Privacy Policy
Last updated: 16 May 2026
ZipInvo is built by Divergeix. This policy explains what personal data we collect, why we collect it, where it lives, and the choices you have. The short version: we collect only what we need to run the Service, we don't sell or share your data, and your invoice data stays primarily in your own browser.
1. What we collect
When you sign up and use ZipInvo, we collect:
- Account info: email address, name, phone number (mandatory for invoice contact), how you signed in (magic link / password / Google), and the timestamps of your sign-ins.
- Business profile: business name, GSTIN, address, state, signatory name, bank details, UPI ID, brand colours, invoice prefix — the things that appear on your generated documents.
- Credit balance: how many credits each of your businesses has used, when your trial started, what credit packs you purchased.
- Idempotency markers:a hash of each document number you consume a credit for, so we don't double-charge if a request retries.
- Anti-abuse signals: a non-identifying browser fingerprint (a SHA-256 hash of stable browser properties like user-agent, screen size, timezone, language — computed on your device, only the hash leaves it) and a hashed subnet of your IP address (the /24 prefix for IPv4 or /64 for IPv6, HMAC-hashed with a server pepper before storage). Used SOLELY to prevent the free trial from being claimed multiple times from the same device or network. Not used for advertising, tracking, profiling, or building any cross-site profile of you. Legitimate-interest basis under the DPDP Act 2023 (fraud prevention).
What we do NOTcollect on our servers: the contents of your invoices, your line items, your client records, or the PDFs you generate. Those live in your browser's IndexedDB (and your own Google Drive folder if you opt into Cloud Backup).
2. Why we collect it
We use the data above to operate the Service: authenticate you, render the correct business profile on PDFs, enforce credit balances, send transactional emails (magic links, password resets, receipts), and respond to support requests.
We don't use your data for advertising, profiling, or training third-party models. We don't sell or rent your data to anyone.
3. Where it lives
Account and credit data are stored in Microsoft Azure Cosmos DB in the Central Indiaregion (Pune). Your local invoice / PDF data stays in your browser's IndexedDB on your device. If you enable Cloud Backup, an encrypted snapshot is written to a hidden, app-only folder in your own Google Drive — we do not have access to it, and neither does any other ZipInvo user.
Transactional emails (magic links, reset links, purchase receipts) are sent via Azure Communication Services from the verified domain zipinvo.com.
4. Cookies and local storage
We use one HTTP-only session cookie (named zipinvo_session) to keep you signed in for 7 days after a successful sign-in. It contains nothing more than an opaque session token tied to your account on our servers. We don't use any third-party analytics, ad trackers, or social cookies.
We use your browser's localStorage to keep per-business document counters, the currently-active business ID, and (within a session) the form draft state so refreshing doesn't blow away your in-progress invoice. None of that leaves your device.
5. Sharing with third parties
We share data with the following service providers only:
- Microsoft Azure— hosts our application and stores account / credit data. Bound by Microsoft's data processing agreements.
- Azure Communication Services — sends transactional emails on our behalf (magic links, receipts).
- Razorpay — processes credit-pack purchases. We share the amount and your email; Razorpay handles all card / UPI / netbanking data directly, we never see it.
- Google— only if you opt into Cloud Backup, in which case we use Google's Drive API to write a single snapshot file to your app-only folder. We do not see anything else in your Drive.
We will disclose information if required by Indian law, subpoena, or other legal process — and only the specific information requested.
6. Your rights
You can, at any time:
- Export all your invoice / business data from the Manage Businesses screen (JSON download).
- Edit your account email, name, phone, and business details from the app.
- Delete your account entirely by emailing support.divergeix@gmail.com. We'll remove server-side data within 30 days. Your locally stored data stays on your device until you clear your browser's storage.
- Withdraw consent for cloud backup at any time from the Cloud Backup screen — we revoke the Drive token and stop writing snapshots immediately.
7. Data retention
Account data is kept for as long as your account is active. When you delete your account, server-side data is removed within 30 days. Backup snapshots (in your own Drive) are yours — we don't touch them when you delete the account.
Anonymised aggregate metrics (e.g., total documents generated, total credits sold) may be retained indefinitely for product analytics, but never tied back to individual users.
8. Security
Passwords are hashed with scrypt before storage — even our own engineers cannot read your password. Sign-in cookies are HTTP-only and HTTPS-only. All traffic between your browser and our servers is encrypted in transit (TLS 1.2+). Database access on our side is restricted to a small set of named administrators.
No system is perfectly secure. If you discover a security issue, please report it to support.divergeix@gmail.com — we'll respond within 72 hours.
9. Children's privacy
ZipInvo is intended for adults running a business. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, please email us and we'll delete the account.
10. International transfers
Your data is primarily processed in India (Azure Central India). If you sign in from outside India, your browser traffic still terminates at an Indian region. Some Azure platform features may transit through Azure's global edge infrastructure for performance — this is governed by Microsoft's data processing terms.
11. Changes to this policy
We may update this Privacy Policy from time to time. The current version always lives at this URL. The “Last updated” date at the top reflects the most recent change. If a change materially affects your rights or how we process your data, we'll email you in advance.
12. Contact
Questions or data requests? Email support.divergeix@gmail.com. Our postal address is Divergeix, IRC Village, Bhubaneswar, Odisha, India.