Privacy Policy
MyBusinessBook (“the App”, “Service”, “we”, “us”, “our”) is a record-keeping application for lenders and small business owners to manage their own loan books. This Privacy Policy explains, in plain language and with full legal precision, what personal data we handle, why we handle it, who we share it with, how we protect it, how long we keep it, and the rights you can exercise over it.
This Policy applies to the MyBusinessBook mobile application (Android and iOS), the website at mybusinessbook.com, and all related services and communications.
A note on compliance: We have made every effort to ensure this Policy accurately reflects how the App handles data and that the App complies with applicable law — including India’s Digital Personal Data Protection Act 2023 (DPDP Act). Laws change, and our understanding of obligations evolves. If you believe there is an error in this Policy, or that the App may not be compliant with an applicable legal requirement, please contact us immediately at help@mybusinessbook.app or +91 87920 40344. We are committed to investigating such concerns and taking corrective action promptly.
1. Who We Are and Who This Policy Covers
Data Fiduciary (Controller): The operator of MyBusinessBook is the entity responsible for determining why and how personal data is processed. For data about the account holder (lender/shop owner), we are the Data Fiduciary.
Data Processor: For borrower (customer) data that a lender enters into the App, we process that data on the lender’s behalf. Under the DPDP Act 2023, the lender is the Data Fiduciary for their borrowers’ data; we are the Data Processor acting on their instructions.
This Policy applies to two groups:
- Account Holders (Lenders / Shop Owners) — the person who creates an account and uses the App to manage their lending business.
- Borrowers (Customers) — individuals whose details a lender records in the App. If you are a borrower and want your data corrected or removed, please contact the lender who recorded it, or contact us directly at help@mybusinessbook.app.
2. Data We Collect
We collect only what is necessary for the purposes described in this Policy (data minimisation). We do not collect sensitive personal data beyond what is explicitly listed below, and we do not profile individuals for marketing.
2.1 Data Provided Directly by Account Holders
| Category | Specific Data | Purpose |
|---|---|---|
| Identity | Phone number | Account creation, OTP sign-in |
| Business identity | Shop / business name, owner name | Account record, receipts |
| Financial records | Loan terms, disbursement amounts, interest rates, repayment schedules | Core app functionality |
| Borrower identity | Name, phone number, address | Loan record, receipt generation |
| Borrower KYC | KYC document type, identifier number, document details | Identity verification at lender’s discretion |
| Borrower photographs | Photos of pledged items, KYC document images | Collateral and identity documentation |
| Payment records | Payment amounts, dates, outstanding balances, payment method | Financial record keeping |
| Notes and logs | Freetext notes, activity timestamps | Audit trail |
2.2 Data Collected Automatically
| Category | Specific Data | Purpose |
|---|---|---|
| Device identifiers | App instance ID, FCM device token | Push notifications, crash diagnostics |
| Usage events | Screen name, feature interactions (no PII) | Analytics, product improvement |
| Crash data | Device type, OS version, app version, crash stack trace (no PII) | Stability and bug fixing |
| App Check tokens | Cryptographic attestation token | Backend abuse prevention |
What we do NOT collect automatically: We do not send borrower names, phone numbers, KYC identifiers, financial values, customer photos, or Storage download URLs to any analytics or crash-reporting service.
3. Purposes and Legal Bases for Processing
We process personal data only for specified, explicit, and legitimate purposes. For each purpose, we identify the legal basis under the DPDP Act 2023 and general privacy principles:
| Purpose | Legal Basis |
|---|---|
| Creating and authenticating your account | Contractual necessity |
| Providing core loan-record-keeping features | Contractual necessity |
| Maintaining integrity and audit history of financial records | Contractual necessity; Legal obligation |
| Sending account-related push notifications | Consent (you may withdraw via device settings) |
| Diagnosing crashes and improving App stability | Legitimate interest (balanced against your rights) |
| Detecting fraud and preventing unauthorised access | Legitimate interest; Legal obligation |
| Responding to support requests | Contractual necessity; Legitimate interest |
| Complying with applicable law and legal orders | Legal obligation |
We do not use your data or your borrowers’ data for advertising, marketing to third parties, behavioural profiling, or any automated decision-making that produces legal or similarly significant effects.
4. Third-Party Services and Data Sharing
We share data only with the infrastructure providers necessary to operate the Service. We do not sell personal data. We do not share personal data with advertisers or data brokers. Where we share data with third parties, we do so under contractual terms that require them to protect the data appropriately.
4.1 Google Firebase (Google LLC / Google India Pvt. Ltd.)
Firebase is our primary infrastructure platform. The following Firebase services are used:
| Firebase Service | What It Does | Data Shared |
|---|---|---|
| Firebase Authentication | Phone-number OTP sign-in and session management | Phone number, session tokens, UID |
| Cloud Firestore | Primary database for all records | All structured data entered in the App |
| Firebase Cloud Storage | File storage for photos and document images | Photos, KYC images |
| Firebase Analytics | Coarse app-usage statistics | Anonymised event data (screen name, feature interactions) — no PII |
| Firebase Crashlytics | Crash reports and diagnostics | Device metadata, crash stack trace — no PII |
| Firebase App Check | Protects backend from abuse and bots | App attestation tokens |
| Firebase Cloud Messaging (FCM) | Push notifications | Device token, notification payload |
Google’s Privacy Policy: https://policies.google.com/privacy
Google processes data in accordance with its Cloud Data Processing Addendum
and is certified under the EU–US Data Privacy Framework.
4.2 Expo / Expo Application Services (Expo, Inc.)
We use Expo’s build pipeline and over-the-air update service to develop and deliver the App. Expo does not receive access to Firestore records, Storage files, or any borrower data.
Expo’s Privacy Policy: https://expo.dev/privacy
4.3 Apple Inc. (iOS Platform)
If you use the iOS version of the App, Apple’s platform services handle:
- App delivery via the App Store
- Push notification delivery via Apple Push Notification service (APNs)
- In-app purchase processing (if applicable)
Apple receives only the device token required to send notifications. Apple does not receive your Firestore records or borrower data.
Apple’s Privacy Policy: https://www.apple.com/legal/privacy/
4.4 Google LLC (Android Platform)
If you use the Android version of the App, Google Play Services handles:
- App delivery via Google Play Store
- Device integrity attestation (used by Firebase App Check)
Google Play Privacy Policy: https://policies.google.com/privacy
4.5 Disclosure to Authorities
We may disclose personal data to law enforcement, courts, or regulators where required by a valid legal order or applicable law. Where permitted, we will notify the affected account holder before disclosing. We will not disclose more than is legally required.
4.6 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to the same protections described in this Policy. We will notify you of any such transfer.
5. Data Storage, Security, and Integrity
5.1 Where Data Is Stored
All structured data is stored in Google Cloud Firestore and all files in Firebase Cloud Storage, in Google-operated data centres. Data may be stored in servers located outside India; see Section 6 on cross-border transfers.
5.2 Security Measures
We implement the following technical and organisational security measures:
- Encryption in transit: All data is transmitted over TLS (HTTPS/WSS).
- Encryption at rest: Firebase encrypts all data at rest by default.
- Access isolation: Firebase Security Rules enforce strict tenant isolation — one account cannot read or write another account’s data, even if both are authenticated users.
- Storage access control: Photos and documents are stored under paths accessible only to the owning account’s authenticated session.
- Firebase App Check: Only genuine, verified instances of the App can access our backend. Automated or spoofed clients are rejected.
- Least privilege: Administrative access to production data is restricted to authorised personnel only, on a need-to-know basis.
- OTP-based authentication: Sign-in requires a one-time password delivered to the registered phone number; there are no password-based accounts.
5.3 Data Breach Response
In the event of a personal data breach that creates a risk to your rights and freedoms, we will:
- Assess and contain the breach as quickly as possible.
- Notify affected account holders without undue delay.
- Report to the Data Protection Board of India within the timeframe required by the DPDP Act 2023 and any implementing rules.
To report a suspected security incident: Contact us immediately at help@mybusinessbook.app or +91 87920 40344.
No security system is perfect. We cannot guarantee absolute security. If you notice suspicious activity on your account, lock it immediately via the App and contact us.
6. Cross-Border Data Transfers
Google Firebase may store and process data in servers located outside India. Google provides appropriate safeguards for international transfers through its standard data processing terms and its adherence to international data transfer frameworks. We rely on Google’s contractual commitments as the legal mechanism for such transfers.
7. Data Retention and Deletion
7.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| Account and loan records | Retained while the account is active |
| Push notification tokens | Refreshed automatically; deleted on account deletion |
| Analytics event data | Retained per Google Analytics retention settings (max 14 months) |
| Crash reports | Retained per Crashlytics defaults (90 days) |
| Deleted account data | See Section 7.2 below |
7.2 Account Deletion Process
You can request deletion of your account and all associated data at any time via the Delete Account & Data page in the App or on the website.
The deletion process works as follows:
-
Verified deletion request: You submit a deletion request. The App verifies your identity via OTP before processing.
-
Account locked (Day 0): Your account is immediately locked — no new data can be entered, and no one can sign in.
-
Grace period (60 days): During this period, you may cancel the request and restore access. We will send reminder notifications before the grace period ends.
-
Permanent deletion (Day 60+): When the grace period ends, all of the following are permanently and irreversibly deleted:
- All Firestore records (loan, borrower, payment, activity data)
- All Firebase Storage files (photos, KYC document images)
- The Firebase Authentication credential (phone sign-in)
- The FCM device token
-
Residual data: Anonymised, aggregated Analytics data (which cannot be linked back to any individual) may persist beyond this period. Firebase backups may retain a copy for up to 90 additional days before those backups also expire.
8. Your Rights Under the DPDP Act 2023
The Digital Personal Data Protection Act 2023 grants you the following rights. We will respond to verified requests within the timeframe required by law.
| Right | Description | How to Exercise |
|---|---|---|
| Right to Information | Know what personal data we process about you and why | Email help@mybusinessbook.app |
| Right of Access | Obtain a summary of your personal data we hold | Email help@mybusinessbook.app |
| Right to Correction | Correct inaccurate or incomplete personal data | Account holders: edit in-app. Borrowers: contact your lender or us |
| Right to Erasure | Have your personal data deleted | Use Delete Account & Data or email us |
| Right to Grievance Redressal | Have a complaint addressed by our Grievance Officer | See Section 11 |
| Right to Nominate | Nominate a person to exercise rights on your behalf in case of death or incapacity | Email help@mybusinessbook.app |
| Withdrawal of Consent | Withdraw consent for processing based on consent | Contact us; this does not affect prior lawful processing |
Borrowers: If you are a borrower whose data has been recorded by a lender using the App, you should primarily exercise your rights directly with that lender (who is the Data Fiduciary for your data). You may also contact us and we will assist where we are able.
9. Children’s Privacy
The App is intended solely for adults (18+) operating a lending or small business. We do not knowingly collect personal data from individuals under 18. If you believe a minor’s data has been submitted to the App, please contact us immediately at help@mybusinessbook.app and we will delete it without undue delay.
10. Cookies and Web Tracking
Mobile App: The App does not use browser cookies.
Website (mybusinessbook.com): The website may use:
- Essential cookies — required for basic site functionality and security.
- Analytics cookies — Google Analytics, to understand aggregate traffic (anonymised). No personal identifiers are collected through analytics cookies.
You can control and delete cookies through your browser settings. Disabling analytics cookies will not affect your ability to use the website.
11. Grievance Officer and Contact
As required by applicable law, we have designated a Grievance Officer to address privacy concerns and data rights requests.
Grievance Officer / Privacy Contact
MyBusinessBook
- Email: help@mybusinessbook.app
- Phone: +91 87920 40344
- Response commitment: We will acknowledge your grievance within 48 hours and resolve it within 30 days, or such shorter period as required by law.
If you are dissatisfied with our response, you have the right to raise a complaint with the Data Protection Board of India once it is fully constituted under the DPDP Act 2023.
12. Changes to This Policy
We may update this Privacy Policy when our practices change, when law requires it, or when we add new features. When we make material changes, we will:
- Update the “Effective” date at the top of this page.
- Notify active account holders through the App or by other reasonable means.
- Where required by law, seek fresh consent before continuing to process data on a basis that has materially changed.
Previous versions of this Policy remain accessible via the version history below. Your continued use of the App after the effective date of any update constitutes acceptance of the revised Policy, to the extent permitted by law.
Version history
- current Version 1.0 (viewing) effective 17 June 2026