BillKey — Billing Anywhere, Anytime

Draft — counsel review required

This policy is a working draft. It will be reviewed by legal counsel before public launch. If you have questions in the interim, contact us.

Privacy Policy

Last updated: TBD

1. Who we are

BillKey is operated by [Company legal name TBD] (the "Company"), registered in India. For the purposes of the Digital Personal Data Protection Act, 2023 (DPDP), the Company is a Data Fiduciary in respect of personal data you provide.

2. What we collect

  • Account data: name, email, phone, role, tenant, GSTIN.
  • Business data: invoices, buyer details, transport information, and related metadata you submit to generate E-Way Bills and IRNs.
  • Authentication data: password hashes (never plaintext), TOTP secrets (encrypted), refresh-token session metadata.
  • Operational data: IP address, user agent, request timestamps, audit logs.

3. Why we collect it

  • To provide the Service and to authenticate you.
  • To submit your invoice data to the NIC e-Way Bill and e-Invoice systems via our GSP.
  • To detect fraud, debug issues, and comply with applicable law.
  • To send transactional emails (e.g. invites, password resets, approvals).

4. How we protect it

  • Encryption in transit (TLS) and at rest.
  • httpOnly, host-scoped refresh-token cookies; short-lived access tokens.
  • Tenant-level isolation in the database.
  • Audit log for every sensitive action.

5. Retention

We retain personal data for as long as necessary to provide the Service and to comply with statutory record-keeping under Indian GST law (typically 8 years). You may request earlier deletion of data not subject to mandatory retention.

6. Sharing

We share only the minimum necessary data with:

  • Our GSP (TaxPro) and NIC systems for EWB / IRN generation.
  • Our email provider (Brevo) for transactional emails.
  • Our object-storage provider (Cloudflare R2) for PDF archival.
  • Government authorities when legally required.

We do not sell personal data.

7. Your rights under DPDP

  • Access to your personal data.
  • Correction or completion of inaccurate data.
  • Erasure of data not subject to statutory retention.
  • Grievance redressal through our Data Protection Officer.

To exercise these rights, email hello@billsaathi.in. We will respond within statutory timeframes.

8. Children

The Service is not intended for individuals under 18. We do not knowingly collect personal data from children.

9. Cross-border transfers

Our infrastructure is hosted with reputable providers. Where data is transferred outside India, we ensure equivalent safeguards consistent with DPDP requirements.

10. Updates

We may update this Policy. Material changes will be notified by email or in the dashboard.

11. Grievance officer

Grievance Officer: TBD. Email: hello@billsaathi.in.
