Privacy Policy

How we collect, use, and protect your information.

Last updated: 1 May 2026

1. Information We Collect

We collect information you provide (name, email, mobile, business details), information about your use of the Service (logs, usage data), and data you upload (transactions, customers, suppliers, items).


2. How We Use Your Information

We use your information to provide and improve the Service, communicate with you about your account, send service-related notifications, comply with legal obligations, and prevent fraud or abuse.


3. Data Storage & Location

All your data is stored in Indian data centres (ap-south-1). We use a database-per-tenant architecture, ensuring physical isolation of your data from other customers.


4. Data Security

We use industry-standard security measures including TLS 1.2+ for transport, encryption at rest, Argon2id password hashing, KMS-managed encryption keys, regular backups, and access logging.


5. Data Sharing

We do not sell your data. We share information only with service providers necessary to operate the Service (e.g., GSP, payment gateway, AI providers, under strict data processing agreements) and with legal authorities when required by law. For any other purpose, we share information only with your explicit consent.


6. Your Rights (DPDPA 2023)

As a Data Principal under India's DPDPA, you have the right to access your personal data, correct or update it, request deletion, withdraw consent, and lodge a grievance. Contact [email protected] to exercise these rights.


7. Data Retention

We retain your data for as long as your account is active. After cancellation: a 30-day export window, a 60-day archive, then permanent deletion. Statutory retention (GST, IT) follows applicable law.


8. Cookies & Tracking

We use essential cookies for authentication and session management, and limited analytics cookies (no third-party advertising trackers). You can manage cookie preferences in your browser.


9. AI Processing

When you use AI features (invoice OCR, custom reports, search), data is sent to AI providers (Anthropic, OpenAI, or Google) for processing. PII is redacted where possible. AI providers are contractually prohibited from training on your data.


10. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email at least 30 days before they take effect.


11. Contact

For privacy questions or to exercise your rights, contact our Data Protection Officer at [email protected].