Privacy Policy

BillRaja ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the BillRaja mobile application and website (collectively, the "Service").

This policy is published in accordance with the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Information Technology Act, 2000 ("IT Act"), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").

This policy applies to two categories of users: (a) Business Users — business owners and their team members who create accounts and use BillRaja for billing, invoicing, and business management; and (b) End-Customers — customers of Business Users who access the OTP-verified bill viewing portal without creating a BillRaja account.

Under the DPDPA 2023, we process your personal data on the following lawful bases:

• Consent (Section 6, DPDPA): By creating an account or using the OTP portal, you provide consent for data processing as described in this policy. You may withdraw consent at any time by deleting your account or contacting us.
• Contractual necessity: Processing required to provide the Service you have subscribed to (invoicing, team management, payment processing).
• Legal obligation: Retention of GST records and financial data as required under the Income Tax Act, 1961 and GST Act, 2017.
• Legitimate interest: Crash diagnostics, fraud prevention, and service improvement — limited to non-intrusive analytics.

Sensitive Personal Data (SPDI Rules): Bank account details (account number, IFSC, bank name), UPI IDs, and financial information you provide are classified as Sensitive Personal Data or Information under the SPDI Rules. We collect this data only with your explicit consent, use it solely for invoice generation and payment facilitation, and protect it with reasonable security practices as required under Section 43A of the IT Act.

Account Information

• Your name, email address, and phone number (via Google Sign-In or phone verification)
• Firebase User ID (UID) and profile photo

Business Profile Data

• Business name, address, GSTIN, UPI ID, and bank details
• Business logo images
• Store GPS coordinates (when provided)

Business Records

• Customer data including GSTIN and contact details
• Invoice and financial data
• Product catalog and inventory records
• Purchase order information

Subscription & Payment

• Subscription plan and billing cycle information
• Payment status records (we do NOT store card numbers or UPI PINs)
• Google Play transaction references

Usage & Device Data

• FCM (Firebase Cloud Messaging) push notification tokens
• App usage patterns for analytics (no personally identifiable analytics)
• Device information (model, OS version) for crash diagnostics via Firebase Crashlytics
• App configuration preferences via Firebase Remote Config

Customer Bill Viewing (OTP Portal)

• BillRaja allows your business customers to view their invoices through a secure OTP-verified portal without creating a BillRaja account
• We collect the end-customer's phone number (to send and verify OTP), OTP verification status and timestamp, and basic device/browser information for security
• OTP codes expire after a limited time and are not stored after verification
• End-customers receive read-only access to invoices associated with their phone number only
• End-customer phone numbers may be visible to the business owner who generated the invoice
• End-customers can contact us at contact@billraja.com to request deletion of their OTP verification records

Location Data

• GPS location is collected only when you enable the Geo-Attendance feature for your team
• Location is used solely for geo-fenced attendance verification

Team & Collaboration Data

• Team member profiles and roles
• Attendance logs with timestamps
• Audit logs for business operations

We use the collected information to:

• Provide, operate, and improve the BillRaja Service
• Generate and manage your GST-compliant invoices
• Process subscription payments via Google Play Billing
• Send transactional notifications (invoice reminders, overdue alerts)
• Authenticate your identity and secure your account
• Enable team collaboration features
• Enable your customers to securely view their invoices via OTP verification
• Provide customer support and respond to inquiries
• Comply with applicable Indian laws and regulations

We do not sell your personal information or business data to third parties. We do not use your data for advertising.

All data is stored securely on Google Firebase (Firestore) servers. Firebase provides enterprise-grade security including:

• Encryption at rest and in transit (TLS/SSL)
• Strict Firestore security rules — you can only access your own data
• Firebase App Check to prevent unauthorized API access
• Google Cloud infrastructure with SOC 2, ISO 27001 compliance

The app supports 100 MB offline cache for uninterrupted use without internet. This data is stored locally on your device.

We may share your information only in the following limited circumstances:

• Service providers: Firebase (Google), Google Play Billing for payment processing
• Your customers: When you enable customer bill viewing, your customers can view their specific invoice details through the OTP-verified portal
• Legal requirements: When required by Indian law, court order, or government authority
• Business transfers: In the event of a merger or acquisition, with appropriate notice

Your customer data, invoice data, and business records are never shared with other BillRaja users or third parties for commercial purposes.

Cross-Border Data Transfer (Section 16, DPDPA): Your data is stored on Google Firebase servers which may be located outside India. By using the Service, you consent to this transfer. Google maintains appropriate security standards and data processing agreements. We will not transfer data to any country restricted by the Central Government under Section 16(1) of the DPDPA.

We retain your data for as long as your account remains active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., GST records may need to be retained for audit purposes).

Business data (invoices, GST records) that may be subject to statutory retention requirements under Indian law (Income Tax Act, GST Act) may be retained for up to 7 years even after account deletion.

Specific retention periods: OTP verification records for end-customers are retained for up to 90 days for security and fraud prevention, then automatically deleted. Firebase Analytics and Crashlytics data is retained per Google's default retention policies (14 months for Analytics, 90 days for Crashlytics).

As a Data Principal under the DPDPA 2023, you have the right to:

• Right to Access (Section 11): Request a summary of your personal data being processed and the processing activities
• Right to Correction & Erasure (Section 12): Update inaccurate information in the app settings, or request account and data deletion (see Account Deletion page)
• Right to Grievance Redressal (Section 13): File a complaint with our Grievance Officer, who will acknowledge receipt within 48 hours and resolve it within 30 days
• Right to Nominate (Section 14): Nominate another individual to exercise your rights in case of your death or incapacity, by writing to our Grievance Officer
• Data Portability: Export your business data as CSV (available on Pro and Enterprise plans)
• Withdrawal of Consent: Withdraw consent for data processing at any time by deleting your account or contacting us. Withdrawal does not affect the lawfulness of processing done prior to withdrawal. You may also disable specific permissions (location, contacts, camera) via your device settings.

End-Customer Rights: If you are an end-customer who accessed the OTP bill viewing portal, you may exercise your rights by emailing contact@billraja.com with your phone number and request.

BillRaja is not intended for persons under the age of 18. We do not knowingly collect personal information from children. If you are a parent and believe your child has provided us with personal information, please contact us immediately.

The Service integrates with the following third-party services, each governed by their own privacy policies:

• Google Firebase (authentication, database, analytics, crashlytics, remote config)
• Google Sign-In
• Google Play Billing (payment processing)

We may update this Privacy Policy from time to time. We will notify you of significant changes via in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

In accordance with the DPDPA 2023 and the Information Technology Act, 2000, the details of the Grievance Officer are:

For general questions or concerns regarding this Privacy Policy or your data: