Bilty respects your privacy. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what choices you have. It applies to bilty.software, the Bilty progressive web app, and the Bilty mobile and desktop applications.

This policy is written for compliance with India's Digital Personal Data Protection Act 2023 (DPDP), Apple App Store and Google Play Store privacy disclosure requirements, and the EU GDPR (for the small number of users we have outside India).

1. Who we are

The data controller (or "Data Fiduciary" under the DPDP Act) is Bilty Technologies Pvt Ltd, a company registered under the Indian Companies Act 2013 with its registered office at [Address line 1, Bhiwandi, Maharashtra — 421302, India].

2. What data we collect

2.1 Account & identity

• Name, business name, GSTIN, PAN (when entered)
• Phone number, email address
• Username and bcrypt-hashed password
• Profile photo (only if you choose to upload one)

2.2 Customer-business data you enter

• Bilty / lorry receipt records (consignor, consignee, vehicle, freight, route)
• GST invoices, quotations, accounting entries, payments
• Master data — drivers, vehicles, brokers, banks, locations
• Attachments uploaded against any record (PDFs, images)

2.3 API credentials (encrypted at rest)

• GSP / E-way Bill keys (Cygnet, ClearTax, Webtel, Karvy, Custom)
• WhatsApp Cloud API access tokens
• Razorpay key ID + secret + webhook secret
• Wheels Eye GPS API key
• SMS provider credentials (MSG91 / Twilio / TextLocal)

All secrets are encrypted with AES-256-CBC before being written to the database. We never log decrypted secret values.

2.4 Technical & usage data

• IP address (used for session security only — not for advertising)
• Browser user-agent, device type, operating system
• App crash logs (mobile/desktop apps)
• Activity log entries (who did what, when — visible to your admin only)

2.5 Data we do NOT collect

• We do not collect or process payment-card numbers — that is handled directly by Razorpay (PCI-DSS compliant).
• We do not access your phone contacts, photos library, microphone, calendar, location (other than driver-trip GPS that you explicitly configure), or Bluetooth.
• We do not run any third-party advertising / analytics SDK in our apps. No Facebook Pixel, no Google Analytics, no behavioural tracker.

3. How we use it

Data type	Purpose	Legal basis (DPDP & GDPR)
Account & identity	Provide the Service, authenticate you, send transactional emails	Contract
Customer-business data	Render reports, dashboards, exports, e-way bill generation, GSTR filings	Contract
API credentials	Call third-party APIs on your behalf when you initiate the action	Consent
IP & user-agent	Session security, brute-force prevention, fraud detection	Legitimate interest
Crash logs	Improve software stability	Legitimate interest

4. Where it lives

Customer data is stored on dedicated MySQL/MariaDB servers in Mumbai, Maharashtra (India). Backups are kept on encrypted volumes in the same region. We do not transfer customer data outside India except as described in section 12.

5. Who we share with

We share Customer Data only with the following categories of recipients, and only as needed to deliver the Service you have asked for:

• GSP providers (Cygnet, ClearTax, Webtel, Karvy or Custom) — when you trigger an e-way bill API call. Only the EWB-01 payload for that bilty is sent.
• GSTN portal — when GSTR JSON or e-invoice JSON is uploaded by you (or pushed through the GSP API).
• Meta (WhatsApp Cloud API) — when you share a bilty or invoice via WhatsApp.
• Razorpay — when you generate an online payment link for an invoice.
• SMS gateway — when you send a transactional SMS.
• Wheels Eye / your GPS provider — periodic position polling for vehicles you enable.
• Indian government authorities — when required by law, court order or competent regulatory body.

We do not sell, rent, lease or trade your personal data to advertisers, brokers or any third party.

6. App permissions explained

The Bilty mobile apps may request the following OS permissions. You can deny any of them in your phone's Settings — affected features simply won't work.

Permission	Why we ask	Required?
Camera	Capture photo attachments on bilties / receivings (e.g., proof of delivery)	Optional
Storage	Save downloaded PDFs / Excel / JSON exports	Optional
Notifications	Push reminders for overdue invoices, vehicle-document expiry, EWB validity	Optional
Biometric (Face ID / Fingerprint)	Quick re-unlock instead of typing password	Optional
Internet	Sync with our servers	Required

7. Cookies & tracking

The bilty.software website uses one strictly-necessary cookie to maintain your session. We do not use advertising or analytics cookies. The mobile apps use no cookies.

8. Retention & deletion

We retain Customer Data for as long as your account is active and for 30 days after account closure (during which you can export). After 30 days the data is moved to cold storage for an additional 60 days for accidental-deletion recovery, then permanently deleted from active and backup systems.

Activity logs and audit trails are retained for 2 years to satisfy book-of-account requirements under the GST Act and the Companies Act.

9. Your rights (DPDP / GDPR)

Subject to the DPDP Act 2023 and applicable law, you have the following rights:

• Right to access — request a copy of personal data we hold about you
• Right to correction — fix inaccurate or incomplete data (most fields are also editable directly in your account)
• Right to erasure — request deletion of personal data, subject to legal retention obligations
• Right to grievance redressal — escalate any complaint to our Grievance Officer (see section 14)
• Right to nominate — designate another individual to exercise your rights in case of incapacity (DPDP-specific)
• Right to withdraw consent — at any time, by disabling the relevant API integration in App Config, by uninstalling the apps, or by closing your account

10. Children's privacy

The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us and we will delete it.

11. Security measures

• HTTPS / TLS 1.2+ for all transport
• bcrypt password hashing (cost factor 12)
• AES-256-CBC encryption of API credentials at rest
• CSRF tokens on every state-changing request
• Session IP-binding to mitigate session hijacking
• Brute-force protection (5 failed attempts in 15 minutes triggers a lockout)
• Server-side input validation + prepared statements (no SQL injection surface)
• 30+ granular permission keys with role-based access control
• Annual third-party security review & penetration test

12. International transfers

Customer Data is stored in India. However, when you choose to integrate with services hosted outside India (e.g. Meta WhatsApp, Razorpay's global edge, Twilio, Firebase Cloud Messaging for push notifications), the necessary payload is transmitted to those providers' servers in their respective regions. By enabling such integrations you consent to those transfers.

13. Changes to this policy

We may update this Privacy Policy from time to time. The effective date at the top will reflect the latest revision. For material changes we will notify you 30 days in advance by email and via in-app banner.

14. Contact & grievance officer

For questions about this policy or to exercise any of your rights:

• Email — privacy: privacy@bilty.software
• Email — security: security@bilty.software

Under the DPDP Act, our designated Grievance Officer is:

• Name: [Grievance Officer Name]
• Email: grievance@bilty.software
• Postal: [Address line 1, Bhiwandi, Maharashtra — 421302, India]

The Grievance Officer will acknowledge your complaint within 24 hours and resolve it within 30 days.