Privacy Policy
This Privacy Policy explains how Zesst Now Services Private Limited ("we", "us", "BizGST Pro") collects, uses, stores and protects personal data when you use https://bizgstpro.com and related services (the "Service"). We are the data fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") for account data, and act on your instructions for the business records you store in the Service.
1. Data We Collect
- Account data: name, email, phone, password (hashed — we never see it), business name, GSTIN, business address.
- Business records you create: customers, invoices, items, stock, expenses, payments, leads. This data belongs to you.
- Usage data: log data, IP address, device/browser type, pages visited — used for security (rate limiting, fraud prevention) and product improvement.
- Payment data: processed by our payment partner (Razorpay). We never store your card/UPI credentials.
2. Why We Process It (Purpose Limitation)
- To provide the Service: authentication, invoicing, reports, reminders.
- To secure the Service: CAPTCHA verification, abuse and brute-force prevention, audit logging.
- To communicate: transactional emails (verification, receipts), service updates. Marketing emails only with consent, with one-click unsubscribe.
- To comply with law: tax, accounting and regulatory obligations applicable in India.
We do not sell your personal data. We do not use your business records to advertise to your customers.
3. AI Features
When you use the AI assistant, your query text is sent to our AI provider (OpenAI) to generate a response. Queries are rate-limited per user. Do not include sensitive personal data in AI queries. We log query counts and token usage for billing and abuse prevention.
4. Where Data Is Stored & Subprocessors
- Supabase (database & authentication) — primary data stored in the Mumbai (ap-south-1) region, India.
- Vercel (application hosting/CDN) — global edge network.
- OpenAI (AI assistant) — processes AI queries.
- Razorpay (payments) — India.
- Cloudflare (CAPTCHA/security) — global.
Each subprocessor is bound by its own security and data-protection commitments. A current list is maintained on this page.
5. Your Rights (DPDP Act)
- Access & correction: view and edit your data in the app, or request a copy by email.
- Erasure: request account deletion; we delete personal data within 30 days except records we must retain by law (e.g., tax records).
- Grievance redressal: write to our Grievance Officer at support@bizgstpro.com; we respond within 15 days.
- Consent withdrawal: withdraw marketing consent anytime via unsubscribe or email.
6. Retention
Account data is retained while your account is active. Business records are retained until you delete them or your account. Backups roll off within 35 days of deletion. Legal/tax records may be retained longer where required by law.
7. Security
Encryption in transit (HTTPS/TLS) and at rest, row-level tenant isolation, role-based access, immutable audit logs, CAPTCHA and rate limiting. Details on our Security page. No system is 100% secure; we notify affected users and authorities of breaches as required by the DPDP Act.
8. Cookies
We use only essential cookies: session/authentication cookies and security tokens. We do not use third-party advertising cookies.
9. Children
The Service is for businesses and is not directed at children under 18.
10. Changes
We will post updates here and, for material changes, notify you by email or in-app notice. Continued use after the effective date means you accept the updated policy.
Other policies: Terms · Privacy · Refunds · Security · DPA · Disclaimer