Privacy Policy
Effective Date: March 2026
Last Updated: March 2026
SoneaLabs ("we," "us," "our") operates the Tijara platform ("Platform," "Service") accessible at usetijara.com and related mobile-optimized web interfaces. SoneaLabs is an independently operated brand based in Mumbai, India.
This Privacy Policy describes how we collect, use, store, share, and protect your personal data when you access or use our Service.
We are committed to protecting your privacy in accordance with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 of India, and we additionally respect the data protection expectations of users in the United Arab Emirates under Federal Decree-Law No. 45 of 2021 ("UAE PDPL") and other applicable laws in jurisdictions where our users operate.
By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
The data controller responsible for your personal data is:
SoneaLabs
Operated from Mumbai, Maharashtra, India
Email: harsh@sonealabs.com
Website: usetijara.com
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at the email address above.
2. Personal Data We Collect
2.1 Account Data
When you register for the Platform, we collect:
- Full name
- Email address
- Phone number
- WhatsApp number (if provided)
- Password (stored as a salted hash — we never store plaintext passwords)
- Organization name and details
- Role within your organization
2.2 Organizational and Trade Data
When you use the Platform, you and your team create and manage:
- Deal records (counterparties, line items, costs, margins, statuses)
- Contact records (company names, contact persons, addresses, phone numbers, email addresses)
- Financial records (invoices, payments, exchange rates, amounts, bank references)
- Document uploads (bills of lading, certificates, invoices, contracts)
- Letter of Credit records (amounts, charges, amendments, discrepancies)
- CEPA eligibility checks and certificate records
- Container and shipment tracking data
2.3 Financial and Banking Data
The Platform allows you to store banking details for contacts (bank name, account number, IBAN, SWIFT/BIC). This data is encrypted at rest using AES-256 encryption with per-record initialization vectors. We do not use banking data for any purpose other than displaying it to authorized users within your organization.
2.4 Payment and Billing Data
When you subscribe to a paid plan, payment processing is handled entirely by our third-party billing provider, Lemon Squeezy (operated by Lemon Squeezy LLC). We do not collect, store, or process your credit card number, debit card number, or other payment instrument details. We receive and store only:
- Subscription status and plan details
- Billing cycle dates
- Transaction identifiers
- Invoice history from the billing provider
2.5 Technical and Usage Data
When you access the Platform, we automatically collect:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Time and date of access
- Referring URL
- Session duration and interaction patterns
2.6 Communication Data
When you contact us via email or WhatsApp for support, we retain the content of those communications to resolve your inquiry and improve our Service.
3. How We Use Your Data
We process your personal data for the following purposes:
3.1 Service Delivery
- Providing and maintaining the Platform and its features
- Creating and managing your account and organization
- Processing and displaying your trade, financial, and operational data
- Generating invoices, reports, and analytics
- Sending transactional communications (account verification, password resets, subscription confirmations)
Legal basis: Performance of our contract with you (Terms of Service).
3.2 Platform Improvement
- Analyzing usage patterns to improve features and user experience
- Identifying and fixing bugs, errors, and performance issues
- Developing new features based on aggregate usage data
Legal basis: Legitimate interest in improving our Service.
3.3 Communication
- Responding to support inquiries
- Sending service-related announcements (maintenance windows, feature updates, security alerts)
- Sending product updates and tips (you may opt out at any time)
Legal basis: Legitimate interest and, for marketing communications, your consent.
3.4 Security and Compliance
- Detecting, preventing, and investigating fraud, abuse, and security incidents
- Maintaining audit logs for data integrity and compliance
- Enforcing our Terms of Service
Legal basis: Legitimate interest in protecting the Platform and compliance with legal obligations.
3.5 Billing and Subscription Management
- Managing your subscription, plan limits, and billing status
- Processing upgrades, downgrades, and cancellations
Legal basis: Performance of our contract with you.
4. Data Sharing and Third-Party Processors
We do not sell, rent, or trade your personal data. We share personal data only with the following categories of third-party processors, and only to the extent necessary for the stated purposes:
4.1 Infrastructure and Hosting
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (via AWS) | Database hosting, authentication, file storage | All platform data | AWS cloud regions |
| Vercel | Application hosting, edge delivery | Request metadata, IP addresses | Global edge network |
4.2 Analytics
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| PostHog | Product analytics, session replay | Usage events, device info, IP (anonymizable) | EU/US cloud |
| Google Analytics | Website traffic analysis | Page views, device info, IP (anonymized) | Google Cloud |
| Vercel Analytics | Performance monitoring | Page load metrics, device info | Vercel infrastructure |
4.3 Communications
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Resend / Loops | Transactional and product emails | Email address, name | US cloud |
| WhatsApp Business API (Meta) | Invoice delivery, payment reminders, digest notifications | Phone number, message content | Meta infrastructure |
4.4 Billing
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Lemon Squeezy | Subscription billing, payment processing | Email, name, payment instrument (processed by Lemon Squeezy, not us) | US |
4.5 Legal and Regulatory Disclosure
We may disclose personal data if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a governmental request.
5. International Data Transfers
Our Platform serves users primarily in the GCC region, India, and Pakistan. Your data may be processed in jurisdictions outside your country of residence, including the United States and the European Union, through our third-party processors listed above. Where personal data is transferred across borders, we ensure that appropriate safeguards are in place, including:
- Contractual obligations on processors to protect your data
- Reliance on processors who maintain industry-standard security certifications (SOC 2, ISO 27001)
- Ensuring that the receiving jurisdiction provides an adequate level of data protection, or that appropriate contractual safeguards are in place
6. Data Security
We implement technical and organizational measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption at rest: Sensitive financial data (bank details) is encrypted using AES-256 with per-record initialization vectors and key identifiers.
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Authentication: User authentication is managed via Supabase Auth with secure session tokens. Passwords are salted and hashed using bcrypt.
- Row-Level Security: Database-level access controls ensure that users can only access data belonging to their organization.
- Role-Based Access Control: Organizational data access is restricted based on user roles (owner, admin, member, viewer).
- Audit Logging: Critical operations (deal creation, payment recording, status changes) are logged with timestamps and user identifiers.
While we strive to protect your data, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you the Service. Specifically:
- Account data: Retained while your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except as required by law or for legitimate business purposes (such as fraud prevention or dispute resolution).
- Organizational and trade data: Retained while your organization account is active. The organization owner may request deletion of all organizational data.
- Billing records: Retained for a minimum of 5 years from the date of the transaction, as required for tax and financial compliance.
- Analytics data: Usage analytics are retained in aggregate form. Individual session data is retained for up to 12 months.
- Communication records: Support communications are retained for up to 24 months.
- Backup data: Automated database backups are retained for up to 30 days and are then permanently deleted.
8. Cookies and Tracking Technologies
8.1 What We Use
The Platform uses cookies and similar technologies for the following purposes:
| Type | Purpose | Duration |
|---|---|---|
| Essential cookies | Authentication, session management, security | Session / 30 days |
| Analytics cookies | PostHog event tracking, Google Analytics | Up to 12 months |
| Performance cookies | Vercel performance metrics | Session |
| Preference cookies | Language selection, theme preference | 12 months |
8.2 Your Choices
Most web browsers allow you to control cookies through their settings. You may disable non-essential cookies; however, doing so may impair certain Platform functionality. We do not use cookies for third-party advertising.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Request your data in a structured, commonly used, machine-readable format.
- Right to object: Object to our processing of your personal data for specific purposes.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time.
To exercise any of these rights, contact us at harsh@sonealabs.com. We will respond to your request within 30 days.
If you are located in the UAE, your rights under the UAE PDPL are additionally respected, including the right to be informed of the legal basis for data processing and the right to lodge complaints with the UAE Data Office.
If you are located in India, your rights under the Information Technology Act, 2000 and its associated rules are respected.
10. Children's Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email and/or by posting a prominent notice on the Platform at least 14 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
SoneaLabs
Operated from Mumbai, Maharashtra, India
Email: harsh@sonealabs.com
Website: usetijara.com