BizRevolt (operated by Adi Creates, Ahmedabad, India) provides multi-tenant business-management software for Indian SMBs. This policy explains what personal information we collect, why we collect it, who we share it with, and how you can control it. We follow the EU General Data Protection Regulation (GDPR), the Indian Digital Personal Data Protection Act 2023 (DPDP), and — for data we receive from Google APIs — the Google API Services User Data Policy, including the Limited Use requirements.
1. Information We Collect
Account information you provide: name, email address, phone number, company name, GSTIN, billing address, profile photo, and the password you choose (stored only as a bcrypt hash).
Customer Data submitted to your workspace: records you and your teammates create about your own customers, projects, plots, units, members, leads, invoices, payments, receipts and similar business artefacts. You own this data; we hold it only to run the Service.
Technical information collected automatically: IP address, browser user-agent, device type, page paths, and referer header. We use this to secure the Service, debug problems, and inform product decisions.
Information from third-party sign-in providers: if you choose to sign in with Google, see section 7 below for exactly what we receive and how it is used.
2. How We Use Information
We use personal information to operate the Service, authenticate users, process subscription payments, send transactional emails (welcome notes, magic-link sign-in, receipts, payment reminders, security alerts), provide customer support, prevent fraud and abuse, and comply with our legal obligations.
We do not sell personal information. We do not use Customer Data, Google user data, or any data subject to the Google API Services User Data Policy to train, develop or improve generalised or generic AI/ML models. We do not share Customer Data with any third party except as described in section 6.
3. Data Security
We use industry-standard safeguards to protect personal information, including TLS 1.2+ for data in transit, AES-256-GCM encryption for sensitive fields at rest, bcrypt for password hashes, and short-lived signed JWTs for session tokens.
Each tenant is provisioned with its own isolated Postgres database — there is no shared-schema multi-tenancy. Tenant database credentials live outside the application database and are encrypted at rest. Every state-changing API call is written to an immutable audit log with actor, IP, timestamp and a JSON diff.
4. Data Retention
We retain Customer Data for as long as your workspace is active. After cancellation we retain it for 30 days to allow you to export, then it is permanently deleted from primary systems and removed from backups within the next backup rotation (≤ 35 days total).
Financial records (invoices, payment receipts, GST returns) are retained for the period required by Indian tax law — currently 8 years — even after cancellation, in a sealed archive accessible only for statutory and regulatory purposes.
Data we receive from Google APIs is deleted within 30 days of your account being disconnected from Google or your BizRevolt workspace being cancelled, whichever is earlier. See section 7.
5. Cookies
We use strictly-necessary cookies for authentication and session management. We use a small set of first-party analytics cookies to understand which features are used and where the product falls short. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking.
6. Third-Party Sub-Processors
We rely on a small number of vetted sub-processors to deliver the Service. Each is bound by a data-processing agreement and receives only the minimum data needed for its task.
Razorpay (PCI-DSS Level 1) processes subscription payments. They receive the billing details you enter at checkout and the transaction amount. Razorpay does not have access to your workspace data.
Resend delivers transactional emails (welcome messages, magic-link sign-in, receipts, password resets, payment reminders). Resend receives only the recipient email address and the message body.
Sentry captures application errors so we can diagnose bugs. Stack traces are sent with a request id but without Customer Data payload.
Google LLC — only when you choose to sign in with Google. Scope, data received and use described in section 7.
7. Sign-in with Google — Limited Use disclosure
BizRevolt offers "Sign in with Google" as a convenient authentication option. Use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes we request and why:
openid— required by the OpenID Connect protocol to identify the user.email— we use your Google email address to find or create your BizRevolt account and to send transactional email. It also becomes your default sign-in identifier.profile— we use your name and (if available) profile picture to personalise the workspace UI so teammates can recognise who took which action.
We do not request, access or store any other Google data — no Gmail, Drive, Calendar, Contacts, Photos, YouTube, or any restricted scope. We do not request offline access; tokens are short-lived and used only for the sign-in handshake.
How we use Google user data: strictly to provide and improve the user-facing sign-in feature you requested — matching your Google identity to an existing BizRevolt account, creating one if it does not exist, and signing you in. We do not use Google user data for advertising, we do not sell it, we do not share it with any other party (except a strictly-necessary sub-processor as listed above), and we do not use it to train AI/ML models.
How to revoke access: visit your Google account permissions page and remove BizRevolt. You can also email us at [email protected] to request deletion of any Google-sourced data we hold.
8. Your Rights (GDPR / DPDP)
Under the EU GDPR and the Indian DPDP Act 2023, you have the right to access, correct, export, and request deletion of your personal data; to withdraw consent; and to lodge a complaint with the relevant supervisory authority. You may exercise these rights by writing to the address in section 11.
We respond to verified requests within 30 days. If we deny a request (for example because retaining the data is required by law) we will explain why and tell you how to escalate.
9. Children's Privacy
BizRevolt is a B2B product not directed at children under 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, contact us and we will delete it promptly.
10. Updates to this Policy
We may update this policy from time to time as our practices evolve. Material changes will be notified via email or through the Service at least 30 days before they take effect. Older versions are archived and available on request.
11. Contact & Grievance Officer
For privacy questions or to exercise your rights under the DPDP Act 2023 or GDPR, email [email protected].
In accordance with Section 10 of the DPDP Act 2023, the designated Grievance Officer for BizRevolt is:
- Name & designation: Aditya Trivedi, Founder & Data Protection Officer
- Email:[email protected] (subject line: “DPDP Grievance”)
- Postal address: Adi Creates, Ahmedabad, Gujarat, India
- Response window: Acknowledgement within 24 hours; resolution within 30 days as required by the DPDP Rules.
If your grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India once it is constituted under the Act.