Privacy Policy
Version 1.0 · Effective date: 23 May 2026 · Last updated: 23 May 2026
Verdeshell Technologies Private Limited (“Verdeshell”, “we”, “our”, “us”) operates the Verdeshell IM platform (“Service”). This Privacy Policy explains what data we collect, why we collect it, how we protect it, and what your rights are.
1. Who We Are
Data Controller / Data Fiduciary: Verdeshell Technologies Private Limited
Sector 58, Gurgaon, Haryana, India — 122011
Email: legal@verdeshell.com
General contact: connect@verdeshell.com
The Service is a multi-tenant B2B SaaS platform. Your organization (“Customer”) enters into a subscription agreement with us. Employees and agents of the Customer who access the platform are “Users” or “Data Principals.”
2. Data We Collect
2.1 Account and Identity Data
- Full name, email address, and hashed password — provided on registration or invite acceptance.
- Organization name, slug, GST / registration number — provided during onboarding.
- Role and permission assignments within your organization.
2.2 Operational Data
- Inventory movements — quantity, movement type (RECEIVE, ISSUE, TRANSFER, etc.), variant, source and target locations, unit cost, and the user who performed the movement.
- Stock balances — on-hand, reserved, and available quantity per variant per location.
- Scan events — identifier type (barcode, QR, RFID, NFC), scan timestamp, resolution status, device ID, and linked variant or asset.
- Audit records — scheduled and ad-hoc stock count results including expected vs. counted quantities.
- Orders and purchase orders — supplier/customer details, line items, status history.
- Supplier and customer contact records — contact name, email address, and phone number (optional), where provided by your organization.
- Device registrations — device name, type, and registration timestamp for scanning hardware.
2.3 Usage and Telemetry Data
- Usage events (scan count, device count) for subscription metering and billing.
- Error and exception logs — no personal data is included in log payloads; only user IDs and organization IDs are logged.
- Last login timestamp and failed login attempt counts.
2.4 Session and Authentication Data
- JWT access tokens (15-minute expiry) — stored in browser memory only, never in localStorage.
- Hashed refresh tokens — stored as httpOnly, Secure, SameSite cookies; the raw token is never persisted by us.
- Device hints provided at login (optional) — used to label active sessions.
2.5 Payment and Billing Data
- Invoice details, subscription plan, and payment status.
- Card and payment instrument data is processed exclusively by our payment processor (Razorpay) and is never stored on our servers.
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing and operating the inventory management Service | Performance of contract |
| User authentication and session management | Performance of contract |
| Subscription billing and usage metering | Performance of contract / legal obligation |
| Sending system notifications (low stock, expiry warnings, unauthorized movements) | Legitimate interest / performance of contract |
| Push notifications to mobile devices (via FCM) | Consent (user enables push) |
| Generating analytics and KPI reports for your organization | Performance of contract |
| Fraud prevention and rate limiting | Legitimate interest |
| Improving the Service (anonymized, aggregated) | Legitimate interest |
We do not use your operational inventory data to train machine-learning models or to derive insights that are shared outside your organization without explicit consent.
4. Data Sharing and Third-Party Processors
We share your data only with processors acting on our documented instructions:
| Processor | Purpose | Data Transferred |
|---|---|---|
| Razorpay Software Pvt. Ltd. | Payment processing | Invoice amounts, billing contact |
| Google Firebase (FCM) | Push notification delivery | Device push tokens, notification payload |
| Cloud infrastructure provider | Hosting, storage, database | All Service data (encrypted at rest) |
| Sentry (error monitoring) | Error tracking | Stack traces, user IDs (no PII in request bodies — stripped before transmission) |
We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and user profile data | Duration of active subscription + 90 days after termination |
| Inventory movements and stock balances | Duration of active subscription + 90 days |
| Scan events | Rolling 12-month window; older records deleted by automated job |
| Audit records | Duration of active subscription + 90 days |
| Usage events (metering) | 24 months from creation |
| Authentication tokens (refresh) | 30 days from issuance; revoked immediately on logout or password change |
| Application logs | 30 days (rolling) |
| Payment and invoice records | 7 years (statutory requirement under Indian accounting law) |
Upon subscription termination, Customer data is retained for 90 days to allow data export, after which it is permanently deleted from all systems including backups.
6. Security Measures
- Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
- All tenant data is logically isolated using
org_idon every database row and enforced at the API layer. - Authentication uses short-lived JWT access tokens (15 min) with rotating refresh tokens; compromised refresh tokens trigger full session revocation.
- Passwords are hashed using BCrypt with a cost factor of 12; plain-text passwords are never stored.
- API rate limiting is applied at the IP level (auth endpoints) and org level (write APIs) to prevent brute-force attacks.
- Monitoring endpoints are bound to localhost only; no management surfaces are publicly exposed.
7. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal data. Please see our GDPR & Data Subject Rights page for the full list and how to exercise them.
Organization administrators can export and manage user data through the platform. To request deletion or export of your personal data, email legal@verdeshell.com.
8. Cookies and Browser Storage
We use minimal browser storage:
- Session cookie (
vs_im_tenant_auth/vs_im_admin_auth) — httpOnly, Secure, SameSite=Lax. Holds an opaque refresh token. Cannot be read by JavaScript. Expires after 30 days or on logout. - Redux in-memory state — the JWT access token is held only in browser memory (not persisted to localStorage or cookies) and is lost on page refresh.
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.
9. Children's Privacy
The Service is intended for business use only. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor's data has been submitted, contact us at legal@verdeshell.com.
10. Changes to This Policy
We will notify registered users by email and update the effective date above when making material changes. Continued use of the Service after the change date constitutes acceptance of the updated policy.
11. Contact Us
Verdeshell Technologies Private Limited
Sector 58, Gurgaon, Haryana, India — 122011
Privacy / Legal: legal@verdeshell.com
General: connect@verdeshell.com