Privacy Policy
Your privacy matters. This policy explains how we collect, use, and protect your information.
Last updated: January 29, 2026
Serrét Pty Ltd ("Serrét", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at serret.io and app.serret.io (the "Service").
We comply with the Australian Privacy Act 1988, the Australian Privacy Principles (APPs), and the European General Data Protection Regulation (GDPR) where applicable.
1. Information We Collect
We collect information you provide directly to us, including:
• Account Information: Name, email address, company name, and password when you create an account.
• Usage Data: Information about how you use Serrét, including features accessed, actions taken, and time spent.
• Customer Data: Information you input into the platform, such as customer records, sales data, and notes.
• Communication Data: Information you provide when contacting support or participating in surveys.
• Payment Information: Billing details processed securely through Stripe. We do not store full credit card numbers.
2. How We Use Your Information
We use the information we collect to:
• Provide, maintain, and improve Serrét services
• Process transactions and send related information
• Send technical notices, updates, and security alerts
• Respond to your comments, questions, and support requests
• Analyze usage patterns to improve user experience
• Detect, investigate, and prevent fraudulent transactions and abuse
• Comply with legal obligations
3. Data Storage and Security
Your data is stored securely using industry-standard practices:
• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Infrastructure: We use Supabase and AWS infrastructure with SOC 2 compliance
• Access Controls: Strict role-based access controls limit who can access your data
• Backups: Regular automated backups with secure off-site storage
• Monitoring: 24/7 security monitoring and incident response procedures
Your data is primarily stored in India (Mumbai region) with redundancy across secure data centers.
4. Data Sharing
We do not sell your personal information. We may share data with:
• Service Providers: Trusted partners who help us operate our services (Stripe for payments, Resend for email, Supabase for infrastructure)
• Legal Requirements: When required by law, court order, or government request
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• With Your Consent: When you explicitly agree to share data with third parties
All service providers are contractually bound to protect your data and use it only for specified purposes.
5. Your Rights
You have the right to:
• Access: Request a copy of all personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data ("right to be forgotten")
• Portability: Export your data in a machine-readable format
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise these rights, contact us at privacy@serret.io or use the Data Hub in your account settings.
6. GDPR Compliance
For users in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR):
• Legal Basis: We process data based on contractual necessity, legitimate interests, or consent
• Data Protection Officer: Contact our DPO at dpo@serret.io
• Supervisory Authority: You have the right to lodge a complaint with your local data protection authority
• International Transfers: Data transferred outside the EEA uses approved mechanisms (Standard Contractual Clauses)
7. Australian Privacy Act Compliance
For Australian users, we comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs):
• We only collect personal information that is reasonably necessary
• We maintain the security of personal information
• We allow access to and correction of personal information
• We do not disclose personal information overseas without appropriate protections
• You can make a privacy complaint to the Office of the Australian Information Commissioner (OAIC)
8. Cookies and Tracking
We use cookies and similar technologies to:
• Essential Cookies: Enable core functionality (authentication, security)
• Analytics Cookies: Understand how you use Serrét (PostHog)
• Preference Cookies: Remember your settings and preferences
You can control cookies through your browser settings. Disabling essential cookies may affect functionality.
9. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Specifically:
• Account Data: Retained until account deletion, then 30 days for recovery
• Usage Logs: Retained for 90 days for security and debugging
• Backups: Retained for 30 days after deletion
• Legal Holds: May be retained longer if required by law
After deletion, data is securely erased from all systems within 90 days.
10. Children's Privacy
Serrét is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
• Posting the new policy on this page
• Updating the "Last updated" date
• Sending email notification for material changes
Your continued use of Serrét after changes constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions or to exercise your rights, contact us:
Serrét Pty Ltd
Email: privacy@serret.io
DPO: dpo@serret.io
For general inquiries: hello@serret.io