Your data is yours.

Last updated: 17 May 2026

1. Introduction & Scope

This Privacy Policy explains how Rslip ("Rslip", "we", "us", "our") collects, uses, stores, discloses, and protects information about you when you use our website at rslip.com and the Rslip web application (collectively, the "Service"). By creating an account or using the Service, you consent to the practices described in this Policy.

This Policy is published in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 ("DPDP Act"). It applies to all users (Data Principals) located in India and elsewhere.

2. Data Fiduciary

For the purposes of the DPDP Act, the Data Fiduciary is the operator of Rslip. Contact details for privacy and grievance matters are listed in Section 13 below.

3. Information We Collect

3.1 Information you provide directly:

• Account information — full name, email address, mobile number, state, and (optionally) GSTIN, supplied at signup.
• Business profile — company name, brand name, address, PAN, bank details, signatory name, UPI ID, logo and signature images, and other configuration entered during onboarding or in the Company Profile.
• Business records — all invoices, proforma invoices, quotations, purchase orders, credit notes, purchase invoices, payments in/out, expenses, clients, manufacturers, products, leads, follow-ups and counters that you create within the Service.
• Communications — content of any messages you send us by email, contact form, or other channels.

3.2 Information we collect automatically:

• Authentication metadata — IP address, browser user-agent, login timestamps, and session tokens, processed by our authentication provider (Supabase Auth) to keep your account secure.
• Technical logs — short-lived diagnostic logs (request paths, error codes, timestamps) used to operate the Service. These logs do not contain the contents of your business records.
• Aggregated analytics — privacy-friendly, cookie-less analytics (such as Plausible Analytics) that track page views in aggregate. No personal identifiers are collected.

3.3 Information we do not collect: We do not collect Aadhaar numbers, government IDs, biometric data, location data beyond IP-derived country/state, or financial account numbers for payment processing (the Service is currently free; no payment data is taken).

4. Purpose & Legal Basis

We process your personal data for the following specific, lawful purposes:

• To provide the Service — creating and operating your account, storing and rendering your business records, generating invoices, PDFs and reports.
• To secure the Service — preventing fraud, abuse, unauthorised access, and bot signups; investigating security incidents.
• To communicate with you — sending transactional emails (account verification, password reset, security alerts) and, where you have opted in, product updates.
• To comply with law — responding to lawful requests from Indian authorities, regulators and courts.

Our legal basis under the DPDP Act is your consent (collected at signup via an explicit, opt-in checkbox), and where applicable, the legitimate purposes of providing the Service that you have requested and complying with legal obligations.

5. Consent

By ticking the "I agree to the Terms and Privacy Policy" checkbox at signup, you provide your free, specific, informed, unconditional, unambiguous consent to the processing described in this Policy. We record the date and time of your consent against your profile.

You may withdraw your consent at any time by emailing grievance@rslip.com. Withdrawal of consent will result in deletion of your account and data as described in Section 8, and will not affect the lawfulness of processing carried out before withdrawal.

6. How We Store & Protect Your Data

Your data is stored in a PostgreSQL database operated by Supabase Inc. in the Mumbai (Asia South 1) region of Amazon Web Services. We implement the following safeguards:

• Encryption in transit — all traffic between your browser and our infrastructure uses TLS 1.2 or higher.
• Encryption at rest — database storage and backups are encrypted at the disk level by the cloud provider.
• Row-Level Security (RLS) — every database query is rewritten to scope to your tenant identifier. No other user or business can read, modify, or delete your data.
• Authentication hardening — passwords are hashed using industry-standard algorithms; we never store or transmit passwords in plain text.
• Access controls — administrative access to production systems is restricted to authorised personnel and is logged.

No method of transmission or storage is 100% secure. While we use commercially reasonable safeguards, we cannot guarantee absolute security and you use the Service at your own risk.

7. Sharing & Disclosure

We do not sell, rent, trade, or share your personal data with third parties for advertising or marketing purposes. We share data only:

• With service providers (Data Processors) who operate infrastructure on our behalf, under contractual confidentiality obligations. Current providers include Supabase (database & auth, Mumbai region), Cloudflare (hosting, DNS, email routing), and Sentry (error monitoring, EU region — Germany). When enabled in the future, this list may also include Resend (transactional email). All providers are bound by data-processing agreements that prohibit secondary use of your data.
• To comply with law — when required by a valid court order, subpoena, regulatory request, or to protect our rights, property or safety, or that of our users or the public.
• In a business transfer — if Rslip is acquired or merged, your data may be transferred to the successor entity, subject to this Policy.

8. Data Retention & Deletion

We retain your personal data only as long as necessary to provide the Service and fulfil the purposes set out in this Policy:

• While your account is active — your data is retained indefinitely so the Service can function.
• On account deletion request — all your business records, profile data, and authentication records are permanently deleted from our active systems within 30 days of receipt of a verified erasure request. Encrypted backups containing your data are overwritten within 90 days.
• Abandoned signups — if you create an account but never complete onboarding, your account and its associated tenant record may be automatically deleted after 7 days of inactivity.
• Legal holds — where we are required by law to retain certain records (for example, tax invoice records under Indian tax law), we will retain only the minimum data required for the minimum period required, and otherwise delete on schedule.

9. Your Rights as a Data Principal

Subject to the DPDP Act, you have the following rights:

• Right to access — request a summary of the personal data we hold about you.
• Right to correction — request that inaccurate or incomplete data be corrected. Most fields can be updated directly inside the app.
• Right to data portability — export all your business data at any time using the in-app Backup feature, which produces a JSON file containing every record in your account. On written request, we will also provide a raw machine-readable copy within 7 business days.
• Right to erasure — request deletion of your account and all associated personal data. Email grievance@rslip.com with the subject "Data Erasure Request". We will verify your identity and complete deletion within 30 days.
• Right to withdraw consent — see Section 5.
• Right to grievance redressal — see Section 13.
• Right to nominate — you may nominate another individual to exercise these rights in the event of your death or incapacity, by emailing the Grievance Officer.

10. Cookies & Local Storage

Rslip uses only strictly necessary local storage for authentication session management (a session token and a "remember email" preference). We do not set advertising cookies, third-party tracking cookies, or cross-site tracking pixels.

11. Children

The Service is intended for use by Indian businesses and is not directed at children under 18. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided personal data to us, please contact the Grievance Officer and we will delete it.

12. Cross-Border Transfers

Your primary business data is stored in India (Mumbai region). Limited diagnostic data — specifically, JavaScript error reports captured to help us fix bugs — is processed by Sentry in the European Union (Germany), which provides equivalent or stronger data-protection standards than India. Other service providers (such as our hosting CDN and email routing) operate globally and may process technical metadata outside India. Where transfers occur, they are subject to standard contractual protections.

13. Grievance Officer & Contact

In accordance with Section 13 of the DPDP Act, 2023 and Rule 5(9) of the IT Rules, 2011, a Grievance Officer has been designated to address your concerns:

Grievance Officer — Rslip
Email: grievance@rslip.com
Response time: within 7 business days of receipt

You may also contact us for general privacy questions or support enquiries at support@rslip.com.

If your concern is not satisfactorily resolved, you may approach the Data Protection Board of India once it is operational, or any other competent authority under Indian law.

14. Data Breach Notification

In the event of a confirmed personal data breach that is likely to affect you, we will notify you and the Data Protection Board of India in accordance with the DPDP Act and applicable rules, in any event within 72 hours of confirmation where practicable. Notice will describe the nature of the breach, the data affected, the measures taken or proposed, and steps you can take to protect yourself.

15. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice at least 7 days before they take effect. The "Last updated" date at the top of this page reflects the most recent version. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16. Limitation of Liability

To the maximum extent permitted by law, our aggregate liability arising out of or relating to this Privacy Policy or any processing of your personal data is limited as set out in our Terms of Service. Nothing in this Policy excludes or limits liability that cannot be excluded under applicable law.

17. Governing Law

This Privacy Policy is governed by the laws of India. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts at New Delhi, India.