1. Introduction
SoloBooks (operated by SoloBooks Technologies Pvt. Ltd., “SoloBooks”, “we”, “our”, “us”) provides a cloud bookkeeping, billing, and GST accounting platform purpose-built for businesses operating in India. This Privacy Policy explains what information we collect when you use our website, mobile apps, and APIs (collectively, the “Service”), how we use it, how long we keep it, with whom we share it, and the choices you have.
This policy is published in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”), and the Digital Personal Data Protection Act, 2023 (the “DPDP Act”).
For the purposes of the DPDP Act, SoloBooks is the “Data Fiduciary” in respect of the personal data of account owners, invited users, and individuals you record in your books (the “Data Principals”). Where you record personal data about your customers, employees, or vendors in the Service, you act as the Data Fiduciary for that data and SoloBooks acts as a “Data Processor” on your behalf.
2. Definitions
- Customer Data — books, vouchers, parties, items, payments, journal entries, and any other data you upload, enter, or generate in the Service.
- Personal Data — data about an identified or identifiable individual.
- Sensitive Personal Data or Information (SPDI) — as defined in the SPDI Rules: passwords, financial information such as bank details, and any other category covered by the Rules.
- Sub-processor — a third party engaged by SoloBooks to process Customer Data or Personal Data on our behalf.
- Tenant — your isolated workspace inside SoloBooks, identified by a unique tenant ID.
3. Information We Collect
We collect the following categories of information:
- Account information:name, email address, mobile number, business name, GSTIN, PAN, billing address, login credentials (passwords are stored hashed using bcrypt — never in plain text), and role assignments.
- Business records you enter or upload: sales bills, purchase invoices, party (customer and vendor) details including their contact information and GSTIN, item catalogues, payment receipts, bank statements, attachments, and journal entries.
- Tally import / export data: XML voucher data exchanged between SoloBooks and your Tally ERP 9 or Tally Prime instance.
- Payment information:billing address and limited card / UPI metadata returned by our payment gateway. Full card numbers, CVV, and bank credentials never touch SoloBooks servers — they are collected directly by the payment processor.
- Usage and device data: IP address, browser type, operating system, device identifiers, pages viewed, feature interactions, request IDs, and timestamps.
- Communications: support messages, WhatsApp helpline conversations, screen recordings you voluntarily share, and feedback you send us.
We do not knowingly collect biometric data, location coordinates, or special categories of sensitive data beyond what is described above.
4. How We Use Information
- To provide, operate, and maintain the Service, including billing, Udhar Khata, GST returns, bank reconciliation, and Tally compatibility.
- To authenticate users, enforce tenant isolation, and prevent unauthorised access to your books.
- To generate journal entries, party balances, and statutory reports in accordance with Indian double-entry accounting standards.
- To process payments for your subscription and issue tax invoices.
- To respond to support requests and send service-related notifications.
- To improve product performance, detect abuse, debug issues, and ensure platform integrity.
- To comply with applicable law, including responding to lawful requests from public authorities.
5. Legal Basis for Processing
We process personal data on the following bases: (a) your consent at sign-up and at the point of collecting specific data; (b) the performance of our contract with you (these Terms of Use and your order); (c) our legitimate interests in operating, securing, and improving the Service, balanced against your rights; and (d) compliance with our legal obligations under Indian tax, accounting, and anti-fraud law.
6. Tenant Isolation & Data Separation
SoloBooks is a multi-tenant platform. Every record carries a tenant identifier and access is verified on each request against a signed JSON Web Token. Application-level scoping ensures one tenant cannot read or modify another tenant's data. Internal staff access is limited to named engineers, requires multi-factor authentication, is audit-logged, and is used only to provide support, investigate incidents, or comply with law.
7. Sub-processors
We engage the following categories of sub-processors. Each is contractually bound by confidentiality, data-protection, and security obligations consistent with the SPDI Rules and the DPDP Act. We may update this list from time to time; material changes will be notified at least 30 days in advance.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Managed PostgreSQL hosting & storage | Mumbai (ap-south-1) / Singapore (ap-southeast-1) |
| Amazon Web Services | Underlying compute & storage infrastructure | Mumbai (ap-south-1) |
| Vercel Inc. | Edge hosting & CDN for the web application | Global edge; primary compute in Mumbai |
| Razorpay Software Pvt. Ltd. | Subscription payments & UPI / card processing | India |
| Stripe Payments India Pvt. Ltd. | International card payments (where applicable) | India / United States |
| AiSensy / Gupshup (WhatsApp BSP) | WhatsApp Business helpline & bill delivery | India |
| Amazon SES / Resend | Transactional email delivery | Mumbai / United States |
| Google Cloud Vision / AWS Textract | OCR for purchase-invoice scanning (only when used) | Mumbai / Singapore |
| Sentry / Better Stack | Error monitoring & observability | European Union / United States |
| PostHog | Product analytics (with IP anonymisation) | European Union |
The current authoritative list of sub-processors is published at solobooks.in/legal/sub-processors.
9. Data Storage, Location & Cross-Border Transfer
Your data is hosted on infrastructure located primarily in India (Mumbai region). Limited categories of data may be processed outside India by sub-processors listed in Section 7 (for example, error telemetry by Sentry, or international card payments). Such transfers are made only:
- to jurisdictions that are not restricted by the Central Government under section 16 of the DPDP Act; and
- under contractual safeguards equivalent to the protections in this policy.
Backups are encrypted at rest using AES-256 and replicated within the same region. Tally export files are generated on-demand and not retained on our servers after download.
10. Data Retention
Because your books are statutory records, retention periods differ by data type:
| Data Type | Retention Period |
|---|---|
| Bills, purchases, journal entries, party ledgers | For the life of your account + 8 years (Income Tax Act, 1961 and CGST Act, 2017) |
| Account profile & login credentials | Until 90 days after account closure |
| Payment / invoice records | 8 years from the date of the transaction |
| Support communications | 3 years |
| Application & security audit logs | 2 years |
| Product analytics (anonymised) | 25 months |
| Encrypted off-site backups | 35 days rolling |
You may request an export of your books in CSV or Tally XML format at any time. Soft-deleted records are preserved for accounting integrity and are not hard-deleted before the statutory retention period expires.
11. Security
We apply industry-standard safeguards, including:
- TLS 1.2+ encryption in transit; AES-256 encryption at rest for primary stores and backups.
- Bcrypt password hashing with per-record salts.
- Role-based access control with strict tenant scoping on every query.
- Per-tenant advisory locks on critical sequences (such as bill numbering).
- Rate limiting, audit logging, and structured observability on sensitive mutations.
- Multi-factor authentication for SoloBooks staff with production access.
- Quarterly internal security reviews and periodic third-party penetration testing.
No system is perfectly secure. You are responsible for keeping your login credentials confidential, enabling multi-factor authentication where offered, and notifying us promptly if you suspect unauthorised access.
12. Personal Data Breach Notification
If we become aware of a personal data breach affecting your information, we will notify the Data Protection Board of India and affected users without undue delay, and in any case within 72 hours of becoming aware of the breach, as required by the DPDP Act and the Cert-In Directions, 2022. Notifications will describe the nature of the breach, the categories of data affected, the likely consequences, the mitigation measures taken, and a contact point for further information.
13. Your Rights
Subject to applicable law, you may:
- Access and review your personal data in your account settings or by request.
- Correct, complete, or update inaccurate or incomplete data.
- Erase personal data where it is no longer necessary for the purpose collected, subject to statutory retention obligations.
- Export your books in CSV or Tally XML format at any time.
- Withdraw consent for any optional processing — without affecting the lawfulness of prior processing.
- Nominate a person to exercise your rights in the event of your death or incapacity, as provided under section 14 of the DPDP Act.
- Lodge a grievance with our Grievance Officer (Section 19) and, if unresolved, with the Data Protection Board of India.
We will respond to verifiable rights requests within 30 days. We may decline requests that are manifestly unfounded, excessive, or that would prejudice the rights of others.
14. Consent & Consent Managers
Where the DPDP Act requires consent, we obtain it through a clear affirmative action at the point of collection, in plain language, and in your chosen language where supported (English, Hindi). Once the Central Government notifies and registers Consent Managers under section 6(7) of the DPDP Act, you will be able to manage, review, and withdraw your consents through a registered Consent Manager linked to your SoloBooks account.
16. Law Enforcement & Government Requests
We disclose Customer Data to government authorities only when compelled by a valid legal demand (a written order, notice, or subpoena issued under Indian law). We review each request, push back on requests that are overbroad or improperly served, narrow the disclosure to the data strictly required, and notify the affected customer unless prohibited by law. Where permitted, we publish annual aggregate transparency statistics on government requests received.
17. Children
SoloBooks is intended for business use and is not directed at individuals under 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will delete it promptly. Where you process personal data of children in your books (for example, a customer's dependant's name), you are responsible for obtaining verifiable parental consent in accordance with section 9 of the DPDP Act.
18. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes (such as new sub-processor categories, new retention periods, or expanded data collection) will be notified to you by email and through an in-product notice at least 30 days before they take effect. Non-material changes will be reflected by updating the “Last updated” date at the top of this page.
19. Contact & Grievance Officer
In accordance with the Information Technology Act, 2000, the SPDI Rules, and the DPDP Act, the following individual is designated as our Grievance Officer:
Name: Aditya Sharma
Designation: Grievance Officer & Data Protection Officer
SoloBooks Technologies Pvt. Ltd.
5th Floor, Prestige Atlanta, 80 Feet Road,
Koramangala, Bengaluru — 560034, Karnataka, India
Email: grievance@solobooks.in
Phone: +91-80-4567-8900 (Mon–Fri, 10:00–18:00 IST)
We will acknowledge grievances within 48 hours and aim to resolve them within 15 days. For general privacy queries, you may write to privacy@solobooks.in.