Privacy Policy
Effective 20 June 2026 · Last updated 20 June 2026 · See changelog
This Privacy Policy ("Policy") describes how Lekha Logic Consulting Private Limited (CIN U69200DL2026PTC465960), the company that operates the "LekhaBooks" product and brand ("LekhaBooks", "we", "us", or "our"), collects, uses, discloses, retains, and protects personal data when you visit our website at lekhabooks.in, sign up for an account, or use the LekhaBooks web application, mobile applications, APIs, browser extensions, partner panels, or any related service we operate (collectively, the "Service").
This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and other applicable Indian laws. Under the DPDP Act, we are the Data Fiduciary for personal data we collect directly from you (as a user of the Service). For business data that you upload about your customers, vendors, or employees, we act as a Data Processor on your behalf, and you are the Data Fiduciary for that data.
By accessing or using the Service, you confirm that you have read, understood, and agree to the practices described in this Policy. If you do not agree, please do not use the Service.
- Who we are & how to reach us
- Scope & definitions
- Information we collect
- How we use your data
- Legal basis for processing
- When we share data
- Third-party processors
- AI features & opt-in consent
- Cross-border data transfers
- Data retention
- Your rights as a Data Principal
- How to exercise your rights
- Security & safeguards
- Cookies & similar technologies
- Children & minors
- Breach notification
- Grievance Officer & DPB
- Changes to this Policy
- Contact
1. Who we are & how to reach us
Lekha Logic Consulting Private Limited (CIN U69200DL2026PTC465960) is a private limited company incorporated under the Companies Act, 2013, with its registered office at Rzd-1/101, Gali No. 5, Mahavir Enclave, Palam Village, South West Delhi, New Delhi 110045, India. "LekhaBooks" is a product and trademark of Lekha Logic Consulting Private Limited. We offer cloud-based bookkeeping, GST compliance, TDS, payroll, inventory, and management-information software to micro, small, and medium businesses in India.
General contact
Email: support@lekhabooks.in
Privacy questions: privacy@lekhabooks.in
Grievance Officer: grievance@lekhabooks.in
Postal: Rzd-1/101, Gali No. 5, Mahavir Enclave, Palam Village, New Delhi 110045, India.
2. Scope & definitions
This Policy applies to all personal data we collect through the Service, including from website visitors, free-tier users, paying subscribers, partner accounting practices, employees of our customers using sub-user logins, and individuals whose personal data is uploaded by our subscribers as part of their books of account (such as customers, vendors, or employees of the subscribing business).
2.1 Terms used in this Policy
- Data Principal means the natural person to whom personal data relates (you).
- Data Fiduciary means the entity that determines the purpose and means of processing of personal data. We are the Data Fiduciary for your account data; you are the Data Fiduciary for the books-of-account data you upload about third parties.
- Data Processor means an entity that processes personal data on behalf of a Data Fiduciary. We act as Processor for your tenant data.
- Personal data means any data about an individual who is identifiable by or in relation to such data.
- Processing means any operation performed on personal data, including collection, recording, organisation, storage, retrieval, use, disclosure, or erasure.
- Service means all software, websites, APIs, and applications operated by Lekha Logic Consulting Private Limited under the LekhaBooks brand.
3. Information we collect
3.1 Information you provide directly
Account & business profile. Full name, email address, mobile number, password (stored as a one-way bcrypt hash; we cannot read it). Business legal name, trade name, GSTIN, PAN, business type, date of incorporation, place of business, state, PIN code. Authorised signatory name and designation, signatory contact details, photograph or digital signature image (if you upload one). Industry / sector classification you select during onboarding.
Customer, vendor, and employee master data you upload. Customer or vendor names, addresses, GSTIN, PAN, mobile numbers, email addresses, contact persons, place of supply, opening balance. Bank account number, IFSC, UPI ID — only where you choose to record these. Employee names, employee codes, PAN, Aadhaar (last 4 digits only, where law permits), salary structure, UAN, ESIC, date of joining, if you use the optional Payroll module.
Transactional & books-of-account data. Sales/purchase invoices, credit/debit notes, payments, receipts, journal vouchers, contra entries; inventory items, batches, serial numbers; bank statements, payment-gateway settlements, e-way bills, e-invoice IRNs, GSTR returns drafts; documents you attach to vouchers.
Billing & payment data for our subscription. Billing name, billing GSTIN, billing address; payment-method tokens issued by our payment processor (Razorpay). We do not store full card numbers, CVV, UPI PIN, or net-banking credentials — these are handled and tokenised entirely by Razorpay in their PCI-DSS environment. Invoice number, plan name, billing cycle, amount paid, GST charged, transaction id.
Communications & support. Support tickets, chat transcripts, screenshots you share, voice recordings if you opt into a call-back; survey responses, NPS ratings, feature requests; email content when you write to us.
3.2 Information collected automatically
Device, network, & usage data. IP address (full, then truncated for analytics after 30 days), approximate city-level location derived from IP; browser user-agent, OS, device type, screen size, language; pages visited, features clicked, time spent, error events, crash reports, request latency; referrer URL.
Cookies & local storage. An ll_sess session cookie (HttpOnly, Secure, SameSite=Lax); a ll_csrf double-submit anti-CSRF token cookie; browser localStorage entries holding UI preferences; no third-party advertising cookies; no cross-site retargeting pixels.
3.3 Information from third parties
If you sign in via OAuth (Google), we receive your verified email, name, and Google profile picture — only the minimum scopes required to authenticate. If you connect a bank account via an aggregator API, we receive transaction lines (date, amount, narration, balance) but not your net-banking credentials.
3.4 Information about your customers, vendors, and employees
Important. When you upload data about third parties, you are the Data Fiduciary under the DPDP Act with respect to that data. You represent and warrant that you have obtained any consents required by law to share that data with us and to have us process it on your behalf for the purposes of running your books of account. We process that data only as instructed by you in your use of the Service.
4. How we use your data
We use personal data for the following specified, lawful purposes:
| Purpose | Examples | Categories used |
|---|---|---|
| Provide the Service | Authenticate logins; render dashboards; create invoices; compute GST/TDS; generate reports; back-up and restore your data. | Account profile, books data, device data. |
| Compliance & tax | Generate GSTR-1/3B/9, TDS Forms 26Q/24Q, AOC-4, MGT-7 templates; maintain audit trail under Companies Act Rule 3. | Books data, account profile. |
| Billing & collections | Charge subscription fees; raise GST tax invoices; manage renewals, dunning, refunds. | Billing data, account profile. |
| Customer support | Reply to tickets; debug your issue; train support staff (with PII redacted). | Communications, account profile, limited books data. |
| Service improvement | Identify slow pages; prioritise features; A/B test UI; produce aggregated, anonymised analytics. | Usage data, device data. |
| Security & fraud prevention | Detect brute-force logins; rate-limit abusive IPs; investigate suspicious activity. | Device data, audit logs. |
| Legal & regulatory | Respond to lawful requests; preserve evidence under court order; meet tax-record retention. | All categories as required. |
| Marketing (with consent) | Send product-update emails; invite to webinars. You can unsubscribe at any time. | Email, name, plan tier. |
We do not engage in automated decision-making that produces legal or similarly significant effects about you without human review.
5. Legal basis for processing
Under the DPDP Act, we process personal data on one or more of the following lawful bases:
- Service delivery — processing necessary to deliver the Service you have subscribed to, including account creation, authentication, invoicing, accounting computations, support, and billing.
- Compliance with legal obligation — processing necessary to comply with Indian law, including the Income-Tax Act 1961, the CGST/IGST/SGST Acts and rules, the Companies Act 2013, the Prevention of Money-Laundering Act 2002, and lawful directions of regulators or courts.
- Consent (Section 6) — for optional features such as marketing emails, AI/LLM processing, and use of analytics cookies beyond strictly necessary ones. Consent is sought through clear, granular toggles, may be withdrawn at any time, and withdrawal does not affect prior lawful processing.
- Certain legitimate uses (Section 7) — for security monitoring, fraud prevention, debugging, and protecting LekhaBooks and our users from harm.
6. When we share data
We do not sell, rent, or trade your personal data. We disclose personal data only in the limited circumstances below:
- Service providers ("Sub-processors") — trusted vendors who process data on our written instructions under a Data Processing Agreement, listed in Section 7.
- Your authorised users — sub-user accounts you invite, partner accountants you grant access to, or integrations you enable. You control these access grants.
- Legal & regulatory — when required by law, regulation, court order, or a valid request from a government authority acting within its jurisdiction. We resist over-broad requests and notify affected users where lawfully permitted.
- Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and continuity of this Policy.
- Aggregated or de-identified data — data that cannot reasonably be linked back to you.
- With your consent — in any other case, only with your explicit consent.
7. Third-party processors
The current list of sub-processors who may receive personal data on our behalf:
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| MilesWeb (Mumbai data centre, India) | Hosting & storage | All Service data at rest | India (Mumbai) |
| Razorpay Software Pvt Ltd | Payment processing for our subscription fees | Billing name, email, amount, payment token | India (Bengaluru) |
| SendGrid (Twilio) / Mailgun | Transactional email delivery | Recipient email, message content | USA (transit), India-located fallback MTA |
| MSG91 / Gupshup | SMS & WhatsApp Business API notifications | Recipient mobile, message content | India |
| Cloudflare | CDN, WAF, DDoS protection | HTTP request metadata, IP address | Global edge (India POPs preferred) |
| Sentry | Application-error monitoring | Stack traces, request URL, user-id hash (no PII) | USA |
| OpenAI, Anthropic, Google (Gemini) | AI features (opt-in only) — see Section 8 | Only the specific text you submit to AI features after granting consent | USA (text), India where available |
| Razorpay Route / RazorpayX | Payouts (Partner Panel commissions) | Bank account, IFSC, payee name | India |
An up-to-date list is available on request at privacy@lekhabooks.in. We provide reasonable notice of material additions through our changelog and in-product banner.
8. AI features & opt-in consent
LekhaBooks offers optional artificial-intelligence features such as receipt OCR auto-fill, vendor-invoice extraction, narration suggestions, ledger-mapping suggestions, and natural-language reporting. These features call external Large Language Model ("LLM") providers including OpenAI, Anthropic, and Google.
AI processing is OFF by default for every tenant. To enable AI features, a tenant Owner must visit Settings → Privacy & AI and explicitly toggle the flag on. By doing so the Owner represents that the tenant has obtained any consents required from third-party data subjects whose data may be transmitted through AI features.
When AI features are enabled: only the specific text or document content you submit is sent to the LLM provider (your full books are not sent); we instruct LLM providers contractually not to use your inputs to train their general-purpose models (zero-retention mode where available); you may revoke consent at any time from the same setting.
9. Cross-border data transfers
Your primary data store, backups, and all routine processing remain in India, hosted in our hosting provider MilesWeb's Mumbai (India) data centre. Limited transfers outside India may occur for: AI features (opt-in); email delivery routing; error monitoring (Sentry, USA); and Cloudflare edge caching of request metadata. For each cross-border transfer we rely on contractual safeguards equivalent to Standard Contractual Clauses, the destination country not being restricted by the Central Government under Section 16 of the DPDP Act, and minimisation (transferring only what is necessary).
10. Data retention
| Category | Retention period | Basis |
|---|---|---|
| Active books of account, invoices, vouchers | While account is active + 8 years from end of relevant financial year | Section 36 CGST Act, Section 44AA Income-Tax Act |
| Tax-invoice records issued to you for our subscription | 8 financial years | Section 36 CGST Act |
| Account profile, login credentials | While account is active + 90 days for restoration | Contract + grace period |
| Support tickets, chat transcripts | 3 years from closure | Quality assurance, dispute resolution |
| Marketing emails & consent records | Until consent withdrawn + 1 year (proof of consent) | DPDP Section 6 |
| Server access logs, security & audit-trail events | 12 months (1 year) | Rule 6(1)(e), DPDP Rules 2025 — detection, investigation & remediation of unauthorised access; security monitoring & incident response |
| Failed-login / authentication-event logs | 12 months (1 year) | Rule 6(1)(e), DPDP Rules 2025 — brute-force detection & investigation |
| Transient IP rate-limit counters | 30 days | Operational throttling only (not a breach-detection log) |
| Daily encrypted backups | 30 days rolling; monthly snapshot 12 months | Disaster recovery |
| Anonymised product analytics | Indefinite | Product improvement, no re-identification possible |
On account closure or your erasure request, we delete data from active systems within 30 days and from backups within 90 days, subject to legal-hold obligations (active tax dispute, court order, regulatory investigation). Where law requires longer retention, only the legally-mandated minimum is kept and access is restricted.
11. Your rights as a Data Principal
Under Sections 11 to 14 of the DPDP Act you have the following rights:
- Right to access information about personal data (Sec. 11) — a summary of the personal data being processed, the activities of processing, and the identities of all sub-processors with whom your data has been shared.
- Right to correction & erasure (Sec. 12) — correction of inaccurate or misleading data; completion of incomplete data; updating; and erasure unless retention is required by law or contract performance.
- Right of grievance redressal (Sec. 13) — a readily-available means to raise grievances, with response within the period stated in Section 12 below.
- Right to nominate (Sec. 14) — nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to data portability — export your books in JSON, CSV, Excel, or Tally XML formats from Settings → Data & Backup, at any time, without charge.
- Right to withdraw consent — for any processing based on consent (marketing, AI features, optional analytics). Withdrawal is as easy as giving consent and does not affect lawfulness of processing already done.
12. How to exercise your rights
The fastest path is to use the in-app tools at Settings:
- Access & portability — use "Download Backup (export all my data)" in Settings → Data & Backup.
- Correction — edit your profile and master records directly.
- Erasure — use "Delete my account" in Settings → Data & Backup. We delete on the schedule described in Section 10.
- Consent management — AI features are managed at Settings → Privacy & AI.
If you cannot or do not wish to use the in-app tools, write to privacy@lekhabooks.in from the email address registered with your account. We respond within 30 days. There is no fee for the first request in a 12-month period; for repeated or manifestly unfounded requests we may charge a reasonable administrative fee. If we cannot identify you, we may ask for additional verifying information before acting, to prevent unauthorised disclosure.
13. Security & safeguards
We follow reasonable security practices and procedures as required under Section 8(5) of the DPDP Act, Rule 6 of the DPDP Rules 2025, and Rule 8 of the SPDI Rules. Our technical and organisational measures include:
- Transport-layer encryption (TLS 1.2 or higher) for all data in transit; HSTS pre-loaded.
- Passwords stored only as bcrypt hashes with per-user salts; we cannot read your password.
- AES-256-GCM encryption at rest for sensitive PII fields including PAN, bank account number, IFSC, and one-time passwords. Encryption keys held in environment-isolated key material, rotated annually.
- Optional two-factor authentication for all accounts; mandatory for administrators and partner-panel users.
- Role-based access control with least-privilege defaults; granular voucher-level permissions.
- Application-layer logging of all create/update/delete operations with user attribution, IP, and timestamp (audit trail per Companies Act Rule 3).
- Security, access and audit logs are retained for at least 12 months, in line with Rule 6(1)(e) of the DPDP Rules 2025, to support detection, investigation and remediation of unauthorised access.
- Rate-limiting and brute-force protections on login, password-reset, and OTP endpoints.
- Web Application Firewall and DDoS protection at the edge.
- Regular dependency scanning, third-party penetration testing (annually), and quarterly internal security reviews.
- Encrypted, geo-redundant backups, tested for restoration quarterly.
- Background-verified engineering staff; security training; incident-response playbook.
No security regime is perfect. We do not warrant absolute security; we commit to operating in line with industry best practices and to transparent breach disclosure (Section 16).
14. Cookies & similar technologies
We use only the cookies necessary to operate the Service. We do not use third-party advertising cookies, retargeting pixels, or cross-site behavioural tracking. The cookies we set are:
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
ll_sess | Authentication session | 14 days rolling, cleared on logout | Strictly necessary |
ll_csrf | Anti-CSRF double-submit token | Session | Strictly necessary |
ll_tenant | Last-selected tenant for multi-tenant users | 30 days | Functional |
ll_anon_id | Anonymous analytics identifier (no PII) | 180 days | Analytics — optional |
Strictly-necessary cookies do not require consent. The optional analytics cookie is set only with your consent and can be disabled at Settings → Privacy & AI.
15. Children & minors
The Service is intended for use by individuals aged 18 years or above acting in connection with a registered business. We do not knowingly collect personal data from children (defined under Section 9 of the DPDP Act as individuals below 18 years). If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete that data as soon as practicable. If you are a parent or guardian and believe your child has provided us personal data, contact privacy@lekhabooks.in.
16. Breach notification
In the event of a personal-data breach, we will, in accordance with Rule 7 of the DPDP Rules 2025: (a) intimate each affected Data Principal without delay, through your user account or registered mode of communication, describing the nature of the breach, its likely consequences, the measures we have taken, and the safety measures you should take; and (b) intimate the Data Protection Board of India without delay of the nature, extent, timing and location of the breach, followed by a detailed report to the Board within 72 hours of becoming aware of the breach, covering the facts, mitigation steps, findings as to the cause, remedial measures, and a report on the intimations sent to Data Principals.
17. Grievance Officer & Data Protection Board
Grievance Officer
Name: Uday Bisht
Designation: Grievance Officer & Data Protection Officer
Email: grievance@lekhabooks.in
Postal: Lekha Logic Consulting Private Limited, Rzd-1/101, Gali No. 5, Mahavir Enclave, Palam Village, New Delhi 110045, India.
Response time: acknowledgement within 24 hours, resolution within 30 days as required by Section 13 of the DPDP Act.
If you remain dissatisfied after the Grievance Officer's response, you may complain to the Data Protection Board of India established under the DPDP Act, in the manner notified by the Board. The Board's contact and complaint-filing portal will be referenced here once published.
18. Changes to this Policy
We may revise this Policy from time to time. The "Effective" and "Last updated" dates at the top will always reflect the current version, and we maintain a public changelog of substantive revisions. For material changes (such as new categories of personal data collected, new sub-processors with cross-border implications, or change of legal basis), we will notify you by email and via in-product banner at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
19. Contact
General & product: support@lekhabooks.in
Privacy questions: privacy@lekhabooks.in
Grievance Officer: grievance@lekhabooks.in
Legal: legal@lekhabooks.in
Postal: Lekha Logic Consulting Private Limited, Rzd-1/101, Gali No. 5, Mahavir Enclave, Palam Village, New Delhi 110045, India.
© 2026 Lekha Logic Consulting Private Limited. All rights reserved. This Policy is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts at New Delhi. "LekhaBooks" is a trademark of Lekha Logic Consulting Private Limited.