Version 2026-05-01 · Effective from 2026-05-01
This Privacy Policy explains how Demystify Systems LLP (“we”, “us”, “our”) collects, uses, and protects information when you use Finocket (“the app”) at finocket.com. We comply with the Digital Personal Data Protection Act, 2023 of India (DPDP Act) and the Information Technology Rules, 2021.
1. What we collect
- Account: email, password hash (managed by Supabase Auth), name, business name, optional phone, optional photo, city.
- Business data you enter: clients, projects, visits, payments, expenses, invoices, voice-to-text notes, optional UPI VPA, optional GSTIN.
- Device & usage: approximate IP (for security), browser/OS string, preferred language and theme. We do not run third-party analytics today.
2. Why we collect it
To provide the service you signed up for, to authenticate you, to keep your data isolated from other users (via row-level security), to generate receipts and reports, and to comply with applicable law.
3. Third-party processors
- Supabase (database + auth + storage) — data hosted in the region you signed up to. See supabase.com/privacy.
- Vercel (web hosting) — see vercel.com/legal/privacy-policy.
- Browser Speech Recognition — voice input runs in your browser; we don't send your voice to our servers.
- Amazon Selling Partner API — if you connect your Amazon.in seller account, we fetch your GST Merchant Tax Reports and settlement reports from Amazon on your behalf. See Amazon's privacy notice.
- Flipkart Marketplace API — if you connect your Flipkart seller account, we fetch your orders, returns and settlements from Flipkart on your behalf.
- Marketplace CSV imports (Meesho, Blinkit, Zepto, Swiggy Instamart, JioMart) — files you upload are parsed on our servers and stored as order / settlement rows in your own workspace. We never contact those platforms directly.
Marketplace credentials: any API credential you provide (Amazon refresh token, Flipkart app secret) is encrypted with AES-256-GCM before storage. The plaintext never touches our database, and the encryption key is held only in server configuration. We use these credentials exclusively to read your seller data — we never modify anything in your marketplace account.
We do not sell, rent, or share your personal information for marketing.
4. Data retention
Your data is kept until you delete it. You can delete individual records anytime, or delete your entire account from Profile → Account → Delete my account. Deletion is final after a 30-day grace period, during which you can cancel.
5. Your rights under the DPDP Act
- Access: download all your data as CSV from your profile.
- Correction: edit any record directly in the app.
- Erasure: delete records or your whole account.
- Grievance: contact our Grievance Officer at grievance@dmstfy.com.
- Consent withdrawal: revoke optional consents (notifications etc.) anytime in profile.
6. Security
Passwords are hashed by Supabase Auth. All traffic uses HTTPS/TLS. Database row-level security ensures one user cannot read another's rows. Receipts are stored in a public bucket addressed by unguessable UUIDs; treat receipt URLs as sensitive.
7. Children
Finocket is not intended for users under 18. We do not knowingly collect children's data.
8. Contact
Data Protection Officer / Grievance Officer:
Demystify Systems LLP
Email: support@dmstfy.com
We may update this policy. If we do, we'll re-prompt you to accept the new version on next login.