Invoice Processing Tool

by Smart Accountants

PricingTermsHome

Privacy Policy

Digital Personal Data Protection (DPDP) Compliance Matrix

  • Data Fiduciary: Smart Accountants
  • Effective Date: May 30, 2026
  • Core Legislation: Digital Personal Data Protection Act, 2023 (DPDP Act) & Information Technology Act, 2000
  • Platform Covered: Invoice Processing Tool (IPT) — https://ipt.smartaccountants.in

Smart Accountants operates the Invoice Processing Tool (IPT). We recognize your professional privacy and are fully committed to absolute transparency regarding data practices. Under the regulatory landscape of the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000, Smart Accountants acts as a Data Fiduciary concerning the personal information collected to establish and service your commercial user account.

This Privacy Policy clearly outlines what personal data we systematically gather, where it is stored, how processing pipelines execute, and the rights you possess as a Data Principal under Indian law. This policy applies strictly to the web application hosted at https://ipt.smartaccountants.in.

THE ANCHOR PRINCIPLE — COMPREHENSIVE NON-RETENTION OF INVOICES

Smart Accountants operates a structural zero-retention data framework for corporate operational files. Any and all business invoice documents (PDFs, images, camera captures) along with the resulting extracted text tables, taxable line values, and compliance scores are NOT saved, archived, logged, or retained on our persistent servers or database tables. All invoice computational manipulation is strictly transient and client-session dependent.

1. Data Categories Collected & Structural Storage Locations

We separate data practices into two distinct classifications: account administrative data (Persistent) and transactional invoice files (Transient).

1.1. Persistent Information Managed via Supabase DB

To provision, validate, and manage user quotas, we persistently store the following data fields under rigorous Row-Level Security (RLS) policies within our Supabase cloud instance:

  • profiles table: Internal user_id, registered email address, user's full_name, voluntary company designation, an internal is_demo system flag, and automated metadata creation/modification timestamps.
  • subscriptions table: Active product plan assignment tier, account commercial status, remaining unconsumed numeric invoice quota, transactional count of invoices_used_this_period, current_period_start and current_period_end date limits, system execution environment identifier, and operational logging timestamps.
  • razorpay_payments table: Razorpay system-generated order identifier, payment reference identifier, cryptographically signed verification hash, transaction amount value, localized currency string, real-time payment status, metadata notes, and execution timestamps.

All core authentication states, cryptographic password hashing routines, active secure browser sessions, and Google OAuth federation parameters are managed natively through isolated, secure instances of Supabase Auth.

1.2. Transient Document Data Pipelines (Zero Storage)

When you upload file media (PDF, JPG, PNG, WEBP), the asset bypasses persistent server hard drives entirely. The content is held solely within volatile execution RAM and pushed directly over TLS-encrypted sessions via the Lovable AI Gateway to Google Gemini 2.5 Flash infrastructures for structured parsing. The resulting JSON file schema is returned straight back to your local browser environment. Once the user closes the tab or clears local application storage, this data layout completely ceases to exist within the system universe.

2. Lawful Grounds for Processing & Notice of Usage

In accordance with Section 6 of the DPDP Act, 2023, we collect and process account personal data exclusively on the ground of Consent, which is explicitly requested during your account creation process. The collection of your name, email, and corporate identifier is a strict, undeniable requirement to initialize account security, prevent fraudulent multi-tenant bot behaviors, manage digital product quotas, and compile legally compliant accounting billing rows under Indian tax regulations.

3. Sub-Processors & Third-Party System Integrations

To safely provide the automated B2B SaaS system architecture, we engage the following specific third-party organizations who act as Data Processors under our strict directive:

EntityPurposeData Transmitted
Supabase Inc.Cloud DB hosting, registration, session auth, metadata storage.Name, email, company, payment refs, quota balance.
Lovable / CloudflareApp infra hosting, edge CDN, serverless routing.Transient networking metadata, source IPs (non-persistent).
Google LLC (Gemini 2.5 Flash)OCR extraction & §17(5) CGST heuristic.Transient invoice binary/text data (no training/retention).
Razorpay Software Pvt. Ltd.Payment gateway, clearing, fraud checks.Name, email, card/net banking (within PCI-DSS frames).

By using the Platform, you acknowledge and consent that the textual contents of your uploaded invoices are transmitted across secure channels to Google's artificial intelligence infrastructure for real-time data parsing.

4. Technical & Structural Data Security Measures

  • Transit Protection: All external and internal application communications utilize robust HTTPS over TLS data streams.
  • Database Insulation: Row-Level Security (RLS) is explicitly hard-coded across all tables in the Supabase schema. Every data select or update query confirms the active user's signature; no authenticated user can access, read, or modify rows belonging to another account profile. The system service-role administration key is never exposed to public client interfaces.
  • Payment Integrity: Webhook signals from Razorpay are verified cryptographically using HMAC-SHA256 signature frameworks to intercept parameter injection.

5. Cookies & Local Storage Architecture

The IPT application does not utilize tracking cookies, tracking pixels, behavioral monitoring graphs, or third-party marketing/advertising analytics scripts. The app relies strictly on standard browser localStorage parameters to hold the active Supabase Auth session token. This allows you to remain logged into your business profile across standard page updates. This mechanism is technically non-optional for the continuous delivery of the software service.

6. Data Principal Rights (Under DPDP Act, 2023)

As a Data Principal residing within the Republic of India, you hold concrete legal rights under the framework of the DPDP Act, 2023, regarding your account records:

  • Right to Access & Summary: The right to see an overview of what profile metadata is currently maintained within our live databases.
  • Right to Correction & Update: The power to rectify typographical errors or out-of-date corporate descriptors tied to your profile table.
  • Right to Erasure & Consent Withdrawal: The absolute right to trigger complete account deletion. Upon receiving a valid request, we will instantly delete your live profile, subscription rows, and metadata from active nodes.

Retention Thresholds: Account profile data and payment logs are actively maintained for the operational lifespan of your user account. Following account deletion requests, specific transaction logs from the razorpay_payments matrix are securely archived for a mandatory duration of seven (7) years to ensure compliance with financial accounting, auditing, and tax laws under Indian corporate and GST legislation.

7. Grievance Redressal Mechanism

In accordance with Section 13 of the DPDP Act, 2023, any question, technical complaint, privacy dispute, or request to execute statutory data rights must be escalated directly to our designated Grievance Officer, who is bound to acknowledge and resolve valid escalations in a timely manner:

Designated Grievance Officer: Sudarsanan V

Official Designation: DPDP Compliance Lead & Partner

Direct Postal Address: Smart Accountants, No.138, F3 B Wing, 1st floor, Ameen Manors, Nungambakkam High Rd, near Indian Oil Bhavan, Chennai, Tamil Nadu 600006

Electronic Mail Access: sudarsan@smartaccountants.in

Direct Telephone Line: +91-9840546043

8. Amendments and Policy Updates

The Data Fiduciary reserves the right to modify this structural privacy document to maintain alignment with incoming rules under the DPDP Act framework or changes to our application architecture. All changes will be published instantly with an updated version date at the top of this URL interface.