This Privacy Policy explains how Prakhar Bhaarat Enterprises ("PBE," "we," "us"), operating through its development arm Prakhar Bhaarat Tech Studio ("PBTS"), collects, uses, stores, and protects information through the AgencySync platform (the "Portal") and the public-facing AgencySync website at this domain (the "Website"). By using the Website or Portal, you agree to the practices described herein.
1. Who We Are
AgencySync is developed by Prakhar Bhaarat Tech Studio (PBTS), under the entity Prakhar Bhaarat Enterprises (PBE), registered in India. For the purposes of applicable data protection law, PBE is the Data Controller for data collected through the Website (waitlist, contact forms) and the Data Processor for agency and client data entered into the Portal by our customers.
2. Information We Collect
2.1 Website Visitors (No Account Required)
When you visit the public Website, we may collect:
- Waitlist Signup: Your email address, submitted voluntarily through the early-access form. Stored in our
waitlisttable with a unique constraint to prevent duplicates. - Contact Form: Your name, email address, and message text (max 5,000 characters). Stored in our
contact_messagestable. - Exchange Purchases: If you purchase services on the AgencySync Exchange without an account, we collect your email address (via Razorpay), the listing(s) purchased, payment amount, and Razorpay Payment ID. We do not collect or store your credit card number, UPI PIN, or bank account details — all payment instrument data is handled exclusively by Razorpay.
2.2 Agency Accounts (Portal Users)
When an agency registers and uses the Portal, we collect and process:
- Account Data: Agency name, owner email address, password (hashed via bcrypt by Supabase Auth — we never store plaintext passwords), and a system-generated UUID.
- Branding & Settings: Agency logo (uploaded to secure storage), primary brand color, appearance configuration (light/dark mode preferences), and domain name.
- Team Member Data: Email addresses, user IDs, and assigned roles (Owner, Admin, Member) of staff invited to the agency.
- Client Records: Client name, email, phone number, GST number (optional), active status, and portal login credentials. These are entered by agency staff, not collected directly from clients by us.
- Financial Data: Invoice numbers, line items (description, quantity, rate), amounts in INR, due dates, notes, payment status, Razorpay Payment IDs, and Razorpay Payment Link URLs. We do not store card numbers, CVVs, or bank account details.
- Communication Data: Messages exchanged between agency staff and clients via the built-in real-time chat. Messages include text content, sender type (agency/client), sender ID, and read-receipt timestamps.
- AI-Generated Data: Client health scores (Green/Yellow/Red sentiment ratings), health reasons, scope creep alerts, AI-generated proposals, and invoice line item suggestions — all generated from conversation data using the agency's own AI provider key.
- Email Configuration: IMAP/SMTP server hostnames, port numbers, and email address. The email password is encrypted with AES-256-CBC before storage and decrypted only at the moment of authentication with the mail server.
- AI Provider Credentials (BYOK): The API key for the agency's chosen AI provider (OpenAI, Anthropic, Google, or OpenRouter) is encrypted with AES-256-CBC before storage. Decrypted only at runtime to process AI requests. We never log, cache, or transmit these keys to any party other than the chosen provider.
- Subscription & Billing: Selected plan (Pro/Pro+/Ultra), billing cycle (monthly/annual), add-on selections, subscription status, and renewal dates.
- Exchange Listings: Service name, description, pricing, live portfolio URL, and uploaded portfolio PDF path — published voluntarily by the agency to the B2B Exchange.
- Client Reports: Uploaded report files and parsed data, with agency-controlled visibility settings (show results, show CSV).
2.3 Client Portal Users
Clients who log in to an agency's branded portal access their own data only. We process:
- Client login credentials (email + password, hashed via Supabase Auth).
- Invoice viewing and payment interactions.
- Chat messages sent to the agency.
- Shared client reports (only those the agency has made visible).
2.4 Information We Do NOT Collect
- Credit card numbers, CVVs, UPI PINs, or bank account details (handled entirely by Razorpay).
- Email message content — the integrated webmail (SnappyMail) accesses your mail server in real-time via IMAP/SMTP. We never copy, index, or store email messages, attachments, or contacts on our infrastructure.
- Biometric data, location data, or device fingerprints.
3. How We Use Your Information
- Service Delivery: To operate the Portal — managing agencies, clients, invoices, chat, analytics, and the Exchange marketplace.
- AI Processing: To provide AI-powered features (health scores, scope creep detection, proposal generation, inline text editing). Data is sent to the AI provider selected and credentialed by the agency (BYOK model). We do not use a shared AI key — each agency's data goes only to the provider they configure.
- Payment Processing: To create Razorpay payment orders, verify payment completion, and record transaction references.
- Communication: To deliver real-time chat messages between agency staff and their clients, and to route admin support messages to the PBTS team.
- Waitlist & Contact: To respond to early-access requests and contact form inquiries.
- Security: To authenticate users, enforce row-level security policies, encrypt sensitive credentials, and prevent unauthorized access.
4. Third-Party Services & Data Sharing
We share data only with the following categories of service providers, and only to the extent necessary to deliver the platform:
4.1 Supabase (Infrastructure Provider)
Supabase hosts our database, authentication system, file storage, and real-time messaging infrastructure. All agency and client data resides in our Supabase project. Supabase acts as a Data Processor under our instructions. Supabase's own privacy policy governs their infrastructure practices.
4.2 Razorpay (Payment Processor)
Razorpay processes all payments on the platform — both agency subscription payments and Exchange marketplace purchases. When a payment is initiated, Razorpay receives the order amount, currency, and receipt ID from our server. The buyer's payment instrument details (card, UPI, net banking) are collected and processed entirely by Razorpay. We receive only a Payment ID and order status in return. Razorpay is PCI-DSS compliant.
4.3 AI Providers (Agency-Configured, BYOK)
When an agency enables AI features, conversation data (chat messages, invoice descriptions) is sent to the AI provider the agency has selected and credentialed:
- OpenAI (gpt-4o-mini) — via
api.openai.com - Anthropic (Claude 3 Haiku) — via
api.anthropic.com - Google Gemini (Gemini 2.5 Flash) — via
generativelanguage.googleapis.com - OpenRouter (Gemini Flash) — via
openrouter.ai
Each agency uses their own API key (BYOK). We do not maintain a shared key. Data sent to AI providers is subject to the respective provider's data processing terms. We recommend agencies review their chosen provider's policies. AI features are entirely opt-in — agencies that do not configure an AI key will not have any data sent to external AI services.
4.4 Google Fonts
The Website loads the Inter typeface from Google Fonts (fonts.googleapis.com). This results in your browser making requests to Google's CDN, which may log IP addresses per Google's privacy policy. No personally identifiable information is transmitted by us.
4.5 SnappyMail (Embedded Webmail)
The integrated webmail client (SnappyMail v2.38.2) runs within the Portal and connects directly to the agency's configured IMAP/SMTP mail server. Email data transits between the browser and the mail server. We do not intercept, store, or index any email content.
4.6 No Sale of Data
We do not sell, rent, or trade personal information to any third party. We do not use your data for advertising, profiling, or cross-platform tracking.
5. Data Security
5.1 Encryption
- Passwords: All user passwords (agency staff and clients) are hashed using bcrypt via Supabase Auth. We never store or have access to plaintext passwords.
- Email Credentials: IMAP/SMTP passwords are encrypted with AES-256-CBC using a unique initialization vector (IV) per encryption operation, before being stored in the database.
- AI API Keys: Encrypted identically to email credentials (AES-256-CBC with per-operation IV). Decrypted only at runtime for API calls.
- Transport: All data in transit is encrypted via HTTPS/TLS. Supabase enforces TLS on all database and API connections.
5.2 Multi-Tenant Data Isolation
AgencySync is a multi-tenant platform. Data isolation between agencies is enforced at the database level using PostgreSQL Row-Level Security (RLS) policies. Every table containing agency or client data includes RLS policies that restrict access based on the authenticated user's agency membership. This means:
- Agency A cannot access Agency B's clients, invoices, messages, or settings — even if they manipulate API requests.
- Clients can only access their own invoices, messages, and reports within their assigned agency.
- File storage (logos, PDFs) is partitioned by agency ID with storage-level RLS policies.
5.3 Session Management
User sessions are authenticated via JWT tokens issued by Supabase Auth, stored server-side in PHP sessions (not in browser cookies or localStorage). Tokens have a configurable expiration and are automatically refreshed. Sessions expire after 24 hours of inactivity.
6. Data Retention
- Active Accounts: All data is retained for the duration of the agency's active subscription.
- Trial Expiry: When a free trial expires, the agency's data is preserved but access is blocked until the agency upgrades to a paid plan.
- Waitlist & Contact Data: Retained until you request deletion or until we determine the data is no longer needed for its original purpose.
- Exchange Orders: Transaction records (buyer email, payment ID, amount) are retained for financial audit and legal compliance purposes.
- Chat Messages: Retained for the duration of the agency's active subscription. Messages are not automatically purged.
7. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your personal data, subject to legal retention obligations.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing of your data for specific purposes.
- Withdrawal of Consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at the address provided in Section 11.
8. Cookies & Local Storage
- Session Cookies: We use PHP session cookies (httpOnly) to maintain your authenticated session. These are strictly necessary and cannot be opted out of while using the Portal.
- Theme Preferences: A
themecookie stores your light/dark mode preference. Asm_themecookie syncs your theme to the webmail client. - Exchange Cart: The shopping cart on the Exchange marketplace is stored in your browser's
localStorage(key:agencysync_cart). This data remains on your device and is never transmitted to our server until checkout. - No Tracking Cookies: We do not use advertising cookies, analytics trackers, or third-party tracking pixels on the Website or Portal.
9. Children's Privacy
AgencySync is a B2B platform designed for professional agency use. We do not knowingly collect data from individuals under the age of 18. If you believe a minor has submitted data through our platform, contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the Website or Portal after changes constitutes acceptance of the revised policy.
11. Contact Us
For privacy-related inquiries, data access requests, or complaints:
Prakhar Bhaarat Enterprises (PBE)
Development: Prakhar Bhaarat Tech Studio (PBTS)
Email: Contact Form
Website: agencysync.in