Overview & Legal Basis
This Privacy Policy is issued pursuant to the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules).
We process your personal data on the following legal bases under the DPDP Act and applicable Indian law:
- Performance of contract: Processing required to provide the HourSlip service you signed up for (time tracking, invoicing, tax planning).
- Explicit consent: Processing for optional communications (e.g. marketing emails, if you opt in).
- Legitimate interest: Security monitoring, fraud prevention, and service improvement, balanced against your privacy rights.
By creating an account, you acknowledge this Privacy Policy and consent to the collection and processing of your personal data as described herein, in accordance with Section 6 of the DPDP Act 2023.
Information We Collect
When you use HourSlip, we collect information you provide directly:
- Account info: Full name, email address (via Google OAuth, GitHub OAuth, or email/password).
- Business info: Trade name, GSTIN, PAN number, state code, address.
- Payment info: UPI ID, bank account number (masked), IFSC code. We do not store credit/debit card details — Razorpay handles payment processing.
- Client data: Client names, GSTINs, contact details, billing rates.
- Financial data: Time entries, invoices, expenses, platform income entries.
How We Use Your Data
- To provide the HourSlip service (time tracking, invoicing, tax planning).
- To generate invoices, PDFs, and GSTR-1 exports on your behalf.
- To calculate tax estimates and display financial analytics.
- To process subscription payments via Razorpay.
- To send transactional emails (invoice receipts, payment confirmations, advance tax reminders) via Resend.
- To apply rate limiting for security and service quality (via Upstash Redis).
Data Storage & Security
Your data is stored in Supabase (PostgreSQL) hosted in the ap-south-1 (Mumbai) region. All data is encrypted in transit using TLS. Row Level Security (RLS) enforces strict data isolation — you can only access your own data, and no other user can access yours.
Sensitive financial identifiers — GSTIN, PAN, UPI ID, and bank account details — are additionally protected with field-level AES-256-GCM encryption before storage. This means your most sensitive tax and banking identifiers are encrypted independently at the application layer, with a versioned key envelope that supports key rotation. General operational data (time entries, invoice amounts, client names) is stored securely in the database with RLS isolation but is not field-level encrypted.
In the event of a personal data breach affecting your data, we will notify you as soon as practicable and report to relevant authorities as required by applicable Indian law, including the DPDP Act 2023.
We do not have access to your data unless you explicitly share it for support purposes. We do not claim any security certifications (ISO 27001, SOC 2, PCI-DSS); the above describes our actual practices.
Third-Party Services (Sub-processors)
- Supabase: Database, authentication, and file storage. Hosted in Mumbai (ap-south-1).
- Razorpay: Payment processing for subscription billing and invoice payments. Razorpay handles card data directly; we do not store card numbers.
- Google OAuth: Optional sign-in method. Your Google profile name and email are shared with us at sign-in.
- GitHub OAuth: Optional sign-in method. Your GitHub profile name and email are shared with us at sign-in.
- Resend: Transactional email delivery (invoice receipts, payment confirmations, advance tax reminders). Resend processes your email address and email content. US-based.
- Upstash Redis: Rate limiting for API security. Upstash processes request metadata (IP address, request counts) only; no personal financial data is sent. US/EU-based depending on region configuration.
- Vercel: Hosting and edge delivery for the HourSlip web application. All HTTP traffic passes through Vercel infrastructure, which logs standard request metadata (IP address, browser, timestamps). US-based.
- open.er-api.com: Live USD/INR exchange rates (no personal data sent).
- IFSC API (Razorpay): Bank branch lookup from IFSC code (no personal data sent).
International Data Transfers
Your primary data is stored in India (Supabase, Mumbai ap-south-1). However, some sub-processors — Resend (email), Upstash (rate limiting), and Vercel (hosting/edge) — are located outside India and may process certain personal data (email addresses, IP addresses, request metadata) in the United States or European Union. By using HourSlip, you consent to your personal data being processed in these countries by these sub-processors for the purposes described above. We require all sub-processors to maintain appropriate security measures consistent with applicable law. When cross-border transfer restrictions are notified under Section 16 of the DPDP Act 2023, we will update this policy accordingly.
Data Retention
Your data is retained as long as your account is active. When you delete your account (Settings → Danger Zone), all data is permanently deleted, including time entries, invoices, clients, expenses, and income entries. This action is irreversible. We do not retain personal data beyond what is necessary for the purpose for which it was collected, in accordance with Section 8(7) of the DPDP Act 2023 and Rule 7 of the SPDI Rules.
Your Rights (DPDP Act 2023)
Under the Digital Personal Data Protection Act 2023 and applicable Indian law, you have the following rights as a data principal:
- Access (§11): You can view all your data within the app at any time.
- Correction (§12): You can update your personal and business information from Settings.
- Erasure (§12): You can delete your account and all associated data from Settings → Danger Zone.
- Export: You can export invoices as PDF and GSTR-1 data as CSV.
- Withdraw consent (§6): You may withdraw consent to non-essential processing at any time. The operative mechanism for withdrawing consent to all processing is account deletion.
- Grievance redressal (§13): You may raise a grievance with us at [email protected] (see Contact below).
- Nomination (§14): You may nominate another person to exercise your data rights on your behalf in the event of your incapacity or death. Contact us at [email protected] to register a nominee.
- Data Protection Board (§27): If you are not satisfied with how we handle your grievance, you may approach the Data Protection Board of India once constituted under the DPDP Act 2023.
Children's Privacy
HourSlip is not intended for users under 18 years of age. We do not knowingly collect information from minors.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes via email or in-app notification at least 15 days before changes take effect. For material changes to how we process your personal data, we will seek fresh consent where required by the DPDP Act 2023. Continued use of HourSlip constitutes acceptance of non-material updates to the policy. You may withdraw consent by deleting your account.
Contact
For privacy-related questions, to exercise any of your data rights, or to raise a grievance, contact us at [email protected]. We aim to acknowledge requests within 24 hours and resolve them within 30 days. If you remain unsatisfied, you may approach the Data Protection Board of India once it is constituted under the DPDP Act 2023.