1. Who we are (Data Fiduciary)
This Privacy Policy applies to all websites, applications and services operated under the TheWealthBuddy brand by CA Harsh Jain, having his principal place of business in Jaipur, Rajasthan, India. For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), we act as the Data Fiduciary for the personal data we collect from you. For any data you upload about your own clients (e.g. a CA uploading client invoices into BillBuddy), you are the Data Fiduciary and we act as a Data Processor on your instructions.
2. What we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, phone, firm name, GSTIN (optional), password (hashed) | You, at signup |
| Billing data | Plan selected, invoices, GSTIN for invoicing, last-4 digits of card / UPI handle (returned by gateway), payment status | Cashfree gateway |
| Customer Data — BillBuddy | Bills/invoices, bank statements, salary registers, Tally ledger exports you upload | You, on each use |
| Customer Data — MF AI | Mutual-fund holdings, CAS/Wealth Elite exports, transaction history, NAV history pulled from public sources | You + public market data |
| Usage data | Pages visited, features used, error logs, device/browser, IP address, approximate location | Automated |
| Communications | Emails / WhatsApp messages you send to support, feedback, recorded webinar registrations | You |
We do not intentionally collect Aadhaar numbers, biometric data, full card numbers, CVVs, or net-banking passwords. If such data appears inside a document you upload (for example a salary slip showing Aadhaar), we will redact or refuse to process it.
3. Why we use it (purposes & legal basis)
- Provide the Services — extract data from your bills, run reconciliations, generate Tally exports, run MF analytics. Legal basis: performance of contract.
- Billing & tax compliance — generate GST-compliant invoices, retain books as required by the Income-tax Act and CGST Act. Legal basis: legal obligation.
- Security & abuse prevention — detect suspicious logins, rate-limit usage, audit logs. Legal basis: legitimate use.
- Customer support — respond to your queries on email/WhatsApp.
- Product improvement — aggregated, de-identified analytics; never linked back to you for marketing.
- Marketing communications — only with your consent (newsletter opt-in, webinar follow-up). You can opt out any time.
4. Sub-processors we use
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Cashfree Payments India Pvt Ltd | Payments & recurring debits | Name, email, phone, amount, payment-instrument token | India |
| Cloudflare, Inc. | Edge hosting, DDoS protection, Workers, R2/D1 storage | All Service traffic, encrypted Customer Data | Global edge (data residency configured for India where supported) |
| OCR / LLM provider(s) | Extract structured data from invoices and statements | The specific document being processed (transient) | Per provider; configured for no-training endpoints where available |
| Email / WhatsApp service | Transactional notifications (invoice receipts, renewal reminders) | Email address, phone, message content | India / Global |
| Sentry / error-monitoring | Capture crashes & bugs | Stack traces, user ID, redacted request metadata | EU/US |
We sign data-processing terms with each sub-processor. We will update this list when a material change occurs.
5. Cookies & similar tech
We use a small number of cookies and local-storage keys, only for: keeping you logged in, remembering your preferences, and basic anonymous analytics. We do not use third-party advertising cookies. You can clear cookies in your browser at any time — note that this will sign you out.
6. How long we keep your data
- Account data — for as long as your account is active, plus up to 12 months after closure for dispute and audit handling.
- Customer Data uploads — for the duration of your subscription. After cancellation, retained for 30 days (recoverable on request) and then permanently deleted.
- Tax invoices & financial records — at least 8 years, as required under the Income-tax Act, 1961.
- Server logs — typically 30–90 days.
7. Your rights under the DPDP Act
You have the right to:
- Access a summary of the personal data we process about you;
- Correction & erasure — request correction of inaccurate data or deletion of data no longer needed;
- Withdraw consent — for any processing based on consent (e.g. marketing emails);
- Grievance redressal — escalate to our Grievance Officer (Section 10);
- Nominate another individual to exercise these rights in case of your death or incapacity.
To exercise these rights, email caharshjain22@gmail.com from the email address registered on your account. We will respond within 30 days.
8. How we secure your data
- HTTPS/TLS in transit; AES-encrypted storage at rest in Cloudflare R2 / D1;
- Hashed and salted passwords (bcrypt/argon);
- Role-based access — only Harsh and explicitly authorised support personnel can access production data, and only when needed to support a User request;
- Audit logs for sensitive actions (see `lib/audit_log.js` in our codebase);
- API keys / secrets managed via Cloudflare environment variables — never committed to source control;
- Regular dependency and security reviews (see `SECURITY_AUDIT_STATUS.md`).
9. Cross-border transfer
Some sub-processors (e.g. Cloudflare global edge, certain LLM/OCR endpoints, error monitoring) may process data outside India. Where this happens we rely on standard contractual safeguards and on the central government's notifications under Section 16 of the DPDP Act. By using the Services you consent to such transfer where it is necessary to deliver the Service to you.
10. Children
The Services are not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a child has shared data with us, contact the Grievance Officer below — we will delete it.
11. Grievance Officer
- Name: CA Harsh Jain
- Email: caharshjain22@gmail.com
- Phone / WhatsApp: +91 97994 20844
- Address: Jaipur, Rajasthan, India
- Acknowledgement: within 48 hours · Resolution: within 30 days.
12. Changes to this Policy
We may revise this Policy from time to time. Material changes will be notified by email and/or an in-app banner at least 15 days before they take effect.
13. Contact
For any privacy question, write to caharshjain22@gmail.com or WhatsApp +91 97994 20844.