Privacy Policy
What data we collect, why we collect it, and the controls you have.
Last updated: May 4, 2026
Plain summary: We collect only what we need to run AasanKhata for you — your account email, the businesses and invoices you create, and the payment metadata required to process subscriptions. We do not sell your data. We do not use your invoices to train AI models. You can export or delete your data anytime.
1. Who this applies to
This Privacy Policy applies to all visitors and registered users of aasankhata.in and any associated subdomain (the "Service"). The Service is operated by GrahAI Systems, registered at GrahAI Systems, Choodasandra, Bengaluru 560035, Karnataka, India ("we", "us").
2. Data we collect
2.1 Information you provide
- Account data: name, email, phone (for OTP login), password hash.
- Business data: business name, address, GSTIN, bank account details (if you choose to add them to invoices), logo.
- Invoice data: client names, GSTINs, line items, amounts, tax calculations, status of payment.
- Payment data: subscription tier and renewal dates. Card numbers are processed by Razorpay and never touch our servers — we receive only a payment ID and the last 4 digits for receipt generation.
2.2 Information collected automatically
- Device & usage: browser, OS, IP address, pages visited, actions taken (e.g., "invoice created").
- Cookies and local storage: session cookie for auth, preference cookies (e.g., language), analytics cookies (only if you accept).
3. Why we collect it
- To provide the Service: create, store, render, and deliver your invoices.
- To process payments: charge subscriptions via Razorpay; send payment receipts.
- To support you: respond to email tickets and reproduce bugs.
- To improve the product: aggregate, anonymised analytics (which features get used, where users drop off).
- To comply with law: retain financial records for the period required by Indian tax authorities.
4. Third parties we share data with
We share the minimum data required with these processors. Each is contractually bound to use the data only to perform the listed function.
| Processor | Purpose | Data shared |
|---|---|---|
| Google Firebase (Authentication, Firestore, Storage) | Account auth, primary database, invoice file storage | All account & invoice data |
| Razorpay Software Pvt Ltd | Subscription payments, refunds | Email, name, plan, amount, transaction IDs |
| Vercel Inc. | Hosting / serverless compute | Request logs, IP, user-agent |
| Google Cloud (Gemini API) | AI invoice description suggestions, only when you click the "✨ Suggest" button | The text of the line item you typed (no other invoice fields) |
| Email delivery provider | Transactional email (login OTP, payment receipts, invoice email-out) | Recipient email, subject, body |
| WhatsApp Business / Meta | WhatsApp invoice send, only when you click "Send via WhatsApp" | Recipient phone, invoice PDF link |
We do not sell personal data to third parties. We do not use your invoice content to train any AI model.
5. Data retention
- Active accounts: data retained as long as your account is active.
- Cancelled / deleted accounts: personal data deleted within 30 days of account deletion request, except where retention is required by law (e.g., GST records — 6 years per Section 36 of the CGST Act 2017).
- Backups: automated encrypted backups are retained for 30 days, then purged.
6. Your rights (DPDP Act 2023)
Under India's Digital Personal Data Protection Act, 2023, you have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- erase data that is no longer necessary;
- nominate someone to act on your behalf in case of incapacity or death;
- withdraw consent at any time; and
- file a grievance with our Grievance Officer.
To exercise any of these, email privacy@aasankhata.in. We respond within 30 days.
7. Cookies
We use first-party cookies for authentication and preferences. Third-party cookies are used only for analytics and only if you accept them via the cookie banner. You can disable cookies in your browser, but you will not be able to log in.
8. Security
- HTTPS everywhere — TLS 1.2+ enforced.
- Passwords are stored as one-way Argon2/bcrypt hashes, never plaintext.
- Invoice PDFs and uploads are stored encrypted at rest.
- Access to production data is restricted to a small number of engineers, audited, and revoked on offboarding.
No system is perfectly secure. If you suspect a vulnerability, email privacy@aasankhata.in with "security" in the subject — we will respond within 1 business day.
9. Children
AasanKhata is a B2B service. It is not directed to children under 18. We do not knowingly collect data from minors. If you believe we have, email us and we will delete it.
10. International transfers
Your data is primarily stored in India (Firebase asia-south1, Vercel bom1). Some processors (e.g., Google Cloud, Meta) may process data in other jurisdictions. We rely on the processor's contractual safeguards (e.g., Standard Contractual Clauses) where applicable.
11. Changes to this policy
We will post any changes on this page and update the "Last updated" date. Material changes will be notified by email at least 14 days before they take effect.
12. Grievance Officer
For complaints under the IT Rules 2021 or the DPDP Act 2023, contact our Grievance Officer (full details on the Contact page):
Rahul Dubey
Grievance Officer, GrahAI Systems
grievance@aasankhata.in