Privacy Policy

Effective Date: 1 March 2026 | Last Updated: 1 March 2026

1. Who We Are

This Privacy Policy is published by OTD Business Solutions LLP ("we", "us", "our", "Company"), a limited liability partnership registered in India, acting as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act").

We operate two products under separate brands:

BahiFlow (bahiflow.in) — automated B2B collections via WhatsApp for SMBs.
CAflow (caflow.in) — AI-powered GST extraction, filing, reconciliation, and practice management for Chartered Accountants.

Both products share a common backend infrastructure and are governed by this single Privacy Policy.

Registered Address: #1974B, 15th Cross, 24th Main, Sector-1, HSR Layout, Bengaluru, Bengaluru-560102

Contact: contact@bahiflow.in (BahiFlow) | contact@caflow.in (CAflow)

2. Data We Collect

2.1 Data You Provide Directly

Category	Examples	Purpose
Identity data	Name, business name, phone number, email address	Account creation, communication
Business identifiers	GSTIN, PAN	GST filing, compliance, identity verification
Financial data	UPI VPA, invoice amounts, payment references	Payment processing, collections

2.2 Data Processed on Your Behalf (Customer Data)

Category	Examples	Product
Customer contact details	Customer name, phone number, email	BahiFlow
Invoice & payment data	Invoice amounts, due dates, payment history, recovery fees	BahiFlow
GST records	Extracted invoice data (supplier/buyer names, amounts, HSN codes, GSTINs), GST returns, reconciliation results, filing records	CAflow
Documents	Invoice PDFs, bank statements, Tally exports, compliance documents	Both

2.3 Data Generated Through Use

Category	Examples
Communication logs	WhatsApp messages sent/received, delivery status, timestamps
Consent records	Consent timestamps, method (explicit YES / implicit engagement)
AI-generated data	Extracted invoice fields, confidence scores, classification labels (CAflow only)

2.4 Technical Data

We use session cookies only for the admin panel (Django session management). We do not use tracking cookies, advertising cookies, analytics pixels, or any third-party trackers on our platform.

3. Purpose of Processing

BahiFlow

Sending automated payment reminders via WhatsApp on behalf of your business
Tracking invoice and payment status
Generating billing invoices for our platform subscription
Providing payment links (Razorpay) and UPI deep links
Sending daily summaries, morning reports, and recovery analytics

CAflow

AI extraction of invoice data from PDFs, images, and Excel files using Google Gemini
Preparing and filing GST returns (GSTR-1, GSTR-3B) via GSP API
Reconciliation of purchase records against GSTR-2B portal data
Filing deadline reminders and status reporting via WhatsApp
Bank statement extraction and categorization

Both Products

Account management and user authentication
Customer support via WhatsApp
Compliance with applicable laws (Companies Act, GST Act, Income Tax Act)
Security monitoring and fraud prevention

4. Legal Basis for Processing

Basis	Application
Consent (DPDP Act s6)	We obtain consent via WhatsApp keyword ("YES" to confirm, "STOP" to withdraw). Your first message interaction constitutes implicit consent for the purpose of that interaction.
Contract performance	Processing necessary to deliver the services you have subscribed to (reminders, GST filing, reconciliation).
Legal obligation	Retention of financial records per Companies Act 2013 s128 (7 years), GST Act s36 (6 years), Income Tax Act s149 (7 years).

5. Third-Party Data Sharing

We share data only with the following third parties, strictly for the purposes described:

Third Party	Data Shared	Purpose	Location
Meta / WhatsApp Business API	Phone numbers, message content	Sending and receiving WhatsApp messages	Global (Meta infrastructure)
Amazon Web Services (S3)	Uploaded documents (PDFs, images, Excel files)	Secure file storage	ap-south-1 (Mumbai, India)
Google Gemini API	Invoice PDFs/images for AI extraction (CAflow only)	Data extraction and classification	Google Cloud (may be outside India — see Section 10)
Razorpay	Billing invoice amounts, business name (BahiFlow only)	Payment link generation and processing	India
Brevo (Sendinblue)	Email address	Password reset emails only	EU/India
GSP API Provider	GSTIN, GST return data (CAflow only)	GST filing with government portal	India

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

6. Data Retention

Data Type	Retention Period	Legal Basis
Financial records (invoices, payments, recovery fees)	7 years from creation	Companies Act 2013 s128
GST filing records, returns, reconciliation results, extracted data	6 years from due date of annual return	GST Act s36
Communication logs (WhatsApp messages)	Duration of business relationship + 1 year	Purpose limitation (DPDP Act)
Contact personal data (name, phone, email)	Duration of business relationship + 1 year	Purpose limitation (DPDP Act)
Uploaded documents	6 years (GST-related) or duration of relationship + 1 year (others)	GST Act s36 / DPDP Act
Session cookies	24 hours (session-based)	Technical necessity

After the applicable retention period expires, data is either permanently deleted or anonymized (personal identifiers removed while retaining financial records for legal compliance).

7. Your Rights Under the DPDP Act

As a Data Principal under the DPDP Act 2023, you have the following rights:

Right	Description	How to Exercise
Right to Access	Request a summary of your personal data we process and the processing activities	Email the Grievance Officer
Right to Correction	Request correction of inaccurate or incomplete personal data	Email the Grievance Officer or reply via WhatsApp
Right to Erasure	Request deletion of your personal data, subject to legal retention requirements	Email the Grievance Officer
Right to Withdraw Consent	Withdraw consent at any time; processing before withdrawal remains valid	Reply STOP on WhatsApp or email the Grievance Officer
Right to Nominate	Nominate another person to exercise your rights in case of death or incapacity	Email the Grievance Officer

Important: Financial records (invoices, payments) and GST filing records are legally exempt from erasure during the mandatory retention period (7 years for financial data, 6 years for GST data per GST Act s36). In such cases, we will anonymize your personal identifiers (name, phone, email) while retaining the financial/filing records as required by law.

8. Security Measures

We implement the following technical and organizational measures to protect your data:

Encryption in transit: All connections use HTTPS with HSTS (HTTP Strict Transport Security) enabled for 1 year, including subdomains and preload.
Webhook verification: All incoming WhatsApp webhooks are verified using HMAC-SHA256 signature validation.
PII masking: All application logs mask personal identifiable information — only the last 4 digits of phone numbers appear in logs.
Session security: Admin sessions expire after 24 hours of inactivity, with secure and HTTP-only cookie flags in production.
Encrypted storage: Document files stored on AWS S3 use server-side encryption (SSE-S3).
Idempotency checks: Duplicate webhook messages are detected and rejected to prevent data corruption.
Rate limiting: API endpoints are rate-limited to prevent abuse (webhook: 200/min, payment: 30/min).
Access control: Role-based access control (RBAC) ensures users only access data belonging to their organization.

9. Cookies

We use session cookies only for the Django admin panel. These cookies:

Are strictly necessary for admin authentication
Expire when the browser is closed or after 24 hours of inactivity
Are marked as Secure and HTTP-only in production
Do not track users across websites

We do not use any advertising, analytics, or third-party tracking cookies. No cookie consent banner is required as we only use strictly necessary session cookies.

10. Cross-Border Data Transfers

Disclosure: The following data transfers may involve processing outside India:

Service	Data Transferred	Destination
Google Gemini API (CAflow only)	Invoice PDFs/images containing supplier/buyer names, addresses, amounts, GSTINs	Google Cloud servers (location determined by Google; may be outside India)
Meta / WhatsApp Business API	Phone numbers, message content	Meta global infrastructure
Brevo (email)	Email addresses for password resets	EU-based servers

All other data (AWS S3 storage, database, GSP API) is processed within India. If the Government of India notifies specific categories of data requiring mandatory localization under the DPDP Act, we will take steps to ensure compliance, including evaluating India-region alternatives for AI processing.

11. Children's Data

Our services are designed exclusively for business use — specifically for SMBs (BahiFlow) and Chartered Accountants (CAflow). We do not knowingly collect or process personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact our Grievance Officer immediately.

12. Data Breach Notification

In the event of a personal data breach, we commit to:

Notifying the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by the DPDP Act.
Notifying affected Data Principals (you) within 72 hours via WhatsApp and/or email, describing the nature of the breach and the steps being taken.
Documenting the breach, its effects, and the remedial actions taken.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

We will provide at least 30 days' advance notice via WhatsApp message and/or email to registered account holders.
The updated policy will be published at this URL with a new "Last Updated" date.
Continued use of our services after the notice period constitutes acceptance of the updated policy.

14. Grievance Officer

In accordance with the DPDP Act 2023, we have appointed a Grievance Officer to address your concerns regarding data processing:

Name: Sanjay Chaturvedi

Email: contact@bahiflow.in (BahiFlow) | contact@caflow.in (CAflow)

Address: #1974B, 15th Cross, 24th Main, Sector-1, HSR Layout, Bengaluru, Bengaluru-560102

Response time: We will acknowledge your request within 48 hours and provide a substantive response within 30 days.

15. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of India, including but not limited to:

Digital Personal Data Protection Act, 2023 (DPDP Act)
Information Technology Act, 2000 and IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Indian Contract Act, 1872

Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka, India.