing fraud, and ensuring platform security, where these interests are not overridden by your rights.
- Consent: Where you have given explicit consent for specific processing activities (e.g., marketing communications). You may withdraw consent at any time.
- Legal Obligation: Processing necessary to comply with legal obligations (e.g., tax record retention, responding to lawful government requests).
5. Data Sharing & Third-Party Disclosure
We do not sell, rent, or share your personal information with third parties for marketing purposes. We may share information in the following limited circumstances:
- Service Providers: We share data with trusted third-party service providers who assist in operating our platform, including:
  - Cloud hosting and infrastructure providers
  - Razorpay (payment processing)
  - eSign service provider (for Aadhaar eSign functionality)
  - Google and Microsoft (for OAuth authentication and cloud storage integrations)
  - Dropbox (for cloud storage integration)
  - Email delivery services (for transactional emails and notifications)
  - Analytics providers (Google Analytics via Google Tag Manager)
  All service providers are bound by data processing agreements and are required to protect your data.
- Document Recipients: When you send a document for signature, recipient names and email addresses are shared with other signers as necessary for the signing process. Document content is accessible only to designated recipients.
- Legal Requirements: When required by law, court order, subpoena, or to protect our legal rights, safety, or property.
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, with continued privacy protection for your data.
- With Your Consent: When you explicitly authorize sharing of specific information.
6. International Data Transfers
Our servers and service providers may be located in jurisdictions outside your country of residence. When we transfer personal data internationally, we implement appropriate safeguards including standard contractual clauses (SCCs), data processing agreements, and ensuring that receiving parties maintain adequate data protection standards. For transfers from the EEA, we rely on adequacy decisions by the European Commission or SCCs as appropriate.
7. Data Retention & Deletion
We retain your data as follows:
- Account Data: Retained for as long as your account is active. After account deletion, we retain minimal data for up to 90 days for recovery purposes, after which it is permanently deleted.
- Documents & Signed Files: Retained according to your plan's document retention policy. Enterprise customers may configure custom retention periods.
- Audit Trails: Retained for a minimum of 7 years to comply with legal and regulatory requirements for electronic signature records.
- Billing Records: Retained for a minimum of 8 years as required by Indian tax laws.
- Usage Logs: Anonymized and aggregated after 12 months. Raw logs are deleted after 24 months.
8. Your Rights Under GDPR
If you are located in the EEA, you have the following rights under the General Data Protection Regulation:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data (subject to legal retention requirements).
- Right to Data Portability: Request your data in a structured, machine-readable format.
- Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Your Rights Under Indian Law
Under the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), you have the right to:
- Access your personal data held by us.
- Request correction of inaccurate or deficient personal data.
- Withdraw consent for the collection and processing of your sensitive personal data. Note that withdrawal of consent may impact our ability to provide the Service.
- File a grievance regarding the handling of your personal data with our Grievance Officer.
We implement reasonable security practices and procedures as required by the SPDI Rules to protect your sensitive personal data or information.
10. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. In compliance with the Children's Online Privacy Protection Act (COPPA) and applicable Indian laws, if we become aware that we have collected personal data from a child under 18 without appropriate consent, we will take immediate steps to delete that information. If you believe a child has provided us with personal data, please contact us at [email protected].
11. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to operate our website, maintain your login session, analyze website usage, and improve our services. Cookies we use include:
- Essential cookies: Required for authentication and core functionality (accessToken, refreshToken).
- Analytics cookies: Used to understand website usage via Google Analytics and Google Tag Manager.
- Marketing cookies: May be used for advertising measurement and attribution.
For detailed information about the cookies we use, please refer to our Cookie Policy.
12. Third-Party Services
Our Service integrates with or uses the following third-party services:
- Aadhaar eSign Provider: For Aadhaar-based electronic signature verification. Aadhaar data is transmitted directly to the eSign provider and is not stored by FlowVerify.
- Razorpay: For payment processing. Payment card data is handled entirely by Razorpay and is subject to their privacy policy.
- Google: For OAuth sign-in and Google Drive integration.
- Microsoft: For OAuth sign-in and OneDrive integration.
- Dropbox: For cloud storage integration.
- Google Analytics / Tag Manager: For website analytics and usage tracking.
Each third-party service has its own privacy policy governing its use of your data. We encourage you to review their privacy policies.
13. Data Security Measures
We implement comprehensive security measures to protect your data:
- Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit.
- Access Controls: Role-based access control (RBAC) ensures only authorized personnel can access user data, and all access is logged.
- Authentication: Support for multi-factor authentication (MFA) to secure user accounts.
- Infrastructure: Hosted on secure cloud infrastructure with regular security audits and vulnerability assessments.
- Monitoring: Continuous security monitoring and incident response procedures.
- Employee Training: All team members receive data protection and security awareness training.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or through a prominent notice on our Service prior to the change becoming effective. The “Last updated” date at the top of this page indicates when this policy was last revised. Your continued use of FlowVerify after any changes constitutes your acceptance of the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:
Company: DeeRef Labs Private Limited
Email: [email protected]
Address: Embassy TechVillage, Block L,
Devarabisanahalli, Outer Ring Rd, Bellandur,
Bengaluru, Karnataka 560103, India
For GDPR-related inquiries, you may also contact your local data protection authority.