Privacy Policy

Effective Date: 1st January, 2025

Last Updated: 24 December 2025

Introduction

Tandav Gaming Private Limited (“Billvoice”, “Company”, “We”, “Us”, “Our”) is committed to protecting the privacy and security of Your personal information. This Privacy Policy (“Policy”) describes how We collect, use, store, disclose, and protect personal data and other information when You use Our platform, website (www.billvoice.in), mobile applications, and services (collectively, the “Platform” or “Services”).

This Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and other applicable privacy laws and regulations in India.

By accessing or using the Platform, You acknowledge that You have read, understood, and agree to be bound by this Privacy Policy. If You do not agree with this Policy, please do not use Our Services.

1. Definitions

In this Privacy Policy, the following terms shall have the meanings assigned to them:

  • “Consent” means any freely given, specific, informed, and unambiguous indication of Your wishes by which You, through a clear affirmative action, signify agreement to the processing of Personal Data;
  • “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of Personal Data, which in the context of this Policy refers to Billvoice;
  • “Data Principal” means the individual to whom the Personal Data relates, which in the context of this Policy refers to You;
  • “Data Processor” means any person who processes Personal Data on behalf of a Data Fiduciary;
  • “Personal Data” means any data about an individual who is identifiable by or in relation to such data;
  • “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction;
  • “Sensitive Personal Data” includes financial data (bank account details, payment card information), health data, biometric data, genetic data, sex life or sexual orientation data, and any data specified by the Central Government.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that You provide directly to Us when You:

  1. Create an Account: Name, email address, phone number, password, business name, business type (proprietorship, partnership, company), business address;
  2. Complete KYC Verification: PAN number, Aadhaar number (with consent), GSTIN, business registration documents, bank account details, identity and address proof;
  3. Use Our Services: Invoice data, client information (names, contact details, GSTINs), payment information, contract details, service descriptions;
  4. Communicate with Us: Support queries, feedback, complaints, communications through email, chat, or phone;
  5. Participate in Surveys or Promotions: Survey responses, contest entries, promotional preferences.

2.2 Information Collected Automatically

When You use the Platform, We automatically collect:

  1. Device Information: Device type, operating system, unique device identifiers, browser type and version, screen resolution;
  2. Log Information: IP address, access times, pages viewed, actions taken, referring URL, exit pages;
  3. Location Information: General location derived from IP address, precise location (with consent) for location-based features;
  4. Usage Data: Features used, frequency of use, interaction patterns, performance metrics;
  5. Cookies and Similar Technologies: Session cookies, persistent cookies, web beacons, pixels, local storage.

2.3 Information from Third Parties

We may receive information from third parties, including:

  1. Banking Partners: Transaction data, account verification, payment status (through RazorpayX, Cashfree, etc.);
  2. Payment Processors: Payment confirmation, transaction IDs, settlement information;
  3. Government Databases: GSTIN verification data from GST Network, PAN verification from NSDL/UTIITSL;
  4. Social Login Providers: If You sign in using Google, LinkedIn, or other social accounts, We receive basic profile information as per their policies;
  5. Referral Programs: Information shared by users who refer You to Our Platform.

2.4 AI and Voice Data

When You use Our AI-powered features:

  1. Voice Commands: Audio recordings processed through speech-to-text services, transcriptions, intent data;
  2. AI Interactions: Chat transcripts with AI assistant, prompts, generated responses;
  3. Prediction Data: Historical patterns used for payment prediction, behavioral analytics for recommendations.

Voice data is processed in real time and is not stored beyond the duration necessary for providing the service unless You explicitly opt in to data retention for service improvement.

3. Purpose and Legal Basis for Processing

3.1 Purposes of Processing

We process Your Personal Data for the following purposes:

  1. Service Delivery: To provide, maintain, and improve the Platform and Services, including invoice generation, payment tracking, compliance management, and AI features;
  2. Account Management: To create and manage Your Account, verify Your identity, and maintain accurate records;
  3. Transaction Processing: To process payments, facilitate banking integrations, and enable financial transactions;
  4. Compliance: To comply with GST, income tax, and other regulatory requirements, including maintaining audit trails and statutory records;
  5. Communication: To send transactional communications, service updates, support responses, and with Your consent, marketing communications;
  6. Analytics and Improvement: To analyze usage patterns, improve Our Services, develop new features, and enhance user experience;
  7. Security: To detect, prevent, and investigate fraud, security breaches, and policy violations;
  8. Legal Obligations: To comply with legal obligations, respond to lawful requests, and protect Our legal rights.

3.2 Legal Basis for Processing

Under the DPDP Act, 2023, We process Personal Data based on the following legal grounds:

  1. Consent: Where You have given clear consent for Us to process Your Personal Data for specific purposes;
  2. Contractual Necessity: Where processing is necessary for the performance of a contract with You or to take steps at Your request before entering into a contract;
  3. Legal Obligation: Where processing is necessary for compliance with a legal obligation to which We are subject;
  4. Legitimate Interests: Where processing is necessary for Our legitimate interests, provided such interests are not overridden by Your rights and interests.

4. Consent

4.1 Obtaining Consent

Where We rely on consent as the legal basis for processing, We will obtain Your clear and informed consent before collecting and processing Your Personal Data. Consent will be obtained through:

  1. Affirmative actions such as ticking consent checkboxes;
  2. Accepting Terms of Service and Privacy Policy;
  3. Explicit consent for specific processing activities;
  4. Granular consent options for different types of data processing.

4.2 Withdrawal of Consent

You have the right to withdraw Your consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent:

  1. Access Your Account settings and modify consent preferences;
  2. Contact Us at support@billvoice.in;
  3. Use the unsubscribe link in marketing communications.

Note: Withdrawal of certain consents may limit Your ability to use some features of the Platform.

4.3 Consent for Minors

The Platform is intended for users who are at least 18 years of age. We do not knowingly collect Personal Data from children under 18. If We become aware that We have collected Personal Data from a child under 18 without verification of parental consent, We will take steps to delete such information.

5. Disclosure and Sharing of Personal Data

5.1 Categories of Recipients

We may share Your Personal Data with the following categories of recipients:

  1. Service Providers: Third-party vendors who provide services on Our behalf, including cloud hosting (AWS), payment processing (Razorpay, Cashfree), communication services (Twilio, AWS SES), analytics (Google Analytics, Mixpanel);
  2. Banking Partners: Licensed banks and financial institutions for neo-banking services, account verification, and payment processing;
  3. Government Authorities: GST Network for invoice verification, tax authorities for compliance, law enforcement when required by law;
  4. Professional Advisors: Lawyers, auditors, accountants, and consultants who provide professional services to Us;
  5. Business Transfers: In connection with mergers, acquisitions, or sale of assets, subject to appropriate confidentiality obligations;
  6. Affiliates: Our parent company, subsidiaries, and affiliates for business operations and service delivery.

5.2 Conditions for Sharing

We share Personal Data only under the following conditions:

  1. With Your consent;
  2. To fulfill Our contractual obligations to You;
  3. For legitimate business purposes;
  4. To comply with legal obligations;
  5. To protect the rights, property, or safety of Billvoice, Our users, or the public.

5.3 Data Processing Agreements

We require all third-party service providers to enter into data processing agreements that:

  1. Limit processing to specified purposes;
  2. Implement appropriate security measures;
  3. Maintain confidentiality;
  4. Comply with applicable data protection laws;
  5. Delete or return data upon termination.

5.4 No Sale of Personal Data

We do not sell, rent, or trade Your Personal Data to third parties for their commercial purposes.

6. Cross-Border Data Transfer

6.1 Data Localization

We store all Personal Data on servers located within India. However, some of Our service providers may process data outside India for specific operational purposes.

6.2 Transfer Safeguards

Where Personal Data is transferred outside India, We ensure:

  1. The recipient country has adequate data protection laws as notified by the Central Government;
  2. Appropriate contractual safeguards are in place;
  3. Your explicit consent is obtained where required;
  4. The transfer is necessary for the performance of a contract or legal compliance.

6.3 Restricted Transfers

We do not transfer Personal Data to countries that have been restricted by the Central Government under the DPDP Act or any other applicable law.

7. Data Retention

7.1 Retention Periods

We retain Personal Data for the following periods:

  1. Account Information: Duration of Your Account plus seven (7) years, as required for tax compliance;
  2. Invoice Data: Minimum six (6) years from the due date of filing the annual GST return, as per GST law;
  3. Financial Records: Seven (7) years from the end of the relevant assessment year, as per Income Tax Act;
  4. Communication Records: Three (3) years from the date of communication;
  5. Log Data: Twelve (12) months for security and analytics purposes;
  6. Voice Data: Deleted immediately after processing unless You opt in to retention.

7.2 Retention Beyond Standard Periods

We may retain Personal Data beyond the standard periods:

  1. As required by applicable law or regulation;
  2. To resolve disputes or enforce Our agreements;
  3. To comply with audit requirements;
  4. To establish, exercise, or defend legal claims.

7.3 Deletion

Upon expiry of the retention period and in the absence of any legal requirement to retain:

  1. Personal Data will be securely deleted or anonymized;
  2. Backups will be deleted within the next backup rotation cycle;
  3. You will be notified before deletion of significant data.

8. Your Rights as a Data Principal

8.1 Rights Under DPDP Act

As a Data Principal under the DPDP Act, 2023, You have the following rights:

  1. Right to Access: You have the right to obtain confirmation of whether We are processing Your Personal Data and to access such data;
  2. Right to Correction: You have the right to request correction of inaccurate or incomplete Personal Data;
  3. Right to Erasure: You have the right to request deletion of Your Personal Data, subject to legal retention requirements;
  4. Right to Withdraw Consent: You have the right to withdraw consent at any time for processing based on consent;
  5. Right to Nominate: You have the right to nominate another individual to exercise Your rights in case of Your death or incapacity.

8.2 Exercising Your Rights

To exercise Your rights:

  1. Log in to Your Account and access the Privacy Settings;
  2. Submit a request through Our online form at www.billvoice.in/privacy-request;
  3. Email Us at support@billvoice.in with the subject line “Data Principal Rights Request”;
  4. Write to Us at the address provided in the Contact Us section below.

8.3 Response Timeline

We will respond to Your request within:

  1. Seven (7) days for acknowledgment of receipt;
  2. Thirty (30) days for action on the request, unless an extension is required due to complexity.

8.4 Verification

We may require verification of Your identity before processing Your request to protect against unauthorized access to Personal Data.

9. Data Security

9.1 Security Measures

We implement comprehensive technical and organizational security measures to protect Personal Data, including:

  1. Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit;
  2. Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), principle of least privilege;
  3. Network Security: Firewalls, intrusion detection systems, DDoS protection, VPN for administrative access;
  4. Application Security: Regular security assessments, vulnerability scanning, penetration testing, code reviews;
  5. Physical Security: Data centers with 24/7 security, biometric access, CCTV surveillance;
  6. Operational Security: Background checks for employees, security awareness training, incident response procedures.

9.2 ISO 27001 Compliance

We are committed to maintaining an Information Security Management System (ISMS) aligned with ISO 27001 standards and are pursuing formal certification.

9.3 PCI DSS Compliance

For payment card data, We comply with Payment Card Industry Data Security Standard (PCI DSS) requirements. We do not store full card numbers; all payment processing is handled by PCI DSS compliant payment processors.

9.4 Breach Notification

In the event of a Personal Data breach:

  1. We will notify the Data Protection Board of India as required under the DPDP Act;
  2. We will notify affected Data Principals without undue delay if the breach is likely to result in harm;
  3. We will take immediate steps to contain and remediate the breach;
  4. We will document all breaches and actions taken.

10. Cookies and Tracking Technologies

10.1 Types of Cookies

We use the following types of cookies:

  1. Essential Cookies: Necessary for the Platform to function, including authentication, security, and load balancing;
  2. Functional Cookies: Remember Your preferences and settings;
  3. Analytics Cookies: Help Us understand how visitors interact with the Platform;
  4. Marketing Cookies: Track Your activity across websites to deliver targeted advertising.

10.2 Cookie Consent

When You first visit Our Website, We display a cookie consent banner allowing You to:

  1. Accept all cookies;
  2. Reject non-essential cookies;
  3. Customize cookie preferences by category.

10.3 Managing Cookies

You can manage cookie preferences:

  1. Through Our cookie preference center on the Website;
  2. Through Your browser settings;
  3. By using browser extensions or privacy tools.

Note: Disabling essential cookies may affect Platform functionality.

11. Third-Party Links and Services

The Platform may contain links to third-party websites, applications, or services that are not operated by Us. We are not responsible for the privacy practices of such third parties. We encourage You to review the privacy policies of any third-party services before providing Personal Data.

Third-party services integrated with the Platform (such as banking partners, payment processors, and accounting software) are subject to their own privacy policies. Our Privacy Policy does not apply to information collected by third parties.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in Our practices, technologies, legal requirements, or for other operational reasons. When We make material changes:

  1. We will post the updated Policy on Our Website with a new “Last Updated” date;
  2. We will notify You by email or through the Platform for significant changes;
  3. We may request Your renewed consent where required.

We encourage You to review this Policy periodically. Your continued use of the Platform after changes become effective constitutes acceptance of the updated Policy.

13. Contact Us

If You have any questions, concerns, or requests regarding this Privacy Policy or Our data practices, please contact Us at:

Tandav Gaming Private Limited

CIN: U58203MH2023PTC405287

GSTIN: 27AAKCT2167L1ZU

Address: Upper Basement Level, Link Corner, 33rd and 24th Road, TPS III, Off Linking Road, Bandra West, Mumbai, Mumbai Suburban, Maharashtra, 400050

Email: support@billvoice.in

Website: www.billvoice.in


Schedules

Schedule A: Data Processing Details

Categories of Data Subjects

  • Users (business owners, freelancers, creators, employees)
  • Clients of Users (whose information is stored on the Platform)
  • Employees and contractors of business Users
  • Website visitors

Categories of Personal Data

  • Identity data (name, PAN, Aadhaar, GSTIN)
  • Contact data (email, phone, address)
  • Financial data (bank details, payment information, transaction history)
  • Business data (invoices, contracts, client information)
  • Technical data (IP address, device information, usage data)
  • Voice data (for AI features, with consent)

Processing Operations

  • Collection, storage, and organization of data
  • Processing for service delivery
  • Analysis for insights and improvements
  • Transmission to authorized third parties
  • Secure deletion upon request or expiry

Schedule B: List of Sub-Processors

The following is a list of sub-processors as of the date of this document. This list may be updated from time to time:

Sub-Processor | Purpose | Data Types | Location
Amazon Web Services | Cloud hosting, storage, computing | All customer data | India (Mumbai)
Razorpay Software Pvt Ltd | Payment processing, neo-banking | Financial, identity data | India
Cashfree Payments India Pvt Ltd | Payment processing, payouts | Financial, identity data | India
OpenAI LLC | AI processing, voice recognition | Voice data, text prompts | USA*
Twilio Inc | SMS, WhatsApp messaging | Contact data, message content | USA*

* Cross-border transfer subject to appropriate safeguards and user consent as per DPDP Act, 2023.

Schedule C: Technical and Organizational Security Measures

1. Access Control

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication (MFA) for all administrative access
  • Unique user IDs with password policies (minimum 12 characters, complexity requirements)
  • Automatic session timeout after 15 minutes of inactivity
  • Access logs with tamper-proof audit trails

2. Data Protection

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • Field-level encryption for sensitive data (PAN, bank account numbers)
  • Secure key management using AWS KMS
  • Data masking for non-production environments

3. Network Security

  • Web Application Firewall (WAF) with OWASP rule sets
  • DDoS protection and mitigation
  • Network segmentation and micro-segmentation
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • VPN for administrative access

4. Application Security

  • Secure Software Development Lifecycle (SSDLC)
  • Regular code reviews and static analysis
  • Annual penetration testing by third-party security firms
  • Vulnerability scanning (weekly automated, quarterly manual)
  • Bug bounty program for responsible disclosure

5. Physical Security

  • Data centers with SOC 2 Type II and ISO 27001 certifications
  • 24/7 security personnel and CCTV monitoring
  • Biometric access controls
  • Environmental controls (fire suppression, climate control)

6. Incident Response

  • 24/7 Security Operations Center (SOC)
  • Documented incident response plan
  • Mean Time to Detect (MTTD): < 1 hour
  • Mean Time to Respond (MTTR): < 4 hours for critical incidents
  • Regular incident response drills

7. Business Continuity

  • Multi-region data replication
  • Recovery Point Objective (RPO): < 1 hour
  • Recovery Time Objective (RTO): < 4 hours
  • Regular backup testing and restoration drills
  • Disaster recovery site in separate availability zone

Schedule D: Data Retention Schedule

Data Category | Retention Period | Legal Basis
Account Information | Account duration + 7 years | Income Tax Act, 1961
Invoice Records | 8 years from invoice date | GST Act, Section 36
Financial Transaction Records | 10 years from transaction | PMLA, RBI Guidelines
KYC Documents | 5 years post relationship | PMLA Rules
Audit Logs | 7 years | IT Act, DPDP Act
Communication Records | 3 years | Limitation Act
Voice Data (AI Features) | Immediate deletion / 30 days with consent | DPDP Act, User Consent
Website Access Logs | 12 months | Security best practices

Document Version: 1.0

This document has been prepared in accordance with applicable Indian laws and regulations. For any queries regarding these legal documents, please contact legal@billvoice.in.