Privacy Policy
Last updated: 11 July 2026
This Privacy Policy explains how DevCults Technologies Pvt Ltd(“we”, “us”, or “BilKit”) collects, uses, shares, and protects personal data when you use BilKit, our GST-compliant invoicing service (the “Service”). We act as a data fiduciary under India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”) for the account data you provide, and as a data processor for the invoicing and customer data you enter into the Service.
1. Who we are
BilKit is operated by DevCults Technologies Pvt Ltd, a company incorporated in India. For any privacy questions or to exercise your rights, contact us at connect@thedevscult.com.
2. Data we collect
- Account & identity data — your name, email address, and authentication identifiers, managed through our identity provider (AWS Cognito) when you sign up and sign in.
- Organization & billing profile — company name, legal name, GSTIN, address, and place of supply that you enter to issue compliant invoices.
- Invoicing & customer data — clients, services, invoices, projects, and tax details that you create in the Service. This data belongs to you; we process it on your behalf.
- Subscription & payment data — your plan and billing status. Card details are collected and processed directly by our payment processor (Razorpay); we do not store your full card number.
- Reliability & support data — error and crash diagnostics, feature-flag state, and support identity, via PostHog. We treat these as essential (legitimate interest) so we can keep the Service secure and reliable and help you — they run even if you decline analytics, and we keep error reports minimal and free of personal data where we can.
- Usage & device data — pages visited, features used, approximate device/browser information, and session replay of on-screen activity, via PostHog, to improve the product. Session replay masks all text and inputs, so it never captures your invoice data or anything you type. These are optional — you can decline analytics and session replay at any time; see our Cookie Policy.
3. What we store in your browser
To keep you signed in and remember your preferences, the Service stores a small amount of data in your browser:
| What | Where | Purpose |
|---|---|---|
| Access token & email | localStorage | Keep you signed in and refresh your session (essential) |
| Active organization | localStorage | Remember which organization you are working in (essential) |
| Refresh token | HttpOnly cookie | Securely renew your session (essential) |
| Interface preferences | Cookie | Remember UI settings such as the sidebar state (essential) |
| Analytics & consent | Cookies / localStorage | Product analytics and your cookie choice (optional) |
4. How we use your data
- To provide, operate, and secure the Service.
- To generate GST-compliant invoices and tax documents you request.
- To process subscriptions, trials, and payments.
- To provide support and respond to your requests.
- To understand usage and improve features (analytics).
- To comply with legal, tax, and accounting obligations.
5. Legal bases
We process your personal data on the basis of your consent, the performance of our contract with you (our Terms), our legitimate business interests in operating and improving the Service, and compliance with applicable law.
6. Sharing & third-party processors
We do not sell your personal data. We share data only with service providers who process it on our behalf under appropriate safeguards:
- Amazon Web Services (AWS) — authentication and hosting.
- Razorpay — subscription and payment processing.
- PostHog — product analytics and error diagnostics.
7. International transfers
Some of our processors (including PostHog and AWS) may store or process data on servers located outside India, including in the United States. Where this occurs, we take steps to ensure your data receives an adequate level of protection consistent with the DPDP Act and applicable law.
8. Data retention
We retain your account and invoicing data for as long as your account is active and as required to meet legal, tax, and accounting obligations. You may request deletion of your account, subject to records we are required to keep by law.
9. Your rights
Under the DPDP Act, you have the right to:
- Access and obtain a summary of your personal data.
- Correct, complete, or update inaccurate data.
- Request erasure of your personal data.
- Withdraw consent (including for analytics cookies) at any time.
- Nominate another person to exercise your rights in specified cases.
- Raise a grievance with us.
To exercise any of these rights, email connect@thedevscult.com. We will respond within the timelines required by applicable law.
10. Security
We use reasonable technical and organizational measures — including encrypted transport, scoped access tokens, and access controls — to protect your data. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
11. Children
The Service is intended for businesses and is not directed to individuals under 18. We do not knowingly collect personal data from children.
12. Grievance officer
If you have any concern about how your data is handled, contact our grievance contact at connect@thedevscult.com and we will work to resolve it.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date above and, where appropriate, by notifying you within the Service.
