Privacy Policy
Last updated: 2026-04-30. This is a template — replace with lawyer-reviewed copy before launch.
1. Who we are
Sillro is operated by Palcron (palcronai@gmail.com). For privacy questions, write to the email above. We act as the Data Fiduciary (DPDPA, India) / Data Controller (GDPR, EU) for the data described below.
2. Data we collect
- Account data: email, name, hashed password, role.
- Tenant data: company name, GSTIN, address, branding.
- Operational data: opportunities, designs, BOMs, orders, invoices — what you create using Sillro.
- Usage data: page views, feature events, error reports (PostHog + Sentry; see Sub-processors).
- Customer data you upload (your end-customer's name, phone, address). You are the Data Fiduciary for this; we are the Data Processor.
3. How we use it
- To operate the service.
- To send service emails (no marketing emails without opt-in).
- To improve the product (aggregated, de-identified usage).
4. Retention
We keep your data for as long as your account is active. After you close your account, we hold a 30-day grace period for accidental closure, then permanently delete. Audit log entries are retained for the life of the service and for at least 7 years (statutory requirement for India tax records); automated purging of older audit entries is not yet implemented.
5. Your rights
- Access:Download a JSON export of all your data via Settings → Data & privacy → Download my data (workspace owner only).
- Erasure:Delete your account via Settings → Data & privacy → Delete account. Subject to the 30-day grace window, during which the owner can cancel.
- Correction: Edit any field via the relevant page in the app, or contact us.
- Portability: The JSON export is machine-readable.
6. Sub-processors
We use the following sub-processors. Each holds an executed DPA.
- Vercel — hosting (United States, EU edge locations).
- Supabase — Postgres database, file storage (Singapore region for India tenants by default).
- Sentry — error monitoring (US/EU); PII-redacting beforeSend hook configured.
- PostHog — product analytics (EU instance).
- Razorpay — payment processing (India).
7. Security
Encryption at rest (Supabase default), TLS 1.3 in transit, bcrypt-hashed passwords with mandatory ≥32-char JWT_SECRET in production, multi-tenant isolation via Prisma proxy + Postgres Row-Level Security, audit log for every mutating action, daily backups with point-in-time recovery.
8. Contact
palcronai@gmail.com