Privacy Policy
- Data stored: your email, name, mobile, and invoice records
- Data not stored on our side: card numbers, UPI PINs, passwords in plaintext
- Data never sold or rented to anyone
1 Who We Are
GST Invoice Pro is a sole-proprietorship product built and operated by Jay Modi, based in Ahmedabad, Gujarat, India. References to "we", "us", or "our" in this policy mean Jay Modi / GST Invoice Pro.
Contact: jaymodiuk@gmail.com
2 Data We Collect and Why
We collect personal data in two categories:
| Data | Where it's stored | Why we collect it |
|---|---|---|
| Email address | Supabase Auth (AWS, Mumbai) | Account login and email verification |
| Full name | Supabase user metadata | Displayed in the dashboard; pre-fills invoice seller name |
| Mobile number | Supabase user metadata | Customer support and account recovery |
| Invoice records (invoice number, date, amounts, customer name, customer GSTIN, line items) | Supabase invoices table | Cloud backup, plan limit enforcement, GSTR export |
| Your own GSTIN | Browser localStorage only | Auto-fill on invoice forms; never sent to our servers |
| Payment record (Razorpay payment ID, plan, amount, timestamp) | Supabase payments table | Subscription management and billing history |
| Session token | Browser localStorage (cache only) | Keeps you logged in without re-entering credentials |
We do not collect your GSTIN via our servers, your bank account numbers entered in invoices, or any data you do not explicitly provide during signup or invoicing.
3 Supabase (Our Database Provider)
All server-side data is stored in Supabase, hosted on Amazon Web Services (AWS) in the ap-south-1 (Mumbai) region. Supabase encrypts data at rest (AES-256) and in transit (TLS 1.2+).
Supabase's privacy policy: supabase.com/privacy
We use Row-Level Security (RLS) policies so that each user can only read their own invoice and payment records. Supabase staff access is governed by their own security policy and is not used to access your data for commercial purposes.
4 Razorpay Payment Processing
Subscription payments (Pro ₹99/mo, Business ₹499/mo) are processed by Razorpay Software Private Limited, a PCI-DSS Level 1 certified payment processor. When you pay:
- Your card, UPI, or net-banking credentials are entered directly on Razorpay's checkout — they never pass through our servers.
- Razorpay sends us a webhook confirming payment success, which includes: your Razorpay payment ID, the amount paid, and the plan you selected.
- We store only that webhook data (payment ID, plan, amount) in our payments table to activate your subscription.
Razorpay's privacy policy: razorpay.com/privacy
5 Cookies and Local Storage
We use browser localStorage (not cookies) for two purposes:
- Session cache — your login session details, so you stay logged in across page refreshes. This is cleared when you log out.
- Your GSTIN — stored locally on your device for auto-fill convenience. This never leaves your browser.
We do not use tracking cookies, advertising cookies, or any third-party analytics. There are no Google Analytics, Facebook Pixel, or similar trackers on this site.
6 Data Sharing and Third Parties
We do not sell, rent, lease, or trade your personal data to any third party. Period.
We share data only with the infrastructure providers named above (Supabase, Razorpay, Vercel for hosting) and only to the extent necessary to deliver the service. These providers process data under their own privacy policies and are not permitted to use your data for their own commercial purposes.
We may disclose data if required by Indian law (e.g., a valid court order), but we will notify you where legally permitted to do so.
7 Indian IT Act Compliance
This policy is published in compliance with:
- The Information Technology Act, 2000 (as amended in 2008)
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)
- The Digital Personal Data Protection Act, 2023 (DPDPA) — to the extent applicable to sole-proprietorship services
Under SPDI Rules, mobile numbers and passwords qualify as Sensitive Personal Data. We store mobile numbers in Supabase with access controls, and passwords are never stored in plaintext — Supabase Auth handles all password hashing using industry-standard bcrypt.
8 Data Retention
We retain your data for as long as your account is active. If you delete your account:
- Your Supabase Auth record (email, name, mobile) is permanently deleted.
- Your invoice and payment records are permanently deleted from our database.
- Your session data in your browser is cleared immediately on logout.
Payment records may be retained for up to 7 years to comply with Indian accounting and tax record-keeping requirements under the GST Act.
9 Your Rights
You have the right to:
- Access — request a copy of all data we hold about you
- Correction — update your name or mobile number via the Dashboard
- Deletion — request permanent deletion of your account and all associated data
- Portability — export your invoices as PDF at any time from the Invoice page
- Grievance — raise a complaint with the designated grievance officer (see below)
To exercise any right, email jaymodiuk@gmail.com with the subject line "Privacy Request — [your registered email]". We will respond within 30 days as required under SPDI Rules.
10 Security
We implement reasonable security measures including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption at rest via Supabase / AWS
- Row-Level Security (RLS) on all database tables — each user can only access their own records
- Webhook signature verification (HMAC-SHA256) for all Razorpay payment events
- No plaintext password storage — Supabase Auth uses bcrypt
No system is 100% secure. If you discover a security vulnerability, please report it to jaymodiuk@gmail.com immediately.
11 Children's Privacy
GST Invoice Pro is intended for use by businesses and individuals conducting commercial activities in India. It is not directed at children under the age of 18. We do not knowingly collect data from minors.
12 Changes to This Policy
We may update this policy as the product evolves. Material changes will be communicated via email to registered users at least 7 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.
13 Grievance Officer & Contact
As required by the IT Act and SPDI Rules, the designated Grievance Officer for GST Invoice Pro is:
Jay Modi
GST Invoice Pro, Ahmedabad, Gujarat, India
Email: jaymodiuk@gmail.com
WhatsApp: +91 85116 47297
Complaints will be acknowledged within 48 hours and resolved within 30 days.