PocketSalesPocketSales
← Back to home
Legal

Privacy Policy

Last updated: 28 May 2026

Draft — pending lawyer review before final publication.

PocketSales ("we", "us", "our") is operated from India by the founders of pocketsales.app and provides a field sales and order management SaaS platform to Indian distributors, wholesalers and FMCG businesses.

This policy explains what information we collect when you use our website (pocketsales.app), our web dashboard (my.pocketsales.app) and our mobile apps, and how we handle that information. We comply with the Digital Personal Data Protection Act 2023 ("DPDP"), Google Play Data Safety disclosure requirements, and Apple App Store App Privacy requirements.

1. Information we collect

We collect only the information needed to run the service:

  • Account information — your name, business name, email address, mobile number and (optionally) GSTIN, captured at sign-up or invitation. Required to authenticate you, address you in the app, and issue GST-compliant tax invoices for paid subscriptions.
  • Operational data you enter into the app — clients, products, orders, payments, returns, attendance records, leave requests, beat plans, visit logs, optional visit photos, staff details. This belongs to your business; we hold it only to operate the service.
  • Location data — when a sales rep checks in or out of attendance, or attaches a visit photo, the mobile app captures latitude, longitude and the calculated distance from the configured shop coordinates. Used solely for geofence-based attendance verification and visit-proof. Location is not tracked outside these explicit user actions; we do not run background location collection.
  • Device information — device model, operating system version, app version and a randomised device identifier for crash and performance diagnostics. Push-notification tokens from Apple APN / Firebase FCM for delivering notifications you opt into (leave approved, payment received, daily briefing).
  • Authentication identifiers — if you choose to sign in with Google, we receive your Google account email, name and unique Google ID. We do not access your Gmail, Drive, Contacts or any other Google data.
  • Subscription billing records — payment proofs, invoice receipts, billing history. Retained for the period required by Indian tax law (currently 8 years).

A complete machine-readable inventory of every field we touch is maintained internally and reviewed before any new feature ships.

2. How we use your information

  • To provide, operate and maintain the service.
  • To authenticate you and your team.
  • To verify attendance against the shop's configured geofence radius.
  • To process subscription payments and issue GST-compliant tax invoices.
  • To diagnose crashes, fix bugs and improve performance.
  • To send transactional notifications (e.g. invite links, payment receipts, billing reminders, daily morning briefings, daily evening sales summaries, monthly accounts pack to your Chartered Accountant when configured) over email and WhatsApp.
  • To respond to your support requests.

We do not use your operational data to train AI models. We do not sell, rent, or share your data for advertising, profiling, or marketing by third parties.

3. Third-party processors we use

We share data only with the processors below, each bound by their own data-processing terms. None of these processors uses the data for their own purposes.

  • Supabase — managed Postgres database + authentication + private file storage. Region ap-southeast-1 (Singapore).
  • Railway — backend application hosting (region Mumbai, ap-south-1).
  • Vercel — web frontend hosting and CDN, server functions execute in Mumbai (bom1).
  • Cloudflare — DNS + R2 object storage for our Tally Lite agent binary distribution.
  • Google — only if you choose Google sign-in. Your Google account email is used to identify your PocketSales account. We do not access any other Google data.
  • Resend — transactional email delivery. Subject + recipient + body of automated emails (e.g. invite links, payment receipts, daily briefings, monthly accounts pack to your CA) pass through Resend.
  • Sentry — error and performance monitoring across our backend, web and mobile clients. Crash logs, anonymised device fingerprint, app version and breadcrumb of user actions before the crash are sent to Sentry to help us fix bugs. We do not send personal contact information to Sentry; user IDs sent are random internal account IDs.
  • Apple Push Notification service (APN) and Firebase Cloud Messaging (FCM) — delivery of push notifications to your device. Only the push token and the notification payload (which never contains sensitive operational data) pass through these services.
  • Razorpay or equivalent licensed Indian payment gateway — when subscription payment processing is enabled. PocketSales itself never touches card numbers. Until then, payments are handled via direct UPI / bank transfer with manual reconciliation by the founder.
  • WhatsApp / Meta — when you choose to share an invoice, invite or payment reminder via WhatsApp, the link opens in your own WhatsApp client. We do not relay messages through our servers; Meta's privacy policy applies to that interaction.

We may also disclose data when legally required by an Indian court, government authority, or to comply with the DPDP Act, tax law, or other applicable Indian law.

4. Data retention

For active subscriptions, we keep your data for as long as your account is active. After cancellation:

  • Operational data (orders, clients, products, attendance, visits, returns) is retained for 90 days to allow re-activation, then permanently deleted.
  • Visit photos auto-delete after 90 days regardless of subscription status (storage hygiene + privacy).
  • Sentry crash logs auto-purge after 90 days.
  • Audit log entries are retained for 2 years rolling.
  • Subscription billing records (invoices, payment proofs) are retained for 8 years per Indian tax law.
  • You can request earlier deletion by emailing us — see Section 7.

5. Where your data is stored

Most operational data is stored in our Supabase Postgres instance in Singapore (ap-southeast-1) — the closest Supabase region to Mumbai at present. Backend functions execute on Railway in Mumbai (ap-south-1). When Supabase makes a Hyderabad region generally available we will migrate the database there.

6. Security

  • All data is encrypted in transit (TLS 1.2+).
  • All data is encrypted at rest by our infrastructure providers.
  • Passwords are stored via Supabase Auth using industry-standard hashing (bcrypt) with per-user salts.
  • Database row-level security (RLS) is enforced on every table — even a compromised front-end token cannot read data from another tenant.
  • Production access is restricted to the platform owner and multi-factor-authentication-protected.
  • We commit to notifying you within 72 hours of confirming a data breach that affects your account.

7. Your rights under the DPDP Act

The DPDP Act gives you specific rights as a data principal:

  • Right to access — see what data we hold about you. Available inside the app under Profile + Settings, and via the CSV exports across Clients / Orders / Payments / Attendance.
  • Right to correction — update inaccurate data. Editable inside the app directly.
  • Right to erasure — request deletion of your account. Email pocketsales72@gmail.com and we will action within 30 days subject to Indian tax-law retention obligations on billing records.
  • Right to nominate — designate another person to exercise your rights in case of death or incapacity. Email us to register a nominee.
  • Right to grievance redressal — if our response is unsatisfactory, you may escalate to the Data Protection Board of India under Section 27 of the DPDP Act.
  • Right to withdraw consent — for any non-essential data use. Note that withdrawing consent for essential data uses (authentication, order processing, billing) requires you to cancel your subscription, since those uses are inseparable from the service.

8. Data Protection Officer / Grievance Officer

Until we cross the "Significant Data Fiduciary" threshold under the DPDP Act, the platform founder serves as our Grievance Officer:

  • Email: pocketsales72@gmail.com
  • Response timeline: 4 hours during business hours (Mon–Sat 9am–9pm IST); within 1 working day otherwise.

9. Children

PocketSales is a B2B service intended for users 18 years or older. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a person under 18, contact us immediately and we will delete it.

10. Changes to this policy

When we update this policy, we will change the "Last updated" date at the top and notify active customers by email and an in-app banner. Material changes to data uses are flagged with a 30-day notice before they take effect, giving you time to opt out by cancelling your subscription if you disagree.

11. Contact

For privacy questions, to exercise your rights, or to file a grievance, contact us at pocketsales72@gmail.com or via WhatsApp using the link at the bottom right of every page.