Privacy Policy

This policy explains how Naysa Infotech India Pvt. Ltd. collects, uses, stores, and protects information across our enterprise SaaS platform (Travel ERP, Insurance CRM, FFMC/Forex, FinTech & Payments, Gift Cards & Rewards, B2B CRM, and White-Label solutions). The platform is built for regulated ecosystems, with role-based access, maker-checker approvals, and immutable audit trails.

  • 🛡️ Responsible disclosure: security@naysainfotechindia.com
  • 📮 Privacy: privacy@naysainfotechindia.com
  • 🧑‍⚖️ Grievance: grievance@naysainfotechindia.com

Trust & Compliance Positioning

Aligned for enterprise audits & RFPs.

🏦 RBI-aligned 🧾 GST-ready 🩺 IRDAI-aware 🏛️ ROC-aware 🔐 Audit Trails ✅ Maker-Checker

Important note

This Privacy Policy is a general statement of practices for Naysa’s platform. Customer-specific terms may be governed by contracts (including a Data Processing Agreement), product modules enabled, and applicable laws. Naysa primarily acts as a Data Processor; customers typically act as Data Controllers.

1. Introduction

Naysa Infotech India Pvt. Ltd. (“Naysa”, “we”, “us”) builds enterprise platforms for regulated and compliance-driven operations: Travel ERP, Insurance CRM, Forex/FFMC workflows, FinTech & Payments modules, Gift Cards & Rewards, B2B CRM, and White-Label systems. We design for traceability (audit logs), governance (maker-checker), and secure access (RBAC).

🔎 Traceability

Immutable audit trails & exception tracking.

✅ Governance

Maker-checker approvals and role separation.

🔐 Security

Encryption, access controls, monitoring.

2. Scope & roles (Controller vs Processor)

This policy applies to (a) visitors to our website, (b) business customers using our SaaS, (c) white-label partners, (d) API integrators, and (e) end-users whose data may be processed in customer instances.

Typical relationship: customers determine the purpose and means of processing (Controller), while Naysa provides the platform and processes data on customer instructions (Processor).

Client responsibility (especially for white-label)

  • Ensure lawful collection and notices to end-users.
  • Configure roles, permissions, and retention controls.
  • Maintain their own privacy policy for their end-users.

3. Data classification & handling standards

We encourage customers to classify data and apply controls proportionate to sensitivity. Naysa supports layered safeguards.

| Category | Examples | Typical controls |
|---|---|---|
| Public | Marketing content, brochures | Standard web security |
| Internal | Operational metrics | RBAC + logging |
| Confidential | Client commercial data | Encryption + maker-checker |
| SPDI / Sensitive | KYC identifiers, sensitive PII (as applicable) | Least privilege + audit trail + secure deletion |
| Regulated financial | Transaction & reconciliation logs | Immutable logs + monitoring + retention controls |

4. Information we collect

The data processed depends on modules enabled and customer configuration. Common categories include:

👤 Personal information

  • Name, email, phone (account/contact records)
  • Passenger/customer records (where applicable)
  • Insurance policyholder details (where applicable)
  • KYC identifiers (only if customer uses KYC module)

🏢 Business information

  • Company profile, GST- and ROC-related entries (as provided)
  • Operational data for workflows and approvals
  • Vendor/customer master data

💳 Financial & transaction data

  • Payment references, reconciliation logs
  • Ledger entries & settlement records
  • Forex transaction records (FFMC workflows, where enabled)

🖥️ Technical & usage data

  • IP address, device/browser info
  • Login timestamps and access logs
  • API logs and rate-limit telemetry

5. API governance & integrations

Naysa is API-first. Integrations (e.g., banks, payment gateways, KYC providers, GDS, SMS/email services) are enabled only upon customer authorization and configuration.

🔑 Secure access

Token-based auth, scoped permissions, key rotation practices.

📈 Rate limiting

Controls abusive patterns and ensures platform stability.

🧾 Auditability

API activity is logged for traceability and incident review.

6. Multi-tenant isolation & data segregation

Our platform supports multi-tenant deployments, including white-label configurations. Customer environments are logically separated to prevent cross-tenant access. Administrative privileges follow least-privilege principles and are monitored.

Typical isolation controls

  • Tenant-scoped access tokens and role-based permissions
  • Segregated identifiers and policy-based authorization checks
  • Audit logs for privileged actions

7. How we use information

⚙️ Provide & operate services

User access, workflows, approvals, reporting, integrations.

🧾 Compliance & audit trails

Maintain logs, approval trails, exception tracking, MIS exports.

🛡️ Risk & fraud controls

Detect unusual patterns, enforce maker-checker where configured.

🧰 Support & improvements

Resolve issues, improve performance and reliability.

No sale of personal data: Naysa does not sell personal information to third parties. Any sharing is limited to customer-authorized integrations, service providers under contract, or lawful requirements.

8. Regulatory alignment (India-first)

Our controls are designed to support compliance expectations in regulated ecosystems. Depending on customer use-cases, relevant frameworks may include:

🇮🇳 IT Act & SPDI Rules

Reasonable security practices, safeguards for sensitive data.

🏦 RBI ecosystem

FinTech/forex operational controls (customer-dependent).

🩺 IRDAI ecosystem

Insurance data handling expectations (customer-dependent).

🧾 GST / Tax readiness

Logs and reports to support compliance workflows.

🏛️ Companies Act / ROC

Corporate master data workflows where enabled.

🌍 Cross-border safeguards

Transfers only with lawful agreements and protections.

Clarification: Naysa provides technology infrastructure and workflows. We do not represent that we operate as a bank, insurer, or FFMC unless separately licensed by the appropriate authority.

9. Security controls

We apply layered security controls aligned with enterprise expectations. Controls may vary by deployment model and customer configuration.

🔐 Encryption

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest for stored data

👥 Access control

  • Role-based access control (RBAC)
  • Maker-checker approvals (where enabled)
  • Least privilege, access reviews

🧾 Auditability

  • Immutable activity logs (where configured)
  • Exception tracking and exportable audit packs

🧪 Testing & monitoring

  • Periodic vulnerability testing practices
  • Monitoring and alerting for key events

Business continuity & DR

Backups, restore workflows, and disaster recovery practices are maintained to support operational resilience. Customer-specific RTO/RPO commitments (if any) are defined in contracts.

10. Sharing, service providers & sub-processors

We may share information only as needed to provide services, comply with law, and support customer-authorized integrations.

We may share data with:

  • Infrastructure providers (hosting, storage, monitoring)
  • Communication providers (email/SMS) where configured
  • Payment gateways / banking partners (customer-authorized flows)
  • KYC providers / DigiLocker-like integrations (if enabled by customer)
  • Professional advisors and auditors under confidentiality
  • Authorities where legally required

Transparency: A current sub-processor list is available upon request.

11. Security incident response & notification

We maintain incident response procedures including triage, containment, and recovery. When required, we coordinate with customers to support investigation and lawful notifications.

🚨 Severity levels

Classify incidents to drive response priority.

🧑‍💻 Forensic support

Preserve logs, trace actions, and support review.

📣 Customer comms

Notification timelines can be defined in the DPA/contract.

12. Data Processing Agreement (DPA)

Enterprise customers may request a Data Processing Agreement (DPA). A DPA typically covers processing instructions, confidentiality, sub-processor controls, audit rights, incident notification, and data return/deletion at termination.

To request a DPA: email privacy@naysainfotechindia.com.

13. Data retention & deletion

We retain data as needed to provide services, meet contractual obligations, and comply with applicable legal requirements. Retention periods vary by module, workflow, and customer configuration.

Secure deletion principles

  • Access-controlled deletion workflows
  • Backup lifecycle policies
  • Data export and handover options (subject to contract)

14. User rights & requests

Depending on your relationship with Naysa (customer admin, end-user, visitor) and applicable laws, you may request access, correction, deletion (where applicable), or other actions.

🧑‍💼 Customer admins

Most requests should be routed via your organization’s admin/controller.

👤 End users

Contact your service provider (the customer/white-label brand) first.

If you need assistance, email grievance@naysainfotechindia.com. We aim to respond within 30 days.

15. Cookies & tracking

We use cookies and similar technologies primarily for essential site functionality and (where enabled) basic analytics. You can manage cookie preferences using the cookie banner controls.

🍪 Essential

Session, security, preferences.

📊 Analytics

Aggregate insights to improve the site.

🧩 Controls

Consent banner and preference storage.

16. Enterprise annexures

RFP-ready appendices for audits.

17. FAQs

Quick answers for enterprise procurement and audits.

18. Contact & grievance officer

For privacy queries, requests, or grievances, contact:

Children’s privacy

Our services are intended for business use and are not directed to children. We do not knowingly collect information from children.

Policy updates

We may update this policy periodically. The “Last updated” date reflects the latest revision. Continued use indicates acceptance of updates, as applicable.
