Privacy Policy
We take your privacy seriously. This policy explains how we collect, use, and protect your personal and financial information.
1. Information We Collect
1.1 Information You Provide
- Account details: Your name, email address, and password when you register.
- Financial transactions: Transaction descriptions, amounts, categories, dates, payment modes, and optional notes you manually enter or import from bank statements.
- Investment data: Mutual fund folios, stock holdings, purchase prices, and quantities you enter for portfolio tracking.
- Tax saving data: ELSS investments, PPF contributions, NPS details, health insurance premiums you track under 80C, 80D, 80CCD sections.
- Budget & bill data: Budget limits and recurring bill details you set up in the app.
- Bank statement files: CSV files you upload for automatic transaction import (processed in memory only, see Section 5).
- Communications: Messages you send us via email or the contact form.
1.2 Information Collected Automatically
- Usage data: Pages visited, features used, session duration, and interaction patterns.
- Device information: Browser type, operating system, screen resolution, and device type.
- IP address: Used for security purposes and approximate geographic location (country/state level only).
- Cookies: Session cookies to keep you logged in and preference cookies to remember your settings. See Section 6 for full details.
1.3 Information We Do NOT Collect
- We do not access your bank accounts, UPI apps, or any financial institution directly via APIs or open banking.
- We do not collect payment card numbers (debit/credit card details) or banking credentials (passwords, PINs, OTPs).
- We do not store your Aadhaar number, PAN number, or any government ID unless required by law.
- We do not track your location beyond country/state level derived from IP address.
2. How We Use Your Information
We use your information solely to provide and improve the RozHisab service:
- To create and manage your account.
- To display your financial data (transactions, budgets, investments) on your personal dashboard.
- To generate reports, spending insights, and budget tracking visualisations.
- To calculate SIP returns, EMI schedules, and tax savings based on your inputs.
- To fetch live mutual fund NAV data and stock prices for your portfolio.
- To send service-related emails (password reset, account security alerts, billing notifications).
- To send optional weekly/monthly spending summaries if you opt in under Settings.
- To analyse aggregate, anonymised usage patterns to improve the app (e.g., which features are most used).
- To detect and prevent fraud, abuse, and security threats.
- To comply with applicable laws and legal obligations (e.g., responding to lawful government requests).
We do not use your financial data for:
- Targeted advertising or user profiling.
- Selling, renting, or sharing with third parties for marketing purposes.
- Training AI models or sharing with external machine learning platforms.
- Any purpose unrelated to providing the RozHisab service to you.
3. Data Storage & Security
Your data is stored on secured servers hosted in India (Mumbai region). We implement the following security measures:
- Passwords: Hashed using bcrypt with salt β we cannot see your password in plain text.
- HTTPS/TLS: All data transmission between your browser and our servers is encrypted using TLS 1.3 or higher.
- Database encryption: Transaction descriptions and notes are encrypted at rest using AES-256 (see Section 4).
- Access controls: Only authorised personnel can access production systems, with multi-factor authentication required.
- Session security: Sessions expire after 2 hours of inactivity. You are automatically logged out.
- Rate limiting: API endpoints are rate-limited to prevent brute force attacks.
- Regular backups: Encrypted database backups are taken daily and stored in a separate geographic location.
- Security monitoring: We monitor for suspicious activity, unauthorised access attempts, and anomalies.
Data retention: We retain your data for as long as your account is active. If you delete your account, all your data is permanently removed from our servers within 30 days. Backup copies are overwritten in the next backup cycle.
4. Transaction Encryption (Bank-Grade Security)
RozHisab encrypts your sensitive transaction data at rest using AES-256 encryption β the same standard used by banks and military systems.
4.1 What Gets Encrypted
The following fields are encrypted before being stored in our database:
- Transaction description: The narration/description text (e.g., "SWIGGY ORDER 9123456 MUMBAI", "UPI/1234567890@paytm/SALARY")
- Note field: Any personal notes you add to a transaction
These fields are stored as ciphertext β unreadable gibberish without the decryption key.
4.2 What Stays Visible (For Reports)
The following fields remain unencrypted because they are required for calculations and reports:
- Amount: Required for budgets, charts, and SUM calculations
- Category: Required for category breakdown reports
- Date: Required for monthly/yearly filters
- Type (income/expense): Required for profit/loss calculations
4.3 How Encryption Works
- When you enter or import a transaction, the description is encrypted instantly in your browser or on our server before being sent to the database.
- Each user account has a unique AES-256 encryption key generated using cryptographically secure random bytes.
- Your encryption key is stored separately from your transaction data with additional protection.
- When you view your transactions, they are decrypted only in your session β never in logs or backups.
4.4 Why This Matters
If our database were ever compromised (hacker, insider threat, server breach), an attacker would see:
- β Readable: Dates, amounts, categories (e.g., "15 Jan 2025, βΉ340, Food")
- π Unreadable: Transaction descriptions (e.g., "U2FsdGVkX1+mK9vXzR4qP8nH3Lw..." instead of "SWIGGY ORDER")
Plain-language commitment: Our team cannot read your transaction descriptions. We see amounts and categories for aggregate analytics, but the sensitive narration text is encrypted end-to-end.
5. Bank Statement Processing
RozHisab allows you to import transactions by uploading bank statement CSV files from HDFC, SBI, ICICI, Axis, Kotak, and other banks.
5.1 How Bank Statement Import Works
- You upload a CSV file from your Downloads folder.
- The file is sent to our server over HTTPS (encrypted in transit).
- Our parser reads the file in memory only β it is never written to disk.
- We extract transaction data (date, description, amount, balance) and categorise each transaction.
- Transaction descriptions are immediately encrypted using AES-256 before being stored in the database.
- The original CSV file is immediately discarded from memory after parsing completes.
5.2 What We Do NOT Do
- β We do not store your bank statement file on our servers.
- β We do not keep a copy in temporary directories, logs, or backups.
- β We do not share your bank statement with third parties.
- β We do not use your bank data for marketing, profiling, or training AI models.
5.3 What Happens to Parsed Data
After parsing, only the following data is retained (with descriptions encrypted):
- Transaction date
- Description (encrypted)
- Amount (debit/credit)
- Auto-detected category (editable by you)
- Closing balance (optional, for reconciliation)
You retain full control β you can edit categories, delete transactions, or export data as CSV anytime.
6. Cookies & Tracking Technologies
We use the following types of cookies:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session Cookie | Keeps you logged in during your browser session | Session (deleted on browser close) |
| Preference Cookie | Remembers your app settings (theme, date format) | 30 days |
| Analytics Cookie | Helps us understand how the app is used (aggregated, anonymised) | 90 days |
You can disable cookies in your browser settings. Note that disabling session cookies will prevent you from logging in.
Note: We do not use advertising cookies. RozHisab does not show ads β we earn revenue from Premium subscriptions only.
7. Third-Party Services
We use the following third-party services, each governed by their own privacy policies:
- Razorpay: Payment processing for Premium subscriptions. Razorpay handles all payment card data β we never see or store your card details. Razorpay Privacy Policy
- AMFI (Association of Mutual Funds in India): We fetch live mutual fund NAV data from AMFI's public API. No personal data is shared.
- NSE/BSE APIs: We fetch live stock prices for your portfolio. No personal data is shared.
- Google Fonts: Loads typography assets. Google may log font request metadata. Google Privacy Policy
- Chart.js (CDN): JavaScript library for data visualisations. Served via jsDelivr CDN.
We do not share your personal or financial data with any third-party service. API calls to fetch mutual fund NAV or stock prices are anonymised β they contain no user identifiers.
8. Data Sharing & Advertising
8.1 We Do Not Sell Your Data
RozHisab does not sell, rent, or share your personal or financial data with advertisers, data brokers, or marketing companies. We earn revenue from Premium subscriptions β not from selling user data.
8.2 No Advertising
RozHisab does not display third-party advertisements. You will never see Google AdSense, Facebook Ads, or any other ad network on our platform.
8.3 Legal Disclosure
We may disclose your data only in the following limited circumstances:
- Legal compliance: If required by law, court order, or government authority (e.g., tax department, law enforcement).
- Protection of rights: To enforce our Terms of Service, investigate fraud, or protect the rights and safety of RozHisab or other users.
- Business transfer: If RozHisab is acquired or merged, your data may be transferred to the new entity (you will be notified in advance).
In all cases, we will notify you if legally permitted to do so.
9. Your Rights
You have the following rights regarding your personal data:
- Access: You can view all your data inside the RozHisab app at any time β transactions, budgets, investments, bills.
- Export: You can download all your transactions as a CSV file from the Transactions page. Premium users can export to PDF.
- Correction: You can edit any transaction, update your name, email, and preferences in Settings at any time.
- Deletion: You can permanently delete your account and all associated data from Settings β Danger Zone β Delete Account. All data is removed within 30 days.
- Portability: You can export your data in machine-readable CSV format and transfer it to another service.
- Objection: You may contact us to object to any specific data processing activity.
- Withdraw consent: You can unsubscribe from optional email notifications (weekly summaries) at any time from Settings.
To exercise any of these rights or if you have questions, contact us at support@rozhisab.com.
10. Children's Privacy
RozHisab is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at support@rozhisab.com and we will delete the data promptly.
11. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, features, or for legal/regulatory reasons. When we make significant changes, we will:
- Notify you by email (if you have an account).
- Display a prominent banner in the app for 30 days.
- Update the "Last updated" date at the top of this page.
Continued use of RozHisab after changes are posted constitutes your acceptance of the updated policy. If you do not agree with the changes, you may delete your account.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:
- Email: support@rozhisab.com
- Website: rozhisab.com/contact.php
- Support hours: MondayβFriday, 9:00 AM β 6:00 PM IST
- Response time: We aim to respond within 2 business days.