Public Beta

Data Protection Policy (DPDP)

Effective Date: 20 February 2026 · Version v1.0-2026-02

This Data Protection Policy describes how Plus Ultra Innovation (the "Data Fiduciary"), operating the ProcureOne Ultra platform, processes personal data of natural persons ("Data Principals") in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000.

1. Role

Plus Ultra Innovation is the Data Fiduciary within the meaning of DPDP §2(i). Razorpay, Resend, and our cloud storage provider act as Data Processors under contract.

2. Lawful Processing & Consent

We process personal data only on lawful grounds:

  • Consent (§6): free, specific, informed and unambiguous, captured at registration and at each payment checkout. We store the timestamp, policy version and IP at the moment of consent.
  • Legitimate uses (§7): performance of the procurement contract, compliance with law, employment-related purposes (for Plus Ultra staff), and to provide any subsidy, benefit, service, certificate or licence by the State.

3. Notice Provided at Collection

Before collecting your data, we tell you (a) what data is collected, (b) the purpose, (c) how to withdraw consent, (d) how to lodge a grievance, and (e) how to complain to the Data Protection Board of India.

4. Data Principal Rights (DPDP §11–§14)

  • Right to information about processing — this Policy.
  • Right to access & export — one-click JSON export at /privacy while logged in.
  • Right to correction — via profile page.
  • Right to erasure — type DELETE_MY_ACCOUNT at /privacy; account erased; all JWTs revoked; operational data deleted within 30 days subject to tax / accounting retention.
  • Right to grievance redressal — contact the Grievance Officer below; 7-working-day SLA.
  • Right to nominate a person to exercise rights on death / incapacity.

5. Children & Persons with Disabilities (§9)

We do not knowingly collect data of children below 18. Our platform is intended for businesses and adult representatives only. If we discover such data has been collected, it is erased immediately.

6. Reasonable Security Safeguards (§8)

  • bcrypt password hashing; JWT with server-side revocation on logout / reset / delete.
  • HMAC-SHA256 webhook signature verification with 5-minute replay window.
  • Role-based access control + horizontal-IDOR mitigation on tender reads.
  • Upload MIME + extension whitelist (blocks executable types).
  • Append-only audit_logs capturing payment lifecycle, auth events, DPDP requests.
  • Encryption-at-rest on the database and object storage.
  • Quarterly internal security review; annual third-party penetration test (post-launch).

7. Personal Data Breach Notification (§8(6))

If a personal-data breach occurs, we will notify the Data Protection Board of India and affected Data Principals "in such form and manner as may be prescribed", typically within 72 hours of becoming aware, including remedial steps taken.

8. Data Retention

Active account: retained for the life of the account.
Post-erasure: operational data deleted within 30 days.
Tax / GST records: retained as required by the Income Tax Act, 1961 (8 years) and the CGST Act, 2017 (6 years).
Audit logs: retained for the longer of (a) 6 years or (b) statutory requirement.

9. Cross-Border Transfers (§16)

Where a Data Processor operates servers outside India, transfers occur only to jurisdictions notified by the Central Government and under contractual safeguards (standard contractual clauses, equivalent-protection commitments).

10. Significant Data Fiduciary Obligations (§10)

If notified by the Central Government as a Significant Data Fiduciary, we will appoint a Data Protection Officer based in India, an independent data auditor, and conduct periodic Data Protection Impact Assessments. Current status: not notified.

11. Grievance Officer (§13)

Amrapali Sawant
Grievance Officer · Plus Ultra Innovation
H. No. 903, Manpada, Near Suresh Kirana Stores, Thane, Maharashtra — 400607
Email: sawant.ds@gmail.com
Response SLA: 7 working days

12. Right to Approach the Data Protection Board of India (§14)

If unsatisfied with our response, you may lodge a complaint with the Data Protection Board of India once it is constituted by the Central Government under §18 of the DPDP Act.

13. Updates

This Policy will be updated when the law, our processing activities, or our processors change. The version and effective date appear at the top of this page. Users will be re-prompted to consent on material changes.


This is launch-ready boilerplate generated for review by qualified legal counsel. For any clarification, write to sawant.ds@gmail.com.

Made with Emergent