LekhaBooks

Privacy Policy

Effective 20 June 2026 · Last updated 20 June 2026 · See changelog

Plain-English summary. We are Lekha Logic Consulting Private Limited (CIN U69200DL2026PTC465960), the Indian company behind the LekhaBooks accounting and GST software for small businesses. We collect the data you give us (business profile, customers, vendors, invoices, payments) and a little technical data your browser sends. We use it to run the Service for you and to meet our tax and legal obligations. We do not sell your data. We follow the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025. AI features are opt-in. You have rights of access, correction, erasure, and grievance — listed in Section 11.

This Privacy Policy ("Policy") describes how Lekha Logic Consulting Private Limited (CIN U69200DL2026PTC465960), the company that operates the "LekhaBooks" product and brand ("LekhaBooks", "we", "us", or "our"), collects, uses, discloses, retains, and protects personal data when you visit our website at lekhabooks.in, sign up for an account, or use the LekhaBooks web application, mobile applications, APIs, browser extensions, partner panels, or any related service we operate (collectively, the "Service").

This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and other applicable Indian laws. Under the DPDP Act, we are the Data Fiduciary for personal data we collect directly from you (as a user of the Service). For business data that you upload about your customers, vendors, or employees, we act as a Data Processor on your behalf, and you are the Data Fiduciary for that data.

By accessing or using the Service, you confirm that you have read, understood, and agree to the practices described in this Policy. If you do not agree, please do not use the Service.

1. Who we are & how to reach us

Lekha Logic Consulting Private Limited (CIN U69200DL2026PTC465960) is a private limited company incorporated under the Companies Act, 2013, with its registered office at Rzd-1/101, Gali No. 5, Mahavir Enclave, Palam Village, South West Delhi, New Delhi 110045, India. "LekhaBooks" is a product and trademark of Lekha Logic Consulting Private Limited. We offer cloud-based bookkeeping, GST compliance, TDS, payroll, inventory, and management-information software to micro, small, and medium businesses in India.

General contact
Email: support@lekhabooks.in
Privacy questions: privacy@lekhabooks.in
Grievance Officer: grievance@lekhabooks.in
Postal: Rzd-1/101, Gali No. 5, Mahavir Enclave, Palam Village, New Delhi 110045, India.

2. Scope & definitions

This Policy applies to all personal data we collect through the Service, including from website visitors, free-tier users, paying subscribers, partner accounting practices, employees of our customers using sub-user logins, and individuals whose personal data is uploaded by our subscribers as part of their books of account (such as customers, vendors, or employees of the subscribing business).

2.1 Terms used in this Policy

3. Information we collect

3.1 Information you provide directly

Account & business profile. Full name, email address, mobile number, password (stored as a one-way bcrypt hash; we cannot read it). Business legal name, trade name, GSTIN, PAN, business type, date of incorporation, place of business, state, PIN code. Authorised signatory name and designation, signatory contact details, photograph or digital signature image (if you upload one). Industry / sector classification you select during onboarding.

Customer, vendor, and employee master data you upload. Customer or vendor names, addresses, GSTIN, PAN, mobile numbers, email addresses, contact persons, place of supply, opening balance. Bank account number, IFSC, UPI ID — only where you choose to record these. Employee names, employee codes, PAN, Aadhaar (last 4 digits only, where law permits), salary structure, UAN, ESIC, date of joining, if you use the optional Payroll module.

Transactional & books-of-account data. Sales/purchase invoices, credit/debit notes, payments, receipts, journal vouchers, contra entries; inventory items, batches, serial numbers; bank statements, payment-gateway settlements, e-way bills, e-invoice IRNs, GSTR returns drafts; documents you attach to vouchers.

Billing & payment data for our subscription. Billing name, billing GSTIN, billing address; payment-method tokens issued by our payment processor (Razorpay). We do not store full card numbers, CVV, UPI PIN, or net-banking credentials — these are handled and tokenised entirely by Razorpay in their PCI-DSS environment. Invoice number, plan name, billing cycle, amount paid, GST charged, transaction id.

Communications & support. Support tickets, chat transcripts, screenshots you share, voice recordings if you opt into a call-back; survey responses, NPS ratings, feature requests; email content when you write to us.

3.2 Information collected automatically

Device, network, & usage data. IP address (full, then truncated for analytics after 30 days), approximate city-level location derived from IP; browser user-agent, OS, device type, screen size, language; pages visited, features clicked, time spent, error events, crash reports, request latency; referrer URL.

Cookies & local storage. An ll_sess session cookie (HttpOnly, Secure, SameSite=Lax); an ll_csrf double-submit anti-CSRF token cookie; browser localStorage entries holding UI preferences; no third-party advertising cookies; no cross-site retargeting pixels.

3.3 Information from third parties

If you sign in via OAuth (Google), we receive your verified email, name, and Google profile picture — only the minimum scopes required to authenticate. If you connect a bank account via an aggregator API, we receive transaction lines (date, amount, narration, balance) but not your net-banking credentials.

3.4 Information about your customers, vendors, and employees

Important. When you upload data about third parties, you are the Data Fiduciary under the DPDP Act with respect to that data. You represent and warrant that you have obtained any consents required by law to share that data with us and to have us process it on your behalf for the purposes of running your books of account. We process that data only as instructed by you in your use of the Service.

4. How we use your data

We use personal data for the following specified, lawful purposes:

Purpose | Examples | Categories used
Provide the Service | Authenticate logins; render dashboards; create invoices; compute GST/TDS; generate reports; back-up and restore your data. | Account profile, books data, device data.
Compliance & tax | Generate GSTR-1/3B/9, TDS Forms 26Q/24Q, AOC-4, MGT-7 templates; maintain audit trail under Companies Act Rule 3. | Books data, account profile.
Billing & collections | Charge subscription fees; raise GST tax invoices; manage renewals, dunning, refunds. | Billing data, account profile.
Customer support | Reply to tickets; debug your issue; train support staff (with PII redacted). | Communications, account profile, limited books data.
Service improvement | Identify slow pages; prioritise features; A/B test UI; produce aggregated, anonymised analytics. | Usage data, device data.
Security & fraud prevention | Detect brute-force logins; rate-limit abusive IPs; investigate suspicious activity. | Device data, audit logs.
Legal & regulatory | Respond to lawful requests; preserve evidence under court order; meet tax-record retention. | All categories as required.
Marketing (with consent) | Send product-update emails; invite to webinars. You can unsubscribe at any time. | Email, name, plan tier.

We do not engage in automated decision-making that produces legal or similarly significant effects about you without human review.

5. Legal basis for processing

Under the DPDP Act, we process personal data on one or more of the following lawful bases:

6. When we share data

We do not sell, rent, or trade your personal data. We disclose personal data only in the limited circumstances below:

7. Third-party processors

The current list of sub-processors who may receive personal data on our behalf:

Sub-processor | Purpose | Data shared | Location
MilesWeb (Mumbai data centre, India) | Hosting & storage | All Service data at rest | India (Mumbai)
Razorpay Software Pvt Ltd | Payment processing for our subscription fees | Billing name, email, amount, payment token | India (Bengaluru)
SendGrid (Twilio) / Mailgun | Transactional email delivery | Recipient email, message content | USA (transit), India-located fallback MTA
MSG91 / Gupshup | SMS & WhatsApp Business API notifications | Recipient mobile, message content | India
Cloudflare | CDN, WAF, DDoS protection | HTTP request metadata, IP address | Global edge (India POPs preferred)
Sentry | Application-error monitoring | Stack traces, request URL, user-id hash (no PII) | USA
OpenAI, Anthropic, Google (Gemini) | AI features (opt-in only) — see Section 8 | Only the specific text you submit to AI features after granting consent | USA (text), India where available
Razorpay Route / RazorpayX | Payouts (Partner Panel commissions) | Bank account, IFSC, payee name | India

An up-to-date list is available on request at privacy@lekhabooks.in. We provide reasonable notice of material additions through our changelog and in-product banner.

8. AI features & opt-in consent

LekhaBooks offers optional artificial-intelligence features such as receipt OCR auto-fill, vendor-invoice extraction, narration suggestions, ledger-mapping suggestions, and natural-language reporting. These features call external Large Language Model ("LLM") providers including OpenAI, Anthropic, and Google.

AI processing is OFF by default for every tenant. To enable AI features, a tenant Owner must visit Settings → Privacy & AI and explicitly toggle the flag on. By doing so the Owner represents that the tenant has obtained any consents required from third-party data subjects whose data may be transmitted through AI features.

When AI features are enabled: only the specific text or document content you submit is sent to the LLM provider (your full books are not sent); we instruct LLM providers contractually not to use your inputs to train their general-purpose models (zero-retention mode where available); you may revoke consent at any time from the same setting.

9. Cross-border data transfers

Your primary data store, backups, and all routine processing remain in India, hosted in our hosting provider MilesWeb's Mumbai (India) data centre. Limited transfers outside India may occur for: AI features (opt-in); email delivery routing; error monitoring (Sentry, USA); and Cloudflare edge caching of request metadata. For each cross-border transfer we rely on contractual safeguards equivalent to Standard Contractual Clauses, the destination country not being restricted by the Central Government under Section 16 of the DPDP Act, and minimisation (transferring only what is necessary).

10. Data retention

Category | Retention period | Basis
Active books of account, invoices, vouchers | While account is active + 8 years from end of relevant financial year | Section 36 CGST Act, Section 44AA Income-Tax Act
Tax-invoice records issued to you for our subscription | 8 financial years | Section 36 CGST Act
Account profile, login credentials | While account is active + 90 days for restoration | Contract + grace period
Support tickets, chat transcripts | 3 years from closure | Quality assurance, dispute resolution
Marketing emails & consent records | Until consent withdrawn + 1 year (proof of consent) | DPDP Section 6
Server access logs, security & audit-trail events | 12 months (1 year) | Rule 6(1)(e), DPDP Rules 2025 — detection, investigation & remediation of unauthorised access; security monitoring & incident response
Failed-login / authentication-event logs | 12 months (1 year) | Rule 6(1)(e), DPDP Rules 2025 — brute-force detection & investigation
Transient IP rate-limit counters | 30 days | Operational throttling only (not a breach-detection log)
Daily encrypted backups | 30 days rolling; monthly snapshot 12 months | Disaster recovery
Anonymised product analytics | Indefinite | Product improvement, no re-identification possible

On account closure or your erasure request, we delete data from active systems within 30 days and from backups within 90 days, subject to legal-hold obligations (active tax dispute, court order, regulatory investigation). Where law requires longer retention, only the legally-mandated minimum is kept and access is restricted.

11. Your rights as a Data Principal

Under Sections 11 to 14 of the DPDP Act you have the following rights:

12. How to exercise your rights

The fastest path is to use the in-app tools at Settings:

If you cannot or do not wish to use the in-app tools, write to privacy@lekhabooks.in from the email address registered with your account. We respond within 30 days. There is no fee for the first request in a 12-month period; for repeated or manifestly unfounded requests we may charge a reasonable administrative fee. If we cannot identify you, we may ask for additional verifying information before acting, to prevent unauthorised disclosure.

13. Security & safeguards

We follow reasonable security practices and procedures as required under Section 8(5) of the DPDP Act, Rule 6 of the DPDP Rules 2025, and Rule 8 of the SPDI Rules. Our technical and organisational measures include:

No security regime is perfect. We do not warrant absolute security; we commit to operating in line with industry best practices and to transparent breach disclosure (Section 16).

14. Cookies & similar technologies

We use only the cookies necessary to operate the Service. We do not use third-party advertising cookies, retargeting pixels, or cross-site behavioural tracking. The cookies we set are:

Cookie | Purpose | Duration | Category
ll_sess | Authentication session | 14 days rolling, cleared on logout | Strictly necessary
ll_csrf | Anti-CSRF double-submit token | Session | Strictly necessary
ll_tenant | Last-selected tenant for multi-tenant users | 30 days | Functional
ll_anon_id | Anonymous analytics identifier (no PII) | 180 days | Analytics — optional

Strictly-necessary cookies do not require consent. The optional analytics cookie is set only with your consent and can be disabled at Settings → Privacy & AI.

15. Children & minors

The Service is intended for use by individuals aged 18 years or above acting in connection with a registered business. We do not knowingly collect personal data from children (defined under Section 9 of the DPDP Act as individuals below 18 years). If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete that data as soon as practicable. If you are a parent or guardian and believe your child has provided us personal data, contact privacy@lekhabooks.in.

16. Breach notification

In the event of a personal-data breach, we will, in accordance with Rule 7 of the DPDP Rules 2025: (a) intimate each affected Data Principal without delay, through your user account or registered mode of communication, describing the nature of the breach, its likely consequences, the measures we have taken, and the safety measures you should take; and (b) intimate the Data Protection Board of India without delay of the nature, extent, timing and location of the breach, followed by a detailed report to the Board within 72 hours of becoming aware of the breach, covering the facts, mitigation steps, findings as to the cause, remedial measures, and a report on the intimations sent to Data Principals.

17. Grievance Officer & Data Protection Board

Grievance Officer
Name: Uday Bisht
Designation: Grievance Officer & Data Protection Officer
Email: grievance@lekhabooks.in
Postal: Lekha Logic Consulting Private Limited, Rzd-1/101, Gali No. 5, Mahavir Enclave, Palam Village, New Delhi 110045, India.
Response time: acknowledgement within 24 hours, resolution within 30 days as required by Section 13 of the DPDP Act.

If you remain dissatisfied after the Grievance Officer's response, you may complain to the Data Protection Board of India established under the DPDP Act, in the manner notified by the Board. The Board's contact and complaint-filing portal will be referenced here once published.

18. Changes to this Policy

We may revise this Policy from time to time. The "Effective" and "Last updated" dates at the top will always reflect the current version, and we maintain a public changelog of substantive revisions. For material changes (such as new categories of personal data collected, new sub-processors with cross-border implications, or change of legal basis), we will notify you by email and via in-product banner at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

19. Contact

General & product: support@lekhabooks.in
Privacy questions: privacy@lekhabooks.in
Grievance Officer: grievance@lekhabooks.in
Legal: legal@lekhabooks.in
Postal: Lekha Logic Consulting Private Limited, Rzd-1/101, Gali No. 5, Mahavir Enclave, Palam Village, New Delhi 110045, India.

© 2026 Lekha Logic Consulting Private Limited. All rights reserved. This Policy is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts at New Delhi. "LekhaBooks" is a trademark of Lekha Logic Consulting Private Limited.