21bill

Privacy Policy

Last updated 26 April 2026

21bill is operated by 21bill.com (the "service", "we", "us"). This policy explains what we collect from people who sign up for the service, how we use it, and what rights you have over it. We're an Indian SaaS targeting Indian SMBs and we keep this short on purpose.

1. What we collect

  • Account data — your full name, email address, phone (if you add one), and the organisation name + GSTIN you set up.
  • Authentication data — if you sign in with Google, we receive the email, name, and Google profile picture URL associated with your Google account. Nothing else (no Drive, Gmail, Calendar, Contacts).
  • Business data you enter — invoices, customers, products, payments, purchases, quotations, credit notes, GST returns, attached PDFs.
  • Usage logs — IP address, user-agent, referring URL, and per-request audit-trail entries. Retained for 90 days for security forensics, then rotated.
  • Payment data — for our own subscription billing, Razorpay processes your card or UPI mandate. We never see card numbers; we receive a tokenised customer_id and subscription_id.

2. How we use it

  • To run the service — display your invoices, send GST-compliant emails, generate filing JSONs.
  • To send transactional email (welcome, invoice dispatch, payment receipts, password reset).
  • To bill you (Razorpay charges and renewal notices on the 21bill subscription).
  • To debug failures and respond to support requests.
  • To comply with Indian tax law (we keep invoice + GST records for the legally-mandated period).

We do not use your data to train AI models or sell to third parties.

3. Who we share with

  • Razorpay — for processing your subscription payments to us.
  • Resend — for delivering transactional email on our behalf.
  • Google — only for authenticating you (sign-in only; we don't push data back).
  • Cloudflare — DNS, edge caching, DDoS protection for 21bill.com.
  • Sentry — error logs (scrubbed of personal data; see below).
  • Indian tax authorities — only if compelled by a valid legal request.

We do not share customer data with marketing or advertising networks. We do not have a Facebook Pixel, a Google Analytics tracking pixel, or LinkedIn Insight tag on the application.

4. Google API Services — Limited Use disclosure

21bill's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only request the openid, email, and profile scopes for the sole purpose of authenticating you and creating an account record. We never request Drive, Gmail, Calendar, Contacts, or any other Google user data.
  • We do not transfer Google user data to any third party except as needed to provide the 21bill service (e.g. displaying your profile picture in the app), to comply with applicable law, or as part of a merger / acquisition (in which case we'd notify you first).
  • We do not use Google user data to serve advertising of any kind, including remarketing, personalised, or interest-based advertising.
  • We do not allow humans to read Google user data unless we have your explicit consent for a specific request, are required to for security purposes (such as investigating abuse), or are required to comply with applicable law. Google user data visible to our team is limited to the email address and name on your account record.

5. Where data lives + cross-border transfers (DPDP §16)

All application data — invoices, customers, products, payments, GSTINs, account records — is stored on a Postgres database hosted at our Indian data-centre (Bengaluru region). Backups are encrypted and retained for 14 days rolling + 12 months monthly archives. Some processors operate outside India:

  • India (primary) — Postgres database, application servers, Razorpay payment processing
  • USA — Resend (transactional email delivery), Sentry (error logs, scrubbed)
  • Global edge / USA — Cloudflare (DNS, edge caching, DDoS protection)
  • Google (USA / global) — only when you sign in with Google, and only for authentication

As of the date of this policy, the Central Government has not notified any country as restricted under DPDP §16. We are subject to standard data-protection contractual clauses with each of the above processors.

5a. Data retention schedule (DPDP §8(7))

We retain personal data only as long as needed for the purpose for which it was collected:

Data categoryRetentionLegal basis
Invoice + GST records8 yearsCGST Act §36(1) — statutory
Customer / supplier master (linked to invoices)8 yearsCGST Act §36(1)
Account profile (name, email, phone)Until account deletion + 30-day graceDPDP §8(7) reasonable use
Audit logs (security forensics)90 days hot, 12 months archivedDPDP §8(5) security safeguards
Backups14 days rolling + 12 months monthlyOperational recovery
Sentry error logs (scrubbed)90 daysSentry default + DPDP §8(5)
Cancelled-account business data30 days then erased (except invoice records above)DPDP §8(7) + §12 erasure
Filing-download audit trail (subscription_events, filing_downloads)5 yearsTax-scrutiny defence

6. Sentry scrubbing

Frontend errors are sent to Sentry. We strip the following before they leave the browser: email addresses in error message bodies, GSTINs, invoice numbers, customer names, phone numbers, and authentication tokens. Sentry retains scrubbed events for 90 days.

7. Your rights under the DPDP Act 2023

As a data principal under the Digital Personal Data Protection Act 2023, you have the following rights, exercisable through your account or by emailing the Grievance Officer (see Section 13 below):

  • Right to access (DPDP §11) — every list page in the app has a CSV export button. You can also email [email protected] for a complete summary of the personal data we hold about you and the third parties with whom it has been shared.
  • Right to correction (DPDP §12) — most fields are editable in the app. For things you can't edit (e.g. historical invoices that are GST-locked under Section 31 of the CGST Act), contact support and we'll explain what's legally possible.
  • Right to erasure (DPDP §12) — Settings → Account → "Delete my account" triggers a 30-day reversible deletion window. After the window expires, we erase your business data. The only exception is invoice and GST records, which Indian tax law (Section 36 of the CGST Act) requires us to retain for 8 years; those are isolated from your account and cannot be linked back to you for any other purpose.
  • Right to nominate (DPDP §14) — you can designate a person to exercise your rights in the event of your death or incapacity. Settings → Account → "Nominee".
  • Right to withdraw consent (DPDP §6(4)) — withdrawal must be as easy as giving consent. Settings → Account → Linked sign-in methods → "Disconnect" any method (Google, etc.). Withdrawing consent for the underlying account is via the account-deletion flow above.
  • Right to grievance redressal (DPDP §13) — see Section 13 below.
  • Right to lodge a complaint (DPDP §27) — if you're not satisfied with our response within 30 days, you may file a complaint with the Data Protection Board of India.

8. Cookies

We use one type of cookie: a session cookie set by Supabase Auth so you stay logged in. We don't use tracking, analytics, or advertising cookies.

9. Children (DPDP §9)

21bill is a B2B service intended for users 18 years or older. At signup we require an affirmative declaration that you are 18+. We do not knowingly process the personal data of children, and we never engage in behavioural monitoring or targeted advertising directed at children. If you believe a minor has signed up, email [email protected] and we'll delete the account and any associated data within 7 days.

10. Data-breach notification (DPDP §8(6))

If we become aware of a personal-data breach affecting you, we will notify the Data Protection Board of India and each affected user without unreasonable delay (in any case within 72 hours of becoming aware), in the form prescribed by the DPDP Rules. Our internal breach-response runbook is documented at docs/breach-notification.md.

11. Grievance Officer (DPDP §8(11))

Vikas Swaminathan
Designation: Grievance Officer, 21bill
Email: [email protected] (with subject "Grievance Officer")
Response timeline: within 7 working days for initial acknowledgement; up to 30 days for full resolution as required by DPDP §13.

If we don't resolve your grievance to your satisfaction within 30 days, you may lodge a complaint with the Data Protection Board of India under DPDP §27. The Board's contact details are published at meity.gov.in/data-protection-framework.

12. Changes to this policy

We notify users of material changes via the email associated with their account, at least 30 days before the change takes effect. The policy is versioned in our public Git repository (history).

13. General contact

For non-grievance questions or general enquiries: [email protected]. For grievance officer contact, see Section 11 above.