Dukan Khata
Billing & Business Management Platform
PRIVACY POLICY
Effective Date: April 14, 2025 | Version 1.0
| Document Type | Privacy Policy |
| Product | Dukan Khata — SaaS Billing & Business Management |
| Effective Date | April 14, 2025 |
| Jurisdiction | India (IT Act 2000 & SPDI Rules 2011) |
| Contact | privacy@dukaanplus.in |
1. Introduction
Welcome to Dukan Khata ("Platform", "we", "us", or "our"). Dukan Khata is a cloud-based Software-as-a-Service (SaaS) solution designed to empower retail and small-to-medium business owners with powerful billing, inventory management, customer relationship tracking, expense monitoring, financial reporting, subscription management, and WhatsApp marketing capabilities.
We are deeply committed to protecting the privacy, confidentiality, and security of the personal and business data you entrust to us. This Privacy Policy describes how we collect, use, process, store, share, and protect your information when you access or use our Platform, website, mobile applications, and related services (collectively, the "Services").
By registering for, accessing, or using Dukan Khata, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Policy, please discontinue use of our Services immediately.
2. Definitions
For the purpose of this Privacy Policy, the following terms shall have the meanings ascribed below:
- "Shop User" refers to any business owner, retailer, or operator who registers and uses the Dukan Khata platform for business operations.
- "Customer" refers to the end-customers or clients of Shop Users whose data may be entered into the Platform for billing and CRM purposes.
- "Personal Data" means any information that identifies or can be used to identify a natural person, directly or indirectly.
- "Business Data" means operational data including invoices, products, expenses, and financial records belonging to Shop Users.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, or deletion.
- "Super Admin" means authorized personnel of Dukan Khata who manage the platform at a system-wide level.
3. Information We Collect
3.1 Information You Provide Directly
When you register and use Dukan Khata, we collect the following categories of information:
- Shop Registration Data: Shop name, owner name, registered mobile number, business address, shop logo, invoice prefix, and language preferences.
- Authentication Data: Mobile phone numbers for OTP-based authentication; administrator email addresses and hashed passwords for admin access.
- Customer Records: Names, phone numbers, purchase history, total transaction amounts, and visit records of your business customers — entered by you into the Platform.
- Product & Inventory Data: Product names, SKUs, barcodes, prices, stock quantities, units, and active/inactive status.
- Invoice & Billing Data: Invoice numbers, line items, amounts, tax breakdowns, discounts, payment modes, payment status, and WhatsApp delivery status.
- Expense Records: Expense descriptions, amounts, categories, and dates.
- WhatsApp Configuration: API credentials, message templates, campaign data, and message delivery logs.
- Subscription & Payment Data: Chosen plan, billing cycle, Razorpay subscription IDs, mandate status, transaction IDs, and payment history.
- Settings & Branding: Uploaded logo files, shop configuration preferences, and subscription access tokens.
3.2 Information Collected Automatically
When you use our Platform, we may automatically collect:
- Device and browser information (user agent, operating system, browser type).
- IP address and approximate geographic location.
- Session identifiers and authentication tokens stored in secure HTTP-only cookies.
- Platform usage patterns, feature access logs, and navigation data.
- Error logs, crash reports, and performance diagnostics.
- Razorpay webhook event data including event types, signatures, and transaction metadata.
3.3 Information from Third Parties
We receive limited information from the following third-party service providers:
- Razorpay: Payment gateway confirmations, subscription status, mandate approvals, and refund information.
- WhatsApp Business API Provider: Message delivery receipts, template approval statuses, and campaign analytics.
4. How We Use Your Information
We use the information we collect for the following legitimate business purposes:
4.1 Service Delivery
- To authenticate users and maintain secure sessions via OTP and JWT-based mechanisms.
- To create, store, and manage invoices, customer records, products, and expenses on your behalf.
- To generate PDF invoices and enable WhatsApp sharing of billing documents.
- To enforce subscription plan access controls and feature gating.
- To process payments and manage recurring billing cycles through Razorpay.
4.2 Platform Operations
- To monitor platform health, diagnose technical issues, and ensure system reliability.
- To generate financial reports, dashboard analytics, and business insights for Shop Users.
- To send transactional communications such as OTP messages, payment confirmations, and subscription alerts.
- To enable Super Admins to manage and oversee platform-wide operations and compliance.
4.3 Improvement & Development
- To analyze usage patterns and improve existing features and user experience.
- To develop new features and modules based on aggregate, anonymized usage data.
- To conduct internal audits and quality assurance testing.
4.4 Legal & Compliance
- To comply with applicable laws, regulations, and judicial or governmental orders.
- To enforce our Terms and Conditions and protect the rights and safety of our users and platform.
- To prevent fraud, abuse, unauthorized access, and other prohibited activities.
5. Legal Basis for Processing
Under applicable data protection laws, our processing of your personal data is based on the following legal grounds:
- Contractual Necessity: Processing required to provide the Services as described in our Terms and Conditions, including account management, billing, and subscription services.
- Legitimate Interests: Processing for platform security, fraud prevention, service improvement, and business analytics, where these interests are not overridden by your rights.
- Consent: Processing based on your explicit consent, such as for marketing communications, where applicable.
- Legal Obligation: Processing required to comply with applicable laws, including the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal or business data. We may share your information in the following limited circumstances:
6.1 Service Providers
We engage trusted third-party service providers who assist us in operating the Platform, subject to strict confidentiality and data processing agreements:
- Razorpay Financial Solutions Pvt. Ltd.: For payment processing, subscription management, and webhook-based billing automation.
- WhatsApp Business API Providers: For message delivery, campaign execution, and template management.
- Cloud Infrastructure Providers: For hosting, database management, and storage of Platform data.
6.2 Legal Requirements
We may disclose your information when required to do so by law, court order, or governmental authority, or when we reasonably believe such disclosure is necessary to protect our rights, your safety, or the safety of others.
6.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or part of our business, your information may be transferred to the successor entity, subject to equivalent privacy protections.
6.4 With Your Consent
We may share your information for other purposes with your explicit prior consent.
7. Data Retention
We retain your data for as long as your account remains active or as needed to provide Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:
- Account and shop data: Retained for the duration of the active subscription and for up to 5 years post-termination for legal and compliance purposes.
- Invoice and transaction records: Retained for a minimum of 7 years in compliance with applicable financial and tax regulations.
- Authentication logs and OTP records: Retained for up to 90 days.
- WhatsApp campaign logs: Retained for up to 2 years.
- Admin audit logs: Retained for up to 3 years.
Upon expiry of the retention period, data is securely deleted or anonymized in accordance with our data destruction procedures.
8. Data Security
We implement commercially reasonable and industry-standard technical and organizational measures to protect your information from unauthorized access, alteration, disclosure, or destruction. These measures include:
- JWT-based authentication with HTTP-only secure cookies for session management.
- bcrypt-based password hashing for administrator credentials.
- Razorpay webhook signature validation to prevent fraudulent payment notifications.
- Role-based access control separating Shop User, Admin, and Super Admin permissions.
- Encrypted connections (HTTPS/TLS) for all data transmission.
- Database-level access controls and query parameterization to prevent injection attacks.
While we take every reasonable precaution to secure your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and encourage you to use strong credentials and report any suspected security incidents to us immediately at security@dukaanplus.in.
9. Your Privacy Rights
Depending on your location and applicable law, you may have the following rights with respect to your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request correction of inaccurate or incomplete personal data.
- Right to Erasure: You may request deletion of your personal data, subject to legal retention obligations.
- Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances.
- Right to Data Portability: You may request transfer of your data in a structured, machine-readable format.
- Right to Object: You may object to our processing of your personal data based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of the above rights, please submit a written request to privacy@dukaanplus.in. We will respond to verified requests within 30 days.
10. Cookies and Tracking Technologies
Dukan Khata uses HTTP-only cookies exclusively for authentication and session management purposes. Specifically:
- shop_token: A secure, HTTP-only JWT cookie used to maintain authenticated shop user sessions.
- admin_token: A secure, HTTP-only JWT cookie used to maintain authenticated super admin sessions.
We do not use cookies for advertising, behavioral tracking, or third-party analytics. Our cookies are session-purpose cookies essential for Platform functionality and cannot be disabled without impairing your ability to use the Services.
11. Third-Party Services and Links
Our Platform integrates with the following third-party services, each governed by their own privacy policies:
- Razorpay (razorpay.com): Payment processing and subscription management. Subject to Razorpay's Privacy Policy.
- WhatsApp Business API: Messaging and campaign delivery. Subject to Meta's Privacy Policy.
We are not responsible for the privacy practices of third-party services. We encourage you to review their respective privacy policies before using integrated features.
12. Children's Privacy
Dukan Khata is a professional business management platform intended exclusively for use by adults aged 18 years or older. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that a minor has provided personal information, we will promptly delete such information. If you believe a minor has submitted information through our Platform, please contact us at privacy@dukaanplus.in.
13. Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time. When we make material changes, we will notify you by:
- Posting the updated Policy on our Platform with a revised Effective Date.
- Sending an in-platform notification or email to registered Shop Users.
Your continued use of the Platform following the posting of changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Policy periodically.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy Team:
| | privacy@dukaanplus.in |
| Security Issues | security@dukaanplus.in |
| Address | Dukan Khata, [Registered Business Address], India |
| Response Time | Within 30 business days of receipt |
We are committed to resolving privacy-related concerns promptly and transparently.
This Privacy Policy is effective as of April 14, 2025
© 2025 Dukan Khata. All Rights Reserved.