GDPR Policy

The General Data Protection Regulation (GDPR) is the European Union's data protection law that applies to organisations processing personal data of individuals in the European Economic Area (EEA). Sahayogi One Private Limited respects the principles of the GDPR and has implemented practices that align with its requirements.

While BoSS is primarily designed for Indian businesses, we recognise that some of our users, their customers, or their business contacts may be located in the EEA. This policy explains how we handle personal data in compliance with GDPR requirements.

This GDPR policy applies when:

• We process personal data of individuals located in the EEA
• Our customers use BoSS to manage data of their contacts or employees in the EEA
• We offer services to businesses with operations in the EEA

We process personal data under the following legal bases as defined in Article 6 of the GDPR:

Under the GDPR, individuals in the EEA have the following rights regarding their personal data:

To exercise any of these rights, please contact our Data Protection Officer. We will respond to your request within 30 days as required by the GDPR.

The categories of personal data we may process include:

• Identity data: Name, job title, company name
• Contact data: Email address, phone number, business address
• Account data: Login credentials, role, permissions
• Usage data: Platform activity logs, feature usage patterns
• Technical data: IP address, browser type, device information
• Communication data: Support correspondence, feedback

We process personal data for the following purposes:

• Providing and maintaining the BoSS platform
• User authentication, authorisation, and access management
• Customer support and communication
• Platform improvement and analytics
• Billing and subscription management
• Legal compliance and fraud prevention
• Security monitoring and incident response

We do not sell personal data. We share personal data with third parties only when necessary for our service delivery, and always under appropriate contractual safeguards:

• Cloud infrastructure providers for hosting and data storage
• Communication service providers for email and notification delivery
• Payment processors for subscription billing

All third-party processors are bound by data processing agreements that comply with GDPR Article 28 requirements.

As an India-based company, transfers of EEA personal data to India constitute international transfers under the GDPR. We protect such transfers through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary security measures including encryption and access controls
• Data minimisation — transferring only what is necessary for service delivery

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are determined by:

• The nature of the data and the purpose of processing
• Legal and regulatory retention requirements
• Legitimate business needs (e.g., audit trail requirements)

When data is no longer needed, it is securely deleted or anonymised.

We implement technical and organisational measures appropriate to the risk, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls with least-privilege principle
• Regular security assessments and vulnerability management
• Incident response procedures with breach notification capability
• Employee security awareness training

For more detail on our security practices, please refer to our ISO 27001 Compliance and Data Security pages.

We have designated a point of contact for all GDPR-related matters:

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU/EEA member state where you reside, work, or where the alleged infringement occurred.

We encourage you to contact us first so we can address your concerns directly and resolve any issues promptly.