Privacy Policy

1. Who we are

ThynkBooks is operated by ORIS Intelligence Pvt Ltd ("ORIS", "we"). For personal data processed in the Service, your organisation (the account holder) is ordinarily the Data Fiduciary and ORIS processes data on its instructions; for website visitors and account registration data, ORIS is the Data Fiduciary.

2. What we collect

Account data: name, work email, phone, role, organisation details, authentication identifiers (via ORIS Identity).

Service data: the financial records your organisation enters or uploads — ledgers, invoices, vendor/customer masters (which may contain personal data such as names, addresses, GSTIN/PAN), bank transactions, and uploaded documents.

Usage data: device/browser information, IP address, pages and features used, and diagnostic logs. Payment data is processed by our billing providers (ORIS billing / Razorpay); we do not store full card numbers.

3. How we use data

To provide and secure the Service (authentication, multi-tenant isolation, backups); to compute the outputs you request (returns, reports, reconciliations); to operate AI-assisted features — document text and relevant context are processed through the ORIS AI platform to produce suggestions, and are not used to train third-party foundation models; to communicate service notices and respond to support; to bill; and to meet legal obligations.

We do not sell personal data, and we do not use your financial records for advertising.

4. Legal bases and consent (DPDP Act 2023)

We process personal data with consent or for legitimate uses recognised by the Digital Personal Data Protection Act, 2023 — performing the contract you signed up for, complying with law, and security. Where consent is the basis, it is recorded in our consent ledger and can be withdrawn as easily as it was given.

5. Your rights

Under the DPDP Act you may: access a summary of your personal data and processing; request correction and erasure; nominate a person to exercise rights on your behalf; and raise a grievance. Submit requests in-app or to privacy@thynkbooks.com; identity verification applies. We respond within statutory timelines, and our Data Subject Access Request workflow tracks every request to closure.

If your data was entered by an organisation using ThynkBooks (e.g. you are their customer or vendor), we will route your request to that organisation, who controls those records.

6. Security

Controls include encryption in transit (TLS) and at rest, tenant isolation enforced at the application layer, role-based access control, maker-checker approvals, append-only journals, comprehensive audit logging, and secrets management. Production access is restricted and logged. No method of transmission or storage is 100% secure, but we treat your books with the controls we would demand for our own.

7. Retention

Account and Service data are retained for the life of the subscription plus a 30-day export window, then deleted from production. Financial records may be retained longer where Indian law requires (e.g. books of account retention periods) — in that case access is restricted to compliance use. Consent withdrawals, closed DSARs and access logs are purged on a scheduled retention job.

8. Sharing and processors

We share data only with: sub-processors needed to run the Service (cloud hosting, email delivery via Resend, payments via Razorpay/ORIS billing, error monitoring); the ORIS platform for identity, billing and AI routing; professional advisers and authorities where legally required; and parties you direct us to share with (e.g. your auditor through the auditor portal).

Sub-processors are bound by data-processing terms consistent with this policy.

9. International transfers

Primary processing and storage occur in India. Where a sub-processor processes data outside India, we ensure transfers comply with applicable law, including any countries restricted by notification under the DPDP Act.

10. Cookies

The app uses strictly-necessary cookies for authentication and security (session token, CSRF protections). The marketing site uses no advertising trackers. Any analytics we add will be disclosed here first.

11. Children

The Service is for business use and not directed at children under 18; we do not knowingly process children's data.

12. Grievance officer and contact

Grievance Officer, ORIS Intelligence Pvt Ltd — privacy@thynkbooks.com. If unsatisfied with our response you may approach the Data Protection Board of India.

We will notify material changes to this policy in-app or by email before they take effect.