ReconBridge

Privacy Policy

Last updated: 01-01-2026

1. Introduction

ReconBridge ("we", "our", "us") operates the website reconbridge.in and the ReconBridge GST reconciliation software-as-a-service ("Service"). This Privacy Policy describes how we collect, use, store, and protect personal data in compliance with India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and applicable rules thereunder.

By using the Service, you consent to the collection and use of information as described in this Policy. If you do not agree, do not use the Service.

2. Data Fiduciary Identity

The Data Fiduciary under the DPDP Act is: ReconBridge (sole proprietorship / private limited, as applicable at the time of incorporation), India. Contact: privacy@reconbridge.in.

3. What We Collect and Why

3.1 Account Data

When you create an account, we collect:

  • Full name
  • Email address (used as login identifier and for transactional emails)
  • Firm/practice name (optional)
  • CA membership number (optional, for identity purposes)
  • Phone number (optional)
  • Billing state and address (required for GST invoice generation)
  • GSTIN of your firm (optional, for GST invoice)

Legal basis (DPDP Act, Section 4): Consent at signup, and performance of the subscription contract.

3.2 Payment Data

Payment transactions are processed by Razorpay (a PCI-DSS compliant Indian payment gateway). We do not store your card number, UPI VPA, or netbanking credentials. We receive and store: payment ID, subscription ID, amount, currency, payment status, and transaction timestamp from Razorpay.

3.3 Usage Metadata

We log usage events such as "reconciliation_run" and "export_excel" — these are counts and timestamps only. We do not log the content of your reconciliation: not your Excel data, not your GSTR-2B JSON, not your client GSTINs, not your invoice numbers.

This is a deliberate technical design. All GST data processing occurs entirely within your browser. None of it is transmitted to our servers.

3.4 Technical Data

We collect standard server logs including IP address, browser type, device type, pages visited, and session duration. This data is used for security monitoring, debugging, and aggregate analytics. It is not linked to individual user accounts for profiling purposes.

4. GST Data — A Critical Clarification

ReconBridge does not collect, transmit, or store any GST data processed through the reconciliation tool.

The reconciliation engine runs entirely in JavaScript within your browser. Your purchase register (Excel file), your GSTR-2B JSON, your client GSTINs, and the reconciliation output are never sent to our servers. You can verify this independently using your browser's Developer Tools (Network tab) — no outbound request carries this data.

This design means we have no technical ability to access your clients' GST data, and no obligation to protect data we do not possess. However, you remain responsible for the security of your own device and network while using the Service.

5. How We Use Your Data

  • To create and manage your account
  • To process payments and manage your subscription
  • To generate and deliver GST-compliant invoices
  • To send transactional emails (subscription confirmations, trial reminders, payment receipts)
  • To enforce usage quotas (e.g., 25 reconciliations/month on the Starter plan)
  • To respond to support inquiries
  • To monitor for fraudulent activity and enforce our Terms of Service
  • To improve the Service based on aggregate usage patterns

We do not use your data for behavioural advertising. We do not sell your personal data to third parties.

6. Data Sharing

We share data only with the following categories of processors:

  • Supabase Inc. — database and authentication infrastructure (data stored in AWS regions)
  • Razorpay Software Pvt. Ltd. — payment processing (India)
  • Resend Inc. — transactional email delivery
  • Vercel Inc. — hosting and edge infrastructure
  • Sentry Inc. — error monitoring (error logs only, no user content)

All processors are contractually bound to use data only for the purposes for which it is shared. We do not share data with any other third parties except where required by law or court order.

7. Data Retention

  • Account data is retained for the duration of your subscription plus 12 months after account closure, unless you request earlier deletion.
  • Payment records are retained for 7 years as required under India's Companies Act / Income Tax Act for financial record-keeping.
  • Server logs are retained for 90 days.
  • Usage metadata (event counts) is retained for 24 months for analytics.

8. Your Rights under the DPDP Act, 2023

As a Data Principal, you have the following rights:

  • Right to access — request a summary of personal data we hold about you
  • Right to correction and erasure — correct inaccurate data or request deletion (subject to legal retention requirements)
  • Right to grievance redressal — raise a complaint that we must acknowledge within 48 hours and resolve within 30 days
  • Right to nominate — nominate another individual to exercise these rights in the event of your death or incapacity

To exercise any right, email privacy@reconbridge.in from your registered email address. We will respond within 7 business days.

9. Cookies

We use only essential cookies required for authentication sessions (set by Supabase's auth library). We do not use tracking cookies, advertising cookies, or third-party analytics scripts (such as Google Analytics) that profile your behaviour.

10. Security

We implement appropriate technical and organisational measures including: TLS encryption for all data in transit, encrypted storage for sensitive fields, bcrypt-hashed passwords (via Supabase Auth), row-level security on all database tables, and API key rotation procedures. However, no system is completely immune to breach. In the event of a personal data breach, we will notify affected users as required by the DPDP Act.

11. Children

The Service is not intended for individuals under 18 years of age. We do not knowingly collect data from minors. If we discover that a minor has created an account, we will delete the account and all associated data.

12. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified by email to registered users at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

13. Grievance Officer

In accordance with the DPDP Act, 2023, the Grievance Officer for ReconBridge is:

Name: Founder, ReconBridge
Email: grievance@reconbridge.in
Address: [Registered address to be added at incorporation]
Response time: Acknowledgement within 48 hours; resolution within 30 days.