Privacy Policy
How OneFinOps collects, uses, stores and protects personal data, and the rights you have under the Digital Personal Data Protection Act, 2023 and the GDPR.
Last updated:
This Privacy Policy explains how VentureSpin Private Limited (CIN: U62099TS2025PTC205120; registered office: B-209, 2nd Floor, The Platina, Kondapur Road, Gachibowli, Hyderabad, Telangana, India - 500032), referred to as “VentureSpin”, “we”, “us” or “our”, processes personal data in connection with the OneFinOps platform (the “Service”) and the onefinops.com marketing website (the “Site”). VentureSpin is the operator of OneFinOps.
We process personal data lawfully, fairly and transparently in compliance with the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), the Information Technology Act, 2000 and, where applicable, the EU General Data Protection Regulation (the “GDPR”). For Customer accounts, VentureSpin acts as a Data Processor under the DPDP Act (or Processor under the GDPR); the Customer is the Data Fiduciary (or Controller). For visitors to the Site and prospective customers, VentureSpin acts as the Data Fiduciary.
1. Definitions
In this Policy, the following capitalised words have the meanings below. Capitalised terms not defined here have the meanings given in the Terms of Service and the Data Processing Addendum.
- “Customer” means a paying customer of the Service, identified in an Order Form, sign-up flow or account record.
- “Customer Personal Data” means Personal Data that VentureSpin processes on behalf of a Customer in connection with the Service, in its role as Data Processor.
- “Data Fiduciary” has the meaning given in the DPDP Act and corresponds to “Controller” under the GDPR.
- “Data Principal” has the meaning given in the DPDP Act and corresponds to “Data Subject” under the GDPR.
- “Data Processor” has the meaning given in the DPDP Act and corresponds to “Processor” under the GDPR.
- “Data Protection Board” means the Data Protection Board of India established under the DPDP Act.
- “DPDP Act” means the Digital Personal Data Protection Act, 2023, as amended.
- “GDPR” means the EU General Data Protection Regulation (Regulation (EU) 2016/679).
- “OneFinOps” means the financial operations platform operated by VentureSpin and offered as the Service.
- “Personal Data” means information that relates to an identified or identifiable natural person, as defined in the DPDP Act and (where applicable) the GDPR.
- “Service” means the OneFinOps cloud-based financial operations platform.
- “Site” means onefinops.com and its subdomains.
- “Sub-processor” means a third party engaged by VentureSpin to process Personal Data in connection with the Service.
- “VentureSpin” means VentureSpin Private Limited (CIN: U62099TS2025PTC205120), referred to as “we”, “us” or “our”.
2. Information we collect
Information you provide directly:
- Account information: name, work email, work phone number, employer name, GSTIN, PAN, designation.
- Communications: messages you send to us through chat, email, support tickets, sales calls, demo requests, webinar registrations.
- Marketing preferences: newsletter subscriptions and content preferences.
Information collected automatically when you use the Service or Site:
- Device and connection data: IP address, user-agent, operating system, browser, language preference.
- Usage data: pages viewed, features used, clickstream, time spent, session identifiers.
- Cookies and similar technologies: see our Cookie Policy for the full list.
- Audit-trail data: user actions inside the Service (logins, edits, approvals, filings) for security, debugging and compliance evidence.
Information you authorise us to collect from third-party systems:
- ERP and accounting integrations: invoice data, vendor masters, ledgers, GST data (Tally, Zoho Books, SAP, NetSuite, QuickBooks and similar).
- Government portals: GSTN, Income Tax e-filing, MCA21, TRACES, e-Way Bill, through your authorised credentials or APIs.
- Payment and KYC providers: for billing and merchant onboarding.
Information we receive from third parties:
- Resellers, system integrators or partners who refer you to us.
- Public sources (LinkedIn, MCA, GST portal) for prospect research.
3. How we use information
We use Personal Data to:
- Provide the Service: account creation, authentication, processing returns and reconciliations, generating filings, syncing with ERP and government systems, sending reminders, providing support.
- Operate the Service securely: preventing abuse, detecting fraud, monitoring uptime, maintaining audit trails, responding to security incidents.
- Improve the Service: analytics on feature usage, debugging, training internal models on aggregated and de-identified data.
- Communicate with you: service announcements, security notifications, billing notices, invoices, ticket updates. These are operational messages and cannot be opted out of while you have an active account.
- Marketing: newsletters, product updates, event invitations and sales outreach. You can opt out of marketing email at any time using the unsubscribe link or by emailing privacy@onefinops.com.
- Comply with law: responding to lawful requests from regulators, courts and law-enforcement authorities; tax filings; record-keeping; sanctions screening.
Lawful bases under the DPDP Act and GDPR include consent (for marketing), performance of a contract (for the Service), compliance with legal obligations, and legitimate interests (for security, fraud prevention and business operations), balanced against your privacy rights.
4. How we share information
We do not sell Personal Data. We share it only with:
- Sub-processors: vendors that process data on our behalf to deliver the Service (cloud infrastructure, email delivery, analytics, error monitoring, customer-support tooling, billing). A current list is available at /legal/sub-processors on request.
- Customer-authorised recipients: when you instruct us to push or pull data to or from a third-party system through an integration you have configured.
- Professional advisors: accountants, auditors, lawyers, insurers, bound by confidentiality.
- Acquirers: in connection with a merger, acquisition, financing or sale of all or substantially all of our assets, subject to standard confidentiality protections.
- Authorities: when required by law, regulation, court order or to protect rights, property or safety. We will challenge requests we believe to be overbroad or unlawful and, where legally permitted, notify the affected Customer in advance.
5. International transfers
Customer Data is hosted on infrastructure located in India. Some Sub-processors may process limited operational data (telemetry, error logs, support tickets) outside India. Where Personal Data leaves India or the EEA, we rely on transfer mechanisms that are valid under applicable law, including, where required, standard contractual clauses, supplementary measures and customer-specific transfer impact assessments.
6. Data retention
We keep Personal Data only as long as necessary for the purposes for which it was collected:
- Account and Customer Data: for the duration of your subscription, plus 30 days for export, after which production data is deleted; backup copies are purged on a rolling 90-day cycle.
- Audit logs: minimum 12 months, longer where required by law (e.g., the Income-tax Act and GST law mandate up to 8 years for certain records).
- Marketing data: until you unsubscribe or after 24 months of inactivity, whichever is earlier.
- Support tickets and call recordings: 24 months from closure.
We may retain anonymised, aggregated data indefinitely for analytics and service-improvement purposes.
7. Security
We implement administrative, technical and organisational measures designed to protect Personal Data, including encryption in transit and at rest, role-based access control, multi-factor authentication for privileged access, vulnerability management, monitoring and logging, vendor risk assessment, and an incident-response programme. See our Security Policy for details. No system can be guaranteed perfectly secure; we will notify affected Customers and the Data Protection Board promptly when notification is required.
8. Your rights
Under the DPDP Act, every Data Principal has the right to:
- Access and correct their Personal Data.
- Erase Personal Data that we no longer need.
- Withdraw consent where processing is based on consent.
- Nominate another individual to exercise rights on their behalf in case of death or incapacity.
- Lodge a grievance with our Data Protection Officer; if unresolved, escalate to the Data Protection Board.
Under the GDPR, EU/EEA-based Data Principals additionally have rights to portability, restriction of processing, objection (including to direct marketing) and to lodge a complaint with their supervisory authority.
To exercise any of these rights, contact privacy@onefinops.com. We will respond within the timelines required by applicable law (and in any case within 30 days). If you are exercising rights under a Customer’s account, we will route the request to the Customer (the Data Fiduciary), who is responsible for the underlying processing.
9. Children’s data
The Service is not directed to children under 18. We do not knowingly process Personal Data of children. If you become aware that a child has provided us with Personal Data, contact privacy@onefinops.com and we will take reasonable steps to delete it.
10. Cookies and similar technologies
The Site and Service use cookies and similar technologies to authenticate you, remember preferences, analyse usage and (with consent where required) deliver marketing. See our Cookie Policy for the categories used, their purposes and how to manage them.
11. Changes to this Policy
We will update this Policy from time to time. Material changes will be announced by email to the account owner and posted on this page at least 30 days before they take effect, unless required sooner by law or to address a security risk.
12. Contact us
For privacy questions, requests under the DPDP Act or GDPR, or to reach our Data Protection Officer:
- Email: privacy@onefinops.com
- Post: Data Protection Officer, VentureSpin Private Limited, B-209, 2nd Floor, The Platina, Kondapur Road, Gachibowli, Hyderabad, Telangana, India - 500032.
We aim to respond to every privacy request within 7 working days, and to resolve substantive requests within 30 days.
Questions?
Email legal@onefinops.com for legal queries, or privacy@onefinops.com for privacy and data-protection requests.