Last updated: 5 July 2026
Riffit ("we," "our," or "us") operates the website riffit.in, the Riffit web dashboard at app.riffit.in, and the Riffit WhatsApp bot (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data. Our practices are designed to align with the Digital Personal Data Protection Act, 2023 (DPDP Act) and comply with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "SPDI Rules").
We collect information that you provide directly when using Riffit:
Account Information: Your phone number (via WhatsApp), business name, email address, PAN number, and GST number (if applicable). This is required to create professional invoices with your business details.
Invoice and Client Data: Client names, email addresses, phone numbers, invoice amounts, line-item descriptions, payment terms, and payment status. This data is provided by you and is necessary to generate and deliver invoices as you request.
Usage Data: WhatsApp interactions with our bot, dashboard activity, feature usage, device and browser information, and — as described in Section 6 — analytics and session-recording data. We use this to operate, fix, and improve the Service.
Payment Information: Subscription payments are processed by Razorpay. We do not store your card or bank-account details.
Sensitive information: Your PAN, GST, and payment-related details are treated as Sensitive Personal Data or Information under the SPDI Rules. We collect them only with your consent, only to generate compliant invoices and operate your account, and we apply reasonable security practices to protect them.
We use your information for two kinds of purpose. First, to provide the Service — creating invoices, sending them to your clients, tracking payments, sending reminders, managing your account and subscription, and complying with legal and tax obligations. This processing is necessary to deliver the Service you signed up for. Second, to improve the Service — understanding usage patterns and diagnosing issues through analytics and session recording (see Section 6). You can opt out of this second, optional purpose without losing access to the core Service.
We share invoice details with your clients when you send an invoice — this includes your business name, contact information, and invoice contents. We use the following third-party processors to operate the Service, each accessing only the data needed for its function:
We may disclose information if required by law, regulation, or legal process. We do not sell your personal data.
Your data is stored on servers provided by Supabase and Vercel, and analytics/session-recording data is processed by PostHog in the United States — so some of your data is processed outside India. Where we transfer data abroad, we do so under our contractual terms with these providers and only for the purposes described in this policy.
We apply reasonable security practices to protect your data, including encryption in transit (HTTPS/TLS), secure authentication (JWT tokens), access controls, and limiting who can access sensitive data. No method of transmission or storage is completely secure.
Data breach: in the event of a personal data breach, we will take remedial steps and notify the affected users and the relevant authorities (including the Data Protection Board of India and CERT-In) in accordance with applicable law.
We use PostHog (hosted in the United States) for product analytics and session recording, to understand how the Service is used and to fix problems and improve it.
Session recording captures a reconstruction of your interactions with our web dashboard — clicks, navigation, and page structure — so we can diagnose issues. We configure it to mask all input fields and all on-screen text, so sensitive values such as your PAN, GST number, bank and UPI details, invoice amounts, and client contact details are not captured in the recording. We do not run analytics or session recording on the login / OTP screen, on authentication pages, or on the public invoice pages that your clients view.
PostHog uses your browser's local storage (not advertising cookies) to recognise a browser within and across sessions. We do not use analytics for advertising. You can opt out at any time by enabling "Do Not Track" in your browser (which we honour) or by writing to our Grievance Officer (Section 11). Analytics and session-recording data are retained for a limited period (see Section 9).
Our web dashboard uses essential cookies and local storage for authentication and to keep you signed in. We also use local storage for the analytics described in Section 6. We do not use cookies or local storage for advertising.
Under the DPDP Act, 2023, you have the right to access the personal data we hold about you, correct inaccurate data, request deletion of your data (subject to legal retention requirements), withdraw consent for processing, and nominate another person to exercise your rights on your behalf. You can also opt out of analytics and session recording as described in Section 6.
To exercise any of these rights, or to withdraw consent, contact our Grievance Officer (Section 11). Withdrawing consent is as easy as giving it; where you withdraw consent, we will stop the relevant processing within a reasonable time, though this may limit some features.
We retain your account and invoice data for as long as your account is active. Invoice and tax-relevant records may be retained for up to eight years as required under Indian tax law. Analytics and session-recording data are retained for a limited window (currently up to 30 days) and then deleted. When you request account deletion, we erase your personal data (including analytics and session-recording identifiers) within a reasonable period, except records we are required by law to keep. You may request deletion at any time via our Grievance Officer.
Riffit is designed for business use by adults and you must be at least 18 years old to use it. We do not knowingly collect data from, or carry out behavioural monitoring (including session recording) of, any person we know to be under 18. We rely on your representation at sign-up that you are 18 or older. If we become aware that we have collected a minor's data, we will delete it.
In line with the DPDP Act, 2023 and the SPDI Rules, 2011, you can contact our Grievance Officer with any question, complaint, or request about your personal data:
Aaqil Jamal, Founder & Grievance Officer, Riffit
Email: grievance@riffit.in
Bengaluru, Karnataka, India
We aim to acknowledge grievances within 48 hours and resolve them within 30 days. If you are not satisfied with our response, you may escalate to the Data Protection Board of India once it is operational.
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date, and, where appropriate, through the Service. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
For general questions about this Privacy Policy or our data practices, contact us at: support@riffit.in. For data-rights requests and grievances, please use the Grievance Officer contact in Section 11.
Riffit — Bengaluru, Karnataka, India