Privacy Policy & Data Protection

Your Data Privacy Rights at ZapBooks AI

Last Updated: November 12, 2025

Effective Date: December 1, 2025

Privacy Policy Overview

At ZapBooks AI ("Company," "we," "us," "our"), we are committed to protecting your privacy and ensuring transparency about how we collect, process, and protect your personal data.

This Privacy Policy explains:

  • What data we collect
  • Why we collect it
  • How we use it
  • Who we share it with
  • How long we retain it
  • Your rights over your data
  • How we protect your data
  • How to contact us

This Privacy Policy complies with:

  • India's Digital Personal Data Protection (DPDP) Act, 2023
  • Information Technology Act, 2000
  • Sensitive Personal Data Rules, 2011
  • GDPR (for EU users)
  • Best practices for data privacy

Data We Collect

A. Account Registration Data

  • Name and email address
  • Phone number
  • Company name and registration details
  • Job title and department
  • GST registration number (optional)
  • PAN/Tax ID (optional)
  • Payment information (credit card, banking details)
  • IP address and device information
  • Login credentials (encrypted password)

B. Invoice Data (Customer Data)

  • Invoice documents (PDF, images, scans)
  • Vendor information (names, addresses, tax IDs)
  • Invoice amounts and dates
  • Line item details
  • GST details and tax information
  • Bank account details (if on invoices)
  • Employee information (if referenced in invoices)
  • Any other data contained in your invoices

C. Extracted Data (AI Processing)

  • Vendor names, addresses, contact details
  • Invoice totals, tax amounts, net amounts
  • Dates and invoice numbers
  • Payment terms and conditions
  • Line item descriptions and amounts
  • GST classifications
  • Ledger codes and accounting categories

D. Usage Data

  • Login times and frequency
  • Features used and how often
  • Invoices processed and sync status
  • Data export requests
  • Support tickets and communications
  • Dashboard interactions and analytics
  • Errors and performance issues
  • API usage and integration activity

E. Communication Data

  • Email communications with support
  • Chat history if using live chat
  • WhatsApp messages (for WhatsApp integration users)
  • Support ticket contents
  • Feedback and survey responses
  • Complaint details and resolutions

F. Technology Data

  • IP address and location data
  • Browser type and version
  • Operating system
  • Device type and model
  • Device identifiers
  • Cookies and tracking pixels
  • Session information
  • Clickstream data

G. Payment & Billing Data

  • Credit/debit card details (tokenized by Razorpay)
  • Payment transaction history
  • Invoice history
  • Billing address
  • Tax information
  • Refund and credit information

Why We Collect This Data

Legal Basis for Processing (DPDP Act)

A. Providing the Service

  • Processing invoices and extracting data
  • Storing and managing your account
  • Syncing with Tally or Zoho Books
  • Generating reports and dashboards
  • Customer support and technical assistance
  • Billing and payment processing

B. Legitimate Interest

  • Improving the Service and user experience
  • Detecting and preventing fraud
  • Security and abuse prevention
  • Compliance with legal obligations
  • Establishing, exercising, or defending legal claims
  • Analytics and service improvement

C. Legal Compliance

  • Complying with tax and accounting laws
  • Fulfilling data breach notification requirements
  • Responding to legal demands from authorities
  • Maintaining records required by law

D. Consent

  • Marketing communications (if you opt-in)
  • Cookies and tracking (if you consent)
  • Third-party integrations (if you authorize)

Who We Share Your Data With

A. Service Providers & Processors

  • Cloud hosting provider (AWS)
  • Payment processor (Razorpay)
  • Email service provider (SendGrid/Mailgun)
  • Accounting software (Tally, Zoho Books)
  • Communication platforms (WhatsApp Business API)
  • Support tools (help desk software)

B. Legal & Compliance

  • Government authorities (on legal demand)
  • Data Protection Board of India (for breach reports)
  • CERT-In (for security incidents)
  • Tax authorities (if required)
  • Law enforcement (on court order)
  • Regulators (if required by law)

C. Business Operations

  • Our employees (only those with need-to-know)
  • Our contractors and consultants (under NDA)
  • Our affiliates (if expanding service)
  • Professional advisors (lawyers, accountants, auditors)

D. Data NOT Shared

We do NOT sell, rent, or share your data with:

  • Marketing companies or advertisers
  • Data brokers or data sellers
  • Competitors (for competitive purposes)
  • Third-party apps without your authorization
  • Unrelated businesses

Exception: If you explicitly authorize data sharing with specific third parties, we will share as authorized.

Data Retention & Deletion

A. Active Accounts

  • Your personal data: Retained while account is active
  • Your invoices: Retained while account is active
  • Extracted data: Retained while account is active
  • Usage logs: Retained for 90 days
  • Backups: Retained for 90 days

B. Terminated/Inactive Accounts

  • Deleted within 30 days of termination
  • You can request deletion anytime
  • Data download available for 30 days
  • After 30 days: Permanently deleted
  • Backups: Deleted within 90 days

C. Legal Holds

  • If we receive a court order or legal demand
  • Data retained for legal proceedings
  • Retention continues until matter is resolved
  • You will be notified (if legally permitted)

D. Compliance Retention

  • GST records: Retained 6 years (per GST Act)
  • Financial records: Retained per accounting standards
  • Tax records: Retained per income tax requirements
  • Security logs: Retained 90 days
  • Backup retention: 90 days

E. Right to Deletion

You can request deletion of your data:

  • Submit request to: privacy@zapbooksai.com
  • Include your account ID and specific data requested
  • We will acknowledge within 5 days
  • We will delete within 15 business days
  • Some data may need to be retained (legal/compliance)
  • Confirmation email sent once deleted

Your Privacy Rights (DPDP Act)

A. Right to Information

You have the right to:

  • Know what personal data we have about you
  • Know why we are processing it
  • Know who we share it with
  • Know how long we retain it

Request Your Information:

  • Email: privacy@zapbooksai.com
  • Include: "DATA SUBJECT ACCESS REQUEST"
  • Provide your account details
  • Response: Within 10 business days
  • Format: Digital copy in standard format (CSV, PDF)
  • Cost: Free (unless voluminous)

B. Right to Correction

You can request correction of:

  • Inaccurate personal data
  • Incomplete personal data
  • Outdated information

Request Correction:

  • Email: privacy@zapbooksai.com
  • Include: "DATA CORRECTION REQUEST"
  • Specify what needs correction
  • Provide corrected information
  • Response: Within 10 business days

C. Right to Erasure (Right to be Forgotten)

You can request deletion of your data in cases of:

  • Data no longer necessary for stated purpose
  • Withdrawal of consent
  • Unauthorized processing
  • Legal requirement to delete
  • Data principal objects to processing

Exceptions (we may not delete):

  • Data needed to comply with law
  • Data needed for legal proceedings
  • Data needed for crime prevention
  • Data still necessary for service provision

Request Erasure:

  • Email: privacy@zapbooksai.com
  • Include: "DATA ERASURE REQUEST"
  • Reason for erasure request
  • Response: Within 15 business days
  • Confirmation: Sent once deleted

D. Right to Data Portability

You can request your data in portable format:

  • CSV format for easy import to other systems
  • Structured and commonly used format
  • Machine-readable format
  • Directly transfer to other service providers

Request Portability:

  • Email: privacy@zapbooksai.com
  • Include: "DATA PORTABILITY REQUEST"
  • Specify format preference
  • Response: Within 10 business days

E. Right to Withdraw Consent

If processing is based on your consent:

  • You can withdraw consent anytime
  • Withdrawal is effective going forward
  • Does not affect past processing
  • Send withdrawal to: privacy@zapbooksai.com
  • Processing stops within 5 business days

F. Right to Object

You can object to processing for:

  • Marketing purposes (unsubscribe any time)
  • Profiling or automated decision-making
  • Processing for purposes other than stated
  • Processing deemed intrusive

Request Objection:

  • Email: privacy@zapbooksai.com
  • Include: "OBJECTION TO PROCESSING"
  • Specify what processing you object to
  • Response: Within 10 business days

G. Right to Grievance Redressal

If your rights are violated:

  • File complaint with us first
  • Email: privacy@zapbooksai.com
  • Include: "DATA PRIVACY GRIEVANCE"
  • Details of violation
  • Our response: Within 30 days

If unsatisfied with our response:

  • File complaint with Data Protection Board of India
  • Reference our response reference number

Data Security Measures

A. Technical Security Measures

  • Encryption in transit: TLS 1.2+
  • Encryption at rest: AES-256 encryption
  • Multi-factor authentication (MFA) available
  • Role-based access control (RBAC)
  • Database encryption and isolation
  • Regular security patches and updates
  • Intrusion detection and prevention systems
  • DDoS protection and mitigation
  • Web application firewall (WAF)
  • Regular security scanning and testing

B. Administrative Security

  • Employee background checks
  • Limited employee access (need-to-know basis)
  • Confidentiality agreements for all staff
  • Regular security training for employees
  • Incident response procedures
  • Data protection officer oversight
  • Audit trails for all data access
  • Regular security audits

C. Organizational Security

  • Secure data center hosting (AWS)
  • Regular backups with encryption
  • Disaster recovery procedures
  • Business continuity planning
  • Vendor security assessment
  • Contracts with security obligations
  • Cyber liability insurance
  • Regular risk assessments

D. Limitations

  • No security is 100% secure
  • We cannot guarantee against sophisticated attacks
  • Third-party services may have vulnerabilities
  • Your devices may be compromised
  • Social engineering can bypass security

Cookies & Tracking

A. Cookies We Use

Strictly Necessary:

  • Authentication cookies (session management)
  • Security cookies (CSRF protection)
  • Accessibility cookies
  • No opt-out available (necessary for service)

Performance & Analytics:

  • Google Analytics for usage statistics
  • Hotjar for user interaction heatmaps
  • Page performance and error tracking
  • Opt-out available (set preferences)

Marketing & Advertising:

  • Retargeting pixels (showing ads on other sites)
  • Conversion tracking
  • Social media pixels (Facebook, LinkedIn)
  • Opt-out available (customize preferences)

B. Managing Cookies

Browser Settings:

  • You can disable cookies in browser settings
  • Effect: Some features may not work
  • Clearing cookies: Logs you out

Do Not Track:

  • If you enable "Do Not Track" in your browser
  • We will honor your preference
  • Analytics and tracking will be limited

C. Third-Party Cookies

Third-party services set cookies:

  • Google (Analytics, YouTube)
  • Facebook (retargeting)
  • LinkedIn (retargeting)
  • Email service providers

We cannot control third-party cookies. Refer to their privacy policies.

D. Your Rights Regarding Cookies

  • Right to refuse non-essential cookies
  • Right to clear cookies anytime
  • Right to opt-out of marketing tracking
  • Right to access cookie data
  • Cookies do not store personal data (unless you're logged in)

Children's Privacy

A. Age Restriction

The Service is intended for:

  • Adults aged 18 and above
  • Business users only
  • If you are under 18, you may NOT use the Service

B. Children's Data

If invoices contain children's information:

  • Minimal necessary data only
  • Parent/guardian consent required for processing
  • Data retained only as long as necessary
  • Enhanced security measures applied
  • Cannot be used for marketing to children

C. Parental Controls

If a parent/guardian wants to:

  • Access their child's data
  • Request deletion
  • Withdraw consent
  • Contact: privacy@zapbooksai.com

D. DPDP Act Compliance for Children

Under Section 8 of the DPDP Act:

  • Children under 18 need verifiable parental consent
  • We will attempt to verify parent/guardian identity
  • Parent can withdraw consent anytime
  • Enhanced protections for children's sensitive data

International Data Transfers

A. India First

  • Primary storage: AWS India region
  • Backups: India-based backup systems
  • Processing: Primarily in India
  • Data localization: Sensitive data stays in India

B. Cross-Border Transfers (Limited)

Data is sometimes transferred outside India to:

  • Zoho Books (if you sync, may use US servers)
  • Tally (depending on your configuration)
  • WhatsApp (US-based platform)
  • Third-party service providers

C. Legal Mechanisms

When we transfer data outside India:

  • We use legally approved mechanisms
  • Standard Contractual Clauses (SCCs)
  • Adequacy determinations (where available)
  • GDPR compliance for EU transfers
  • Your explicit consent for some transfers

D. Third-Party Privacy

  • Third parties have their own privacy policies
  • We are not responsible for their practices
  • Review their policies before syncing
  • Exercise caution with international transfers

E. GDPR Compliance

If you are in the EU:

  • You have additional rights under GDPR
  • We collect lawful basis for processing
  • We provide GDPR privacy notices separately
  • We honor GDPR data subject rights

Changes to This Privacy Policy

A. Right to Modify

We may update this policy:

  • To reflect changes in law
  • To reflect changes in our practices
  • To clarify existing policies
  • To address new technologies
  • To improve privacy protections

B. Notice of Changes

  • Material changes: 30 days' notice
  • Minor changes: Effective immediately
  • Notice via: Email or in-app notification
  • "Last Updated" date changed

C. Your Consent to Changes

  • Continued use = acceptance of new policy
  • You can opt-out of new practices
  • Opting out may limit your service use
  • You can terminate account to avoid new terms

D. Archive of Policies

  • Previous versions available upon request
  • Email: privacy@zapbooksai.com

Contact & Grievance Redressal

A. Contact Information

  • Privacy Email: privacy@zapbooksai.com
  • Data Protection Officer: dpo@zapbooksai.com
  • Website: www.zapbooksai.com

B. Response Times

  • Privacy inquiries: 2-3 business days
  • Data access requests: 10 business days
  • Complaint acknowledgment: 5 business days
  • Complaint resolution: 30 business days

C. Filing a Complaint

Step 1: Contact us

  • Email: privacy@zapbooksai.com
  • Provide: Account details, issue description, evidence

Step 2: Our investigation

  • Acknowledge within 5 days
  • Investigate within 20 days
  • Provide detailed response

Step 3: Resolution

  • If we find violation, we will remedy it
  • If you're unsatisfied, escalate to DPB

D. Escalation to Data Protection Board

If unsatisfied with our response:

  • File complaint with Data Protection Board of India
  • Include: Our response reference number
  • Attach: Copies of all communications

E. Dispute Resolution

  • First: Good faith negotiation with us
  • Second: Mediation (optional)
  • Third: Arbitration (binding)
  • Jurisdiction: Delhi courts (if arbitration fails)

Effective Date: December 1, 2025

Version: 1.0

This Privacy Policy is binding. By using ZapBooks AI, you accept our data practices.
