Privacy Policy

Effective date: May 16, 2025 · Last updated: May 16, 2026

1. Who we are

Alvan Labs Pay ("we", "our", "the service") is a UPI payment auto-reconciliation platform operated by Alvan Labs (payments.alvanlabs.com). We help Indian merchants automatically verify UPI payments by reading bank credit alert emails delivered to the merchant's own Gmail inbox.

Contact: payments@alvanlabs.com

2. What Google user data we access

When a merchant connects their Gmail account, we request the following Google OAuth scope:

https://www.googleapis.com/auth/gmail.readonly — read-only access to Gmail messages.

We use this scope exclusively to:

Receive real-time Gmail notifications when a new email arrives.
Fetch and read bank credit alert emails (e.g. from HDFC Bank, SBI, ICICI Bank) to extract the UPI transaction amount and UTR reference number.
Automatically mark the corresponding merchant order as paid.

We access only emails from the merchant's configured bank sender address. We do not read, store, or process any other emails.

3. How we use Google user data

Gmail data is used only to verify UPI payments for the authenticated merchant.
We extract only two values from bank emails: payment amount and UTR number.
Full email bodies are never stored. Only the extracted amount and UTR are saved.
Gmail data is never used for advertising, analytics, profiling, or any purpose unrelated to payment verification.
Gmail data is never shared with, sold to, or transferred to any third party.
Gmail data is never used to train machine learning or AI models.

4. Google API Services User Data Policy

Alvan Labs Pay's use of information received from Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements.

Specifically, data obtained via Google APIs will only be used to provide and improve the UPI payment reconciliation feature described in this policy. It will not be transferred to others except as necessary to provide the service, will not be used for serving advertisements, and will not be used for any purpose that the user has not consented to.

5. Data we store

OAuth tokens: Stored encrypted in a secured PostgreSQL database. Used only to authenticate Gmail API calls on the merchant's behalf. Deleted immediately when the merchant disconnects Gmail.
Transaction records: Payment amount, UTR number, timestamp, and order reference. Retained for 90 days for reconciliation audit purposes.
Merchant account data: Email address, business name, UPI ID, and bank sender email provided during onboarding.
We do not store Gmail passwords, full email content, or any other email metadata.

6. Data sharing

We do not sell, rent, or share any user data with third parties. The only external service involved is:

Google LLC — OAuth 2.0 authentication and Gmail notification delivery. Governed by Google's Privacy Policy.

7. Security

All data is transmitted over HTTPS/TLS. OAuth tokens are stored in an encrypted, access-controlled PostgreSQL database on a private server. We do not store any Gmail passwords or credentials. Access to merchant data requires authenticated sessions.

8. Your rights and controls

You may at any time:

Disconnect Gmail: Visit your merchant settings page and click "Disconnect". This immediately revokes our OAuth access token and deletes it from our database.
Revoke access directly from Google: Visit Google Account Permissions and remove "Alvan Labs Pay".
Request data deletion: Email us at payments@alvanlabs.com to delete all data associated with your account.

9. Children's privacy

This service is intended for business use only and is not directed at individuals under the age of 18. We do not knowingly collect data from minors.

10. Changes to this policy

We may update this policy. Changes will be posted on this page with an updated effective date. For material changes affecting Google user data, we will notify merchants by email.

11. Contact

For privacy questions, data access requests, or deletion requests:
payments@alvanlabs.com
Alvan Labs, India