Privacy Policy - TruBook

TruBook Technologies Private Limited("TruBook", "we", "us", or "our") operates the website trubook.aiand the TruBook mobile and web application (collectively, the "Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your personal and financial information when you use our Platform.

By accessing or using TruBook, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Platform.

1. Definitions

"Personal Data" means any information that identifies or can be used to identify you, including your name, phone number, email address, GSTIN, PAN, and Aadhaar number.
"Financial Data" means bank account details, transaction records, invoices, payment information, GST returns, balance sheets, profit and loss statements, and any other financial information processed through the Platform.
"Sensitive Personal Data or Information" (SPDI) has the meaning ascribed under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
"User" means any individual or entity that accesses or uses the Platform, including SME Owners and Chartered Accountants.

2. Information We Collect

2.1 Information You Provide

Account Registration: Name, mobile phone number, email address, business name, business type, GSTIN, PAN.
CA Registration: ICAI membership number, firm name, client count, in addition to the above.
Invoicing: Customer and vendor details (names, GSTINs, addresses, HSN/SAC codes), invoice amounts, payment terms, bank account details for payment collection.
GST Compliance: GSTIN, GST return data (GSTR-1, GSTR-3B, GSTR-2B), tax computations, filing history, e-invoice data, and IRN numbers.
Financial Records: Chart of accounts, journal entries, ledger data, profit and loss statements, balance sheets, receivables, and payables.
Documents: Uploaded invoices, purchase bills, bank statements, and other financial documents for OCR processing.
Communications: Messages sent through in-app comment threads, WhatsApp notifications opt-in preferences.

2.2 Information Collected Automatically

Device Information: Device type, operating system, browser type, screen resolution, and unique device identifiers.
Usage Data: Pages visited, features used, timestamps, click patterns, session duration, and error logs.
Network Information: IP address, approximate geographic location (city/state level only).

2.3 Information from Third Parties

Account Aggregator (Bank Sync): With your explicit consent via the Account Aggregator framework (regulated by RBI), we receive bank account statements, transaction data, and account balances. This data is fetched only after you provide consent through the AA consent flow and is used solely for the purposes you authorize.
GST Portal (via GSP): With your authorization, we fetch GST return data, filing status, and GSTR-2B data from the GST Network through authorized GST Suvidha Providers.
Payment Gateway: Transaction confirmation data from Razorpay for subscription payments. We do not store your card details.

3. How We Use Your Information

We use your information strictly for the following purposes:

Core Services: Invoicing, bookkeeping, bank reconciliation, GST compliance, financial reporting, and CA-client collaboration.
AI Processing: Automated transaction categorization, invoice OCR, and intelligent bookkeeping suggestions. AI models process your data to provide categorization recommendations but do not retain your financial data after processing.
Authentication: Sending OTP via WhatsApp for login verification.
Notifications: Transaction alerts, GST filing reminders, payment due dates, and system updates via WhatsApp and in-app notifications (only with your consent).
Audit Trail: Maintaining a complete, immutable record of all data modifications for compliance and accountability.
Platform Improvement: Aggregated, anonymized usage analytics to improve features, fix bugs, and optimize performance. Individual financial data is never used for this purpose.
Legal Compliance: Fulfilling obligations under the Information Technology Act 2000, GST Act, Companies Act, and other applicable Indian laws.

4. What We Do NOT Do With Your Data

We make the following commitments:

We do NOT sell, rent, lease, or trade your personal or financial data to any third party, ever.
We do NOT share your data with advertisers or ad networks.
We do NOT use your financial data to build advertising profiles or for targeted marketing.
We do NOT use your data to train general-purpose AI/ML models. Your data is processed only to serve your specific requests.
We do NOT store payment card details. All subscription payments are processed by PCI-DSS compliant payment processors.
We do NOT access your bank accounts directly. Bank data is fetched only through the RBI-regulated Account Aggregator framework with your explicit, revocable consent.

5. Data Sharing and Disclosure

We share your information only in the following limited circumstances:

CA-Client Relationship: If you (as an SME Owner) invite a Chartered Accountant to your business on TruBook, your financial data is shared with that CA for the purpose of accounting, compliance, and advisory services. You control this access and can revoke it at any time.
GST Suvidha Provider (GSP): Your GST data is transmitted to authorized GSPs for filing returns with the GST Network, as initiated by you or your CA.
Account Aggregator: Bank data flows through RBI-licensed Account Aggregators under the consent framework. We act as a Financial Information User (FIU).
Payment Processor: Subscription payment data is shared with Razorpay (PCI-DSS Level 1 compliant) for processing payments.
Cloud Infrastructure: Data is stored on AWS (Mumbai region, ap-south-1). AWS acts as a data processor under our instructions and does not access your data.
AI Processing: Document text (for OCR) and transaction descriptions (for categorization) are sent to Anthropic Claude API for processing. Only the minimum data required is sent, and Anthropic does not retain this data per our Data Processing Agreement.
Legal Obligations: We may disclose data if required by law, court order, or government authority under applicable Indian law, including requests under the IT Act, Prevention of Money Laundering Act, or Income Tax Act.

6. Data Storage and Security

6.1 Where We Store Your Data

All data is stored on servers located in India (AWS Mumbai region, ap-south-1). Your financial data never leaves Indian borders for storage purposes. AI processing requests are sent to API endpoints but contain no persistent storage of your data outside India.

6.2 Security Measures

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
Encryption at Rest: All stored data is encrypted using AES-256 encryption.
Access Controls: Role-based access control (RBAC) ensures users can only access data they are authorized to view. Multi-factor authentication is enforced for all accounts.
Audit Logging: Every data access and modification is logged in an immutable audit trail with timestamps, user identity, and action details.
Session Security: Sessions use secure, httpOnly cookies with automatic expiration. Concurrent session limits are enforced.
Infrastructure: Managed database with automated backups, point-in-time recovery, and network isolation via Virtual Private Cloud (VPC).
Vulnerability Management: Regular security assessments, dependency scanning, and prompt patching of known vulnerabilities.

7. Data Retention

Active Account: Your data is retained for as long as your account is active and you maintain a subscription.
After Account Deletion: Upon account deletion request, we delete your personal data within 30 days. Financial records required for legal/tax compliance (GST records, invoices, audit logs) are retained for a minimum of 8 years as required under the GST Act and Income Tax Act, after which they are permanently deleted.
Inactive Accounts: Accounts with no login activity for 24 consecutive months will be flagged. We will notify you via your registered phone number and email before any data deletion.
Backups: Encrypted backups may retain deleted data for up to 90 days for disaster recovery, after which backup data is purged.

8. Your Rights

Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian law, you have the following rights:

Right to Access: Request a copy of all personal data we hold about you.
Right to Correction: Request correction of inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
Right to Data Portability: Export your data in standard machine-readable formats (CSV, JSON, PDF) at any time from Settings.
Right to Withdraw Consent: Withdraw consent for data processing at any time. For Account Aggregator (bank sync), consent can be revoked directly through the AA consent manager.
Right to Grievance Redressal: File a complaint with our Grievance Officer (details below) or with the Data Protection Board of India.

To exercise any of these rights, email us at privacy@trubook.ai. We will respond within 72 hours and fulfill your request within 30 days.

9. Cookies and Tracking

Essential Cookies: We use strictly necessary cookies for session management and authentication. These cannot be disabled as they are required for the Platform to function.
Analytics: We use anonymized, aggregated analytics to understand feature usage. No personal or financial data is included in analytics.
No Third-Party Trackers: We do not use third-party advertising trackers, social media pixels, or cross-site tracking technologies.

10. Children's Privacy

TruBook is a business financial platform and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete it promptly.

11. Third-Party Links

The Platform may contain links to third-party websites or services (e.g., GST Portal, bank websites). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification and/or WhatsApp message at least 15 days before they take effect. Your continued use of the Platform after the updated policy takes effect constitutes acceptance of the changes.

13. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the details of our Grievance Officer are:

Grievance Officer: Data Protection Officer, TruBook Technologies Private Limited

Email: grievance@trubook.ai

Address: Registered Office: Noida, Uttar Pradesh, India

Response Time: Within 72 hours of receiving the complaint.

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:

Email: privacy@trubook.ai

Company: TruBook Technologies Private Limited

Address: Registered Office: Noida, Uttar Pradesh, India

This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts in New Delhi, India.

By accessing or using TruBook, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Platform.

1. Definitions

"Personal Data" means any information that identifies or can be used to identify you, including your name, phone number, email address, GSTIN, PAN, and Aadhaar number.
"Financial Data" means bank account details, transaction records, invoices, payment information, GST returns, balance sheets, profit and loss statements, and any other financial information processed through the Platform.
"Sensitive Personal Data or Information" (SPDI) has the meaning ascribed under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
"User" means any individual or entity that accesses or uses the Platform, including SME Owners and Chartered Accountants.

2. Information We Collect

2.1 Information You Provide

Account Registration: Name, mobile phone number, email address, business name, business type, GSTIN, PAN.
CA Registration: ICAI membership number, firm name, client count, in addition to the above.
Invoicing: Customer and vendor details (names, GSTINs, addresses, HSN/SAC codes), invoice amounts, payment terms, bank account details for payment collection.
GST Compliance: GSTIN, GST return data (GSTR-1, GSTR-3B, GSTR-2B), tax computations, filing history, e-invoice data, and IRN numbers.
Financial Records: Chart of accounts, journal entries, ledger data, profit and loss statements, balance sheets, receivables, and payables.
Documents: Uploaded invoices, purchase bills, bank statements, and other financial documents for OCR processing.
Communications: Messages sent through in-app comment threads, WhatsApp notifications opt-in preferences.

2.2 Information Collected Automatically

Device Information: Device type, operating system, browser type, screen resolution, and unique device identifiers.
Usage Data: Pages visited, features used, timestamps, click patterns, session duration, and error logs.
Network Information: IP address, approximate geographic location (city/state level only).

2.3 Information from Third Parties

Account Aggregator (Bank Sync): With your explicit consent via the Account Aggregator framework (regulated by RBI), we receive bank account statements, transaction data, and account balances. This data is fetched only after you provide consent through the AA consent flow and is used solely for the purposes you authorize.
GST Portal (via GSP): With your authorization, we fetch GST return data, filing status, and GSTR-2B data from the GST Network through authorized GST Suvidha Providers.
Payment Gateway: Transaction confirmation data from Razorpay for subscription payments. We do not store your card details.

3. How We Use Your Information

We use your information strictly for the following purposes:

Core Services: Invoicing, bookkeeping, bank reconciliation, GST compliance, financial reporting, and CA-client collaboration.
AI Processing: Automated transaction categorization, invoice OCR, and intelligent bookkeeping suggestions. AI models process your data to provide categorization recommendations but do not retain your financial data after processing.
Authentication: Sending OTP via WhatsApp for login verification.
Notifications: Transaction alerts, GST filing reminders, payment due dates, and system updates via WhatsApp and in-app notifications (only with your consent).
Audit Trail: Maintaining a complete, immutable record of all data modifications for compliance and accountability.
Platform Improvement: Aggregated, anonymized usage analytics to improve features, fix bugs, and optimize performance. Individual financial data is never used for this purpose.
Legal Compliance: Fulfilling obligations under the Information Technology Act 2000, GST Act, Companies Act, and other applicable Indian laws.

4. What We Do NOT Do With Your Data

We make the following commitments:

We do NOT sell, rent, lease, or trade your personal or financial data to any third party, ever.
We do NOT share your data with advertisers or ad networks.
We do NOT use your financial data to build advertising profiles or for targeted marketing.
We do NOT use your data to train general-purpose AI/ML models. Your data is processed only to serve your specific requests.
We do NOT store payment card details. All subscription payments are processed by PCI-DSS compliant payment processors.
We do NOT access your bank accounts directly. Bank data is fetched only through the RBI-regulated Account Aggregator framework with your explicit, revocable consent.

5. Data Sharing and Disclosure

We share your information only in the following limited circumstances:

CA-Client Relationship: If you (as an SME Owner) invite a Chartered Accountant to your business on TruBook, your financial data is shared with that CA for the purpose of accounting, compliance, and advisory services. You control this access and can revoke it at any time.
GST Suvidha Provider (GSP): Your GST data is transmitted to authorized GSPs for filing returns with the GST Network, as initiated by you or your CA.
Account Aggregator: Bank data flows through RBI-licensed Account Aggregators under the consent framework. We act as a Financial Information User (FIU).
Payment Processor: Subscription payment data is shared with Razorpay (PCI-DSS Level 1 compliant) for processing payments.
Cloud Infrastructure: Data is stored on AWS (Mumbai region, ap-south-1). AWS acts as a data processor under our instructions and does not access your data.
AI Processing: Document text (for OCR) and transaction descriptions (for categorization) are sent to Anthropic Claude API for processing. Only the minimum data required is sent, and Anthropic does not retain this data per our Data Processing Agreement.
Legal Obligations: We may disclose data if required by law, court order, or government authority under applicable Indian law, including requests under the IT Act, Prevention of Money Laundering Act, or Income Tax Act.

6. Data Storage and Security

6.1 Where We Store Your Data

6.2 Security Measures

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
Encryption at Rest: All stored data is encrypted using AES-256 encryption.
Access Controls: Role-based access control (RBAC) ensures users can only access data they are authorized to view. Multi-factor authentication is enforced for all accounts.
Audit Logging: Every data access and modification is logged in an immutable audit trail with timestamps, user identity, and action details.
Session Security: Sessions use secure, httpOnly cookies with automatic expiration. Concurrent session limits are enforced.
Infrastructure: Managed database with automated backups, point-in-time recovery, and network isolation via Virtual Private Cloud (VPC).
Vulnerability Management: Regular security assessments, dependency scanning, and prompt patching of known vulnerabilities.

7. Data Retention

Active Account: Your data is retained for as long as your account is active and you maintain a subscription.
After Account Deletion: Upon account deletion request, we delete your personal data within 30 days. Financial records required for legal/tax compliance (GST records, invoices, audit logs) are retained for a minimum of 8 years as required under the GST Act and Income Tax Act, after which they are permanently deleted.
Inactive Accounts: Accounts with no login activity for 24 consecutive months will be flagged. We will notify you via your registered phone number and email before any data deletion.
Backups: Encrypted backups may retain deleted data for up to 90 days for disaster recovery, after which backup data is purged.

8. Your Rights

Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian law, you have the following rights:

Right to Access: Request a copy of all personal data we hold about you.
Right to Correction: Request correction of inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
Right to Data Portability: Export your data in standard machine-readable formats (CSV, JSON, PDF) at any time from Settings.
Right to Withdraw Consent: Withdraw consent for data processing at any time. For Account Aggregator (bank sync), consent can be revoked directly through the AA consent manager.
Right to Grievance Redressal: File a complaint with our Grievance Officer (details below) or with the Data Protection Board of India.

To exercise any of these rights, email us at privacy@trubook.ai. We will respond within 72 hours and fulfill your request within 30 days.

9. Cookies and Tracking

Essential Cookies: We use strictly necessary cookies for session management and authentication. These cannot be disabled as they are required for the Platform to function.
Analytics: We use anonymized, aggregated analytics to understand feature usage. No personal or financial data is included in analytics.
No Third-Party Trackers: We do not use third-party advertising trackers, social media pixels, or cross-site tracking technologies.

10. Children's Privacy

11. Third-Party Links

12. Changes to This Policy

13. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the details of our Grievance Officer are:

Grievance Officer: Data Protection Officer, TruBook Technologies Private Limited

Email: grievance@trubook.ai

Address: Registered Office: Noida, Uttar Pradesh, India

Response Time: Within 72 hours of receiving the complaint.

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:

Email: privacy@trubook.ai

Company: TruBook Technologies Private Limited

Address: Registered Office: Noida, Uttar Pradesh, India