BizRevolt (operated by Adi Creates, Ahmedabad, India) provides multi-tenant business-management software for Indian SMBs. This policy explains what personal information we collect, why we collect it, who we share it with, and how you can control it. We follow the EU General Data Protection Regulation (GDPR), the Indian Digital Personal Data Protection Act 2023 and the DPDP Rules 2025 (together, “DPDP”), and — for data we receive from Google APIs — the Google API Services User Data Policy, including the Limited Use requirements.
1. Information We Collect
Account information you provide: name, email address, phone number, company name, GSTIN, billing address, profile photo, and the password you choose (stored only as a bcrypt hash).
Customer Data submitted to your workspace: records you and your teammates create about your own customers, projects, plots, units, members, leads, invoices, payments, receipts and similar business artefacts. You own this data; we hold it only to run the Service.
Technical information collected automatically: IP address, browser user-agent, device type, page paths, and referer header. We use this to secure the Service, debug problems, and inform product decisions.
Information from third-party sign-in providers: if you choose to sign in with Google, see section 8 below for exactly what we receive and how it is used.
2. How We Use Information
We use personal information to operate the Service, authenticate users, process subscription payments, send transactional emails (welcome notes, magic-link sign-in, receipts, payment reminders, security alerts), provide customer support, prevent fraud and abuse, and comply with our legal obligations.
We do not sell personal information. We do not use Customer Data, Google user data, or any data subject to the Google API Services User Data Policy to train, develop or improve generalised or generic AI/ML models. We do not share Customer Data with any third party except as described in section 6.
Legal basis for each purpose
Under the DPDP Act 2023 and the GDPR every purpose we process personal data for rests on a defined legal basis. The table below maps each purpose to its basis.
| Processing purpose | Legal basis |
|---|---|
| Providing the Service (account, workspace, core features) | Performance of a contract |
| Transactional email (sign-in links, receipts, security alerts) | Performance of a contract |
| Subscription payments & invoicing | Performance of a contract |
| Marketing email (product news, offers) | Consent (withdrawable at any time) |
| First-party product analytics | Legitimate use / legitimate interest |
| Security, fraud and abuse prevention | Legitimate use / legitimate interest |
| Customer support | Performance of a contract / legitimate use |
| Retaining financial & tax records | Legal obligation |
| Sign-in with Google | Consent |
3. Data Security
We use industry-standard safeguards to protect personal information, including TLS 1.2+ for data in transit, AES-256-GCM encryption for sensitive fields at rest, bcrypt for password hashes, and short-lived signed JWTs for session tokens.
Each tenant is provisioned with its own isolated Postgres database — there is no shared-schema multi-tenancy. Tenant database credentials live outside the application database and are encrypted at rest. Every state-changing API call is written to an immutable audit log with actor, IP, timestamp and a JSON diff.
4. Data Retention
We retain Customer Data for as long as your workspace is active. After cancellation we retain it for 30 days to allow you to export, then it is permanently deleted from primary systems and removed from backups within the next backup rotation (≤ 35 days total).
Financial records (invoices, payment receipts, GST returns) are retained for the period required by Indian tax law — currently 8 years — even after cancellation, in a sealed archive accessible only for statutory and regulatory purposes.
Data we receive from Google APIs is deleted within 30 days of your account being disconnected from Google or your BizRevolt workspace being cancelled, whichever is earlier. See section 8.
5. Cookies
We use strictly-necessary cookies for authentication and session management. We use a small set of first-party analytics cookies to understand which features are used and where the product falls short. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking.
6. Third-Party Sub-Processors
We rely on a small number of vetted sub-processors to deliver the Service. Each is bound by a data-processing agreement and receives only the minimum data needed for its task.
Razorpay (PCI-DSS Level 1) processes subscription payments. They receive the billing details you enter at checkout and the transaction amount. Razorpay does not have access to your workspace data.
Resend delivers transactional emails (welcome messages, magic-link sign-in, receipts, password resets, payment reminders). Resend receives only the recipient email address and the message body.
Sentry captures application errors so we can diagnose bugs. Stack traces are sent with a request id but without Customer Data payload.
Google LLC — only when you choose to sign in with Google. Scope, data received and use described in section 8.
7. Data Storage & Cross-border Transfer
Your data is hosted in India. Both the application database and each tenant's isolated Postgres database are provisioned in Indian data-centre regions, and day-to-day operation of the Service takes place from India.
A small number of vetted sub-processors (see section 6) may process limited personal data outside India in the course of delivering a specific function — for example our email-delivery provider processes recipient addresses and message bodies, and our error-monitoring provider processes stack traces with a request id. Such transfers are limited to the minimum data needed for that function and are carried out only under appropriate contractual safeguards (data-processing agreements with confidentiality and security obligations). We do not transfer personal data to any country or entity that the Central Government has restricted under Section 16 of the DPDP Act 2023.
8. Sign-in with Google — Limited Use disclosure
BizRevolt offers "Sign in with Google" as a convenient authentication option. Use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes we request and why:
openid— required by the OpenID Connect protocol to identify the user.email— we use your Google email address to find or create your BizRevolt account and to send transactional email. It also becomes your default sign-in identifier.profile— we use your name and (if available) profile picture to personalise the workspace UI so teammates can recognise who took which action.
We do not request, access or store any other Google data — no Gmail, Drive, Calendar, Contacts, Photos, YouTube, or any restricted scope. We do not request offline access; tokens are short-lived and used only for the sign-in handshake.
How we use Google user data: strictly to provide and improve the user-facing sign-in feature you requested — matching your Google identity to an existing BizRevolt account, creating one if it does not exist, and signing you in. We do not use Google user data for advertising, we do not sell it, we do not share it with any other party (except a strictly-necessary sub-processor as listed above), and we do not use it to train AI/ML models.
How to revoke access: visit your Google account permissions page and remove BizRevolt. You can also email us at [email protected] to request deletion of any Google-sourced data we hold.
9. Your Rights (GDPR / DPDP)
Under the EU GDPR and the Indian DPDP Act 2023, you have the right to access and export a copy of your personal data, to correct or complete it, to request its deletion, to withdraw a consent you previously gave (as easily as you gave it), to nominate another person to exercise your rights in the event of death or incapacity (DPDP s.14), and to lodge a complaint with the relevant supervisory authority. Signed-in users can export their data and raise a deletion request from within the app; anyone can also exercise these rights by writing to the Grievance Officer in section 12.
Two roles, two routes. For your own account data (your name, email, login, billing), BizRevolt is the Data Fiduciary and handles your request directly. For Customer Data — the records your workspace keeps about your customers, students, patients or members — the business that operates the workspace is the Data Fiduciary and BizRevolt is only its Data Processor; a request from one of those individuals is routed to, and decided by, that business, with BizRevolt assisting as processor.
We acknowledge requests within 24 hours and respond to verified requests within 30 days. If we deny a request (for example because retaining the data is required by law — see section 4) we will explain why and tell you how to escalate to the Data Protection Board of India.
10. Children's Data (DPDP Act s.9)
BizRevolt does not direct its sign-up or marketing at children, and the account holders who register a workspace are adult business operators. We do not knowingly create BizRevolt accounts for anyone under 18.
Some of our tenants — for example pre-schools, day-cares, tuition and coaching centres and schools — use their workspace to keep records that include a child's personal data (such as a child's name, date of birth, attendance, photos or a guardian's contact). For that data the tenant is the Data Fiduciary and BizRevolt acts only as a Data Processor on the tenant's documented instructions. The tenant is responsible, under Section 9 of the DPDP Act 2023, for obtaining verifiable consent of the parent or lawful guardian before that child's data is processed, and our tenant terms require them to do so.
As the processor, BizRevolt never uses children's data for tracking, behavioural monitoring, profiling, or targeted advertising, and we do not sell it — consistent with the Section 9 prohibition. A parent or guardian who wishes to access, correct or delete a child's record should contact the relevant school or centre (the Data Fiduciary); BizRevolt will support that tenant in fulfilling the request and can be reached at [email protected] for any concern about how children's data is handled on the platform.
11. Updates to this Policy
We may update this policy from time to time as our practices evolve. Material changes will be notified via email or through the Service at least 30 days before they take effect. Older versions are archived and available on request.
12. Contact & Grievance Officer
For privacy questions or to exercise your rights under the DPDP Act 2023 or GDPR, email [email protected].
In accordance with Section 10 of the DPDP Act 2023, the designated Grievance Officer for BizRevolt is:
- Name & designation: Aditya Trivedi, Founder & Data Protection Officer
- Email:[email protected] (subject line: “DPDP Grievance”)
- Postal address: Adi Creates, Ahmedabad, Gujarat, India
- Response window: Acknowledgement within 24 hours; resolution within 30 days as required by the DPDP Rules.
Complaints to the Data Protection Board
The Grievance Officer above is your first point of contact. If your grievance is not resolved to your satisfaction, or you do not receive a response within the timelines stated, you have the right as a Data Principal to escalate the matter to the Data Protection Board of India (DPB) under the DPDP Act 2023. We ask that you raise the issue with our Grievance Officer first so we have an opportunity to put it right, but exhausting our grievance route is not a precondition for any statutory right you hold. Once the Board is constituted and its filing channels are published under the Act, you may lodge a complaint with it directly.