Privacy Policy
How Procupy collects, uses, shares, and protects your personal data — written to be clear and aligned with India's DPDP Act.
Effective date: 16 June 2026
This Privacy Policy explains how Procupy ("Procupy", "we", "us", or "our") collects, uses, discloses, and safeguards personal data when you use our website, web application, vendor portal, and mobile app (together, the "Services"). We've written it to be aligned with India's Digital Personal Data Protection Act, 2023 (the "DPDP Act"). By using the Services, you agree to the practices described here.
Plain-language summary
We collect the data we need to run your procurement workflows — account details, the content you create (like RFQs, auctions, POs, and invoices), and basic usage and device data. We don't sell your personal data. You can access, correct, or delete your data by writing to hello@procupy.com.
Who we are
Procupy provides an India-first procurement platform for reverse auctions, vendor management, and procure-to-pay. For data you submit into the platform as part of your organisation's account (your "workspace content"), your organisation is the data fiduciary and Procupy acts as a data processor on its behalf. For data we collect directly — for example, when you visit our marketing site or contact us — Procupy is the data fiduciary.
Data we collect
We collect the following categories of data, and only what we need to deliver the Services:
- Account & profile data — name, work email, organisation, role, and authentication data such as hashed passwords and two-factor settings.
- Workspace content — the procurement data you create or upload: requisitions, RFQs, auctions and bids, vendors, contracts, purchase orders, goods receipt notes, invoices, and related documents.
- Vendor data — when you onboard vendors (including via quick-join), we process the contact and business details needed to invite them and run sourcing events.
- Usage & log data — pages and features used, actions taken, timestamps, and audit-trail events, used to operate, secure, and improve the Services.
- Device & technical data — IP address, browser or app version, and device identifiers (for the mobile app, used to deliver push notifications).
- Communications — messages you send us by email, the contact form, or during a demo, and our replies.
- Payment-related data — billing contact and plan details. We do not store full card numbers; any card processing is handled by our payment processor.
How we use your data
We process personal data for these purposes, each with a lawful basis under the DPDP Act (your consent, or the performance of our agreement with you and certain legitimate uses):
- Provide the Services — authenticate you, run your workflows, and deliver the features you ask for.
- Security & integrity — detect and prevent fraud, abuse, and unauthorised access, and maintain audit trails.
- Support & communication — respond to your queries and send essential service notices.
- Improvement & analytics — understand how the Services are used so we can make them better; where feasible we use aggregated or de-identified data.
- Legal & compliance — meet our legal obligations and enforce our Terms of Service.
- Marketing — send product updates or offers where you've opted in; you can unsubscribe at any time.
Cookies and similar technologies
We use a small number of cookies and similar technologies. Strictly necessary cookies keep you signed in and protect against cross-site request forgery — for example, the HttpOnly session and refresh cookies described on our security page. We may also use privacy-respecting analytics to understand site usage. We do not use cookies to sell your data. You can control non-essential cookies through your browser settings; disabling strictly necessary cookies may break sign-in.
How we share data
We do not sell your personal data. We share it only in these limited cases:
- Within your organisation — workspace content is visible to authorised users in your organisation according to their roles and permissions.
- With vendors you invite — the information needed to run a sourcing event is shared with the vendors your organisation invites.
- Service providers (sub-processors) — vetted providers who host our infrastructure, send email or push notifications, process payments, or provide analytics, all under contractual confidentiality and data-protection obligations.
- Legal reasons — when required by law, regulation, or valid legal process, or to protect rights, safety, and the integrity of the Services.
- Business transfers — if Procupy is involved in a merger, acquisition, or asset sale, data may transfer as part of that transaction, subject to this policy.
We can provide prospective Enterprise customers with our current list of sub-processors and hosting details during diligence.
Data retention
We keep personal data only as long as needed to provide the Services and for the legitimate or legal purposes described above. Workspace content is retained for the life of your organisation's account; after termination we retain it for a limited wind-down period to allow export, then delete or anonymise it, subject to any legal retention requirements (for example, tax and invoicing records). You can request earlier deletion as described below.
How we protect your data
We apply technical and organisational safeguards including multi-tenant data isolation, encryption in transit (TLS), role-based access control, two-factor authentication, scoped API keys, and audit logging. Read more on our security page. No method of transmission or storage is perfectly secure, but we work hard to protect your data and to notify affected parties and authorities of any personal-data breach as required by law.
Your rights
Subject to the DPDP Act and other applicable law, you have the right to:
- Access — request a summary of the personal data we process about you.
- Correction & updating — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your personal data where it's no longer needed and no legal basis requires us to keep it.
- Withdraw consent — withdraw consent at any time where processing is based on consent.
- Grievance redressal — raise a complaint with our grievance contact, and, if unresolved, with the Data Protection Board of India.
- Nominate — nominate another individual to exercise your rights in the event of death or incapacity, as provided under the DPDP Act.
If your data is part of an organisation's workspace, we may direct certain requests to that organisation (the data fiduciary) and support them in responding.
Children's data
The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we'll delete it.
International transfers
We may process and store data on infrastructure that, depending on configuration, is located in or outside India. Where data is transferred across borders, we do so consistent with applicable law and under appropriate safeguards. Enterprise customers can discuss data-residency options with us.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we'll update the effective date above and, where appropriate, notify you. Your continued use of the Services after an update means you accept the revised policy.
Grievance officer & contact
For any privacy question, request, or grievance — including to exercise your rights — contact our grievance contact at hello@procupy.com. We aim to acknowledge requests promptly and respond within the timelines required by applicable law. You can also reach us via our contact page.