1. Introduction
OneDash Fintech Private Limited ("we," "us," "our," or "Company") operates the one-cashbook platform ("Service," "Platform," or "one-cashbook"), a web-based cash flow management application designed for small and medium businesses. This Privacy Policy ("Policy") describes how we collect, use, process, store, protect, and disclose your personal information and business data when you access or use our Service.
By accessing or using one-cashbook, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Policy, please do not use our Service.
This Policy complies with applicable data protection laws, including but not limited to:
- The General Data Protection Regulation (GDPR) (EU Regulation 2016/679)
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- The Information Technology Act, 2000 and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (India)
- Other applicable data protection and privacy laws in jurisdictions where we operate
1.1 Scope of Service and Disclaimer
We provide digital software for cash entry and bookkeeping purposes only. We do not offer loans, credit services, investment products, insurance, or financial advisory services of any kind.
2. Information We Collect
2.1 Information You Provide Directly
We collect information that you voluntarily provide to us, including:
Account Registration and Authentication:
- Full name
- Email address
- Password (encrypted and hashed)
- Profile information (optional)
Business and Financial Data:
- Business name(s)
- Cashbook entries (cash receipts, expenses, transactions)
- Business parties (customers, vendors, suppliers)
- Payment modes
- Categories and classifications
- Financial reports and summaries
- Business settings and preferences
Contact and Communication:
- Contact form submissions (name, email, phone number, message)
- Expert accounting services inquiries (name, email, phone, business name, city, number of employees, preferred contact time, additional message)
- Support requests and communications
- Feedback and survey responses
Team and Collaboration:
- Member invitations and team member information
- Access permissions and roles
- Collaboration data
2.2 Information Collected Automatically
Technical Information:
- IP address
- Browser type and version
- Device information (type, operating system, screen resolution)
- Referral source
- Pages visited and time spent on pages
- Click patterns and navigation paths
- Date and time of access
- Language preferences
Usage Analytics:
- Page views and interactions
- Button clicks
- Form submissions
- File downloads (PDF, Excel, CSV)
- Outbound link clicks
- Conversion events (sign-ups, form completions)
- Error logs and performance metrics
Cookies and Similar Technologies:
- Authentication cookies (essential for login sessions)
- Session cookies (for website functionality)
- Analytics cookies (Google Analytics 4, with user consent)
- Preference cookies (user settings and preferences)
2.3 Information from Third-Party Services
- Authentication Services (Clerk): User authentication data, session tokens, account verification information
- Cloud Infrastructure (Supabase): Database records, file storage metadata, backup and recovery data
- Email Services (Resend): Email delivery status, bounce and delivery reports
- Analytics Services (Google Analytics 4): Aggregated usage statistics, anonymized user behavior data, conversion tracking data
3. How We Use Your Information
3.1 Service Provision
- To create and manage your account
- To provide, maintain, and improve our Service
- To process and store your cashbook entries and financial data
- To generate reports, summaries, and analytics
- To enable team collaboration and multi-user access
- To provide customer support and respond to inquiries
- To send service-related communications (account updates, security alerts, feature announcements)
3.2 Business Operations
- To process contact form submissions and service inquiries
- To communicate with you about our services
- To send administrative information (terms updates, policy changes)
- To manage business relationships and partnerships
- To conduct research and analysis to improve our Service
3.3 Legal and Compliance
- To comply with applicable laws, regulations, and legal processes
- To respond to government requests and court orders
- To enforce our Terms of Service and other agreements
- To protect our rights, property, and safety, and that of our users
- To detect, prevent, and address fraud, security issues, and technical problems
3.4 Analytics and Improvement
- To analyze usage patterns and trends
- To understand how users interact with our Service
- To improve user experience and functionality
- To develop new features and services
- To measure the effectiveness of our marketing efforts
3.5 Marketing and Communications (with your consent)
- To send promotional communications (only if you have opted in)
- To provide information about new features, updates, and services
- To conduct surveys and gather feedback
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your personal data based on the following legal grounds:
- Contractual Necessity: Processing is necessary to perform our contract with you (providing the Service)
- Legitimate Interests: Processing is necessary for our legitimate business interests (security, fraud prevention, service improvement)
- Legal Obligation: Processing is required to comply with applicable laws
- Consent: Processing is based on your explicit consent (marketing communications, non-essential cookies)
5. Data Ownership and User Rights
5.1 Your Data Ownership
- All cashbook entries, financial data, and business information you create belong exclusively to you
- You retain full ownership and intellectual property rights to your data
- We act as a data processor, storing and processing your data on your behalf
- You can access, modify, export, or delete your data at any time
5.2 Your Privacy Rights
Depending on your location, you may have the following rights:
Right to Access:
- Request a copy of your personal data
- Know what personal information we hold about you
- Understand how your data is being used
Right to Rectification:
- Correct inaccurate or incomplete personal data
- Update your account information
- Modify your business data
Right to Erasure ("Right to be Forgotten"):
- Request deletion of your personal data
- Delete your account and all associated data
- Remove specific data entries
Additional Rights:
- Right to Restrict Processing: Request that we limit how we use your personal data
- Right to Data Portability: Receive your data in a structured, machine-readable format and export your cashbook data (PDF, Excel, CSV formats)
- Right to Object: Object to processing based on legitimate interests, opt out of marketing communications, withdraw consent for non-essential processing
- Right to Withdraw Consent: Withdraw consent for data processing at any time, manage cookie preferences, opt out of analytics tracking
- Right to Non-Discrimination (CCPA): Exercise your privacy rights without discrimination
- Right to Know (CCPA): Know what personal information is collected, how it is used and shared, and the categories of third parties with whom we share data
- Right to Delete (CCPA): Request deletion of personal information
- Right to Opt-Out (CCPA): Opt out of the sale of personal information (we do not sell data)
To exercise these rights, please contact us at [email protected] with your request. We will respond within 30 days (or as required by applicable law).
6. Data Sharing and Disclosure
6.1 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information or business data to third parties for marketing or advertising purposes.
6.2 Limited Data Sharing
We may share your information only in the following limited circumstances:
Service Providers:
We engage trusted third-party service providers to help us operate our Service:
- Clerk (Authentication): User authentication and account management
- Supabase (Database & Storage): Secure cloud database and file storage
- Resend (Email Services): Transactional and notification emails
- Google Analytics 4 (Analytics): Website usage analytics (with consent)
- Vercel (Hosting): Application hosting and content delivery
These service providers are contractually obligated to use your data only for specified purposes, maintain appropriate security measures, comply with applicable data protection laws, and not use your data for their own purposes.
Legal Requirements:
We may disclose your information if required by law, regulation, legal process, or government request, including court orders, regulatory investigations, law enforcement requests, and tax and financial reporting requirements.
Business Transfers:
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.
Protection of Rights:
We may disclose information to protect our rights, property, or safety, or that of our users, including preventing fraud or abuse, investigating security breaches, enforcing our Terms of Service, and protecting against legal liability.
6.3 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for research and analytics, industry reports, service improvement, and marketing and business development.
7. Data Security
7.1 Security Measures
We implement comprehensive technical and organizational security measures to protect your data:
Technical Safeguards:
- Encryption in transit (TLS/SSL) for all data transmission
- Encryption at rest for sensitive data stored in databases
- Secure authentication and access controls
- Regular security audits and vulnerability assessments
- Intrusion detection and prevention systems
- Firewall and network security
- Secure coding practices and regular code reviews
- Automated security monitoring and alerting
Organizational Safeguards:
- Limited access to personal data on a need-to-know basis
- Employee training on data protection and security
- Confidentiality agreements with employees and contractors
- Regular security training and awareness programs
- Incident response procedures
- Data breach notification protocols
Infrastructure Security:
- Hosted on secure cloud infrastructure (Vercel, Supabase)
- Regular backups and disaster recovery procedures
- Redundancy and failover systems
- Compliance with industry security standards
7.2 Data Breach Procedures
In the event of a data breach that may affect your personal information:
- We will investigate and assess the scope and impact
- We will notify affected users and relevant authorities as required by law
- We will take immediate steps to contain and remediate the breach
- We will provide information about the breach and recommended actions
7.3 Your Role in Security
You are responsible for maintaining the confidentiality of your account credentials, using strong, unique passwords, not sharing your account with others, logging out when using shared devices, and reporting suspected security breaches immediately.
8. Data Retention
8.1 Retention Periods
We retain your personal information for as long as necessary, as set out below:
Active Accounts:
- Retain data while your account is active
- Maintain data for the duration of your use of the Service
Deleted Accounts:
- Delete or anonymize data within 30 days of account deletion
- Retain certain data as required by law (e.g., financial records, tax information)
- Maintain backup copies for up to 90 days before permanent deletion
Legal Requirements:
- Retain data as required by applicable laws, regulations, or legal obligations
- Maintain records for tax, accounting, or regulatory compliance
- Preserve data for legal proceedings or disputes
Contact Forms and Inquiries:
- Retain contact form submissions for up to 3 years
- Retain service inquiries for up to 2 years
- Retain support communications for up to 2 years
8.2 Data Deletion
Upon your request or account deletion, we will delete or anonymize your personal data, remove your data from active systems, delete backup copies within 90 days, and retain only data required by law.
9. International Data Transfers
9.1 Data Transfer Locations
Your data may be processed and stored in India (primary data center), the United States (service providers: Clerk, Supabase, Vercel, Google), and the European Union (where applicable for EU users).
9.2 Transfer Safeguards
We ensure appropriate safeguards for international data transfers:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with service providers, including data protection obligations
- Adequacy Decisions: We rely on adequacy decisions where applicable and ensure equivalent protection in all jurisdictions
- Additional Safeguards: Encryption of data in transit and at rest, access controls and security measures, regular audits and compliance checks
10. Cookies and Tracking Technologies
10.1 Types of Cookies We Use
Essential Cookies:
- Required for website functionality
- Enable user authentication and login sessions
- Maintain security and prevent fraud
- Cannot be disabled without affecting Service functionality
Analytics Cookies:
- Google Analytics 4 cookies (with your consent)
- Track website usage and performance
- Help us improve user experience
- Can be disabled through the cookie consent banner
Preference Cookies:
- Remember your settings and preferences
- Store language and display preferences
- Enhance user experience
10.2 Cookie Management
You can manage cookies through our cookie consent banner (on first visit), your browser settings (disable or delete cookies), Google Analytics opt-out tools, or by contacting us to update preferences. Note: Disabling essential cookies may affect Service functionality.
10.3 Third-Party Tracking
We use the following third-party services that may set cookies: Google Analytics 4 (website analytics, with consent), Clerk (authentication and session management), and Vercel (performance and security monitoring).
11. Children's Privacy
Our Service is not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will delete such information upon verification.
12. Third-Party Links and Services
Our Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to third-party websites or services. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of third-party websites and services before providing any information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal or regulatory requirements, service updates and new features, and user feedback and best practices.
Notification of Changes:
- We will notify you of material changes via email or Service notification
- We will update the "Last Updated" date at the top of this Policy
- Significant changes will be highlighted for 30 days
Your continued use of the Service after changes become effective constitutes acceptance of the updated Policy. If you do not agree with the changes, you may delete your account and discontinue use of the Service.
14. Your Choices and Controls
14.1 Account Settings
You can manage your privacy preferences through account settings (update profile, change password), privacy settings (manage data sharing preferences), and notification preferences (email, in-app notifications).
14.2 Data Export and Deletion
You can export your cashbook data (PDF, Excel, CSV formats), download your account data, delete specific entries or entire cashbooks, and delete your account and all associated data.
14.3 Communication Preferences
You can opt out of marketing emails (unsubscribe link in emails), manage notification preferences, control cookie settings, and disable analytics tracking.
15. Data Protection Officer and Contact Information
15.1 Contact Us
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
15.2 Response Time
We will respond to your inquiries and requests within:
- General inquiries: 5 business days
- Privacy rights requests: 30 days (or as required by applicable law)
- Data breach notifications: As required by applicable law (typically 72 hours for GDPR)
15.3 Supervisory Authority
If you are located in the EEA and believe we have not addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
16. Jurisdiction and Governing Law
This Privacy Policy is governed by the laws of India. Any disputes arising from this Policy or your use of the Service shall be subject to the exclusive jurisdiction of the courts in Noida, Uttar Pradesh, India.
For users in the EEA, this Policy is also subject to the GDPR and the jurisdiction of relevant EU data protection authorities. For users in California, this Policy is also subject to the CCPA and CPRA and the jurisdiction of California courts.
17. Additional Information for Specific Jurisdictions
17.1 European Economic Area (EEA)
If you are located in the EEA, you have additional rights under the GDPR (as detailed in Section 5), we process your data based on legal grounds specified in Section 4, you can contact your local data protection authority with complaints, and we use Standard Contractual Clauses for international transfers.
17.2 California
If you are a California resident, you have rights under the CCPA and CPRA (as detailed in Section 5), we do not sell your personal information, we do not share your personal information for cross-context behavioral advertising, and you can request information about data collection and sharing practices.
17.3 India
If you are located in India, we comply with the Information Technology Act, 2000 and related rules, we implement reasonable security practices and procedures, and we handle sensitive personal data in accordance with applicable Indian laws.
18. Definitions
- Personal Data/Personal Information: Any information that can identify, relate to, describe, or be associated with an individual.
- Sensitive Personal Data: Special categories of personal data, including financial information, that require enhanced protection.
- Data Controller: The entity that determines the purposes and means of processing personal data (OneDash Fintech Private Limited).
- Data Processor: The entity that processes personal data on behalf of the controller (e.g., Supabase, Clerk).
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- Consent: Freely given, specific, informed, and unambiguous agreement to processing of personal data.
19. Acknowledgment
By using one-cashbook, you acknowledge that you have read and understood this Privacy Policy, you consent to the collection, use, and processing of your information as described, you understand your rights and how to exercise them, and you agree to be bound by this Policy and any updates.
20. Effective Date
This Privacy Policy is effective as of January 9, 2025, and will remain in effect except with respect to any changes in its provisions in the future, which will take effect immediately upon posting to this page.
OneDash Fintech Private Limited
CIN: U69200UP2024PTC212069
Last Updated: January 9, 2025