
Privacy Policy

How we collect, use, store, and protect your data.

Effective Date: 23 March 2026

1. Introduction

This Privacy Policy explains how Neonflake Enterprises OPC Pvt Ltd (“Company”, “we”, “us”, or “our”), operating the Sumasu platform at sumasu.co, collects, uses, stores, shares, and protects your personal and business information.

We are committed to safeguarding your data and ensuring transparency in our data practices. This policy applies to all users of the Sumasu platform, including business owners, their team members, Chartered Accountants (CAs), and visitors who interact with the Lead Gen AI widget embedded on customer websites.

By using Sumasu, you consent to the collection and use of your information as described in this Privacy Policy.

2. Information We Collect

2.1 Information You Provide

  • Account registration details: business name, GSTIN, PAN, email address, phone number, city, state, and business type.
  • User profile information: first name, last name, email, and role within your organisation.
  • Financial and business data: invoices, bills, expenses, bank statements, customer and vendor records, item catalogues, HSN codes, and GST-related information.
  • Documents: vendor bills, receipts, and other files uploaded for Document AI processing.
  • Lead generation data: qualifying rules, pricing information, FAQs, and content you provide to train the Lead Gen AI widget.
  • CA details: name, email, phone number, and firm name of Chartered Accountants you invite to the platform.
  • Communications: messages sent through our contact form, support emails, or feedback.

2.2 Information Collected Automatically

  • Device information: browser type, operating system, screen resolution, and device identifiers.
  • Usage data: pages visited, features used, actions performed, token consumption patterns, and timestamps.
  • IP address and approximate geolocation (city-level).
  • Session data: login times, session duration, and device information for security purposes.
  • Performance data: API response times and error rates for service monitoring.

2.3 Information from the Lead Gen Widget

When a visitor interacts with a Lead Gen AI widget embedded on your website, we collect:

  • Chat conversation content (messages exchanged between the visitor and the AI).
  • Contact details voluntarily provided by the visitor (name, phone, email).
  • Structured requirements extracted by AI from the conversation.
  • Lead score and label assigned by the AI.

Widget visitors are anonymous until they voluntarily provide identifying information during the chat. The widget does not use cookies or track visitors across websites.

2.4 Voice Data

If you use voice commands, we collect audio recordings that are transmitted to Sarvam AI for speech-to-text processing. Audio recordings are processed in real time and are not stored permanently by Sumasu. Sarvam AI processes the audio to generate a text transcript, which is then used for intent processing.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Sumasu platform and its AI Workers.
  • Process invoices, generate GST returns, reconcile bank statements, and produce financial reports.
  • Qualify leads, score visitor interactions, and deliver real-time alerts.
  • Generate personalised Business Advisor AI briefs using your business data and market signals.
  • Process payments and manage subscriptions through Razorpay.
  • Send transactional emails (invoices, alerts, notifications) through SendGrid.
  • Deliver WhatsApp notifications (lead alerts, strategy briefs) through Twilio or Gupshup.
  • Generate e-invoices (IRN) through the Masters India GSP integration.
  • Provide customer support and respond to your enquiries.
  • Monitor platform health, detect fraud, and ensure security.
  • Comply with legal obligations, including GST and tax regulations.
  • Analyse aggregate, anonymised usage trends to improve the platform (no individual data is shared).

4. Data Storage & Security

4.1 Storage Infrastructure

Your data is stored on DigitalOcean managed infrastructure located in the Bangalore (BLR1) region, India. We use PostgreSQL managed databases with encryption at rest, Redis for session management, and DigitalOcean Spaces (S3-compatible) for file storage.

All uploaded documents, generated invoices, reports, and PDFs are stored in private cloud storage accessible only through time-limited signed URLs (15-minute expiry).

4.2 Security Measures

We implement the following security measures to protect your data:

  • All data transmitted between your browser and our servers is encrypted using TLS/SSL.
  • Passwords are hashed using bcrypt with a minimum of 12 salt rounds; we never store passwords in plain text.
  • Authentication uses JWTs (JSON Web Tokens) stored in httpOnly cookies (never localStorage), with access tokens expiring every 15 minutes and refresh tokens every 7 days.
  • All database queries include tenant isolation (company_id filtering) to prevent cross-company data access.
  • Rate limiting is enforced on all endpoints to prevent abuse.
  • Admin access requires IP whitelisting in addition to authentication.
  • File uploads are validated for MIME type and restricted to a 10 MB maximum.
  • Razorpay webhook signatures are verified using HMAC-SHA256 to prevent tampering.
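The last bullet describes verifying a webhook's HMAC-SHA256 signature. The following is an added illustration of how such a check is typically implemented; it is not Sumasu's or Razorpay's code. The secret and the sample payload are constructed for the example, and the `X-Razorpay-Signature` header name is treated as an assumption about the provider's convention. Two details matter for the check to be meaningful: the HMAC must be computed over the exact raw request body (not over a re-serialised copy), and the comparison must be constant-time so a forged signature cannot be refined byte by byte from response timing.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional

# Constructed secret for this example only. In production the secret comes
# from a secrets store or environment variable, never from source code.
WEBHOOK_SECRET = b"constructed-example-secret-do-not-use"

# Assumed header name carrying the provider's signature.
SIGNATURE_HEADER = "X-Razorpay-Signature"

# Constructed sample webhook body; the real payload shape is provider-specific.
SAMPLE_BODY = b'{"event":"payment.captured","payload":{"payment":{"id":"pay_constructed","amount":50000}}}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact raw request bytes, hex encoded."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def _find_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; proxies often normalise header casing."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_webhook(headers: Mapping[str, str], raw_body: bytes,
                   secret: bytes = WEBHOOK_SECRET) -> bool:
    """Return True only if a signature header is present and matches the body.

    hmac.compare_digest runs in time independent of where the first
    mismatching byte is, unlike a plain string comparison.
    """
    provided = _find_header(headers, SIGNATURE_HEADER)
    if not provided:
        return False  # unsigned request: reject, do not fall back to trusting it
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, provided.strip())


def handle_webhook(headers: Mapping[str, str], raw_body: bytes) -> Optional[dict]:
    """Parse the event only after the signature has been verified.

    Returns the decoded event on success and None when the request should be
    rejected, so the caller never acts on an unverified payload.
    """
    if not verify_webhook(headers, raw_body):
        return None
    try:
        return json.loads(raw_body)
    except ValueError:
        return None  # well-signed but malformed body: still reject


if __name__ == "__main__":
    good_headers = {SIGNATURE_HEADER: compute_signature(WEBHOOK_SECRET, SAMPLE_BODY)}
    print("valid signature:", verify_webhook(good_headers, SAMPLE_BODY))
    # A single changed byte in the body invalidates the signature.
    print("tampered body:", verify_webhook(good_headers, SAMPLE_BODY.replace(b"50000", b"50001")))
    print("missing header:", verify_webhook({}, SAMPLE_BODY))
```

A practical consequence of hashing the raw bytes is that the web framework must hand the handler the body before any JSON parsing or whitespace normalisation; verifying against `json.dumps(parsed)` will fail on legitimate requests whenever the provider's serialisation differs from yours.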

5. Data Sharing & Third-Party Services

We do not sell your personal or business data to any third party. We share data with the following third-party service providers only to the extent necessary to deliver our services:

  • Anthropic (Claude AI) — Processes natural language commands, extracts invoice fields, scores leads, generates reports, and powers all AI Worker functionality. Your business data is sent to Claude as part of prompts and is subject to Anthropic’s data processing terms.
  • Sarvam AI — Processes voice commands in Indian languages for speech-to-text and text-to-speech conversion.
  • Razorpay — Processes all payment transactions. Payment card details and banking information are handled directly by Razorpay and are never stored on our servers.
  • SendGrid — Delivers transactional emails including invoice deliveries, CA notifications, and lead alerts.
  • Twilio / Gupshup — Delivers WhatsApp notifications for lead alerts and business advisor briefs.
  • Masters India — Generates e-invoice Invoice Reference Numbers (IRNs) for applicable businesses. Invoice data is shared with the Masters India GSP for IRP validation.
  • DigitalOcean — Hosts our infrastructure including servers, databases, and file storage, all within the Bangalore (BLR1) region.

Each third-party provider processes data in accordance with their own privacy policies and data processing agreements. We select providers that maintain appropriate security standards.

6. Data Retention

We retain your data as follows:

  • Account and business data: Retained for as long as your account is active. Upon account deletion, data is permanently removed within 30 days, except where retention is required by law.
  • Financial records (invoices, bills, GST returns): Retained for a minimum of 8 years as required under Indian tax and GST regulations, even if your account is deleted.
  • Lead conversation transcripts: Retained for as long as your account is active and for 90 days after account deletion.
  • Session and log data: Retained for 90 days for security and debugging purposes.
  • Payment records: Retained as required by applicable financial regulations and Razorpay’s data retention policies.
  • Voice recordings: Not permanently stored; processed in real time and discarded after transcript generation.

7. Your Rights

As a user of Sumasu, you have the following rights:

  • Access — You may request a copy of the personal and business data we hold about you.
  • Correction — You may update or correct inaccurate information through your account settings or by contacting us.
  • Deletion — You may request deletion of your account and all associated data by writing to hello@sumasu.co, subject to legal retention requirements.
  • Data Portability — You may export your invoices, reports, and business data in standard formats (PDF, CSV) at any time through the Platform.
  • Withdrawal of Consent — You may withdraw your consent to data processing at any time by discontinuing use of the Platform. Note that withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
  • Objection — You may object to specific types of data processing by contacting us at hello@sumasu.co.

8. CA (Chartered Accountant) Access

When you invite a Chartered Accountant to your Sumasu account, the CA receives read-only access to your financial records, reports, journal entries, and GST summaries. The CA can add comments but cannot create, edit, or delete any records. CA access can be revoked at any time from your account settings. CA access does not consume tokens.

9. Cookies & Tracking

Sumasu uses essential cookies for authentication and session management. We use httpOnly cookies for JWT token storage (not localStorage). We do not use advertising cookies or third-party tracking pixels. The Lead Gen AI widget embedded on customer websites does not use cookies or track visitors across websites.

10. Children’s Privacy

Sumasu is a business platform designed for use by adults aged 18 and above. We do not knowingly collect personal information from children under the age of 18. If we become aware that a child under 18 has provided personal information, we will promptly delete such information.

11. Data Breach Notification

In the event of a data breach that compromises your personal or business data, we will notify affected users by email and in-app notification within 72 hours of discovering the breach. We will also notify the relevant regulatory authorities as required under applicable Indian data protection laws.

12. International Data Transfers

Some of our third-party service providers (such as Anthropic, SendGrid, and Twilio) may process data on servers located outside India. Where data is transferred internationally, we ensure that appropriate safeguards are in place, including contractual obligations on the providers to maintain equivalent levels of data protection.

Our primary infrastructure, including databases and file storage, is hosted in India (DigitalOcean Bangalore region).

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email and in-app notification at least 15 days before they take effect. Your continued use of Sumasu after the effective date constitutes acceptance of the updated policy.

14. Grievance Officer

In accordance with the Information Technology Act, 2000 and the rules made thereunder, the contact details of the Grievance Officer are:

Name: Ayyappa Nagubandi, Neonflake Enterprises OPC Pvt Ltd

Email: grievance@sumasu.co

Address: 303, 3rd Floor, Meridian Plaza, Greenlands, Ameerpet, Hyderabad, Telangana — 500016, India

The Grievance Officer shall acknowledge your complaint within 48 hours and resolve it within 30 days of receipt.

15. Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us:

Email: hello@sumasu.co

Phone: +91 8977 002747

Address: 303, 3rd Floor, Meridian Plaza, Greenlands, Ameerpet, Hyderabad, Telangana — 500016, India

Last updated: 23 March 2026
