Aayu

Privacy notice

Last updated: 2026-05-09 · Compliant with India's DPDP Act 2023.

What we collect

When you use Aayu we collect the data you give us — names, emails, project details, BOQs, IPCs, vendor records, attendance punches, drawings, OCR'd documents — plus operational metadata: IPs, user-agent strings, audit logs, and rate-limit state. We do not collect payment card data; Razorpay handles that on their hosted page.

How we use it

Strictly to provide the service: render dashboards, run approval chains, generate invoices, file e-way bills, send notifications. We don't sell data, we don't train third-party models on your project data, and we don't use it for advertising.

Where it lives

Postgres + S3-compatible object storage, hosted in India. Backups are encrypted at rest. Email goes through your configured SMTP / Resend / SES; we don't process the bodies. Optional integrations (Razorpay, NIC IRN, Tally, GSTN) are documented in /settings/integrations — switching them on shares only what each integration explicitly needs.

Your rights under DPDP

  • Access: any admin can self-serve a tenant export from /settings/privacy.
  • Correction / erasure: admins can edit any record; tenant deletion is a support request.
  • Grievance: write to privacy@aayu.app — we acknowledge in 48h.
  • Withdraw consent: cancel your subscription from /settings/billing; data is retained for 90 days, then hard-deleted.

Sub-processors

Razorpay (billing), NIC e-invoice / e-way (Govt of India), Sentry (errors, optional), the SMTP / transactional email provider you configure, and your chosen S3 provider. We'll publish a sub-processor list under /security when SOC 2 is signed off.

Cookies

First-party only: an Auth.js session cookie + a small UI-preference cookie. No analytics or tracking pixels by default. If your firm enables Web Vitals reporting (off by default in production builds), we send anonymous timing metrics to your configured Sentry DSN — never to us.

Changes

Material changes get a banner across the app and an email to the billing email of record 14 days before they take effect. Older versions live in git history.

Questions? privacy@aayu.app.