This Privacy Policy explains how Billly ("Billly", "we", "us", "our") collects, uses, discloses, and protects personal data when you use our websites, apps, and services (collectively, the "Services"). It also describes your rights and choices.
If you do not agree with this Policy, do not use the Services. If you have questions, contact us at team.billly@gmail.com.
1) Who we are
Controller / Data Fiduciary (own-site data):
[Legal entity name to be added], doing business as Billly,
Address: [to be added]
Contact: team.billly@gmail.com
Grievance Officer (India): Thomas Cherian, team.billly@gmail.com, +91 7559897149
Processor / Data Processor (customer content):
For invoice content you input (e.g., your customer details, line items, tax rates), Billly acts as a data processor on your instructions. You remain the controller/fiduciary for that data.
2) What this Policy covers
This Policy applies to:
- Our public site, product UIs (web/mobile), and support channels.
- Personal data of account holders, workspace members, and invoice recipients whose information you upload.
This Policy does not cover third-party sites/services linked from our Services.
3) Data we collect
A. Data you provide
- Account & profile: name, email, phone, password (hashed), avatar.
- Business details: legal name, GSTIN, PAN, company address, logo, signature/stamp, bank details you choose to display on invoices.
- Invoice data (customer content): bill-to details, recipient GSTIN, HSN/SAC, line items, MRP/unit price, discounts, GST %, CGST/SGST/IGST split, notes, attachments.
- Subscription & support: plan, invoices, communications with support.
B. Data from your device/use
- Usage & diagnostics: app interactions, timestamps, feature clicks, performance events, crash logs.
- Device & network: IP address, device/browser type, language, approximate location, referrer/UTM.
C. Data from third parties
- Payments: status, amount, timestamps from Razorpay. We do not collect or store full card numbers or CVV.
4) Why we process data (purposes)
We process data to:
- Provide the Service: authenticate users, render templates, calculate taxes, generate PDFs, store invoice history.
- Operate & secure: monitor reliability, prevent fraud/abuse, debug issues, ensure integrity/availability.
- Payments & billing: manage subscriptions, detect non-payment, send receipts.
- Support & communication: respond to tickets, product updates, policy/legal notices.
- Compliance: meet tax, accounting, and legal obligations (e.g., GST record-keeping).
- Improve the product: analytics, research, A/B tests, using aggregated or de-identified data where possible.
- Marketing (optional): with your consent, send tips and offers; you can opt out anytime.
5) Our roles & legal bases
- India (DPDP Act, 2023): We process on the basis of consent and legitimate uses (e.g., performance of a contract, security, fraud prevention, statutory compliance).
- EEA/UK (GDPR, if applicable): We rely on contract necessity, legitimate interests (security, product improvement that doesn't override your rights), consent (for optional analytics/marketing), and legal obligation (tax/law enforcement).
6) Cookies & local storage
- Strictly necessary cookies/local storage are used for login sessions, security (CSRF), preferences, and invoice drafts.
- We currently do not use third-party analytics cookies.
7) Data sharing & disclosures
We do not sell your personal data. We share it only with:
Service providers (sub-processors) acting on our instructions:
- Hosting/DB/Auth/Storage: Supabase (primary region: India — ap-south-1/Mumbai)
- Payments: Razorpay
Other disclosures:
- Enterprise/admins: Workspace owners/admins may see member activity and content within their workspace.
- Legal/Protection: If required by law or to protect rights, safety, and the integrity of our Services.
- Business transfers: In a merger, acquisition, or sale of assets, we'll continue to protect data and give notice of changes.
8) International transfers
We may process/store data outside your state/country. For India's DPDP Act (2023), cross-border transfers are permitted except to countries restricted by Government notification. For EEA/UK, we use appropriate safeguards (e.g., SCCs) where required.
9) Security
We implement organizational and technical measures, including but not limited to:
- Encryption in transit and at rest for databases and storage (via Supabase);
- Row-Level Security and role-based access controls;
- Secret management for credentials and keys;
- Network restrictions, MFA for admin access, and least-privilege practices;
- Backups and disaster recovery;
- Vendor due diligence and sub-processor contracts.
No method of transmission or storage is 100% secure; we continuously improve safeguards.
10) Retention
We retain personal data for as long as necessary to provide the Services and for legitimate and legal purposes, including:
- Account data: retained while your account is active and for a reasonable period after closure (e.g., up to 12 months) unless you request deletion sooner or law requires longer.
- Invoice content: retained per your workspace settings and as needed for compliance. Under Indian GST rules, businesses generally must retain records for up to 72 months (6 years) from the due date of the relevant annual return. Your own obligations may require longer keeping.
- We may retain minimal logs/records to comply with legal obligations, resolve disputes, and enforce agreements.
11) Your rights & choices
India (DPDP Act)
- Access to a summary of your personal data we process.
- Correction & update of inaccurate or incomplete data.
- Erasure where data is no longer needed or consent is withdrawn (subject to legal retention).
- Consent withdrawal for processing based on consent.
- Grievance redressal via our Grievance Officer.
- Nomination: designate someone to exercise your rights in case of death or incapacity.
EEA/UK (if applicable)
- Access, rectification, erasure, restriction, portability, objection;
- Withdraw consent at any time for optional processing;
- Complain to your local supervisory authority.
How to exercise: Email team.billly@gmail.com (or use in-product tools where available). We may need to verify your identity. We will respond within required timelines.
12) Children's privacy
Our Services are intended for business users. We do not knowingly collect personal data from children. In India, persons under 18 should use the Services only with the verifiable consent of a parent/guardian. If you believe a child has provided data, contact us to delete it.
13) Data breach notifications
If a personal data breach occurs that affects your rights, we will notify you and the relevant authority as required by applicable law (e.g., India's Data Protection Board under the DPDP Act) and take steps to mitigate harm.
14) Third-party links & integrations
Our Services may include links to third-party sites or allow you to connect integrations. Their privacy practices are governed by their own policies; please review them carefully.
15) Changes to this Policy
We may update this Policy from time to time. Material changes will be notified via email or in-app notice. The "Last updated" date reflects the most recent revision. Continued use of the Services after a change means you accept the updated Policy.
16) Contact us
Billly — Privacy Team
Email: team.billly@gmail.com
Grievance Officer (India): Thomas Cherian, team.billly@gmail.com, +91 7559897149
Postal: Cherusseril House, Rans 93, Pallathupadi Rd, Kakkanad, Kochi, Kerala 682030, India
17) Annex — Sub-processors (informational)
- Supabase — Managed Postgres DB, authentication, file storage, edge functions (India — ap-south-1/Mumbai).
- Razorpay — Subscription billing and payments.
18) Annex — Region-specific disclosures (optional)
If you serve users in these regions, include the following:
- EEA/UK: Identity of EU/UK representative (if required), data transfer mechanism (e.g., SCCs), and DPA link.
- California (CCPA/CPRA): Inform about sale/share of personal information (we do not sell) and provide a "Do Not Sell or Share My Personal Information" link if applicable.
- Australia: Include APPs references if targeting Australian users.