Last updated: 2026-05-11
Privacy Policy
This Privacy Policy describes how mybillbook ("mb", "we", "us") collects, uses, and shares information about you when you use our Service. It complies with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and applies to all visitors and users of the Service.
1. Information we collect
1.1 Information you provide
- Account data: email address, password (hashed), full name, optionally Google account claims if you sign in via OIDC.
- Business data: business legal name, trade name, GSTIN, state code, address, bank details, signature image URL.
- Books data: invoices, credit notes, payments, customer records, supplier records, purchase records, quotations.
- Files: GSTR-2B JSON files you upload, signature images.
- Communications: support requests, contact-form submissions.
1.2 Information collected automatically
- Request metadata: IP address, user-agent string, request ID, request timestamp. These are recorded in the audit log for mutation actions (signup, finalize invoice, record payment, etc.) for non-repudiation under DPDP §8(8).
- Session cookies: a single HttpOnly+Secure session cookie and a CSRF cookie. No third-party tracking cookies.
- No analytics: we do not run Google Analytics, Mixpanel, Segment, Facebook Pixel, or any other behavioural-analytics script.
2. How we use information
- Provide the Service: store and render your books, generate GST returns, deliver PDFs, send transactional email.
- Authenticate you: verify your identity on every request, prevent unauthorised access.
- Comply with law: maintain an audit log for non-repudiation; retain books for 6 years per CGST Rules.
- Improve the Service: only via direct conversations with you. We do not run silent A/B tests.
3. How we share information
We do not sell or rent your data. We share only with:
- Sub-processors strictly necessary for the Service: Cloudflare (edge proxy, R2 storage), DigitalOcean (compute), Resend (transactional email), qpdf (PDF rendering). All are hosted in, or transit through, India / EU regions.
- Authorities: when required by law (court order, statutory notice). We will tell you unless legally prohibited.
- You: via the in-app export, and on request as a Postgres dump.
4. Data location & retention
- Location: primary Postgres + worker + R2 object storage are hosted in Indian regions.
- Edge: Cloudflare serves static assets from a global PoP nearest you. No personal data is cached at the edge.
- Retention: account data is retained while your account is active. Books data (invoices, credit notes, payments, etc.) is retained for 6 years from the end of the financial year, per CGST Rules — this overrides any erasure request for those specific records.
- Backups: nightly snapshots, 30-day retention, encrypted at rest.
5. Your rights under DPDP Act 2023
Under §11 of the DPDP Act, you have the right to:
- Access a summary of the personal data we process about you and the processing activities.
- Correct or update inaccurate or incomplete personal data.
- Erase personal data we hold about you (subject to the 6-year GST retention exception above).
- Nominate another individual to exercise your rights in case of death or incapacity.
- Raise a grievance about our handling of your data with our Grievance Officer (see DPDP disclosures).
To exercise any right, email vikas@networkershome.com with the subject "DPDP request". We will respond within 30 days.
6. Security
See our Security page for technical detail. In short: Postgres Row-Level Security enforces tenant isolation, argon2id hashes passwords, sessions are server-side, CSRF tokens are bound to the session, all traffic is TLS-only, and an append-only audit log records every mutation.
7. Children
The Service is not intended for users under 18. We do not knowingly collect personal data from anyone under 18. If we discover such data, we will delete it promptly.
8. Changes to this Policy
We will notify you by email and via an in-app banner at least 14 days before any material change to this Policy.
9. Contact
Privacy questions or requests: vikas@networkershome.com.
Template scaffolding aligned to the DPDP Act 2023. The operator should have this Policy reviewed by Indian counsel and confirm that the sub-processor list reflects the current production deployment before public launch.