Privacy Policy
Last updated: 15 February 2026
1. Introduction
FlashBooks ("we", "us", "our") is committed to protecting the privacy and security of our users' personal and business data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use FlashBooks at flashbooks.in.
This Privacy Policy is published in compliance with:
- The Information Technology Act, 2000 ("IT Act")
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
- The Digital Personal Data Protection Act, 2023 ("DPDPA")
- The Consumer Protection Act, 2019
By using FlashBooks, you consent to the data practices described in this Privacy Policy. If you do not agree with these practices, please do not use the Service.
2. Data Fiduciary Information
Under the Digital Personal Data Protection Act, 2023, FlashBooks is the Data Fiduciary responsible for the processing of your personal data.
- Name: FlashBooks
- Website: flashbooks.in
- Contact Email: support@flashbooks.in
3. Personal Data We Collect
We collect the following categories of personal data to provide and improve the Service:
3.1 Account Information (provided directly by you)
- Full name (first name and last name)
- Email address
- Mobile phone number (with +91 country code)
- Google account information (if you choose to sign in via Google OAuth)
3.2 Business Information (provided by you)
- Organisation name and business type (Proprietorship, Partnership, LLP, Company, HUF, Trust, etc.)
- GSTIN (Goods and Services Tax Identification Number)
- PAN (Permanent Account Number)
- Business address (address line, city, state, pincode)
- State of registration and GST registration type
- Fiscal year settings and financial preferences
- Company logo (if uploaded)
3.3 Financial and Transactional Data (provided by you)
- Sales and purchase invoices, including line items, amounts, quantities, rates, and tax details (CGST, SGST, IGST, Cess)
- Credit notes and debit notes
- Payment records (inward and outward) with payment method details — cash, cheque, online transfer, bank transfer, TDS, and bad debts
- Contact details of your customers and vendors — names, addresses, GSTIN, PAN, phone numbers, email addresses, and bank account details (including IFSC codes, account numbers, and bank names)
- Product and service catalogue data — product names, HSN/SAC codes, descriptions, rates, GST rates, units of measurement, and stock levels
- Expense records — amounts, categories, dates, and descriptions
3.4 Technical Data (collected automatically)
- IP address
- Device information (browser type, operating system, screen resolution)
- Session data (session tokens with automatic 7-day expiry)
- Cookies for authentication and theme preferences
- Timestamps of access and actions within the Service
4. Purpose of Data Collection
In accordance with Section 4 of the Digital Personal Data Protection Act, 2023, we collect and process your personal data for the following specific, lawful purposes:
- Service Delivery: Providing and maintaining the FlashBooks platform, including invoice generation, payment tracking, contact management, and report generation
- Authentication: Verifying your identity through OTP-based authentication (email or SMS) or Google OAuth
- GST Compliance: Enabling generation of GST-compliant invoices with automatic CGST, SGST, and IGST calculations, and generating GSTR-1 reports
- Document Generation: Creating and exporting PDF invoices and enabling sharing via email and WhatsApp
- Communications: Sending service-related communications including OTP codes, account alerts, invoice delivery notifications, and payment reminders
- Organisation Management: Supporting multi-organisation functionality with role-based access control
- Service Improvement: Analysing usage patterns to improve the Service's functionality, performance, and user experience
- Security: Ensuring the security of the Service, preventing fraud, and detecting unauthorised access
- Legal Compliance: Complying with applicable Indian laws, regulations, and government directives
5. Consent
In accordance with Section 6 of the DPDPA, we collect and process your personal data based on your informed consent:
- At Registration: By creating an account and using the Service, you provide consent for the collection and processing of your personal data as described in this Privacy Policy
- Continued Use: Your continued use of the Service after being notified of changes to this Privacy Policy constitutes your consent to the updated practices
- Optional Communications: For non-essential communications (such as product updates or promotional messages), we will seek your explicit opt-in consent
Withdrawal of Consent: You may withdraw your consent at any time by contacting us at support@flashbooks.in or by deleting your account through the Settings section of the Service. Please note that withdrawal of consent may result in the inability to use certain or all features of the Service, as the data is necessary for service delivery.
6. Sensitive Personal Data
Under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, "Sensitive Personal Data or Information" (SPDI) includes financial information such as bank account details and payment instrument details.
- FlashBooks may process financial information, including bank account details of your customers and vendors, as entered by you for the purpose of generating invoices and tracking payments
- FlashBooks uses passwordless authentication (OTP-based). We do not store any passwords, thereby eliminating password-related security vulnerabilities
- Financial data of your contacts (customers and vendors) that you enter into the Service is processed under your responsibility as the data controller for your organisation. You are responsible for ensuring that you have appropriate consent or legal basis to share such data with FlashBooks
We handle all SPDI with heightened security measures as prescribed under the SPDI Rules, including encryption at rest and in transit, access controls, and audit logging.
7. Data Storage and Security
We implement robust security measures to protect your data in compliance with Section 43A of the Information Technology Act, 2000, which mandates reasonable security practices for handling sensitive personal data:
- Data Residency: All data is stored in Indian data centres, ensuring data residency within India
- Encryption at Rest: All stored data is encrypted using AES-256 encryption, the industry standard for data protection
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS/SSL protocols
- Passwordless Authentication: Our OTP-based authentication system eliminates the risk of password theft, brute-force attacks, and credential stuffing
- Session Management: Sessions are managed with automatic expiry after seven (7) days, reducing the risk of session hijacking
- Role-Based Access Control (RBAC): Within each organisation, access is controlled through defined roles — Owner, Admin, and User — with appropriate permission boundaries
- Data Isolation: Each organisation's data is logically separated to prevent cross-organisation data access
- Monitoring: We maintain access logs and conduct regular security assessments to detect and prevent unauthorised access
8. Data Sharing and Disclosure
We do not sell, rent, or trade your personal or business data to any third party.
Your data may be shared only in the following limited circumstances:
- Service Providers: We use trusted third-party service providers to deliver specific functionality:
  - Email delivery services (for OTP verification and invoice sharing)
  - SMS services (for mobile OTP verification via MSG91)
  - Cloud infrastructure providers (Indian data centres for data storage)
  All third-party service providers are contractually obligated to protect your data, use it only for the specified purpose, and comply with applicable data protection laws.
- Legal Requirements: We may disclose your data when required by law, court order, or government directive issued under Indian law, including requests from law enforcement agencies, tax authorities, or regulatory bodies
- At Your Instruction: When you choose to share invoices via email or WhatsApp, the invoice content (including party details, amounts, and tax information) is transmitted to the recipient you specify. You are responsible for ensuring that such sharing is appropriate
9. Data Retention
We retain your data for as long as necessary to fulfil the purposes described in this Privacy Policy, subject to legal retention requirements:
- Active Account Data: Retained as long as your account remains active and you continue to use the Service
- Deleted Organisation Data: Permanently deleted upon your request through Settings > Data & Privacy, subject to any legal retention requirements
- Financial Records: Under GST regulations, businesses are required to maintain records for a minimum of seventy-two (72) months from the due date of filing the annual return. We may retain financial records for this period to support your compliance obligations
- Session Data: Automatically expired and cleared after seven (7) days
- Technical Logs: Retained for up to ninety (90) days for security monitoring, debugging, and incident response purposes
After the applicable retention period, data is permanently and irreversibly deleted from our systems.
10. Your Rights as a Data Principal
Under Chapter III of the Digital Personal Data Protection Act, 2023, you have the following rights as a Data Principal:
- Right to Access: You have the right to obtain a summary of your personal data being processed and the processing activities carried out on it
- Right to Correction: You have the right to request correction of inaccurate or incomplete personal data. You can update your profile, organisation details, and other information directly through the Service
- Right to Erasure: You have the right to request deletion of your personal data, subject to legal retention requirements (such as GST record-keeping obligations). You can delete your organisation and account through Settings
- Right to Data Portability: You can export your data in standard formats (JSON, CSV) through the Settings > Data & Privacy section of the Service
- Right to Nominate: You have the right to nominate another person to exercise your rights under the DPDPA in the event of your death or incapacity
- Right to Grievance Redressal: You have the right to register a grievance with our Grievance Officer or approach the Data Protection Board of India
To exercise any of these rights, please contact us at support@flashbooks.in. We will process your request within thirty (30) days of receipt, as required under the DPDPA.
11. Children's Data
FlashBooks is a business application intended for use by individuals who are at least eighteen (18) years of age. We do not knowingly collect personal data from individuals under the age of 18.
If we become aware that we have collected personal data from a minor without appropriate consent, we will take immediate steps to delete such data from our systems. If you believe that a minor has provided us with personal data, please contact us at support@flashbooks.in.
12. Cookies and Tracking Technologies
FlashBooks uses only essential cookies that are necessary for the Service to function:
- Authentication Cookies: Used to maintain your logged-in session and verify your identity across pages
- Preference Cookies: Used to remember your display preferences, such as light or dark theme selection
We do not use:
- Third-party advertising or marketing cookies
- Tracking pixels or web beacons
- Third-party analytics services that share your data with advertisers
You can manage cookies through your browser settings. However, disabling essential cookies may prevent the Service from functioning correctly.
13. Cross-Border Data Transfer
All personal and business data collected through FlashBooks is stored and processed within India. We maintain data residency in Indian data centres.
Currently, no cross-border transfer of personal data takes place. In the event that any data needs to be transferred outside India in the future, such transfer will be carried out strictly in compliance with the provisions of the Digital Personal Data Protection Act, 2023, including ensuring adequate safeguards and obtaining any required approvals from the relevant authorities.
14. Data Breach Notification
In the event of a personal data breach that is likely to cause harm to Data Principals, FlashBooks will:
- Notify the Data Protection Board of India as required under the Digital Personal Data Protection Act, 2023
- Notify affected users promptly through email and/or in-app notifications, providing details of the breach, the data affected, and recommended protective actions
- Take immediate steps to contain, investigate, and remediate the breach to prevent further unauthorised access
- Maintain detailed records of all data breaches and the remedial actions taken, as required by law
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- Material changes will be communicated to you via email to your registered email address or through an in-app notification
- Your continued use of the Service after being notified of changes constitutes your acceptance of the updated Privacy Policy
- The "Last updated" date at the top of this page reflects the date of the most recent revision
- If you do not agree with the revised Privacy Policy, you must discontinue your use of the Service and delete your account
16. Grievance Officer
In accordance with Section 5(9) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and Section 13 of the Digital Personal Data Protection Act, 2023, FlashBooks has appointed a Grievance Officer to address your concerns regarding data privacy and protection.
Grievance Officer Details:
- Email: support@flashbooks.in
All grievances will be acknowledged within twenty-four (24) hours of receipt and resolved within fifteen (15) days from the date of receipt, in compliance with the applicable regulations.
If you are not satisfied with the resolution provided, you may approach the Data Protection Board of India under Section 13 of the Digital Personal Data Protection Act, 2023, or the appropriate consumer forum under the Consumer Protection Act, 2019.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- FlashBooks
- Website: flashbooks.in
- Email: support@flashbooks.in