BillRaja ("we", "our", or "us") is a business management application designed to help small businesses in India with billing, invoicing, employee attendance tracking, team management, membership management, inventory, GST compliance, and business reporting. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our app.
This policy is published in accordance with the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Information Technology Act, 2000 ("IT Act"), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").
This policy applies to two categories of users: (a) Business Users — business owners and their team members who create accounts and use BillRaja for billing, invoicing, and business management; and (b) End-Customers — customers of Business Users who access the OTP-verified bill viewing portal without creating a BillRaja account.
By using BillRaja, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the app.
1A. Lawful Basis for Processing (DPDPA 2023)
Under the DPDPA 2023, we process your personal data on the following lawful bases:
Consent (Section 6, DPDPA): By creating an account or using the OTP portal, you provide consent for data processing as described in this policy. You may withdraw consent at any time by deleting your account or contacting us.
Contractual necessity: Processing required to provide the Service you have subscribed to (invoicing, team management, payment processing).
Legal obligation: Retention of GST records and financial data as required under the Income Tax Act, 1961 and GST Act, 2017.
Legitimate interest: Crash diagnostics, fraud prevention, and service improvement — limited to non-intrusive analytics.
Sensitive Personal Data (SPDI Rules): Bank account details (account number, IFSC, bank name), UPI IDs, and financial information you provide are classified as Sensitive Personal Data or Information under the SPDI Rules. We collect this data only with your explicit consent, use it solely for invoice generation and payment facilitation, and protect it with reasonable security practices as required under Section 43A of the IT Act.
1. Information We Collect
a) Account & Sign-In Information
Depending on how you sign in, we may collect:
Unique user identifier (UID)
Your name, email address, and Google profile photo URL when you use Google Sign-In
Your phone number when you use phone number verification (OTP)
b) Business Profile Information
To generate invoices and comply with GST requirements, you may provide:
Business/store name, address, and state
Phone number and email
GSTIN (GST Identification Number)
Business logo (uploaded image)
Bank account details (account holder name, account number, IFSC code, bank name)
UPI ID for payment collection
Invoice number prefix and payment terms
Digital signature (captured in-app or uploaded)
c) Customer Data & Contact Import
Customer name, phone number, email, and address
Customer GSTIN
Customer group classifications and notes
Outstanding balance and payment history
If you choose to import a customer from your address book, we access the selected contact details so you can save them into the app.
d) Invoice & Financial Data
Invoice numbers, dates, and due dates
Line items: descriptions, quantities, prices, HSN codes, units
GST rates and tax calculations (CGST, SGST, IGST)
Discounts (percentage or flat amount)
Payment status (paid, pending, overdue, partially paid)
Amount received and payment method (Cash, UPI, Bank Transfer, Cheque)
Invoice notes and terms
Creator signature (name, UID, and signature URL) when invoices are created by team members
e) Product & Inventory Data
Product names, descriptions, categories, SKUs, and prices
Stock levels and stock movement history (purchase, sale, manual adjustment, return)
HSN codes for GST compliance
f) Purchase Order Data
Vendor/supplier information
Purchase order line items, quantities, and costs
PO status (draft, confirmed, received, cancelled)
g) Team & Collaboration Data
If you create or join a team workspace, we collect and store:
Team membership details (your role: Owner, Manager, or Staff)
Permission settings and overrides per team member
Team invitations (email, status, timestamps)
Creator attribution on invoices (which team member created each invoice)
Team owners and managers can view all team data. Your business data created under a team workspace is accessible to other team members based on their role and permissions.
h) Attendance & Location Data
If your team uses attendance features, we collect:
Check-in and check-out timestamps
QR code attendance scans
Precise GPS location (latitude and longitude) at the time of check-in/check-out for geo-fenced attendance
Distance from configured office location
Hours worked, on-time status, and attendance statistics
Location is collected only in the foreground when you actively open the Attendance screen and tap Check In or Check Out. We do not track your location in the background or when the app is closed.
Your attendance and location data is visible to your team owner/manager for verification purposes.
i) Membership & Subscription Plan Data
Membership plans you create (name, duration, pricing, benefits, GST settings)
Member records (linked to plans, payment history, status, expiry dates)
Membership invoices and renewal tracking
j) Subscription & Payment Data
Your BillRaja subscription plan (Free, Pro, Enterprise)
Billing cycle (monthly or annual) and subscription status
Google Play purchase and subscription identifiers
Subscription period dates (start, end, grace period)
Note: We do NOT store your credit/debit card numbers or banking credentials. Payment processing is handled by Google Play Billing.
When you use BillRaja's AI features (Business Chat and Team Insights), relevant business data is sent to Google's Gemini AI service to generate responses. This may include:
Aggregated invoice data (revenue, counts, amounts)
Customer names and payment summaries
Product sales and inventory levels
Team member performance summaries
Payment and collection patterns
How AI data is handled:
Data is sent to Google's Gemini API over encrypted connections
AI-generated insights may be cached temporarily to improve performance
We do not use your business data to train AI models
Google's use of data sent to Gemini is governed by Google's AI terms of service and Firebase AI terms
AI responses are generated in real-time and are not stored permanently unless cached for a limited period
Important: AI-generated insights, advice, and responses are for informational purposes only. They should not be treated as professional financial, legal, tax, or accounting advice. Always verify AI-generated information independently.
m) Customer Bill Viewing (OTP Portal)
BillRaja allows your business customers to view their invoices through a secure OTP (One-Time Password) verification portal. When a customer accesses this portal:
Information collected from end-customers:
Phone number (to send and verify OTP)
OTP verification status and timestamp
Device and browser information for security purposes
IP address for rate limiting and fraud prevention
How end-customer data is handled:
Phone numbers are used solely for OTP delivery and verification
OTP codes expire after a limited time and are not stored after verification
End-customers can only view invoice data shared by the business — they cannot modify, delete, or access other business data
End-customer access sessions expire automatically
We do not create a BillRaja account for end-customers
End-customer phone numbers may be visible to the business owner who generated the invoice
End-customer rights: End-customers can contact us at contact@billraja.com to request information about their data or request deletion of their OTP verification records.
2. How We Use Your Information
Provide and maintain all app features — billing, invoicing, team management, attendance, membership, inventory, GST reports, and purchase orders
Authenticate your identity and secure your account
Enforce single active session per account
Process subscription payments through Google Play Billing
Send push notifications (overdue reminders, team updates)
Generate PDF invoices with your business branding and signatures
Enable invoice sharing via WhatsApp, SMS, email, and direct links
Calculate and display GST reports and GSTR-3B data
Enforce plan limits and track feature usage
Manage team workspaces, roles, and permission-based access
Record and display employee attendance and location verification
Manage membership plans, member records, and renewals
Provide AI-powered business insights, chat responses, and team analytics using Google's Gemini AI
Enable your customers to securely view their invoices via OTP verification
Deliver one-time passwords for customer bill access verification
Improve app performance, fix bugs, and prevent abuse
Comply with legal obligations
3. Data Storage & Security
Your data is stored using Google Firebase services:
Cloud Firestore: Business profile, invoices, customers, products, teams, attendance, memberships, and subscription data — stored on Google's secure cloud infrastructure with automatic encryption at rest.
Firebase Storage: Business logos, invoice PDFs for sharing, and signature images.
Local Cache: Up to 100 MB cached on your device for offline access. Syncs automatically when connected.
Security measures:
Firestore security rules enforce account ownership and role-based team access
While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
Google Play Billing (subscription payment processing) — Privacy Notice
5. Data Sharing
We do NOT sell, trade, or rent your personal information to third parties.
Your data may be shared only in these circumstances:
With Google Play: To process subscription payments.
With Google/Firebase: For authentication, data storage, analytics, and push notifications.
With Google Gemini AI: Business data summaries are sent to Google's Gemini API to generate AI-powered insights. This data is processed per Google's AI terms.
With your customers: When you enable customer bill viewing, your customers can view their specific invoice details through the OTP-verified portal.
Invoice and payment sharing: When YOU choose to share invoices or payment requests via WhatsApp, SMS, email, or public links, the invoice data is made available through those channels.
With your team: If you are part of a team workspace, your attendance records, invoices, and business data may be visible to team owners and managers based on role permissions.
Legal compliance: If required by law, regulation, or valid legal process.
Cross-Border Data Transfer (Section 16, DPDPA)
Your data is stored on Google Firebase servers which may be located outside India. Data sent to Google's Gemini AI service may also be processed on servers outside India. By using the Service, you consent to this transfer. Google maintains appropriate security standards and data processing agreements. We will not transfer data to any country restricted by the Central Government under Section 16(1) of the DPDPA.
6. Data Retention
We retain your data for as long as your account is active. If you delete your account:
Your business profile, invoices, customers, products, purchase orders, membership plans, members, team data, attendance records, and analytics are deleted from our backend systems.
Uploaded assets (business logo, signature images, shared invoice PDFs) are deleted from storage.
Active subscriptions may be cancelled as part of the deletion flow.
If you are a team owner, your team workspace and all associated team member relationships are affected.
Local cached data on your device continues to exist until app data is cleared or the app is uninstalled.
Payment records maintained by Google Play are subject to Google's retention policies.
We may retain limited records as required by Indian tax and business regulations.
Specific retention periods: OTP verification records for end-customers are retained for up to 90 days for security and fraud prevention, then automatically deleted. AI-generated insight caches expire automatically within 24-48 hours. Firebase Analytics and Crashlytics data is retained per Google's default retention policies (14 months for Analytics, 90 days for Crashlytics).
7. Your Rights (Section 11-14, DPDPA)
As a Data Principal under the DPDPA 2023, you have the right to:
Right to Access (Section 11): Request a summary of your personal data being processed and the processing activities. View all your data within the app at any time.
Right to Correction & Erasure (Section 12): Update your business profile, customer, product, and team information anytime. Delete your account in Settings > Danger Zone, via our account deletion page, or by emailing contact@billraja.com.
Right to Grievance Redressal (Section 13): File a complaint with our Grievance Officer, who will acknowledge receipt within 48 hours and resolve it within 30 days.
Right to Nominate (Section 14): Nominate another individual to exercise your rights in case of your death or incapacity, by writing to our Grievance Officer.
Data Portability: Export invoices, customers, and products as CSV files (Pro and Enterprise plans).
Withdrawal of Consent: Withdraw consent at any time by deleting your account or contacting us. Withdrawal does not affect the lawfulness of processing done prior to withdrawal. You may also disable specific permissions (location, contacts, camera) via device settings.
End-Customer Rights: If you are an end-customer who accessed the OTP bill viewing portal, you may exercise your rights by emailing contact@billraja.com with your phone number and request.
8. Children's Privacy
BillRaja is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us at contact@billraja.com and we will promptly delete it.
9. Permissions
Internet: Required for syncing data, authentication, and processing payments.
Notifications: For invoice reminders, overdue alerts, and team updates.
Contacts: If you choose to import customer details from your address book.
Photo/Media Picker: If you choose to upload a business logo.
Camera: For QR code attendance check-in scanning and uploading business logo or signature images.
Location (ACCESS_FINE_LOCATION): Used only for geo-fenced attendance. Collected in the foreground when you check in or check out. Not collected in the background.
Vibration: To support notification delivery on supported devices.
Optional permissions are requested only when you trigger the related feature.
10. Data Breach Notification
In the event of a data breach that affects your personal or business data, we will:
Notify affected users via email and/or in-app notification without unreasonable delay.
Provide details of the nature of the breach, the data affected, and the steps we are taking.
Report the breach to relevant authorities as required under the Digital Personal Data Protection Act (DPDPA) 2023 and other applicable Indian laws.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or via email. Continued use of the app after changes constitutes acceptance of the updated policy.
The Grievance Officer shall acknowledge your complaint within 48 hours and resolve it within 30 days of receiving them, in compliance with the IT Act and DPDPA requirements.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your data: