Legal

Privacy Policy.

Last updated: 2026-04-21

Replace this placeholder text before production

The copy below is a scaffold for layout and third-party-processor accuracy. It is not legal advice. Engage privacy counsel to draft a Privacy Policy that matches your jurisdiction, regulatory posture (DPDP in India, GDPR if you serve the EU, etc.), and your actual data-handling practices.

1. Data we collect

  • Account data: name, email, organisation name, hashed password, optional phone, timestamps.
  • Usage data: task, client, and document content you enter into the product; activity timestamps; IP address and user-agent on authenticated requests.
  • Billing data: subscription state, plan, and invoice history. Payment card details are handled entirely by Razorpay; we never see or store card numbers.

2. How we use it

We use your data to deliver the service: authenticate you, route tasks to the right teammates, enforce usage limits against your plan, send transactional email (magic links, welcome, payment-failed, password reset), and produce audit trails for security investigations. We do not sell your data. We do not use it to train third-party AI/ML models.

3. Third-party processors

  • Razorpay - payments. Sees cardholder / UPI / bank details required to process your subscription. Our own systems receive only tokenised identifiers.
  • SendGrid - transactional email. Receives recipient email address and the content of transactional templates (magic link, welcome, etc.).
  • MongoDB hosting (current region: [PRIMARY_REGION]) - stores all application data. Encrypted at rest; access limited to production credentials.
  • Cloudflare R2 / S3-compatible storage - attachments and client documents. Encrypted at rest; signed URLs expire on access.
  • Sentry - error monitoring. Receives stack traces and user/role identifiers; we scrub request bodies before sending.

4. Cookies

We set an HttpOnly cookie named token after successful login; it holds a signed session JWT. We do not set analytics or advertising cookies. The product does not embed third-party trackers.

5. Your rights

You can access, export, or delete your organisation’s data at any time. Reach out via the contact-sales form or your billing settings for data-subject requests. We’ll respond within a reasonable window consistent with applicable law.

6. Data retention

Active account data is retained for as long as your subscription is live plus a short window after cancellation for restore. Email delivery logs are retained for 90 days. Audit logs for security-sensitive events are retained longer per our internal policy.

7. Contact

Privacy questions: reach out through your billing settings or the contact-sales form. For data-protection-officer queries in a regulated jurisdiction, mark your message “DPO” in the subject line.