Privacy Policy
Last updated: April 3, 2026
1. Introduction & Scope
Westbridge Inc. ("Westbridge," "we," "us," or "our") is the data controller responsible for the personal data processed through Westbridge ERP (the "Service"), our website at westbridgetoday.com, and any related communications, applications, or services we operate.
This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information. It applies to all individuals who visit our website, create an account, subscribe to the Service, or otherwise interact with us. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
This Privacy Policy does not apply to any third-party websites, applications, or services that may be linked from or integrated with the Service. We encourage you to review the privacy practices of any third-party service before providing your personal information.
2. Information We Collect
We collect personal information through three primary channels: directly from you, automatically through your use of the Service, and from third parties.
2a. Information You Provide Directly
- Account Information: When you create an account, we collect your name, email address, company name, job title, phone number, country, and time zone.
- Billing Information: Payment details (such as credit card number, billing address, and VAT identification number) are collected and processed by our payment provider, Paddle. We do not directly store your full payment card details on our servers.
- Customer Data: Any business data you enter, upload, or generate within the Service, including but not limited to invoices, purchase orders, inventory records, employee records, accounting entries, and customer relationship management data (collectively, "Customer Data"). You are the data controller of your Customer Data; we process it on your behalf as a data processor.
- Communications: When you contact our support team, submit feedback, participate in surveys, or otherwise communicate with us, we collect the content of those communications along with associated metadata.
- Team Member Information: If you invite team members to your organization within the Service, we collect their name, email address, and assigned role as provided by the account administrator.
2b. Information Collected Automatically
- Usage Data: We collect anonymized and aggregated product usage analytics through PostHog, including pages visited, features used, click paths, session duration, and interaction patterns. This data helps us improve the Service.
- Device & Browser Information: We automatically collect your IP address, browser type and version, operating system, screen resolution, language preference, and referring URL.
- Log Data: Our servers automatically record information about each request, including timestamps, request method, endpoint accessed, response status code, and request duration.
- Cookies & Similar Technologies: We use essential cookies and similar technologies to authenticate sessions, prevent cross-site request forgery, and remember your preferences. See Section 10 for full details.
- Performance & Error Monitoring: We use Sentry to collect error reports and performance data, which may include stack traces, browser environment details, and the sequence of user actions leading to an error.
2c. Information From Third Parties
- Paddle: Our payment provider may share transaction confirmation, subscription status, billing country, and tax identifiers with us to manage your subscription.
- Single Sign-On (SSO) Providers: If you choose to authenticate through a third-party SSO provider, we receive your name, email address, and profile picture as authorized by your SSO settings.
- ERPNext: If you connect an existing ERPNext instance to the Service, we may receive data from that instance as necessary to provide the integration functionality you have configured.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: To create and manage your account, authenticate your identity, deliver the features and functionality of the Service, and provide technical support.
- Processing Payments: To process subscription payments, issue invoices, manage billing cycles, handle refunds, and comply with tax obligations through our payment provider, Paddle.
- Communications: To send you transactional emails (such as account verification, password resets, billing receipts, and service alerts), respond to support requests, and provide product updates.
- Improvement & Analytics: To analyze usage patterns, diagnose technical issues, measure feature adoption, conduct A/B testing, and improve the performance, reliability, and usability of the Service.
- Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues. This includes monitoring for unauthorized access, enforcing rate limits, and maintaining audit logs.
- AI Features: The Service includes AI-powered features (such as Bridge AI) that process your queries and relevant business context to generate responses. Your data processed by AI features is used solely to provide the requested functionality and is not used to train, fine-tune, or improve any machine learning models, whether by Westbridge or by our AI sub-processor (Anthropic).
- Legal Obligations: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including tax reporting, data protection obligations, and responding to lawful subpoenas or court orders.
- Marketing: To send you marketing communications about new features, product updates, promotions, or events only with your prior opt-in consent. You may withdraw your consent at any time by clicking the unsubscribe link in any marketing email or by contacting us.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we rely on the following legal bases under the General Data Protection Regulation (GDPR) to process your personal data:
- Performance of a Contract: Processing is necessary to perform our contract with you, including providing the Service, managing your account, processing payments, and delivering customer support.
- Legitimate Interests: Processing is necessary for our legitimate interests, provided those interests are not overridden by your data protection rights. Our legitimate interests include improving the Service, ensuring security, preventing fraud, conducting analytics, and communicating with you about your account.
- Consent: Where we rely on your consent (for example, for marketing communications or optional analytics), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.
- Legal Obligation: Processing is necessary to comply with a legal obligation to which we are subject, such as tax reporting, regulatory compliance, and responding to lawful requests from public authorities.
5. How We Share Your Information
We share your personal information only in the following circumstances and only to the extent necessary:
Sub-Processors
We engage the following categories of sub-processors to deliver the Service:
- Paddle — Payment processing, subscription management, tax compliance, and invoicing.
- Resend — Transactional and marketing email delivery.
- Anthropic — AI query processing for Bridge AI features. Anthropic processes data under a zero-retention API agreement and does not use your data for model training.
- Sentry — Application error monitoring and performance tracking.
- PostHog — Product analytics and feature usage tracking.
- Cloud Infrastructure Providers — Hosting, storage, database management, and content delivery. All infrastructure providers maintain SOC 2 Type II or equivalent certifications.
Legal Requirements
We may disclose your personal information if required to do so by law or in good faith belief that such disclosure is necessary to comply with a legal obligation, protect and defend our rights or property, prevent fraud, protect the personal safety of users or the public, or respond to a lawful request by public authorities (including national security or law enforcement).
Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
What We Do Not Do
To be clear about our practices:
- We do not sell your personal data to any third party, for any purpose, under any circumstance.
- We do not share your data with advertisers or ad networks.
- We do not use your data to train AI or machine learning models.
- We do not share Customer Data between different customers. Each organization's data is logically isolated.
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. The following retention periods apply:
- Account Data: Retained for the duration of your active subscription plus 30 days after cancellation or termination to allow for reactivation and to resolve any outstanding matters.
- Customer Data: Upon account cancellation or termination, your Customer Data is available for self-service export for 30 days. After the 30-day period, Customer Data is permanently deleted from our production systems and purged from backups within 90 days.
- Billing Records: Retained for 7 years in accordance with applicable tax and accounting regulations.
- Audit Logs: System and security audit logs are retained for 2 years to support security investigations, compliance requirements, and dispute resolution.
- Analytics Data: Aggregated and anonymized analytics data (which cannot be used to identify any individual) may be retained indefinitely to inform long-term product development.
- Support Communications: Records of support interactions are retained for 3 years after the last communication to provide consistent support and for quality assurance.
- Marketing Consent Records: Records of your marketing consent (or withdrawal thereof) are retained for the period your consent is valid plus 3 years to demonstrate compliance with applicable consent requirements.
7. Data Security
We implement and maintain appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of your personal information. These measures include, but are not limited to:
- Encryption at Rest: All data at rest is encrypted using AES-256 encryption.
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Password Security: User passwords are hashed using bcrypt with a minimum of 12 salt rounds. We never store passwords in plaintext.
- Access Control: We enforce role-based access control (RBAC) throughout the Service. Access to production systems is restricted to authorized personnel on a need-to-know basis.
- Multi-Factor Authentication: MFA is available for all user accounts and is required for administrative access to production systems.
- Infrastructure Security: Our infrastructure is hosted in SOC 2 Type II certified data centers with physical access controls, redundant power, and network security measures.
- Continuous Monitoring: We employ continuous monitoring of our systems for security anomalies, unauthorized access attempts, and potential vulnerabilities.
- Breach Notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by applicable law.
- Employee Access: All employee access to systems containing personal data is logged and auditable. Employees are bound by confidentiality obligations and receive regular security training.
- Penetration Testing: We conduct regular penetration testing and vulnerability assessments of our systems and applications to identify and remediate potential security issues.
While we take reasonable measures to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
8. International Data Transfers
Your personal information may be transferred to, stored in, and processed in countries other than the country in which it was collected. These countries may have data protection laws that differ from the laws of your country.
Where we transfer personal data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on the European Commission's Standard Contractual Clauses (SCCs) — including the UK International Data Transfer Addendum where applicable — to ensure that appropriate safeguards are in place to protect your personal data.
For transfers to jurisdictions outside the EEA, UK, and Switzerland, we implement appropriate safeguards as required by applicable data protection laws, which may include binding corporate rules, approved codes of conduct, or other recognized transfer mechanisms. You may request a copy of the safeguards we have put in place by contacting us at privacy@westbridgetoday.com.
9. Your Rights
Depending on your location and applicable law, you may have certain rights with respect to your personal information. We are committed to honoring these rights regardless of where you reside, to the extent practicable.
Rights Available to All Users
- Access: The right to request a copy of the personal information we hold about you.
- Correction: The right to request correction of inaccurate or incomplete personal information.
- Deletion: The right to request deletion of your personal information, subject to certain exceptions (such as legal retention obligations).
- Portability: The right to receive your personal information in a structured, commonly used, and machine-readable format.
- Objection: The right to object to our processing of your personal information in certain circumstances.
- Restriction: The right to request that we restrict the processing of your personal information in certain circumstances.
Additional Rights Under GDPR (EEA, UK, Switzerland)
- Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
- Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates applicable data protection law.
- Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in solely automated decision-making that produces legal effects.
Additional Rights Under CCPA/CPRA (California Residents)
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting your personal information, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of the personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information. As such, there is no need to opt out. If our practices change in the future, we will provide a "Do Not Sell My Personal Information" mechanism.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights, including by denying you goods or services, charging you a different price, or providing a different level of quality.
- Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA.
How to Exercise Your Rights
You may exercise your rights through the following methods:
- Self-Service Export: You can export your Customer Data and account information at any time through the data export feature available in your account settings.
- Email: Submit a request to privacy@westbridgetoday.com. Please include sufficient information for us to verify your identity and specify the right you wish to exercise.
- Response Time: We will respond to all verifiable requests within 30 days of receipt. If we require additional time (up to a further 60 days), we will inform you of the reason and the expected completion date.
10. Cookies & Tracking
We use a limited number of cookies that are strictly necessary for the operation of the Service. Below is a complete list of the cookies we set:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| westbridge_sid | Session authentication | 7 days | Essential |
| westbridge_csrf | Cross-site request forgery protection | Session | Essential |
| westbridge_logged_in | Client-side login state indicator | Session | Essential |
| westbridge_consent | Stores your cookie consent preferences | 1 year | Essential |
Analytics & Monitoring
- PostHog: We use PostHog for product analytics. PostHog may set its own cookies for session tracking. Analytics data is used in aggregate to improve the Service.
- Sentry: We use Sentry for error monitoring and performance tracking. Sentry may process limited session data when errors occur.
What We Do Not Use
We do not use advertising cookies, third-party tracking pixels, social media tracking widgets, browser fingerprinting techniques, or any other technology designed to track you across websites for advertising purposes.
Do Not Track
We honor Do Not Track (DNT) signals sent by your browser. When we detect a DNT signal, we disable non-essential analytics tracking for your session.
11. Children's Privacy
The Service is designed for business use and is not intended for individuals under the age of 18. We do not knowingly collect, solicit, or maintain personal information from anyone under 18 years of age. If we become aware that we have collected personal information from a child under 18, we will take prompt steps to delete that information from our systems. If you believe that we may have collected personal information from a child under 18, please contact us at privacy@westbridgetoday.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page.
For material changes that significantly affect how we collect, use, or share your personal information, we will provide at least 30 days' advance notice before the changes take effect. Notice will be provided via email to the address associated with your account and/or through a prominent notice within the Service.
Previous versions of this Privacy Policy are available upon request. To obtain a prior version, please contact us at privacy@westbridgetoday.com.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through one of the following channels:
- Privacy Inquiries: privacy@westbridgetoday.com
- Data Protection Officer: dpo@westbridgetoday.com
- General Support: support@westbridgetoday.com
- Mailing Address: Westbridge Inc., [Physical Address to be Updated], [City, State, ZIP]
For GDPR-related inquiries, you may also contact our Data Protection Officer directly. We will make every effort to resolve your concerns promptly. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.