Privacy Policy

1. Introduction and Scope

  • 1.1 Purpose of this Policy
    This Privacy Policy has been developed to clearly articulate how QSG TechLabs Pvt Ltd (“we”, “our”, or “us”), the creators and operators of the BriskBill platform, collect, use, store, disclose, and safeguard personal and business-related data. BriskBill is a secure, cloud-based invoicing and billing platform designed for SMEs and professionals. This Policy reflects our commitment to protecting data in accordance with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). It outlines the measures taken to ensure user privacy, transparency, and trust in digital operations.
  • 1.2 Applicability
    This Privacy Policy applies comprehensively to all categories of individuals and entities interacting with BriskBill, including but not limited to:
    • 1.2.1 Users who create, manage, or operate accounts on the BriskBill platform in administrative or staff capacities (collectively referred to as “Account Holders”);
    • 1.2.2 End customers whose data is processed through invoicing, billing, or customer management functionalities on the platform (“Clients” or “Invoice Recipients”);
    • 1.2.3 Individuals who interact with BriskBill through our web application, mobile interfaces (if applicable), public APIs, customer support channels, or other official online means;
    • 1.2.4 Visitors accessing the BriskBill platform without registering but interacting with its publicly available features.
  • 1.3 Agreement to the Policy
    By registering, accessing, or continuing to use any functionality of BriskBill, whether directly or through third-party integrations, you expressly agree to the terms and practices described in this Privacy Policy. If you do not agree with any of the terms outlined herein, you are advised to immediately discontinue use of the BriskBill platform and associated services. Your continued access and use will be interpreted as acceptance of the prevailing version of this Policy.
  • 1.4 Relationship to Other Policies
    This Privacy Policy operates in conjunction with and is subject to the Terms of Service governing BriskBill usage. It does not extend to third-party services integrated into or linked from BriskBill, such as payment gateways like Razorpay, external accounting tools, or websites accessed via embedded URLs. Those services are governed by their own independent privacy policies and data processing standards. We recommend users review the policies of such third parties separately before use.

2. Types of Data Collected

To ensure the effective operation, enhancement, and compliance of the BriskBill platform, we collect various categories of personal, business, transactional, and technical data. This data may be collected either directly from you, through your usage of our services, or from integrated service providers. The information we collect can be broadly categorized as follows:

  • 2.1 Account Holder (Admin and Staff) Data
    When you register and manage a BriskBill account as an Admin or Staff, we collect the following information, which is considered personally identifiable and, in certain cases, sensitive under the SPDI Rules:
    • 2.1.1 Full legal name of the user
    • 2.1.2 Email address used for registration and communication
    • 2.1.3 Registered business name, type (proprietorship, partnership, company), and physical address
    • 2.1.4 Contact phone number (optional, but recommended for OTP and support resolution)
    • 2.1.5 Login password (stored in a one-way hashed format using industry-standard encryption methods)
    • 2.1.6 Banking and financial account information for payment settlement and client remittances, including:
      • Account holder name
      • Bank name
      • Branch and IFSC code
      • Account number
  • 2.2 End Customer (Client) Data
    BriskBill allows you to input, process, and manage data of your own customers, vendors, or recipients of invoices (“Clients”). The nature of this information may vary depending on the industry, but typically includes:
    • 2.2.1 Full name or business name of the customer
    • 2.2.2 Email address and/or contact phone number
    • 2.2.3 Billing address and delivery location, if applicable
    • 2.2.4 GSTIN or tax identification numbers (where entered)
    • 2.2.5 Any custom notes, internal references, or metadata you voluntarily input in invoice descriptions, notes, terms, or reference fields
  • 2.3 Billing and Platform Usage Data
    We capture operational and service-level metadata as part of the normal functioning of BriskBill, including but not limited to:
    • 2.3.1 Subscription and billing details:
      • Plan name (Free, Premium, Custom)
      • Activation/renewal dates
      • Billing history and payment statuses
    • 2.3.2 Invoice and financial transaction metadata:
      • Invoice numbers, due dates, invoice statuses
      • Payment history, including timestamps and status (paid/unpaid/partial)
      • Customer reference fields or tags
    • 2.3.3 Razorpay payment integration logs:
      • Mode of payment (e.g., UPI, net banking, credit card – metadata only)
      • Payment confirmation IDs and gateway responses
      • Timestamp of payment initiation and confirmation
    • 2.3.4 Technical and access logs:
      • IP addresses used to access the system
      • Browser type, operating system, and device information
      • Login timestamps, session duration, logout history
  • 2.4 Sources of Data Collection
    The data outlined above may originate through multiple trusted and lawful collection mechanisms:
    • 2.4.1 Direct User Input: via account creation forms, invoice setup, manual entry of client information, or customer support submissions.
    • 2.4.2 Automated System Activity: captured via BriskBill’s backend systems and analytics infrastructure, which logs access patterns, transactions, and usage statistics in real time.
    • 2.4.3 Authorized Third-Party Integrations: where data is passed securely between BriskBill and third-party services like Razorpay (payment processing), AWS (cloud hosting), and Google Fonts or mail services (UX enhancements).

3. How Information Is Collected

BriskBill collects data through a combination of direct user input, automated backend processes, and secure interactions with third-party service providers. These collection mechanisms ensure the platform functions reliably, securely, and in a user-friendly manner. Each method is designed to align with the principles of transparency, minimization, and lawful processing.

  • 3.1 Direct Collection from Users
    Much of the personal and business data we process is voluntarily and explicitly submitted by users in the course of using BriskBill’s services. This includes:
    • 3.1.1 Signing up for a BriskBill account, including providing your name, email, and business details
    • 3.1.2 Filling out your company profile, bank account, tax identifiers (e.g., PAN, GSTIN), and custom branding information
    • 3.1.3 Creating invoices or quotations by manually entering customer names, emails, line items, tax structures, and due dates
    • 3.1.4 Adding client records, setting up recurring billing schedules, or tagging clients with internal labels
    • 3.1.5 Submitting customer service queries, technical issues, or compliance-related questions through our support form or by email
    • 3.1.6 Uploading optional visual or document elements such as invoice templates, custom logos, and footnotes
  • 3.2 Automatic Collection Through System Activity
    To ensure security, user experience optimization, and technical accuracy, BriskBill automatically logs certain types of metadata whenever users interact with the platform. This includes:
    • 3.2.1 IP address, device type, browser version, operating system, and screen resolution
    • 3.2.2 Login and logout times, number of active sessions, and whether logins occurred from a new location or device
    • 3.2.3 Feature interaction logs — such as whether recurring invoices were enabled, whether the export function was used, or how often dashboard reports were accessed
    • 3.2.4 Clickstream data — tracking which menu items, pages, or tabs within BriskBill were visited for improving UI/UX design
    • 3.2.5 Internal error logs and crash reports to diagnose bugs, API failures, or data submission inconsistencies
  • 3.3 Collection via Third-Party Services
    BriskBill integrates with select third-party services to ensure smooth operations. These services are contractually bound to adhere to privacy and security standards. Data from these integrations may include:
    • 3.3.1 Razorpay (Payment Gateway)
      • Metadata about each transaction (e.g., transaction ID, status, timestamp, and payment method)
      • Confirmation of successful or failed payments
      • Refund status and reconciliation identifiers
    • 3.3.2 Amazon Web Services (AWS)
      • Infrastructure metrics (e.g., server uptime, API call latency, data throughput)
      • Application performance logs and service health alerts
      • Cloud storage logs related to invoice PDFs, backups, and report exports
    • 3.3.3 Diagnostic Tools (Internal or Integrated)
      • We may use tools for security alerting, uptime monitoring, and tracking system performance, which may temporarily access anonymized or semi-structured log data under secure controls
  • 3.4 Voluntary Surveys, Testimonials, and Pilot Programs
    We may periodically request optional data from users for non-core purposes such as:
    • 3.4.1 User experience or product improvement surveys
    • 3.4.2 Invitations to participate in beta testing for upcoming features
    • 3.4.3 Submissions of testimonials, feedback, or brand case studies (which will only be published after explicit consent)

4. How We Use the Information

The data collected by BriskBill is utilized strictly in accordance with applicable laws and for purposes that are necessary, proportionate, and lawful. Our primary objective in using your data is to deliver efficient invoicing and billing services, protect system integrity, and support legal and regulatory compliance. We do not use your data for advertising, profiling, or unrelated analytics without your consent.

  • 4.1 Service Delivery and Core Operations
    We use personal and business information to facilitate the key functions of the BriskBill platform, including:
    • 4.1.1 Creating, activating, and maintaining your BriskBill user account
    • 4.1.2 Enabling you to create, edit, and share tax-compliant invoices, quotations, credit notes, and receipts
    • 4.1.3 Tracking payment statuses, client interactions, and invoice due dates
    • 4.1.4 Managing your subscription plan (Free, Premium, or Custom), including renewals and plan upgrades
    • 4.1.5 Supporting access roles (Admin vs. Staff) to enable internal collaboration and delegated functions
    • 4.1.6 Generating downloadable reports, tax summaries (e.g., GST summaries), and invoice analytics
  • 4.2 Communications and Service Notifications
    Your contact information is used to communicate important operational or support-related updates:
    • 4.2.1 Email and in-app notifications for logins from new devices, password changes, or suspicious access patterns
    • 4.2.2 Transactional communications such as payment confirmation emails, invoice sharing status, or subscription expiry reminders
    • 4.2.3 Responses to technical support tickets, feature requests, or feedback submissions
    • 4.2.4 Important legal, policy, or platform changes that may affect your account or data handling
  • 4.3 Legal and Regulatory Compliance
    We process and retain certain categories of data to comply with mandatory legal obligations under Indian law, including:
    • 4.3.1 Goods and Services Tax (GST) rules requiring preservation of invoices and billing data for audit and tax filing
    • 4.3.2 Indian accounting and corporate regulatory norms (such as those under the Companies Act, Income Tax Act, etc.)
    • 4.3.3 Statutory reporting obligations when responding to tax authorities, government notices, or court summons
    • 4.3.4 Maintaining verifiable audit trails and system logs in case of data investigations, billing disputes, or platform misuse
  • 4.4 Security Monitoring and Fraud Prevention
    To ensure system reliability and to detect and mitigate unauthorized activities, we use relevant technical data to:
    • 4.4.1 Identify and prevent suspicious login patterns, brute force attacks, or credential misuse
    • 4.4.2 Investigate invoice tampering attempts, unusual payment activity, or suspected manipulation of invoice sequences
    • 4.4.3 Apply temporary account freezes or lockdowns in case of potential fraud or violation of platform terms
    • 4.4.4 Conduct internal forensic audits to understand error root causes and prevent recurrence
  • 4.5 Platform Improvement and Analytics
    We may analyse anonymized or pseudonymized usage data to:
    • 4.5.1 Evaluate which features are most or least used across user segments
    • 4.5.2 Monitor platform responsiveness, crash rates, and form input behaviours
    • 4.5.3 Improve dashboard usability, navigation clarity, and report accuracy based on observed interactions
    • 4.5.4 Create non-identifiable insights or usage benchmarks to refine BriskBill’s roadmap and development priorities
  • 4.6 Consent-Based Processing
    In limited scenarios, we process data only after obtaining your explicit consent:
    • 4.6.1 Publishing client testimonials, case studies, or your company logo as a featured user
    • 4.6.2 Enrolling your team in beta testing programs or pre-release feature trials
    • 4.6.3 Contacting you for structured feedback surveys, industry insights, or use-case documentation

5. Legal Basis of Processing

BriskBill processes your personal and sensitive personal data in accordance with applicable Indian laws, particularly the Information Technology Act, 2000 and the SPDI Rules, 2011. Every instance of data processing is carried out on the basis of clear and justifiable legal grounds. We ensure that such processing is lawful, transparent, and limited to what is necessary for the relevant purpose.

  • 5.1 Consent
    Consent forms a key legal basis for the collection and processing of data in many circumstances, especially for sensitive personal data or information (SPDI).
    • 5.1.1 When you voluntarily enter data into BriskBill, such as your bank account details or contact information, it is presumed that you have consented to its use for intended functions.
    • 5.1.2 Consent may be given either expressly (e.g., through checkboxes, pop-up notices) or implied through continued usage of the platform’s features, after being made aware of this Policy.
    • 5.1.3 You have the right to withdraw such consent at any point. However, withdrawal may affect your ability to use certain features or services that rely on that data. Requests for withdrawal must be sent via your registered email to the contact provided in Section 10.
  • 5.2 Performance of a Contract
    The majority of the data processing carried out by BriskBill is necessary to fulfil the contract between you (the user) and us (the service provider).
    • 5.2.1 This includes creating and maintaining your user account, enabling invoice generation, sending payment links, and delivering reporting tools.
    • 5.2.2 Failure to provide essential information (such as email address, business details, or bank info for payouts) may result in the partial or full inability to access BriskBill services.
    • 5.2.3 Data processed under this basis is retained in accordance with the contract terms and Section 9 of this Policy, even after termination, for legal compliance.
  • 5.3 Compliance with Legal Obligations
    We are obligated under Indian laws to collect and retain certain categories of data for legal, tax, and regulatory purposes.
    • 5.3.1 Examples include the obligation to preserve invoice records for at least 8 years under GST law, or to maintain logs under IT Act directives.
    • 5.3.2 We may also be compelled to disclose information when directed by competent authorities via court orders, regulatory requests, or notices under applicable law.
    • 5.3.3 In such cases, the scope of data shared will be strictly limited to what is legally mandated, and such actions will be recorded for accountability.
  • 5.4 Legitimate Business Interests
    In certain limited cases, we process data based on our legitimate interests as a technology service provider. These interests are balanced against your fundamental right to privacy.
    • 5.4.1 Legitimate interests include ensuring the technical stability, security, and responsiveness of the platform, including:
      • Monitoring server uptime and user session metrics
      • Detecting fraud, misuse, or unauthorized access
      • Understanding usage patterns to improve dashboard design
      • Enabling feedback collection and internal research
    • 5.4.2 Where feasible, we anonymize or pseudonymize the data used under this basis to minimize privacy risks.
    • 5.4.3 You may object to processing under this ground if you believe it infringes your privacy rights. Such objections will be evaluated fairly and may result in opt-out options being offered.

6. Sharing and Disclosure of Data

At BriskBill, we are committed to maintaining the confidentiality of your data. We do not sell, lease, or disclose your personal or business information to third parties for advertising or monetization purposes. However, limited and controlled data sharing may occur under specific, justified circumstances as outlined below.

  • 6.1 Sharing with Third-Party Service Providers
    To ensure uninterrupted service delivery, we work with a limited number of trusted external service providers. These partners are contractually obligated to maintain data confidentiality, implement robust security measures, and process data only for specified purposes.
    • 6.1.1 Amazon Web Services (AWS)
      • Hosts BriskBill’s cloud infrastructure
      • Provides encrypted and geo-redundant data storage located primarily in the United States
      • Enables secure application performance, encrypted backups, and robust access controls
    • 6.1.2 Razorpay (Payment Gateway)
      • Facilitates payment processing for BriskBill users and their clients
      • Accesses transaction-level metadata (e.g., payment method, status, timestamps)
      • Does not have access to invoice content, client lists, or user credentials
      • Card numbers, UPI PINs, and CVVs are never stored or accessed by BriskBill at any stage
    • 6.1.3 Diagnostic and Monitoring Tools
      • Internal or third-party services may be used to monitor system uptime, performance bottlenecks, or error diagnostics
      • Such tools operate on anonymized or log-level data and do not access user-level invoice content unless necessary for issue resolution
  • 6.2 Legal and Regulatory Disclosures
    We may disclose your personal or business information if required to do so by applicable law, regulatory authority, or judicial order. Such disclosures will be carried out only after verifying the legal legitimacy and scope of the request.
    • 6.2.1 Responding to valid court summons, tax inquiries, law enforcement requests, or regulatory inspections under Indian law
    • 6.2.2 Complying with GST and Income Tax laws requiring the submission of invoice or payment records for audit or scrutiny
    • 6.2.3 Investigating, preventing, or taking action against illegal activities such as fraud, misuse, impersonation, or breach of terms
    • 6.2.4 Enforcing our Terms of Service, Privacy Policy, or protecting BriskBill’s legal rights and reputation
  • 6.3 Business Transfers and Restructuring Events
    In the event of a corporate merger, acquisition, restructuring, or sale of assets, your data may be part of the transferred business assets.
    • 6.3.1 Any acquiring or merging entity will be legally bound to comply with the terms of this Privacy Policy, unless you are notified and opt out
    • 6.3.2 We will notify all active users of such events through email and/or a public announcement, and highlight any material changes to data handling
  • 6.4 Disclosures Based on Your Consent
    Certain data may be disclosed or shared only after receiving your specific and written (or electronic) consent. Examples include:
    • 6.4.1 Integrating BriskBill with other platforms at your request (e.g., accounting, CRM, or email tools)
    • 6.4.2 Featuring your testimonial, company logo, or use-case as part of our promotional material or case studies
    • 6.4.3 Migrating or exporting your account data to another software system upon your instruction
  • 6.5 No Sale or Profiling of User Data
    BriskBill maintains a strict policy of not monetizing user data. We do not engage in:
    • 6.5.1 Selling your data to advertisers, marketers, or data aggregators
    • 6.5.2 Transferring data to third parties for lead generation or affiliate marketing
    • 6.5.3 Behavioural profiling, remarketing, or ad targeting based on invoice data or user behaviour

7. Cross-Border Data Transfer

Although BriskBill is developed and operated by an Indian company (QSG TechLabs Pvt Ltd), certain aspects of our cloud infrastructure are hosted in geographically distributed data centres located outside India. This section explains how international data transfers are handled lawfully, securely, and in a manner that respects your privacy rights under Indian law.

  • 7.1 Hosting Infrastructure Location
    BriskBill’s application data and associated services are primarily hosted on Amazon Web Services (AWS), a globally trusted cloud infrastructure provider.
    • 7.1.1 Your data — including user accounts, client records, invoices, payment logs, and document attachments — is stored on AWS servers located in the United States (and may be backed up in other global regions for redundancy).
    • 7.1.2 AWS is certified under leading global standards such as ISO/IEC 27001, SOC 1/2/3, and PCI DSS, ensuring enterprise-grade infrastructure and security controls.
  • 7.2 Legal Framework under Indian Law
    The transfer of personal data outside India is governed by the Information Technology Act, 2000 and Rule 7 of the SPDI Rules, 2011.
    • 7.2.1 Under current law, personal or sensitive personal data may be transferred to a foreign location if:
      • The recipient entity ensures the same level of data protection as mandated under Indian rules, and
      • The data subject (user) has consented to such transfer.
    • 7.2.2 By using BriskBill, you explicitly consent to the transfer, storage, and lawful processing of your data on secure foreign servers operated by authorized infrastructure providers (primarily AWS).
    • 7.2.3 We regularly evaluate the data protection practices of such third-party providers to ensure continued compliance with Indian standards and your rights as a user.
  • 7.3 Technical Safeguards for Cross-Border Data
    To protect your data even during international hosting, BriskBill implements multiple levels of security controls and encryption protocols:
    • 7.3.1 All data transmissions between your device and BriskBill servers are encrypted via TLS 1.2 or higher (HTTPS), preventing interception or tampering in transit.
    • 7.3.2 Sensitive data (e.g., bank account details, authentication tokens) is encrypted at rest using AWS Key Management Service (KMS), with periodic key rotation policies.
    • 7.3.3 Access to the production environment is tightly controlled using Role-Based Access Controls (RBAC), Multi-Factor Authentication (MFA), and IP restrictions.
    • 7.3.4 Backup systems are geo-redundant and encrypted, and undergo periodic testing for disaster recovery readiness.
  • 7.4 Control Over Foreign Access
    We strictly limit who can access user data, even within cloud infrastructure or support teams.
    • 7.4.1 AWS personnel or support engineers do not access your personal data unless absolutely required for infrastructure support — and only under logged, time-bound conditions.
    • 7.4.2 No offshore marketing, analytics, or third-party developers are given access to raw user data, except where authorized under written agreements with strict non-disclosure and data minimization terms.
  • 7.5 Future Compliance with Indian Data Localization Laws
    India’s data protection landscape is evolving, especially with the introduction of the Digital Personal Data Protection Act, 2023 (yet to be fully enforced as of this version).
    • 7.5.1 If future regulations mandate mandatory localization of certain categories of data, we will take necessary steps to establish India-based hosting zones or hybrid storage solutions.
    • 7.5.2 Users will be provided advance notice and transition assistance if there are material changes in hosting geography or related policies.

8. Data Security Measures

We at BriskBill recognize the critical importance of protecting the confidentiality, integrity, and availability of your data. In accordance with Rule 8 of the SPDI Rules, 2011, we have implemented comprehensive “Reasonable Security Practices and Procedures” to safeguard all categories of data under our control — including sensitive personal information.

Our security framework is multi-layered, combining technical controls, policy enforcement, employee training, and periodic audits to minimize the risk of unauthorized access or misuse.

  • 8.1 Secure Data Transmission and Encryption
    • 8.1.1 Transport Layer Security (TLS 1.2 or above) is used for all web-based traffic, ensuring that login credentials, invoice data, and personal information are shielded during transmission.
    • 8.1.2 Data stored on our cloud infrastructure is encrypted at rest using Amazon Web Services Key Management Service (AWS KMS), with fine-grained access permissions and encryption key lifecycle management.
    • 8.1.3 Where third-party integrations exist (e.g., Razorpay), tokenized and encrypted session mechanisms are used to prevent exposure of credentials or payment data.
  • 8.2 Password and Credential Security
    • 8.2.1 Passwords are hashed using industry-standard cryptographic algorithms (e.g., bcrypt or SHA-256 with salt) and are never stored in plain text.
    • 8.2.2 BriskBill encourages the use of strong passwords and periodically prompts users to update them.
    • 8.2.3 API tokens, system secrets, and internal credentials are managed using AWS Secrets Manager, and rotated based on risk posture.
    • 8.2.4 Two-Factor Authentication (2FA) is supported and recommended for Admin-level users to add an extra layer of protection.
  • 8.3 Role-Based Access Control (RBAC)
    • 8.3.1 Admins and Staff have differentiated access to modules, ensuring that sensitive business data is not exposed unnecessarily.
    • 8.3.2 Internal employees (e.g., support agents or developers) are granted access to user data only on a need-to-know basis, with logged justifications.
    • 8.3.3 Manual changes to invoices, client records, or account settings are logged, reviewed, and time-stamped for full traceability.
  • 8.4 Infrastructure Security and Backups
    • 8.4.1 Firewalls, Intrusion Detection Systems (IDS), and network access controls are employed to detect and mitigate threats in real-time.
    • 8.4.2 We perform encrypted, automated backups daily, which are retained for designated periods (see Section 9), and stored in geographically redundant locations.
    • 8.4.3 Our disaster recovery protocols include regular testing of data restoration, ensuring business continuity in the event of natural disasters or cyberattacks.
  • 8.5 Monitoring, Logging, and Threat Detection
    • 8.5.1 Critical events — such as password resets, failed login attempts, unusual invoice edits, and payment mismatches — are captured and correlated for threat assessment.
    • 8.5.2 BriskBill uses automated alerting systems to flag potentially malicious behaviour or policy violations.
    • 8.5.3 Access logs are retained securely and reviewed periodically to verify that all interactions are compliant with internal standards.
  • 8.6 Secure Development Lifecycle (SDLC)
    • 8.6.1 All new features and updates undergo code review, automated testing, and security vetting before production release.
    • 8.6.2 We do not store API keys or credentials in our source code repositories. Secrets are managed externally and injected securely during deployment.
    • 8.6.3 Environments are segregated — development, staging, and production instances are isolated to prevent data leaks or unintentional exposure.
  • 8.7 Incident Response and Breach Notification
    • 8.7.1 BriskBill maintains a documented Incident Response Plan (IRP), assigning responsibilities to designated personnel across engineering, legal, and customer support teams.
    • 8.7.2 If a breach is detected that compromises user data, we will notify affected users promptly via email and/or in-app alerts, as per regulatory requirements.
    • 8.7.3 Where required under Indian law, we will notify the appropriate government or regulatory authorities and assist with investigations.

9. Data Retention and Deletion

BriskBill is committed to retaining your personal and business data only for as long as necessary to fulfill the purposes outlined in this Policy, or as mandated under Indian law, including statutory tax, audit, and regulatory requirements. We follow a combination of rule-based, role-based, and event-based data retention policies to ensure minimal and lawful data storage.

  • 9.1 General Retention Principles
    • 9.1.1 Data is retained only as long as necessary to provide services, resolve disputes, respond to legal obligations, or enforce our rights.
    • 9.1.2 When the purpose of data retention is fulfilled, or upon valid user request, data is either permanently deleted or irreversibly anonymized.
    • 9.1.3 We distinguish between user-level data (e.g., account details), client data (e.g., invoice recipients), and system data (e.g., logs), and apply different retention timelines to each category.
  • 9.2 Specific Retention Periods by Data Category
    • 9.2.1 Account Data (Admins and Staff)
      • Retained for the entire duration of your BriskBill subscription.
      • If your account is voluntarily closed, deactivated due to inactivity, or terminated, your data will be retained for up to 3 years from the date of deactivation, unless earlier deletion is requested in writing.
      • This retention allows for account reactivation, legal inquiries, or dispute resolution.
    • 9.2.2 End Customer (Client) Data
      • Client data (entered by you) is retained as long as it is actively used or referenced in your invoices, reports, or client books.
      • When you manually delete a client record or invoice, the data is queued for permanent deletion within 30 days from the date of deletion.
      • You are responsible for ensuring that deletion of client data complies with your local business obligations and client agreements.
    • 9.2.3 Invoices, Billing, and Financial Records
      • All GST invoices, transaction records, and financial reports are retained for a minimum of 8 years from the date of issuance, in line with Section 36 of the CGST Act and Income Tax regulations.
      • These records are protected using encryption, stored securely, and available for download by authorized users until expiry.
    • 9.2.4 System Logs and Technical Metadata
      • Logs related to login activity, payment attempts, invoice edits, and audit trails are retained for 12 to 24 months to assist in technical diagnostics and fraud investigations.
      • After expiry, logs are either securely purged or aggregated for analytics in anonymized form.
    • 9.2.5 Backup Files and Snapshots
      • Encrypted daily backups are maintained in a rolling window of 30–90 days, depending on criticality and storage policy.
      • Expired backups are permanently deleted through secure, automated AWS lifecycle policies.
  • 9.3 User-Initiated Deletion Rights
    • 9.3.1 You may request deletion of your BriskBill account, client database, uploaded invoice logos, stored payment preferences, or any sensitive personal data.
    • 9.3.2 Requests must be initiated from your registered email ID and sent to our Grievance Officer (refer Section 10).
    • 9.3.3 Verified requests are processed within 15 business days, unless:
      • Statutory retention laws override deletion, or
      • Data is part of an unresolved dispute or legal hold.
    • 9.3.4 Once deleted, the data is non-recoverable, and you must explicitly confirm your intent before finalization.
  • 9.4 Legal Holds, Exceptions, and Audit Preservation
    • 9.4.1 Data may be retained beyond the periods stated above where it is subject to ongoing:
      • Tax assessments
      • Court or regulatory proceedings
      • Dispute resolution, fraud analysis, or internal audit reviews
    • 9.4.2 During a legal hold, the affected data will be archived securely and access-restricted until the hold is lifted.
    • 9.4.3 We conduct periodic reviews of long-retained data to evaluate whether legal grounds for continued retention still apply.

10. User Rights, Policy Updates, and Contact Information

BriskBill values your right to privacy and strives to provide you with meaningful control over how your data is collected, used, and maintained. This section outlines your statutory rights under Indian law, our process for updating this Privacy Policy, and how to reach us for redressal or inquiries.

10.1 User Rights under Indian Law

10.1.1 Right to Access
• You may request details about the categories of personal data we hold about you, the purposes of processing, and the entities with whom the data has been shared.
• We will provide such information in a machine-readable format, subject to verification of identity.

10.1.2 Right to Rectification
• You have the right to correct or update inaccurate, incomplete, or outdated information related to your profile, client details, or payment information.

10.1.3 Right to Erasure (Right to be Forgotten)
• You may request deletion of your data (partially or fully), particularly if:
  • The data is no longer necessary for the purpose it was collected
  • Consent has been withdrawn
  • You are discontinuing your account permanently
• Such requests will be honoured unless retention is required for legal, audit, or contractual reasons.

10.1.4 Right to Withdraw Consent
• Where we rely on your consent for non-essential data processing (e.g., case studies, surveys), you may withdraw such consent at any time without affecting core platform usage.

10.1.5 Right to Object or Restrict Processing
• You may object to or request temporary suspension of specific types of data processing, such as:
  • Marketing communications
  • Use of technical logs for analytics
  • Third-party disclosures (where not legally mandated)

10.2 Policy Updates and Change Notifications

10.2.1 Updates to this Policy may be prompted by:
• New data protection laws or government notifications
• Expansion of services or third-party integrations
• Enhancements in data security architecture

10.2.2 Significant changes affecting your rights or the scope of processing will be proactively communicated via:
• Email to the primary address linked with your BriskBill account
• In-app notifications or dashboard banners

10.2.3 The “Last Updated” date at the top of this document will always reflect the latest binding version.

10.2.4 Your continued use of the platform following such changes will constitute acceptance of the revised Policy.

10.3 Grievance Redressal and Contact Information
In accordance with Rule 5(9) of the SPDI Rules, we have appointed a Grievance Officer to address data protection concerns, violations, or access requests.
Grievance Officer
QSG TechLabs Pvt Ltd
S-505, World Trade Centre, Brigade Gateway Campus
Dr. Rajkumar Road, Malleswaram West,
Bangalore – 560055, Karnataka, India

Email: it_admin@briskbill.com
Response Time: Within 15 business days from the date of valid request