1. Who we are & scope
This Privacy Policy explains how YourBill ("YourBill", "we", "us", "our") collects, uses, stores, transfers, retains and protects your personal data when you use our website https://yourbill.in, our Android / iOS applications, and any related service (collectively, the "Service").
We are the Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") for personal data that you submit to operate your account. We are a Body Corporate handling Sensitive Personal Data or Information (SPDI) under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 framed under Section 43A of the Information Technology Act, 2000.
By using the Service, you confirm you have read this Policy and consent to the collection and processing described below.
2. Data we collect
Account data: full name, email address, mobile number, password (hashed; never stored in plain text), preferred language. Provided directly by you at signup.
Business data: business name, business address, business phone, business email, GSTIN, PAN, invoice prefix, FY-aware serial counters, bank account details (account number, IFSC, account type, bank name) used solely to print on your invoices, optional logo image uploaded by you.
Customer & product data: GSTINs, names, addresses, contact details, HSN/SAC codes, prices, and invoice line items that you (the User) enter to operate your business. This data is owned by you; we are a Data Processor for it.
Transactional data: invoice records, challans, payments, GSTR-1 export logs, AI usage logs.
Payment data: when you authorise a PayU SI Hub mandate, we receive a tokenised mandate identifier (no card number / CVV / UPI handle is ever sent to or stored on YourBill servers — that data is held by PayU as a PCI-DSS Level 1 compliant gateway).
Technical & log data: IP address, user-agent, device fingerprint, request timestamps, page views, error reports, and Cloudflare Turnstile captcha challenge results. Used for security, abuse prevention, and aggregate analytics only.
Optional cookies: a session cookie (httpOnly, sameSite=lax) for authentication, and a localStorage entry for the "Try YourBill" popup dismiss state.
We do not knowingly collect special category data (caste, religion, biometrics, health) and have no need for it. Do not submit such data through the Service.
3. Why we collect it (purposes & legal basis)
To provide the Service (creating invoices, exports, AI suggestions) — performance of the contract you entered into when you signed up.
To bill you and prevent fraud (recurring PayU charges, GSTIN uniqueness enforcement, anti-abuse rate limits) — performance of contract and our legitimate interest in protecting all users.
To comply with Indian tax law — Section 36 of the CGST Act read with Rule 56 of the CGST Rules requires us to retain accounts and records for at least 8 financial years.
To improve the Service (aggregate analytics, error monitoring) — our legitimate interest, balanced against your privacy.
To send service announcements, security alerts, and billing notices — operational necessity.
Marketing communications are sent only with your prior opt-in consent and you can withdraw it any time.
4. Sharing & sub-processors
We do not sell, rent, or trade your personal data. We share it only with the sub-processors below, all of whom are contractually bound to protect it on our behalf:
• Supabase Inc. — primary database, authentication, and file storage (hosted in AP-South-1, Mumbai). Data Processing Addendum on file. https://supabase.com/privacy
• PayU India (PayU Payments Pvt. Ltd.) — payment gateway, recurring billing via SI Hub. Card / UPI / netbanking data is held by PayU directly; we never touch it. https://payu.in/privacy-policy
• OpenAI, L.L.C. — AI inference for the HSN/SAC code finder and the GSTIN-to-business-name auto-fill on customer creation. We send only the minimum payload needed (e.g. product name, GSTIN). API requests are not used by OpenAI to train models per their commercial API terms.
• Cloudflare, Inc. — Turnstile captcha challenge to block automated signup abuse.
• Vercel Inc. — application hosting and edge CDN.
We may also disclose data when required to do so by a binding court order, statutory notice, or law-enforcement request validly issued under Indian law.
5. Where we store your data
Primary database, file storage, and backups are hosted in AWS Mumbai (AP-South-1) via Supabase. Data is encrypted in transit using TLS 1.3 and at rest using AES-256. Daily encrypted snapshots are taken with seven-day retention.
When you use AI features, your minimal request payload is transmitted to OpenAI's US-based inference endpoints under a Data Processing Addendum that prohibits training on your data. You may disable AI features at any time from Dashboard → Settings — your invoicing data never leaves Mumbai if AI features are disabled.
6. How long we keep it
Active accounts: data is retained for as long as the account is active.
Closed accounts: invoicing and tax records (invoices, challans, GSTR-1 exports, AI usage logs) are retained for at least eight (8) financial years from the date of issue, as mandated by Section 36 of the CGST Act read with Rule 56 of the CGST Rules.
After the statutory retention window, data may be deleted or anonymised. Backup copies are purged on the same retention schedule.
Authentication / log data is retained for up to 12 months for security review.
7. Your rights
Under the DPDP Act, 2023 and SPDI Rules, you have the right to:
• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Erase data where there is no continuing lawful purpose to retain it (subject to the 8-year tax retention above).
• Withdraw any consent you previously gave (e.g. marketing email opt-in).
• Nominate another individual to exercise your DPDP rights in case of incapacity.
• Lodge a complaint with the Data Protection Board of India at the contact published by the Ministry of Electronics & IT.
To exercise any of these rights, write to our Grievance Officer at support@yourbill.in. We will acknowledge within 24 hours and respond substantively within 15 days.
8. Security
We implement reasonable security practices including: TLS 1.3 in transit, AES-256 at rest, password hashing (bcrypt/argon2 via Supabase Auth), per-tenant Row-Level Security on every database table, scoped service-role keys, audit logging on admin operations, daily encrypted backups, MFA for internal admin access, and a written incident-response plan.
If we become aware of a personal-data breach that creates a material risk to you, we will notify you and the Data Protection Board of India within 72 hours of becoming aware, in line with the DPDP Act notification rules.
No system is impenetrable. You are responsible for protecting your password and for keeping the device you use to access the Service free of malware.
9. Cookies & tracking
We use only first-party cookies that are strictly necessary to operate the Service: an httpOnly session cookie for authentication, a businessId cookie to scope your dashboard, and a userId cookie. These are not used for advertising or cross-site tracking.
We do not load Google Analytics, Meta Pixel, or third-party advertising scripts on the authenticated dashboard. The marketing pages may load Vercel Speed Insights for aggregate performance metrics — this collects no personally identifying information.
10. Children
The Service is meant for businesses and is not directed to individuals under 18. We do not knowingly collect data from children. If you believe a minor has signed up, contact support@yourbill.in and we will deactivate the account and delete the data.
11. Changes
We may revise this Policy from time to time. Material changes (those that expand the categories of data we collect or the parties we share with) will be communicated by email at least 14 days before they take effect. The effective date at the top of this page tells you when we last revised it.
12. Grievance Officer
In compliance with the IT Rules, 2011 and the Intermediary Guidelines, 2021, our designated Grievance Officer can be reached at:
Email: support@yourbill.in (subject line: "Grievance — Privacy")
We acknowledge grievances within 24 hours and aim to resolve them within 15 days.