Legal

Privacy Policy

Last updated: 2026-06-22

This is a template pending legal review. It is provided for general informational purposes and should be reviewed by qualified legal counsel before being relied upon.

This Privacy Policy explains how Pravaha Infinity Private Limited (“Pravaha”, “we”, “us”, “our”), the operator of API Sathi (the “Service”), collects, uses, discloses and safeguards personal data. We act as a Data Fiduciary in respect of our own account and billing data, and as a Data Processor in respect of verification inputs you submit on behalf of the individuals (“Data Principals”) whose data you process. This Policy is aligned with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and applicable Information Technology Rules.

1. Data We Collect

  • Account data: name, business/legal name, email, phone, password hash, role, and organisation details you provide on signup.
  • KYC and business-verification inputs: identifiers such as PAN and GSTIN that you submit to verify your own business, and verification inputs (for example, a PAN, Aadhaar reference, bank account, or document image) that you submit through our APIs to be verified. These verification inputs are processed transiently to fulfil the call and are passed to the relevant upstream provider.
  • Usage and technical logs: API call metadata (timestamps, product, vendor used, latency, status, sale and cost amounts, request/response sizes), IP address, and user agent, used for billing, security and analytics.
  • Payment metadata: we process recharges through Razorpay. We receive payment metadata (order/payment identifiers, status, GST details). We do not collect or store full card numbers; card data is handled by Razorpay as a PCI-DSS compliant payment processor.

2. Purpose of Processing

We process personal data to: provide and operate the Service; authenticate API keys and authorise charges; route calls to upstream providers and return normalized results; maintain the wallet ledger and generate GST-compliant invoices; detect and prevent fraud, abuse and security incidents; comply with legal, tax and regulatory obligations; and improve and support the Service. We process verification inputs only to fulfil the specific call you initiate.

3. Verification Inputs and Upstream Providers

Verification inputs you submit are processed transiently to fulfil the requested call and are passed to the relevant upstream verification provider who performs the lookup against the applicable source or registry. We retain call metadata and may retain redacted records for billing, audit and dispute resolution, but we do not use verification inputs for any purpose other than fulfilling your call. You are responsible, as the Data Fiduciary for the individuals whose data you submit, for obtaining the consent and lawful basis required under the DPDP Act.

4. No Selling of Data

We do not sell personal data. We disclose data only to: upstream verification providers (to fulfil your calls), our payment processor (Razorpay), service providers acting under contract on our behalf (such as hosting and communications), and authorities where required by law.

5. Data Retention

We retain account and billing data for as long as your account is active and thereafter as required to comply with tax, accounting and legal obligations (typically up to eight years for invoice and financial records under Indian law). Per-call telemetry is retained for a limited operational window (currently up to 180 days) for analytics and dispute resolution, after which it is deleted or aggregated. Verification inputs are not retained beyond what is necessary to fulfil the call and resolve disputes.

6. Your Rights

Subject to the DPDP Act and applicable law, Data Principals have the right to: access a summary of their personal data and the processing activities; seek correction, completion or updating of inaccurate data; seek erasure of data no longer necessary; nominate another individual to exercise rights in the event of death or incapacity; and raise a grievance. To exercise these rights, contact our Grievance Officer below. Where you submitted an individual’s data to us as a Data Fiduciary, requests from that individual may be directed to you, and we will assist you as a processor.

7. Security Measures

We implement reasonable technical and organisational security measures, including encryption in transit (TLS), hashing of credentials and API keys (argon2id), least- privilege access controls, secrets stored in a managed vault rather than in plaintext, network segmentation, audit logging, and monitoring. No method of transmission or storage is fully secure; we cannot guarantee absolute security, but we will notify affected persons and the Data Protection Board as required by law in the event of a personal-data breach.

8. Children’s Data

The Service is intended for businesses and is not directed at children. We do not knowingly process the personal data of children except where lawfully submitted by you with verifiable consent of a parent or lawful guardian, and never for tracking, behavioural monitoring or targeted advertising.

9. Grievance Officer

In accordance with the DPDP Act and the Information Technology (Intermediary Guidelines) Rules, the contact details of our Grievance Officer are:

Grievance Officer

Name: [To be appointed]

Email: grievance@apisathi.in

Pravaha Infinity Private Limited, Jaipur, Rajasthan, India

We will acknowledge grievances promptly and endeavour to resolve them within the timelines prescribed by applicable law.

10. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified through the Service or by email. The “Last updated” date above reflects the latest revision.

11. Contact

For privacy questions, write to grievance@apisathi.in or see our Contact & Grievance page.