Privacy Policy
We keep it plain. This page explains exactly what data Fintrack collects, why, and how we protect it — written to be read by a human, not just a lawyer.
Overview
Fintrack ("we", "our", "us") operates the Fintrack platform — a financial management SaaS for Indian businesses. This Privacy Policy explains what data we collect, why we collect it, and how we protect it.
By creating an account or using Fintrack you agree to the practices described here. If you do not agree, please discontinue use and contact support@deltacodes.in to have your account deleted.
Data we collect
Account & identity data
- Name, email address, and phone number provided at registration
- Company name, GSTIN, and registered address
- Role assigned to the user (Superadmin, Admin, User)
- Login timestamps and IP addresses
Financial & operational data
- Invoice records (party details, line items, GST amounts, statuses)
- Transaction records (amounts, dates, payment modes, notes)
- P&L entries (credit / debit amounts and dates per party)
- Party records including GST numbers and contact details
Sensitive credential data (opt-in)
You may choose to store broker credentials (client ID, password, API key, TOTP secret) against a party record. This data is opt-in, encrypted at rest with AES-256, and never used for any purpose other than display to authorised users of your account.
Usage & technical data
- Browser type, operating system, and device type
- Pages visited, features used, and session duration
- Error logs and performance metrics (stripped of PII)
- Cookies — see our Cookie section below
How we use your data
We use the data we collect strictly for the following purposes:
- Service delivery — providing invoicing, P&L tracking, TOTP generation, and all other features of the platform
- Authentication — verifying your identity on login and enforcing role-based access controls
- Billing — processing subscription payments and sending invoices for your Fintrack plan
- Support — diagnosing bugs, answering support queries, and improving the product
- Legal compliance — meeting obligations under Indian law, including the IT Act 2000 and DPDP Act 2023
- Security — detecting fraudulent access, rate-limiting abusive requests, and auditing credential reveals
We do not sell your data, use it to train AI models, or share it with third-party advertisers. Financial data you enter (invoices, transactions, party details) belongs exclusively to you.
Data sharing
We share personal data only in the circumstances listed below. We do not sell or rent data to any third party.
Service providers (processors)
- Amazon Web Services — cloud infrastructure and database hosting (ap-south-1)
- Razorpay — payment processing for subscription billing
- Resend / AWS SES — transactional email delivery
- Sentry — anonymised error monitoring
All processors are bound by data processing agreements and are permitted to use your data only to provide services to us.
Legal disclosures
We may disclose data if required by a court order, government authority, or other legal obligation under Indian law. We will notify you where permitted.
Business transfers
In the event of a merger, acquisition, or asset sale, your data may be transferred to the acquiring entity. We will provide 30 days' notice by email before any such transfer.
Security
We implement technical and organisational measures to protect your data against unauthorised access, loss, or disclosure.
- Encryption in transit — all traffic is served over TLS 1.3
- Encryption at rest — database volumes are encrypted with AES-256
- Credential fields — broker passwords, API keys, and TOTP secrets are further encrypted at the application layer with a key derived from libsodium secretbox before database storage
- Audit log — every credential reveal and role change is logged with timestamp and user ID
- Role-based access — credential fields are inaccessible to standard User roles at the API level, not just the UI
- Penetration testing — annual third-party security assessments
No system is perfectly secure. If you discover a vulnerability, please report it responsibly to security@deltacodes.in.
Data retention
We retain data for as long as your account is active, plus the periods below:
You may request deletion of your account at any time. Financial records (invoices, transactions) may be retained for the statutory period required under the GST Act, even after account closure, in an archived and access-restricted state.
Your rights
Under the Digital Personal Data Protection (DPDP) Act 2023 and our own policy, you have the following rights:
- Access — request a copy of the personal data we hold about you
- Correction — update inaccurate or incomplete data
- Erasure — request deletion of your account and personal data (subject to statutory retention)
- Portability — export your invoices and P&L data in CSV format at any time from Settings
- Grievance redressal — lodge a complaint with our designated Grievance Officer
To exercise any of these rights, email privacy@deltacodes.in. We will respond within 30 days.
Grievance Officer
Children's privacy
Fintrack is a business tool intended for users aged 18 and above. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us at privacy@deltacodes.in and we will delete the account immediately.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by displaying a prominent notice in the dashboard at least 14 days before the changes take effect.
Your continued use of Fintrack after the effective date of a revised policy constitutes your acceptance of the changes.
Email our privacy team at privacy@deltacodes.in — we respond within 30 days.