Sovereign Ledger

1. Who We Are

Sovereign Ledger (operating as KhataLedger) is a B2B MSME business ledger application that enables small and medium businesses to track credit, payments, and party relationships. We are operated from India and subject to India's Digital Personal Data Protection (DPDP) Act, 2023.

Data Fiduciary: Sovereign Ledger / KhataLedger.

2. Data We Collect

We collect only data that is necessary for the service to function:

• Business information: Business name, GSTIN, city, address
• User information: Name, mobile phone number (used as login ID), role (Owner/Admin/Staff)
• Financial records: Transaction amounts, notes, dates, party names — entered by you
• Party data: Names, phone numbers, and addresses of your customers and vendors — entered by you
• Usage data: Timestamps, error logs for debugging (no behavioral tracking)

We do not collect: Aadhaar, PAN, bank account numbers, UPI PINs, biometric data, or any data from children under 18.

3. How We Use Your Data

• To operate your business ledger and sync it across your devices and team
• To enforce subscription plan limits (Free/Pro)
• To detect anomalous transactions using our on-device ML engine
• To provide AI-powered payment risk insights (Pro plan only)
• To send WhatsApp payment reminders on your behalf — only when you explicitly trigger them

We do not sell, rent, or share your data with third parties for advertising, profiling, or any commercial purpose.

4. Data Storage & Security

• All data is stored on servers located in Singapore (Supabase) with encryption at rest (AES-256) and in transit (TLS 1.3)
• Each business account is strictly isolated using database-level Row-Level Security — no other business can access your data
• Phone numbers shown in the app are masked by default to protect party PII
• Passwords are hashed using bcrypt (cost factor 12) and never stored in plaintext
• API access is rate-limited to prevent brute-force attacks

5. Data Sharing

We share data only with the following service providers, strictly for operating the app:

• Supabase — PostgreSQL database hosting
• Cloudflare — CDN, edge API routing, DDoS protection
• Google Play Billing — Android Play Store subscription checkout and purchase management
• Web payment providers — Web checkout processing when enabled; they process payment credentials and we do not store card data

Android Play Store purchases use Google Play Billing. Web payment processing may be handled by the configured web provider. We do not store card data, UPI PINs, or banking credentials.

All service providers are bound by data processing agreements.

6. Your Rights under DPDP Act 2023

As a Data Principal, you have the right to:

• Access: Request a copy of all personal data we hold about you
• Correction: Correct inaccurate personal data
• Erasure: Delete your account and all associated data permanently (within 30 days)
• Grievance: Contact our Data Protection Officer to raise a complaint
• Nomination: Nominate another individual to exercise your rights in case of incapacity

To exercise these rights, use the account deletion page at khataledger.com/account-deletion/ or contact us at the address below. We will respond within 72 hours.

7. Data Retention

We retain your data for as long as your account is active. After account deletion:

• Personal data is purged within 30 days
• Transaction records may be retained in anonymized form for 90 days for fraud detection, then deleted
• Billing records are retained for 7 years as required by Indian tax law (GST compliance)

8. Changes to This Policy

We will notify you of material changes to this policy via in-app notification at least 7 days before the change takes effect. Continued use of the app after the effective date constitutes acceptance.

9. Contact & Grievance Officer