Privacy Policy
HexaLabs ("we", "us", "our") is committed to protecting your privacy. This policy explains what information we collect, how we use it, and the rights you have over your data when you use HexaLabs Books.
1. Information We Collect
We collect the following categories of information:
- Account information — name, email, password (hashed), organisation name, role.
- Business data you create — invoices, customers, vendors, products, expenses, payments, bank accounts, journal entries, and any documents you attach.
- Configuration — your business address, GSTIN, PAN, logo, signature, SMTP credentials (encrypted), payment gateway keys (encrypted).
- Usage data — log of API calls, IP addresses, browser type, timestamps. Stored in our audit log for security and compliance.
- Payment information — handled entirely by Razorpay; we never see or store your card details.
2. How We Use Your Information
- To provide the Service: storing and displaying your invoices, generating PDFs, sending emails on your behalf.
- To process payments and manage subscriptions.
- To send transactional emails (welcome, plan upgrade, password reset, invoice reminders).
- To improve the Service and detect abuse.
- To comply with legal obligations.
We do not sell, rent, or share your personal data with third parties for their marketing purposes. We do not use your business data to train AI models or for analytics beyond what is necessary to operate the Service.
3. Data Storage and Security
- Data is stored in MongoDB Atlas (Mumbai region) with encryption at rest and in transit.
- File attachments are stored in Vercel Blob with org-scoped access paths.
- Passwords are hashed using PBKDF2-SHA512 with 120,000 iterations and a unique salt per account.
- Sessions use signed HTTP-only cookies with `SameSite=Lax`.
- Each tenant's data is isolated by `orgId`; API endpoints enforce ownership on every request.
- Every financial action (invoice / bill / payment / credit note) is recorded in an append-only audit log.
4. Third-Party Services
HexaLabs Books uses the following third-party providers to operate:
- Razorpay — payment processing for subscriptions and customer invoices.
- MongoDB Atlas — database hosting.
- Vercel — application hosting and Blob storage for attachments.
- SMTP provider (Gmail / SendGrid / your configured server) — outbound email delivery.
- Anthropic — powers the in-app support chatbot. Only your typed support questions are sent, not your business data.
5. Cookies
We use essential cookies only — a session cookie to keep you signed in. We do not use advertising or tracking cookies.
6. Your Rights
You have the right to:
- Access — view all data we hold about you via the in-app interface.
- Export — download your data in CSV or JSON format.
- Correct — edit or update your information at any time.
- Delete — request deletion of your account and all associated data.
- Withdraw consent — close your account at any time.
To exercise any of these rights, contact us at the email below.
7. Data Retention
We retain your data for as long as your account is active. After account closure, data is held for 30 days (to handle disputes and accidental deletions) and is then permanently removed from active systems. Backup copies are purged within 90 days.
8. Children's Privacy
The Service is not directed at children under 18. We do not knowingly collect personal data from minors.
9. Changes to This Policy
We may update this Privacy Policy as our practices evolve. We will notify you of material changes via email or in-app notice. The "Last updated" date at the top reflects the most recent revision.
10. Contact
Privacy questions, data requests, or concerns: privacy@hexalabs.online.