Last updated: 2026-05-11
DPDP Act 2023 disclosures
The Digital Personal Data Protection Act, 2023 (the "DPDP Act") requires every data fiduciary processing personal data of Indian Data Principals to make certain disclosures. This page is the consolidated set for mb.
Data fiduciary identity
| Data fiduciary | mybillbook (sole proprietor) |
| Proprietor | Vikas Swaminathan |
| Place of business | Bengaluru, Karnataka, India |
| Contact | vikas@networkershome.com |
Grievance Officer (DPDP §10(b))
For any complaint, query, or grievance regarding the processing of your personal data, contact:
| Name | Vikas Swaminathan |
| Designation | Proprietor & Grievance Officer |
| vikas@networkershome.com | |
| Response window | Within 30 calendar days, per DPDP §13 |
Note: as the operator scales, this responsibility may be delegated to a dedicated officer. We will update this page and notify existing users by email at least 14 days before any change.
Purposes of processing (DPDP §5(2))
- Providing the Service: storing books data, generating GST returns, emailing transactional notices.
- Authenticating users: verifying identity on every authenticated request.
- Maintaining audit records for non-repudiation (DPDP §8(8) and GST audit trail requirements).
- Complying with statutory retention requirements (6 years under CGST Rules).
- Responding to user support requests and providing customer service.
We do not process your data for behavioural advertising, third-party marketing, profile-building, ML training, or sale to data brokers.
Categories of personal data
- Account identifiers: email, name, hashed password, Google OIDC subject claim (if used).
- Contact data: phone number (optional), business address.
- Statutory identifiers: GSTIN, PAN (if entered), state code.
- Books data: invoices, credit notes, payments — much of this is technically Indian-business data, not personal data, but is treated under the same protection regime.
- Technical data: IP address, user-agent string, timestamps.
Your rights as a Data Principal
Under DPDP §11, you have the following rights:
- Right to summary: a description of the personal data we process about you and the processing activities. Email vikas@networkershome.com with subject "DPDP summary request".
- Right to correction / completion / update: most fields can be edited directly in the app. For fields you cannot edit, email us with "DPDP correction request".
- Right to erasure: email us with "DPDP erasure request". We will erase your account data and personal identifiers within 30 days. Important exception: books data (invoices, credit notes, payments) generated through the Service is retained for 6 years from the end of the financial year, as mandated by the CGST Rules. We will anonymise personal identifiers (your name, email) in those records on erasure but retain the books.
- Right of nomination: you may nominate another individual to exercise your rights in case of your death or incapacity. Email us with "DPDP nomination" and the nominee's details.
- Right to grievance: file a complaint with our Grievance Officer above. If unresolved, you may approach the Data Protection Board of India.
Consent record
When you sign up, you consent to the processing described above.
Your consent is recorded in our consents table with:
your user ID, the version of the Terms / Privacy Policy you
accepted, the timestamp, and your IP address. You can withdraw
consent at any time via the erasure-request flow above.
Sub-processors and cross-border transfers
See the Privacy Policy §3 for our sub-processor list. Note specifically:
- Primary database (Postgres on DigitalOcean): Bangalore region (India).
- Object storage (Cloudflare R2): India region.
- Transactional email (Resend): EU region; emails to Indian users transit through EU briefly. Per DPDP, this is permitted; we'll add an India PoP when available.
- PDF rendering (qpdf service): India region.
- Edge CDN (Cloudflare): global; only public static marketing pages are cached at edge — no books data.
Security and breach notification
Technical safeguards are documented on the Security page. In the event of a personal data breach affecting your data, we will notify you and the Data Protection Board of India within 72 hours of becoming aware, per DPDP §8(6).
Children
Per DPDP §9, we do not knowingly process personal data of individuals under 18. We do not perform behavioural monitoring, targeted advertising, or behavioural profiling of any user.
Template scaffolding aligned to DPDP Act 2023 as published by the Ministry of Electronics & Information Technology. This disclosures page should be reviewed by Indian counsel before relying on it for production. Specific rules under the Act may have been updated after the publication date above.