Privacy Policy

Information we collect

Account information

When you create an account, we collect your name, email address, and a password (which is hashed using Argon2id before storage -- we never store your password in plain text).

Business data

The data you enter into Hisaabo -- invoices, party details, item catalogues, payments, expenses, and business settings -- is stored to provide the Service. This is your data. We process it solely to deliver the features you use.

Usage data

We use Plausible Analytics, a privacy-focused analytics tool that does not use cookies, does not collect personal data, and is compliant with GDPR, CCPA, and PECR. We see aggregate page views and referral sources -- nothing that identifies you personally.

Server logs

Our servers automatically log IP addresses, request timestamps, and user agent strings for security and debugging. These logs are retained for 30 days and then deleted.

How we use your information

• To provide, maintain, and improve the Service
• To authenticate your identity and secure your account
• To generate invoices, reports, and other documents you request
• To send you essential service communications (account verification, security alerts, billing)
• To respond to your support requests
• To detect and prevent fraud, abuse, and security threats

We do not use your business data for advertising, profiling, or any purpose other than delivering the Service to you. We do not sell your data to anyone.

Data storage and security

Your data is stored on servers located in India. We use PostgreSQL databases with encrypted connections, and all data in transit is encrypted using TLS 1.3.

Passwords are hashed using Argon2id, a memory-hard hashing algorithm resistant to brute-force attacks. Sessions use HttpOnly, Secure, SameSite cookies with 30-day expiry.

We implement rate limiting, input validation, and regular security audits. The source code is open for independent security review.

Third-party services

We use a minimal set of third-party services:

• Plausible Analytics -- privacy-focused, cookie-free website analytics
• Cloudflare -- CDN, DDoS protection, and Turnstile (bot verification)
• Payment processor -- for processing subscription payments (if applicable); we never store your card details

We do not share your business data with any third party for advertising or marketing purposes.

Cookies

The Hisaabo website uses Plausible Analytics, which does not use cookies. We do not set any tracking or advertising cookies.

The Hisaabo application (app.hisaabo.in) uses a single HttpOnly session cookie for authentication. This is a strictly necessary cookie required for the service to function -- it is not used for tracking.

Your rights

You have the right to:

• Access your data -- view and export all your business data at any time through the application
• Correct your data -- edit your account information and business data directly
• Delete your data -- request complete deletion of your account and all associated data
• Export your data -- download your data in standard formats (CSV, JSON)
• Self-host -- take the open-source version and run it entirely on your own infrastructure

To exercise any of these rights, contact us at privacy@hisaabo.in. We will respond within 30 days.

Compliance

Hisaabo is operated from India and complies with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as applicable. We also aim to align with GDPR principles for users worldwide.

Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you via email or a prominent notice in the application. The "last updated" date at the top of this page indicates when the policy was last revised.

Contact

If you have questions or concerns about this privacy policy, contact us at:

privacy@hisaabo.in