Privacy Policy
Last updated: 8 May 2026
RudraTech ("KhataPro", "we", "us", "our") operates the KhataPro
mobile application and related websites at khata.arkbytetech.com (the
"Service"). This policy explains what we collect, how we use it, and the
rights you have. KhataPro is built specifically for businesses operating
in India and complies with:
- the Digital Personal Data Protection Act, 2023 (DPDP Act);
- the Information Technology Act, 2000 and the **Information Technology
(Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021** (IT
Rules 2021);
- Google Play data-safety guidelines.
Under the DPDP Act, you (the user) are the Data Principal, and KhataPro
/ RudraTech is the Data Fiduciary.
1. Information we collect
Account information. When you sign up we collect your phone number (for
OTP login), your name, your email address (required for email + password
login and account recovery, optional for OTP / Google sign-ins), a bcrypt
hash of your password if you choose email + password login, your preferred
language, and the device identifier required for multi-device sign-in.
You can sign in with any of three methods — phone OTP, Google Sign-In, or
email + password (with a "forgot password" reset link delivered by email).
Business information. Information you enter about your businesses,
customers, suppliers, staff, inventory, ledger transactions, invoices,
attendance, and salary payments.
Photos / receipts (ON-DEVICE ONLY). When you attach a photo to a ledger
entry, invoice, or business profile, the image is stored **on your phone
only** under the app's private documents folder
(<ApplicationDocumentsDirectory>/attachments/). The KhataPro server
stores nothing more than a relative file path string for that attachment —
we do not retain or process your captured images on our servers, and
photos are never uploaded to Vercel Blob, Neon, or any third-party
processor. If you uninstall the app or wipe the device, the photos go with
it.
Backups (you control where they go). KhataPro lets you create a ZIP
archive of your on-device attachments from **Settings → Backup → Export
attachments**, and share it to Google Drive, your own email, USB storage,
or any other destination of your choice. The backup never touches our
servers — it goes directly from your phone to the destination you pick.
You are responsible for keeping that backup secure.
Transactional information. When you collect a payment via UPI QR through
the app, the payment is settled directly between your customer's UPI app
and your linked bank account; KhataPro itself does not handle the
money. The app records only what the user enters (amount, party, optional
UTR you paste in).
Device information. App version, OS version, device model, crash logs,
the FCM token used to send notifications, and the resettable Android
Advertising ID used by Google AdMob (with your consent).
Usage information. Anonymised events about which features are used so we
can fix bugs and improve the product.
2. Permissions we request
KhataPro requests only the Android permissions necessary for its core
features. We never request location, contacts, call logs, or SMS read
access. Each permission is described below so you know exactly why it is
asked for and what it controls.
| Permission | Why KhataPro asks for it | Optional? |
|------------|--------------------------|-----------|
| Camera (android.permission.CAMERA) | (a) To capture a photo of a receipt or invoice and attach it to a ledger entry, and (b) to scan barcodes when adding inventory items. The camera is opened only after you tap Attach photo or the Scan barcode button — never silently in the background. Captured images are stored on your phone only (see §1, Photos / receipts) and are never uploaded to our servers. | Yes — you can use KhataPro without granting Camera. Photo attachment and barcode scanning are simply unavailable until you grant it. |
| Internet (INTERNET) and Network state (ACCESS_NETWORK_STATE) | Required for ledger sync, login, OTP delivery, and software updates. | No — without internet, the app cannot sync. |
| Notifications (POST_NOTIFICATIONS, Android 13+) | Used to deliver overdue-customer reminders, sync status, and product announcements. | Yes — the app works fully without notifications. |
| Biometric (USE_BIOMETRIC) | Used only by Settings → Security → App lock to unlock the app with your fingerprint or face. Biometric data never leaves the device — Android handles the matching. | Yes — App lock can also use a 4-digit PIN, or be turned off entirely. |
| Storage / files (WRITE_EXTERNAL_STORAGE, scoped) | Needed only when you tap Settings → Backup → Export attachments to write the user-controlled ZIP backup to a folder you pick. We do not scan your files. | Yes — backup export requires it; the rest of the app does not. |
| Advertising ID (com.google.android.gms.permission.AD_ID) | Used by Google AdMob to show non-personalised or (with your UMP consent) personalised ads. Android lets you reset or block this ID at any time from system settings. | Partial — you can decline personalised ads via the in-app consent screen and at OS level. |
The list above is exhaustive — KhataPro does not request any permission
beyond these.
3. How we use your information
- Provide and maintain the Service.
- Authenticate you via phone OTP, Google Sign-In, or email + password
(with a Resend-delivered reset link if you forget your password).
- Sync your ledger data across your devices (photos remain on each device).
- Generate WhatsApp / SMS deep-links so you can send payment reminders to
your own customers from your own messaging app — see Section 8.
- Send transactional emails (sign-in OTPs, password reset links, deletion
confirmations, invoice copies you initiate, support replies) via our
email partner Resend.
- Detect fraud and abuse, and enforce our Terms (including suspending
accounts that breach the Terms — see Section 13).
- Comply with Indian tax and regulatory obligations.
We do not sell your data, ever.
4. Lawful basis (DPDP Act § 6)
We process personal data on the lawful basis of your explicit consent,
which we collect through an in-app notice the first time you launch the app
and again whenever this policy materially changes. You may withdraw consent
at any time from Settings → Privacy → Delete my account or by emailing
rudratech97@gmail.com. Withdrawal will not affect the lawfulness of
processing based on consent before its withdrawal.
For limited operational purposes — fraud prevention, security incident
response, statutory tax record-keeping — we additionally rely on the
"legitimate uses" recognised under § 7 of the DPDP Act.
5. Sharing of information
We share data only with the following processors (Data Processors under the
DPDP Act), each bound by a written data-processing agreement:
| Processor | Purpose | Data hosting region |
|-----------|---------|---------------------|
| Vercel (Next.js hosting) | Application hosting; API functions colocated in syd1 (Sydney) for low-latency access to Neon. No user photos are stored on Vercel — photos remain on-device. | Asia-Pacific |
| Neon (managed Postgres) | Primary database (text data only — no images) | AWS Asia-Pacific (Sydney) |
| Resend | Transactional email delivery (OTP, password reset, deletion, invoice send) | EU + US |
| Firebase Cloud Messaging (Google) | Push notifications + (where wired) Crashlytics | Global |
| Google AdMob (Google) | Advertising — banner, interstitial, native, and rewarded video; UMP consent-gated | Global |
| Google Sign-In (Google Identity) | Optional Google login | Global |
We do not share your customer phone numbers or transactional data with
any party for marketing, profiling, or aggregation purposes. **Reminders
sent to your customers are composed and dispatched from your own device's
messaging app — KhataPro does not operate as an SMS or WhatsApp
gateway in v1.** See Section 8.
We may disclose information to government authorities when legally
compelled (e.g. CrPC / IT Act § 91 notice, court order). We notify users of
such requests where the law allows.
6. Cross-border transfer
The DPDP Act allows transfers of personal data outside India to any country
not specifically restricted by the Central Government. As of the date of
this policy, no countries are restricted. Where we transfer data to
Resend (EU / US) or Google services (global), we rely on each processor's
Standard Contractual Clauses or equivalent safeguard.
7. Data retention
| Category | Retention |
|----------|-----------|
| Active account & ledger data (text) | While your account is active |
| Photos / receipts | Stored only on your device; we hold none. The relative path string in our DB is overwritten / nulled when the entry is edited or deleted. |
| User-controlled backup ZIPs | Wherever you exported them — we have no copy and no access |
| Personal identifiers post-deletion request | Hard-deleted from primary storage within 30 days |
| Encrypted DB backups | Purged within 30 days of primary deletion |
| Anonymised audit-log entries (GST law mandate) | Up to 8 years |
| Aggregated analytics with no personal identifier | Indefinite |
8. Reminder messaging — sent from your device
When you tap "Send WhatsApp reminder" or "Send SMS reminder" on a customer,
the app opens your phone's own WhatsApp / SMS app with a pre-filled
message via standard wa.me and sms: deep-links. The message is sent
from your phone, by you, using your number. KhataPro:
- does not operate as an SMS gateway in v1 (no MSG91 / DLT routing
from our servers);
- does not operate as a WhatsApp Business Solution Provider in v1 (no
Gupshup template send from our servers);
- does not receive a copy of, log, or store the messages you send to
your customers.
You remain the legal sender for the purposes of TRAI / DLT regulations and
the WhatsApp Business policy. Your customers' phone numbers stay on your
device for the WhatsApp / SMS share — they only travel to our servers as
part of the ledger entry that you choose to sync.
9. Advertising (Google AdMob)
KhataPro is offered free of charge and is monetised through Google
AdMob. Ads are shown in the following formats and placements:
- Banner ads at the bottom of the dashboard and customers list.
- Interstitial ads after every third "save" event (transactions,
invoices, GST invoices), capped by a 3-minute global cooldown so you
never see two interstitials back-to-back.
- Rewarded video that you may opt to watch in exchange for one-off
unlocks of premium-feel actions (e.g. exporting the Reports PDF).
- Native ads interleaved roughly every sixth row in the customers
list — visually distinct from your real entries and labelled as
sponsored.
- We do not show app-open ads — KhataPro is a B2B utility and
we judged app-open ads too disruptive for shopkeepers.
For users in the EEA, the UK, and California, KhataPro presents
the Google User Messaging Platform (UMP) consent flow on first launch.
You may freely accept or decline personalised ads. Non-personalised ads
will still be shown to keep the app free; you can revisit your choice at
any time from Settings → Privacy → Ad personalisation. Outside those
jurisdictions, you may also opt out of ad personalisation from the same
screen and reset your Android Advertising ID via Android Settings →
Privacy → Ads.
We share with AdMob only the resettable Android Advertising ID and the
ad-request context (app, country, ad slot). We do not share your ledger,
your customers, your photos, or any business data with AdMob or any other
ad network.
10. Your rights as a Data Principal (DPDP § 11–14)
You can:
- Access the personal data we hold about you (Settings → Privacy →
Export my data, or email rudratech97@gmail.com).
- Correct, complete or update any data via the in-app editors.
- Erase your data — Settings → Privacy → Delete my account, or via
https://khata.arkbytetech.com/data-deletion. Hard delete within 30 days.
- Withdraw consent with the same ease as it was given (the same in-app
CTA covers both flows).
- Nominate another individual to exercise your rights in the event of
death or incapacity — email rudratech97@gmail.com with the
nominee's name, relationship, and contact.
- File a grievance — see Section 14 below. Resolution within 15 days.
- Lodge a complaint with the Data Protection Board of India once it is
operational, if you remain dissatisfied with our response.
11. Data security and breach notification
We use TLS 1.2+ for all transport, encrypt data at rest with AES-256 in our
managed Postgres host (Neon), bcrypt-hash passwords (when you choose email +
password login), issue single-use email reset tokens with short expiry for
"forgot password" flows, and rotate JWT signing keys quarterly. Access to
production data is limited to a small set of named employees with audited
logins. Photos never reach the server, so no cloud-side photo breach is
possible.
If we become aware of a personal-data breach, we will notify the Data
Protection Board of India and affected users within 72 hours, in line
with § 8(6) of the DPDP Act and the form prescribed thereunder.
12. Children
KhataPro is intended for adult business owners in India. The DPDP Act
defines a "child" as anyone under 18; we do not knowingly process data of
children. We collect a self-attested age confirmation at first launch, and
will erase any account we discover to be operated by a minor. Parental
consent for minors will only be implemented if KhataPro is ever
re-positioned as a consumer-facing app — at which point a verifiable
parental consent flow will be added.
13. Account suspension
We may suspend an account where we have reasonable grounds to believe the
account is being used to violate our Terms — including spam, harassment,
fraud, attempting to circumvent platform security, or repeated abuse of
WhatsApp / SMS deep-links to send unsolicited messages. A suspension
records suspendedAt and suspendedReason against your account; the
auth middleware will then reject API calls with **HTTP 403
account_suspended** and the app will show a friendly notice with the
reason. You may appeal a suspension by emailing rudratech97@gmail.com or
by writing to the Grievance Officer (Section 14). We aim to review
appeals within 7 business days.
14. Grievance Officer (IT Rules 2021, Rule 4)
In compliance with Rule 4(2) of the Intermediary Guidelines, we maintain a
Grievance Officer:
- Name: RudraTech (sole proprietor)
- Designation: Grievance Officer, RudraTech
- Email: rudratech97@gmail.com
- Acknowledgement: within 24 hours
- Resolution: within 15 days; 30 days at most for complex matters
If you are dissatisfied with the resolution, you may escalate to the
Grievance Appellate Committee under Section 28A of the IT Rules.
15. Cookies (web app)
The web companion at khata.arkbytetech.com uses **strictly necessary
cookies** to remember your sign-in (kp_admin, kp_user) and language
(kp_lang). We do not use third-party advertising cookies on the web.
Mobile-only users are unaffected.
16. Changes to this policy
We will notify you in-app and via email at least 14 days before any
material change to this policy. The mobile app re-prompts for consent
whenever the policy version stored on your device differs from the
current published version.
17. Contact
- Privacy / Data Protection Officer: rudratech97@gmail.com
- Grievance Officer (India): rudratech97@gmail.com