This Privacy Policy describes how MyKharch ("we", "us") collects, uses, stores and shares your personal data. We comply with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 with the SPDI Rules 2011, and applicable RBI and CERT-In directives.
1. Who we are
MyKharch (legally "Kedaya Tech LLP", a LLP) is operated from India. We act as a Data Fiduciary under the DPDP Act for personal data we collect from users of our SaaS product.
2. What we collect and why
| Category | Examples | Purpose & lawful basis |
|---|---|---|
| Account data | Email, phone, full name, password hash | To create and authenticate your account. Lawful basis: contract performance + consent. |
| Business data | Business name, GSTIN, PAN, address, parties, accounts, transactions, invoices | To provide the bookkeeping service. Lawful basis: contract performance. |
| Payment data | Plan, last-4 digits, gateway order/transaction IDs | To bill you. We do not store full card numbers; the payment gateway (Cashfree / PhonePe) handles that. |
| Device & security data | IP, user-agent, device fingerprint, last-seen | Fraud prevention, session management, audit log. Lawful basis: legitimate interest + IT Act 2000 compliance. |
| Usage data | Pages viewed, feature events | Improving the product. Lawful basis: consent (you may opt out in Settings → Notifications). |
3. Sensitive data and encryption
GSTIN, PAN, phone numbers and other identifiers are encrypted at rest using AES-256-GCM. Searchable identifiers also have a HMAC-SHA256 blind index so that we can find a record without ever storing the value in plaintext.
4. Where your data is stored
Production data is hosted in Indian regions (AWS Mumbai ap-south-1 or equivalent). Backups are also retained
in India. Payment data subject to RBI's localisation directive does not leave India.
5. Sharing
- Sub-processors: our payment gateways (Cashfree Payments India Pvt Ltd, PhonePe Payments Pvt Ltd), our email provider, and our infrastructure provider — bound by contract to protect your data.
- Government / law enforcement: only when compelled by a lawful order under Indian law.
- We do not sell your data to anyone.
6. Retention
- Account profile: while your account exists, plus 30 days grace.
- Financial records (transactions, invoices, journal entries): retained for 8 years under sec. 149 of the Income Tax Act, 1961 and the IT Act 2000, even after account deletion. After deletion they are pseudonymised (your identity is removed) but the ledger stays for tax compliance.
- Audit and security logs: minimum 180 days under CERT-In Directive 6/2022.
7. Your rights under the DPDP Act
- Right to access: see what we hold about you. Settings → Security → Download your data.
- Right to correction: correct inaccurate or incomplete data. Update from your profile, or write to us.
- Right to erasure: request deletion. We honour this with a 30-day grace period; financial records are pseudonymised but not destroyed (see Retention above).
- Right to portability: receive a portable JSON+CSV bundle of your data.
- Right to grievance redressal: see our Grievance Officer page.
8. Consent
We log your consent in a tamper-evident consent ledger when you sign up and whenever you change a privacy preference. You may withdraw consent at any time, though some processing (e.g. fraud prevention, statutory record-keeping) may continue under another lawful basis.
9. Breach notification
If we suffer a personal data breach that meets the DPDP Act threshold, we will notify the Data Protection Board of India and affected users within 72 hours. We will report cyber incidents to CERT-In within 6 hours as required by Directive 6/2022.
10. Cookies
We use first-party cookies for authentication, CSRF protection and remembering your dark-mode preference. We do not use third-party advertising cookies.
11. Changes
Material changes to this policy will be notified by email and on the dashboard. The "Last updated" date at the top reflects the current version.
12. Contact
For privacy questions, write to hello@kedayatech.com or use the contact details on our Grievance Redressal page.