Privacy Policy
Effective Date: 25 February 2026 | Last Updated: 25 February 2026
This Privacy Policy describes how KOSHAQ Billing ("KOSHAQ", "we", "our", or "us") collects, uses, stores, and protects your personal data. This policy is issued in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
1. Data Fiduciary
KOSHAQ acts as a Data Fiduciary as defined under the DPDP Act, 2023. We determine the purpose and means of processing your personal data. For questions, contact us at: privacy@koshaq.in
2. What Personal Data We Collect
Account & Identity Data
- Full name, email address, and password (hashed — never stored in plain text)
- Business name, GSTIN, PAN (via GSTIN), legal name, address, city, state, PIN code
Business Operations Data
- Customer records (names, emails, phone numbers, billing/shipping addresses, GSTINs)
- Invoice data, payment records, quotes, subscription information
- Product/service catalog entries, pricing, SAC/HSN codes
Technical & Usage Data
- IP address, browser type, device info (for security audit logs)
- Session data (encrypted), access timestamps
3. Purpose of Processing
We process personal data for the following purposes, each grounded in a lawful basis under the DPDP Act:
- Service Delivery: Creating and managing your billing workspace, generating GST-compliant invoices
- Security & Fraud Prevention: Detecting unauthorised access, maintaining audit logs as required by the IT Act, 2000
- Legal Compliance: Meeting GST, income tax, and financial record-keeping obligations under Indian law
- Communication: Sending invoice emails, payment reminders, and system notifications
- Product Improvement: Analysing usage patterns (anonymised) to improve features
4. Data Retention
We retain your data as long as your account is active. Upon account deletion:
- Financial records (invoices, payments): Retained for 8 years as required under Section 128 of the Companies Act, 2013 and GST record-keeping rules
- Audit logs: Retained for 5 years per CERT-In Directions 2022
- Account & profile data: Deleted within 30 days of account closure request
5. Data Sharing
We do not sell your personal data. We share data only in the following circumstances:
- Service Providers: Hosting providers, email delivery services (under data processing agreements)
- Payment Processors: Razorpay (for online payments — subject to Razorpay's privacy policy)
- Legal Obligation: When required by Indian law, court order, or government authority
6. Your Rights (DPDP Act 2023)
As a Data Principal, you have the following rights:
- Right to Access — request a summary of personal data we hold about you
- Right to Correction — correct inaccurate or incomplete personal data
- Right to Erasure — request deletion of data not required for legal obligations
- Right to Grievance Redressal — raise a complaint with our Data Protection Officer
- Right to Nominate — nominate another individual to exercise your rights in case of death or incapacity
To exercise any right, email: privacy@koshaq.in. We will respond within 72 hours.
7. Security Practices
We implement reasonable security measures as required under Section 43A of the IT Act and the DPDP Act, including:
- Passwords hashed using bcrypt (industry standard)
- Session data encrypted at rest
- HTTPS/TLS encryption in transit (production)
- Multi-tenant data isolation — each business's data is strictly separated
- Rate limiting on authentication endpoints (brute-force protection)
- Security headers (X-Frame-Options, CSP, HSTS in production)
- Immutable audit logs for all financial operations
8. Cookies
We use a single session cookie (HttpOnly, SameSite=Lax) for authentication. We do not use third-party tracking cookies or advertising cookies.
9. Children's Data
KOSHAQ Billing is a business application intended for use by adults (18+) running registered businesses in India. We do not knowingly collect data from children under 18.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in law or our practices. Material changes will be communicated by email and/or a notice on the dashboard at least 7 days in advance.
11. Grievance Officer
In accordance with the DPDP Act 2023 and IT Act 2000, a Grievance Officer has been designated:
- Name: KOSHAQ Privacy Team
- Email: privacy@koshaq.in
- Response Time: Within 72 hours of receipt