Privacy Policy

Last updated: June 2026 · Effective: February 2025

DPDP 2023 Compliant · Zero File Retention · No AI Training on Your Data

Your data rights at a glance (DPDP 2023)

Access your data

Correct inaccurate data

Delete your account & data

Withdraw consent anytime

Raise a grievance

Nominate a representative

Request data deletion · Email privacy@stackbharat.com

1. Who we are

StackBharat AI ("we", "us", "our") is a B2B SaaS platform operated from Mumbai, India. We provide an AI workspace product to accounting, finance, and back-office businesses. Our registered contact email is legal@stackbharat.com.

For all data privacy matters, contact our Data Protection Officer at privacy@stackbharat.com.

2. What data we collect

We collect only what is necessary to provide the service:

(a) Account data — your name, email address, and profile photo, obtained via Google OAuth when you sign in. We do not store your Google password.

(b) Usage data — query counts per user per day, AI model used, and token counts. This is used for billing enforcement and analytics.

(c) Company data — company name, subscription plan, and admin-configured topic restrictions.

(d) Billing data — your Razorpay subscription ID and customer reference. We do not store card numbers, CVVs, or bank account details. All payment data is held by Razorpay under their PCI-DSS compliance.

(e) Conversation data — messages you send to the AI and the AI's responses. These are stored for up to 24 hours to enable session continuity and admin compliance review, then automatically deleted.

(f) Uploaded files — parsed in memory only. The file content is extracted and sent to the AI. The original file and its extracted content are deleted from memory immediately after the AI responds. We maintain zero file retention.

3. Legal basis for processing (Consent)

Under India's Digital Personal Data Protection Act 2023, we process your personal data on the following lawful bases:

(a) Consent — by clicking "Continue with Google" and using the Service, you give clear, informed, and free consent to the collection and processing described in this policy. You may withdraw consent at any time by requesting account deletion.

(b) Legitimate use — we process usage data to enforce subscription limits, prevent abuse, and for billing purposes as outlined in our Terms of Service.

(c) Legal obligation — we may process or retain data where required by Indian law, a court order, or a regulatory authority.

We do not process sensitive personal data (health, financial account numbers, biometrics) as part of our core service. If you upload documents containing such data, it is processed in memory for the sole purpose of the AI query and immediately discarded.

4. How we use your data

We use your data to:

- Provide, operate, and improve the StackBharat AI service
- Enforce query limits and subscription entitlements
- Send invite emails, billing notifications, and usage alerts
- Allow company admins to audit member usage within their own workspace
- Detect and prevent fraudulent or abusive activity
- Comply with applicable Indian and international law

We do not:

- Sell your personal data to any third party
- Use your conversations to train AI models (including Anthropic's models — we use their API under a data processing agreement that prohibits training on customer data)
- Share your data with advertisers

5. Data retention

- Chat messages: automatically deleted after 24 hours
- Uploaded files: deleted immediately after analysis (zero retention)
- Usage statistics (query counts, token counts): retained for the lifetime of your account for billing and analytics, then deleted within 30 days of account deletion
- Account data (name, email): retained until you request deletion, then deleted within 30 days
- Billing records: retained for 7 years as required by Indian accounting law (GST compliance)
- Audit logs: retained for 1 year

6. Third-party services

We share minimal data with the following processors:

- Supabase (database and authentication) — hosted in the EU/US. Supabase is SOC 2 Type II certified.
- Anthropic (AI inference) — US. Your queries and file content are sent to Anthropic's API to generate responses. Anthropic does not use API customer data for training. See anthropic.com/privacy.
- Razorpay (payment processing) — India. PCI-DSS Level 1 compliant.
- Resend (transactional email) — US. Used to send invite and notification emails.

We do not use any third-party analytics, advertising, or tracking SDKs.

7. Company isolation

Each company's data is isolated at the database level using Row Level Security (RLS) enforced by Supabase PostgreSQL. No query issued by a user from one company can return data belonging to another company — this is enforced at the database engine level, not just the application layer.

Company admins can view usage statistics and conversation logs only for members within their own workspace. StackBharat staff access customer data only when required to resolve a support issue, and only with the explicit permission of the company admin.

8. Your rights under DPDP 2023

Under India's Digital Personal Data Protection Act 2023, you (as a Data Principal) have the following rights:

(a) Right to access — you may request a copy of the personal data we hold about you.

(b) Right to correction — you may request correction of inaccurate or outdated personal data.

(c) Right to erasure — you may request deletion of your personal data. We will delete your account, conversation history, usage logs, and profile data within 30 days. Billing records are retained as required by law (see Section 5).

(d) Right to grievance redressal — if you believe we have violated your rights under DPDP 2023, you may raise a grievance. We will acknowledge it within 48 hours and resolve it within 15 days. If unresolved, you may escalate to the Data Protection Board of India (once constituted).

(e) Right to nominate — you may nominate another individual to exercise your rights in case of death or incapacity.

(f) Right to withdraw consent — you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.

To exercise any of these rights, use the Data Deletion & Rights Request form at stackbharat.com/data-deletion, or email privacy@stackbharat.com. We respond within 72 hours.

9. Data breach notification

In the event of a personal data breach, we will:

1. Internally detect and contain the breach within 24 hours of discovery
2. Notify affected users via email within 72 hours of becoming aware of the breach
3. Notify the Data Protection Board of India (once constituted) as required by DPDP 2023
4. Provide details of: what data was affected, how it happened, what we are doing to fix it, and what you can do to protect yourself

We maintain an incident response plan and conduct quarterly security reviews.

10. International data transfers

Your data is processed in India (Razorpay, primary database region) and may be processed in the EU/US (Supabase, Anthropic, Resend) as part of service delivery. All international transfers are governed by contractual data processing agreements with each sub-processor. We do not transfer data to any country restricted under DPDP 2023 rules (once the restricted country list is notified by the Government of India).

11. Security

- All data in transit is encrypted using HTTPS/TLS 1.2+
- Database access is protected by Supabase Row Level Security and JWT-based authentication
- API keys are stored as environment variables on Vercel — never in client-side code or version control
- User sessions are managed by Supabase Auth with automatic token rotation
- We conduct quarterly dependency audits and address critical CVEs within 48 hours
- We follow responsible disclosure — if you discover a security issue, email security@stackbharat.com

12. Children's data

StackBharat AI is a B2B workplace tool intended for use by adults in a professional context. We do not knowingly collect personal data from individuals under 18 years of age. If you believe a minor has registered, contact privacy@stackbharat.com and we will delete the account within 48 hours.

13. Changes to this policy

We may update this policy as our product evolves or as law requires. If we make material changes, we will notify all company admins via email at least 7 days before the changes take effect. The "Last updated" date at the top of this page will reflect the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.

14. Grievance Officer (DPDP 2023)

As required by the Digital Personal Data Protection Act 2023, our designated Grievance Officer is reachable at:

- Email: privacy@stackbharat.com
- Response time: 48 hours (acknowledgement), 15 days (resolution)
- Escalation: Data Protection Board of India (once constituted by the Government of India)

Privacy questions or data requests?

Email privacy@stackbharat.com — we reply within 72 hours.

Use the Data Deletion Request Form →