In plain language: your business data stays on your device. We never read your SMS, sell your data, or share it with advertisers. Cloud sync is optional and off by default.
1. Introduction
Hisab Expert (“we”, “us”, “our”) is a business accounting and bookkeeping application designed for small businesses, shopkeepers, and traders across India. We are committed to protecting your privacy and handling your personal data responsibly, transparently, and in accordance with applicable laws - including India's Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and applicable principles of the General Data Protection Regulation (GDPR) where relevant.
This Privacy Policy explains what information we collect, why we collect it, how we store and protect it, which third-party services we use, and what rights you have over your data. It applies to the Hisab Expert Android application, our website at hisabexpert.com, and any related services we provide.
Agreement to This Policy
By downloading, installing, or using Hisab Expert, you confirm that you have read and understood this Privacy Policy and agree to its terms. If you disagree with any part of this policy, please uninstall the application and do not use the Service.
2. Who We Are (Data Controller)
For the purposes of applicable data protection laws, the data controller responsible for your personal data is:
Hisab Expert
- Privacy Inquiries: privacy@hisabexpert.com
- General Support: support@hisabexpert.com
- Legal: legal@hisabexpert.com
- Phone: +91 6303537033
- Jurisdiction: Hyderabad, Telangana, India
- Response Time: Within 24–48 business hours
3. Information We Collect
We collect only the minimum data necessary to deliver the features of Hisab Expert. We never collect data silently - every category below is directly tied to a feature you actively use.
3.1 Personal Information You Provide Directly
| Data | Purpose | Required? |
|---|---|---|
| Mobile phone number | Account creation and OTP-based identity verification | Yes |
| Your name | Personalise your account and appear on invoices | Yes |
| Business / shop name | Display on invoices and reports | Yes |
| Language preference | Localise the app in your chosen language (10 supported) | Yes |
| Business category | Customise default categories (Kirana, Medical, Hardware, etc.) | Yes |
| Shop address | Printed on invoice headers | Optional |
| GST number | Displayed on invoices for compliance | Optional |
| Shop logo image | Displayed on generated invoice PDFs | Optional |
| Signature / stamp image | Displayed at the bottom of generated invoices | Optional |
3.2 Business Data You Create
All business records you create in the app belong entirely to you. This data is stored only on your device by default, encrypted with AES-256. It never leaves your device unless you explicitly enable cloud sync in Settings.
- Transaction records - income, expenses, amounts, categories, dates, notes, payment method
- Inventory data - product names, prices, stock quantities, units, minimum stock alert thresholds
- Customer records - customer names, phone numbers, credit balances, payment history
- Ledger - customer subscriptions, daily delivery records, payment receipts
- Invoice history - PDF invoices generated within the app
3.3 Data Collected Through Specific App Features
Voice Entry (Optional)
When you use the voice transaction feature, audio captured by your microphone is sent to Google's Speech Recognition service for real-time transcription. The transcribed text is saved as a transaction. Audio is processed in real time and is not stored permanently by us after processing. This feature is entirely optional.
OCR Ledger Scanning (Optional)
When you photograph a handwritten ledger, the image is transmitted securely to our backend and then processed via Microsoft Azure Computer Vision or OCR.space. The image is deleted immediately after text extraction. Images are never retained, shared, or used for any other purpose.
UPI Notification Reading (Optional)
If you enable UPI auto-detection, the app reads notifications from a whitelist of nine UPI payment apps. We extract only the payment amount, direction (received / paid), and sender or recipient name if present in the notification text. We do not read SMS, personal messages, emails, or notifications from any other application. This feature is off by default.
Crash & Error Reports (Optional)
If Sentry crash reporting is active, anonymised crash reports are collected when the app encounters an unexpected error. Reports include device model, OS version, app version, and the error stack trace. No personally identifiable information or business data is included in crash reports.
3.4 Automatically Collected Technical Data
- Device model and Android OS version (for compatibility diagnostics)
- App version (for update and bug tracking)
- Anonymised feature usage statistics - which screens are visited (does not include transaction amounts, customer names, or any business data)
What We Never Collect
- SMS or text messages
- Phone call history or contacts
- Precise or approximate GPS location
- Photos or media beyond what you initiate for OCR scanning
- Banking credentials, card numbers, or account balances
- Any data from apps other than the 9 whitelisted UPI apps (when UPI detection is enabled)
4. How We Use Your Information
We use the information we collect for the following purposes. Under data protection law, we must have a legal basis for each processing activity:
| Purpose | Legal Basis |
|---|---|
| ✓ Providing core bookkeeping, inventory, and reporting features | Performance of contract (service delivery) |
| ✓ Verifying your identity via OTP at login | Legitimate interest (account security) |
| ✓ Processing voice commands to create transactions | Consent (you enable the voice feature) |
| ✓ Extracting text from ledger photos via OCR | Consent (you initiate each scan) |
| ✓ Auto-detecting UPI payments from notifications | Consent (you explicitly enable UPI detection) |
| ✓ Syncing your data across devices | Consent (you enable cloud sync in Settings) |
| ✓ Generating invoices and sharing via WhatsApp or PDF | Performance of contract |
| ✓ Sending Ledger payment reminders (local notifications) | Consent |
| ✓ Improving app quality through anonymised usage data | Legitimate interest |
| ✓ Responding to support and legal inquiries | Legal obligation / legitimate interest |
What We NEVER Do With Your Data
- Sell, rent, or commercially share your data with any third party
- Share your business transaction data with advertisers or data brokers
- Use your data to build advertising profiles or for targeted advertising
- Allow our staff to access your transaction records or business data
- Transfer your data to any country without appropriate safeguards
5. Third-Party Services We Use
Hisab Expert integrates the following third-party services to deliver specific features. Each service operates under its own Terms of Service and Privacy Policy. We share only the minimum data necessary with each service. All integrations are optional - the core bookkeeping features work without them.
Firebase Authentication - Google LLC
Used for: Phone number OTP verification
When you log in with your phone number, Firebase sends a one-time password (OTP) to your number and verifies it. This is the only use of Firebase in Hisab Expert. Firebase Authentication does not retain your phone number beyond the verification session. We do not use Firebase for analytics, crash reporting, or cloud storage.
Supabase - Supabase Inc.
Used for: Optional cloud database and real-time sync
If you enable cloud sync in Settings, your business data is securely stored in Supabase's cloud database. Cloud sync is off by default. Your data in Supabase is associated with your unique account ID and is not accessible to any other user. You can disable cloud sync or permanently delete your cloud data at any time from Settings → Account → Delete Account.
Google Speech Recognition - Google LLC
Used for: Voice input transcription (optional)
Audio captured during voice transaction sessions is sent to Google's Speech-to-Text API for real-time transcription. Audio is processed in real time and is not stored by us after processing.
Microsoft Azure Computer Vision - Microsoft Corporation
Used for: OCR text extraction from ledger photos (optional)
When you scan a handwritten ledger, the photograph is transmitted securely to Microsoft Azure Computer Vision for text extraction. The image is deleted from Azure's servers immediately after the extraction result is returned. Images are never retained, indexed, or used to train AI models.
OCR.space - A9T9 Software GmbH
Used for: Fallback OCR service when Azure is unavailable (optional)
OCR.space is used as a secondary OCR service when Azure Computer Vision is temporarily unavailable. Data handling is identical: image sent, text extracted, image immediately deleted. No data is retained beyond the processing request.
WhatsApp - Meta Platforms, Inc.
Used for: Sharing invoices and sending payment reminders to your customers
Hisab Expert allows you to share generated invoice PDFs and Ledger payment reminders via WhatsApp. All sharing is initiated manually by you. We do not have access to the content of your WhatsApp messages or contacts.
Sentry - Functional Software, Inc.
Used for: Anonymised crash and error reporting
When enabled, Sentry collects anonymised crash reports if the app encounters an unexpected error. Reports include device model, Android OS version, app version, and the technical error trace. No personal data, business data, or transaction records are included in crash reports. Crash logs are automatically purged after 90 days.
We do not use Google Analytics, Facebook Pixel, advertising SDKs, or any data broker integrations.
6. UPI Auto-Detection - Detailed Disclosure
Because UPI notification reading is a sensitive capability, we are providing this dedicated section with full transparency about exactly how it works.
What It Does
The app uses Android's standard NotificationListenerService API to read incoming notifications from the following nine UPI payment apps only, to automatically create transaction records without manual entry:
What We Extract Per Notification
- Transaction amount (e.g., ₹500)
- Direction: received or paid
- Sender / recipient name or UPI ID (if present in notification text)
What We NEVER Access
- Bank account number or balance
- Full transaction history from UPI apps
- SMS or text messages
- Notifications from any unlisted app
- Personal messages, photos, or media
How to Enable and Disable
- Default state: Disabled. This feature is off when you first install the app.
- To enable: Android Settings → Special App Access → Notification Access → Hisab Expert → Allow. Then enable UPI Auto-Detection in Hisab Expert Settings.
- To disable: Revoke the Notification Access permission, or toggle off UPI Auto-Detection in Hisab Expert Settings.
Google Play Compliance Note
This implementation does not use the READ_SMS permission and does not read text messages in any form. It uses Android's standard NotificationListenerService API, restricted to a whitelist of nine UPI financial apps, solely to reduce manual data entry for users.
7. Android Permissions We Request
All permissions are optional - the core bookkeeping features work without granting any of the below. You can revoke any permission at any time from Android Settings → Apps → Hisab Expert → Permissions without losing your existing business data.
| Permission | Feature It Enables | Can You Decline? |
|---|---|---|
| INTERNET | Cloud sync, OTP login, OCR processing, voice transcription | Yes - app works fully offline |
| RECORD_AUDIO | Voice transaction entry (speak to record amounts and products) | Yes |
| MODIFY_AUDIO_SETTINGS | Adjusts audio focus during speech recognition for accurate voice input | Yes - only active during voice entry |
| CAMERA | OCR ledger scanning - photograph handwritten records to import transactions | Yes |
| READ_MEDIA_IMAGES / READ_EXTERNAL_STORAGE | Select existing photos from gallery for OCR; save and share invoice PDFs | Yes |
| USE_BIOMETRIC / USE_FINGERPRINT | Fingerprint or face unlock for the app lock screen | Yes |
| FOREGROUND_SERVICE / FOREGROUND_SERVICE_DATA_SYNC | Keeps UPI detection running in background. A persistent notification is always shown while active. | Yes - only used when UPI detection is enabled |
| RECEIVE_BOOT_COMPLETED | Restarts UPI detection service after device reboot, only if you had previously enabled it | Yes |
| REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Requests battery exemption so UPI detection works reliably. Can be denied or revoked anytime from Battery Settings. | Yes |
| POST_NOTIFICATIONS | Required on Android 13+ to display the UPI detection foreground service notification | Yes |
| BIND_NOTIFICATION_LISTENER_SERVICE | Reads UPI payment notifications from 9 whitelisted apps only. Does NOT read SMS. Requires explicit grant via Android Settings → Special App Access. | Yes - explicit user action required |
Permissions We DO NOT Request
8. Data Storage and Security
8.1 Local Storage (Default)
All your business data is stored on your device using Hive, an encrypted local database. Data is encrypted with AES-256 using a key stored in the Android Keystore - a hardware-backed secure storage system. The encryption key never leaves your device and cannot be accessed by us or anyone else.
8.2 Cloud Storage (Optional)
If you enable cloud sync, your data is transmitted over TLS 1.3 and stored in Supabase (backed by AWS infrastructure). Each record is associated with your unique account ID. Your data is logically isolated from other users' data and can only be accessed with valid authentication credentials.
8.3 Security Measures
- Encryption at rest: AES-256 (local device), database-level encryption (cloud)
- Encryption in transit: TLS 1.3 for all server communications
- Authentication: PIN hashed with bcrypt (cost factor 10) + optional biometric unlock
- App lock: Automatically locks after 30 seconds of background activity
- No shared passwords: OTP-only login - no passwords are ever created or stored
- Reinstall protection: We detect tampered or restored authentication state on reinstall and prompt re-verification
8.4 Data Breach Response
In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware of the breach, as required by applicable data protection laws. We will inform you of the nature of the breach, what data was affected, and what steps we are taking to address it.
9. Data Sharing and Disclosure
We do not sell, rent, or commercially share your personal data with any third party. We may disclose information only in the following limited circumstances:
- With your explicit consent - for example, when you enable cloud sync, share an invoice, or initiate a WhatsApp message
- With third-party service providers (Section 5) - strictly to the extent necessary to deliver the stated feature, subject to contractual data processing agreements
- Legal requirements - if required by a valid court order, government authority, or applicable law, we will disclose the minimum information required and notify you where legally permitted
- Business transfer - if Hisab Expert is acquired or merged, your data may be transferred as part of that transaction. We will notify you before any such transfer, and you retain the right to delete your data
10. Your Rights Over Your Data
Under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable international data protection principles, you have the following rights:
| Right | What It Means | How to Exercise |
|---|---|---|
| ✓ Right to Access | Receive a copy of the personal data we hold about you | Email privacy@hisabexpert.com |
| ✓ Right to Correction | Update or correct inaccurate personal data | Edit directly in the app, or email us |
| ✓ Right to Erasure | Permanently delete your account and all associated data | Settings → Account → Delete Account, or email us |
| ✓ Right to Portability | Export your business data in CSV or JSON format | Settings → Export Data |
| ✓ Withdraw Consent | Disable UPI auto-detection, cloud sync, or analytics at any time | Settings, or revoke Android permissions |
| ✓ Right to Restrict Processing | Object to specific processing activities | Email privacy@hisabexpert.com |
| ✓ Lodge a Complaint | File a complaint with India's Data Protection Board | dpboard.gov.in (when operational) |
We will respond to all rights requests within 30 days. For complex requests, we may extend this by an additional 30 days with prior notice.
To exercise any of these rights, visit our Data Deletion page or email us at privacy@
11. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data (transactions, inventory, customers) | Retained for as long as you actively use the app |
| Account data after deletion request | Permanently deleted within 7 days |
| Cloud backup data after deletion request | Removed from backup systems within 90 days |
| Voice recordings | Deleted immediately after transcription - we do not store audio |
| OCR scan images | Deleted from our servers immediately after text extraction |
| Crash and error logs (Sentry) | Retained for 90 days, then automatically purged |
| Anonymised usage statistics | Retained in aggregate form for up to 2 years |
| Legal retention obligations | Some records may be retained longer if required by applicable law (e.g., tax compliance), in anonymised form where possible |
12. International Data Transfers
Your data is primarily stored on your device in India. When cloud sync is enabled, or when you use features such as voice input, OCR scanning, or OTP login, some data is transmitted to servers operated by the third-party services listed in Section 5. These servers may be located outside India, including in the United States.
All such transmissions occur over TLS 1.3 encryption. The services we use - Firebase (Google), Supabase (AWS), Microsoft Azure, and Google Speech - maintain appropriate data protection standards and are bound by contractual data processing terms that require them to protect your data to an equivalent standard.
13. Children's Privacy
Hisab Expert is a business accounting tool intended exclusively for adults aged 18 years and above. We do not knowingly collect, solicit, or process personal data from persons under 18 years of age.
If you are a parent or guardian and believe your child has created an account or provided us with personal information, please contact us immediately at privacy@
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or app features. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page
- Notify you via in-app notification at your next app launch
- For significant changes, display the updated policy and ask you to review it before continuing
Your continued use of Hisab Expert after a policy update constitutes your acceptance of the revised policy. If you do not agree, you may delete your account (Settings → Account → Delete Account) and stop using the app.
15. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us through any of the following channels:
Contact Channels
- Privacy: privacy@hisabexpert.com
- Support: support@hisabexpert.com
- Legal: legal@hisabexpert.com
- Phone: +91 6303537033
Response Commitments
- Initial response: within 24–48 business hours
- Rights requests: within 30 days
- Data breach notifications: within 72 hours
- Jurisdiction: Hyderabad, Telangana, India
This Privacy Policy was written in plain language to ensure you fully understand how Hisab Expert handles your data. If any section is unclear, please email us at privacy@