📒

ArthaNote

Privacy Policy

Version: 1.0
Effective Date: June 22, 2026
Developer: Tulsi Groups
Contact: tulsiprivateltd@gmail.com


This document governs the collection, use, and protection of personal data
by the ArthaNote application across all supported regions and jurisdictions.


Datenschutzerklärung • Politique de confidentialité • Política de Privacidad
தனியுரிமைக் கொள்கை • गोपनीयता नीति • سياسة الخصوصية

Table of Contents

  1. Introduction & Overview
  2. About ArthaNote
  3. Scope of This Policy
  4. Data Controller Information
  5. Personal Data We Collect
  6. How We Use Your Data
  7. Legal Basis for Processing
  8. Data Sharing and Third Parties
  9. International Data Transfers
  10. Data Retention
  11. Security Measures
  12. Your Privacy Rights (General)
  13. Regional Privacy Rights — EU/EEA (GDPR)
    1. 🇦🇹 Austria
    2. 🇧🇪 Belgium
    3. 🇧🇬 Bulgaria
    4. 🇭🇷 Croatia
    5. 🇨🇾 Cyprus
    6. 🇪🇪 Estonia
    7. 🇫🇮 Finland
    8. 🇫🇷 France
    9. 🇩🇪 Germany
    10. 🇬🇷 Greece
    11. 🇮🇪 Ireland
    12. 🇮🇹 Italy
    13. 🇱🇻 Latvia
    14. 🇱🇹 Lithuania
    15. 🇱🇺 Luxembourg
    16. 🇲🇹 Malta
    17. 🇳🇱 Netherlands
    18. 🇵🇹 Portugal
    19. 🇸🇰 Slovakia
    20. 🇸🇮 Slovenia
    21. 🇪🇸 Spain
    22. + Italy (GDPR supplement)
  14. Regional Privacy Rights — United Kingdom
  15. Regional Privacy Rights — Australia
  16. Regional Privacy Rights — Canada
  17. Regional Privacy Rights — United States
  18. Regional Privacy Rights — India
  19. Regional Privacy Rights — UAE
  20. Regional Privacy Rights — Saudi Arabia
  21. Regional Privacy Rights — Bahrain
  22. Regional Privacy Rights — Kuwait
  23. Regional Privacy Rights — Oman
  24. Regional Privacy Rights — Malaysia
  25. Regional Privacy Rights — Singapore
  26. Regional Privacy Rights — South Africa
  27. Regional Privacy Rights — Sri Lanka
  28. Regional Privacy Rights — Bangladesh
  29. Regional Privacy Rights — Nepal
  30. Children's Privacy
  31. Cookies and Tracking
  32. Changes to This Policy
  33. Contact Information
  34. Glossary
  35. Legal References Annex

1. Introduction & Overview

Datenschutzerklärung (DE) • Politique de confidentialité (FR) • தனியுரிமைக் கொள்கை (TA) • गोपनीयता नीति (HI)

In plain English: ArthaNote is a business ledger app for small retailers. We collect the minimum data needed to run the app — your email to log in, and the business records you enter (sales, expenses, customers, staff). We do not sell your data. We do not serve ads. Your financial records are encrypted in Google's cloud. You can delete your account and all your data at any time.

Welcome to ArthaNote (also referred to as "Artha Note"), a digital business ledger and accounting application designed to help small retailers, shopkeepers, and micro-entrepreneurs manage their daily sales, expenses, customer credit, supplier payments, staff attendance, and financial reports — all from a single mobile application.

This Privacy Policy ("Policy") is issued by Tulsi Groups ("Developer," "we," "us," or "our"), the individual developer and data controller responsible for the ArthaNote application. This Policy explains:

We are committed to protecting your privacy and handling your personal data in a transparent, lawful, and responsible manner. We believe that privacy is a fundamental right, and we have designed ArthaNote with data minimization and security as core principles.

This Policy applies to all users of the ArthaNote application on Android (Google Play Store) and any associated web interfaces or progressive web application (PWA) versions of the service.

By creating an account and using ArthaNote, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, please do not use the application.

This Policy is written primarily in English. Where local regulations require notice in a local language, key headings are provided in the relevant language as indicated throughout this document.

Effective Date: June 22, 2026
Version: 1.0
Last Updated: June 22, 2026

2. About ArthaNote

Summary: ArthaNote is a digital ledger app for small businesses. It replaces paper account books with a secure, cloud-synced mobile app. Available on Android, supporting English, Tamil, and Hindi.

ArthaNote is a comprehensive digital business management and accounting application developed specifically for small retailers, traders, shop owners, and micro-enterprises. The name "Artha" (अर्थ) means "wealth" or "money" in Sanskrit, reflecting the app's purpose of helping users manage their finances effectively.

2.1 Core Purpose

ArthaNote digitizes the traditional paper-based "khata" (account book) used by millions of small retailers across South Asia and beyond. It provides a secure, cloud-backed, mobile-first solution to record and manage:

2.2 Platform and Availability

ArthaNote is available as an Android application distributed through the Google Play Store. The application also functions as a Progressive Web Application (PWA) accessible via web browsers. The app supports three languages: English, Tamil (தமிழ்), and Hindi (हिंदी), making it accessible to users across India and the South Asian diaspora worldwide.

2.3 Subscription Model

ArthaNote offers a free tier with basic features (one shop, standard ledger functions) and a Pro subscription at ₹199 per month, processed through Google Play Billing. Pro features include unlimited shops, OCR receipt scanning, full MIS reports, and priority support.

2.4 Developer Information

ArthaNote is developed and maintained by Tulsi Groups, an independent software developer based in Tamil Nadu, India. The developer is the sole data controller for personal data processed through ArthaNote.

3. Scope of This Policy

Summary: This Policy covers all data collected through the ArthaNote Android app and PWA. It applies to users in all 36 countries where ArthaNote is available on Google Play.

3.1 What This Policy Covers

This Privacy Policy covers all personal data processing activities associated with:

3.2 Geographic Scope

ArthaNote is available in the following 36 countries on the Google Play Store. This Policy specifically addresses the privacy rights of users in each of these jurisdictions:

RegionCountries
European Union / EEAAustria, Belgium, Bulgaria, Croatia, Cyprus, Estonia, Finland, France, Germany, Greece, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Portugal, Slovakia, Slovenia, Spain
United KingdomUnited Kingdom
Asia-PacificAustralia, Bangladesh, India, Malaysia, Nepal, Singapore, Sri Lanka
GCC / Middle EastBahrain, Kuwait, Oman, Saudi Arabia, United Arab Emirates
AfricaSouth Africa
North AmericaCanada, United States

3.3 What This Policy Does Not Cover

This Policy does not apply to:

4. Data Controller Information

Summary: Tulsi Groups is the data controller for ArthaNote. For your business's customer data stored in ArthaNote, you (the business owner) are the controller and ArthaNote is the processor.

4.1 Data Controller

For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent legislation worldwide, the data controller for personal data collected through ArthaNote is:

DetailInformation
Controller NameTulsi Groups
RoleIndividual Developer / App Owner
Email Addresstulsiprivateltd@gmail.com
App NameArthaNote (Artha Note)
Country of EstablishmentIndia
Google Play Developer AccountArthaNote Developer

4.2 Dual Role: Controller and Processor

ArthaNote operates in two distinct capacities with respect to personal data:

As Data Controller: We determine the purposes and means of processing personal data relating to your user account, authentication credentials, and app usage. This includes your email address, display name, and device information.

As Data Processor: When you enter data about your customers (names, phone numbers, credit balances), your staff (names, attendance records), or your suppliers into ArthaNote, you are acting as the data controller for that third-party personal data. We process that data on your behalf, according to your instructions, to provide the ArthaNote service. You are responsible for ensuring you have a lawful basis to collect and store that data, and for notifying your customers and staff about its use.

4.3 No Data Protection Officer (DPO)

As an individual developer without large-scale systematic processing of sensitive data, a formally designated Data Protection Officer is not required under applicable law. However, all data protection queries are handled personally by the developer at tulsiprivateltd@gmail.com with a commitment to respond within 30 days.

4.4 EU/EEA Representative

For users in the European Union and European Economic Area, the developer does not currently maintain a formal Article 27 GDPR representative given the limited scale of processing. EU/EEA users may contact the developer directly at tulsiprivateltd@gmail.com for all data protection matters. If you are an EU/EEA supervisory authority, you may contact the Irish Data Protection Commission (the lead supervisory authority for Google/Firebase) as the relevant authority for our cloud infrastructure provider.

5. Personal Data We Collect

Summary: We collect your email and name for login, and the business records you enter (transactions, customer names, staff names). We use your camera only for QR scanning — no photos are stored. We do not collect your location.

5.1 Account and Identity Data

When you create an ArthaNote account, we collect:

Data TypeSpecific DataSourceRequired?
Email AddressYour email address used to create or sign in to your accountYou enter it, or obtained from Google OAuth consentYes — required for authentication
Display NameYour name as you provide it, or your Google account nameYou enter it or obtained from Google OAuthNo — optional but recommended
User ID (UID)A unique identifier assigned by Firebase AuthenticationAutomatically generated by FirebaseYes — system requirement
Authentication MethodWhether you signed in via email/password or Google OAuthAutomatically recorded by Firebase AuthYes — system requirement

5.2 Business Configuration Data

When you set up ArthaNote for your business, we collect:

Data TypeSpecific DataPurpose
Shop Name(s)Name(s) of your shop or business outlet(s)Identify transactions per location
Business TypeCategory (e.g., grocery, vegetables, textile, hardware, jewellery, medical, bakery, hotel, tea shop, finance/chit)Customize app experience and reporting
GST NumberYour Goods and Services Tax registration number (optional)For invoice generation and compliance
GST SettingsWhether GST is enabled and GST rateAccurate financial calculations

5.3 Financial Transaction Data

The core data you enter into ArthaNote consists of your business financial records:

Data TypeSpecific DataPurpose
Sales TransactionsDate, amount, description, shop, categoryDaily revenue tracking
Expense RecordsDate, amount, description, type, shopBusiness expense tracking
Customer Credit EntriesCustomer name (may be a personal name), phone number, credit amount, payment historyCustomer ledger management
Supplier RecordsSupplier business name, contact details, payment records, outstanding billsAccounts payable management
Payment RecordsAmounts paid/received, dates, payment methodsCash flow management

5.4 Staff and Attendance Data

If you use the staff management feature, you may enter:

Important: Your staff members whose data you enter into ArthaNote are data subjects. As their employer and the data controller for their personal data, you are responsible for informing them about how their data is used in ArthaNote.

5.5 Chit Fund and Finance Module Data

If you use the Finance and Chit Fund module, we collect:

5.6 Device and Technical Data

Data TypeSpecific DataPurpose
Firebase Device TokenA device-specific token generated by FirebaseCrash reporting and app diagnostics
App VersionVersion number of ArthaNote installedCompatibility and support
Operating SystemAndroid versionApp compatibility
Network StatusWhether the device is online or offlineOffline queue management and sync

5.7 Camera Usage

ArthaNote requests permission to access your device camera. Camera access is used solely for QR code scanning to record staff attendance. The camera is activated only when you explicitly open the QR scan feature. No photographs, videos, or images are captured, stored, or transmitted by ArthaNote. The camera feed is processed locally on your device in real time to detect QR codes only.

5.8 Data We Do NOT Collect

ArthaNote explicitly does not collect the following:

5.9 OCR Scanning (Pro Feature)

Pro users may use the OCR (Optical Character Recognition) scanning feature to convert handwritten ledger pages into digital entries. When this feature is used:

6. How We Use Your Data

Summary: We use your data to run the app, keep your records secure, process your subscription, and improve the service. We do not use your financial records for advertising, profiling, or any purpose other than providing ArthaNote to you.

6.1 Providing the ArthaNote Service

The primary use of your data is to operate and provide the ArthaNote application. Specifically:

6.2 Account Management

6.3 Subscription and Billing

Note: All payment processing is handled by Google Play Billing. We receive only confirmation of subscription status — not your payment card details or billing address.

6.4 App Improvement and Diagnostics

6.5 Customer Support

6.6 Legal and Compliance

6.7 What We Do NOT Do With Your Data

We explicitly confirm that we do not:

7. Legal Basis for Processing

Summary: For EU/EEA users, every processing activity has a specific GDPR legal basis. For most data, our basis is contractual necessity (you need us to store your records to use the app). For security and legal compliance we rely on legitimate interests and legal obligation.

For users in the European Union, European Economic Area, United Kingdom, and other jurisdictions with similar requirements, we rely on the following legal bases for processing your personal data under Article 6 of the GDPR (and equivalent provisions):

Processing ActivityLegal Basis (GDPR Art. 6)Explanation
Account creation and authentication (email, UID, display name) Art. 6(1)(b) — Contract Processing is necessary to perform the contract (Terms of Service) — you cannot use ArthaNote without an account
Storing financial transactions, expenses, customer data, supplier data Art. 6(1)(b) — Contract The core service you contracted for is digital ledger storage — this processing is essential to deliver the service
Staff names, roles, and attendance records Art. 6(1)(b) — Contract Staff management is a contracted feature; additionally Art. 6(1)(f) — Legitimate Interest of you (the business owner) in managing staff
Subscription status verification Art. 6(1)(b) — Contract Necessary to provide Pro features you have paid for
Crash reports and diagnostics Art. 6(1)(f) — Legitimate Interest Our legitimate interest in maintaining a secure, functional service; minimal data, no tracking
Customer support communications Art. 6(1)(f) — Legitimate Interest / Art. 6(1)(b) — Contract Legitimate interest in responding to users; also contractual where support is part of the service
Legal compliance (e.g., responding to court orders) Art. 6(1)(c) — Legal Obligation Required by applicable law
Data retention for tax/legal compliance (7 years) Art. 6(1)(c) — Legal Obligation Indian tax laws (GST Act, Income Tax Act) and other applicable laws require financial records to be retained
OCR image processing (Pro feature) Art. 6(1)(b) — Contract / Art. 6(1)(a) — Consent You actively initiate OCR scanning; implied consent through use of the feature, and necessary for Pro service delivery

7.1 Special Category Data

ArthaNote does not intentionally collect special category data as defined under GDPR Article 9 (health data, racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, etc.). If you choose to enter descriptive notes in transaction fields that incidentally contain such information, this is entirely at your discretion and we process it solely under Article 6(1)(b) as part of the ledger entry you have created.

7.2 Legitimate Interests Assessment

Where we rely on legitimate interests (Art. 6(1)(f)), we have considered the following factors:

8. Data Sharing and Third Parties

Summary: We share data only with Google (Firebase for infrastructure, Play Billing for subscriptions). We do not share your data with any other third party except as required by law. We never sell data.

8.1 Google Firebase (Core Infrastructure)

ArthaNote is built on Google Firebase, a platform provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The following Firebase services process your data:

Firebase ServiceData ProcessedPurpose
Firebase AuthenticationEmail address, display name, UID, sign-in method, sign-in timestampsUser account creation and authentication
Cloud FirestoreAll business data you store in ArthaNote (transactions, customers, staff, suppliers, config)Cloud database — stores and syncs all app data
Firebase AnalyticsAnonymized app usage events, device type, OS version, app versionUnderstanding feature usage to improve the app
Firebase CrashlyticsDevice token, crash stack traces, app version, OS versionIdentifying and fixing crashes and bugs

Google Firebase processes data under Google's Privacy Policy (available at https://policies.google.com/privacy) and Google's Cloud Data Processing Addendum. Data is processed according to Google's Data Processing Terms, which include Standard Contractual Clauses for international transfers.

8.2 Google Play Billing

Pro subscription payments are processed by Google Play Billing. When you subscribe to ArthaNote Pro:

8.3 Third-Party OCR APIs (Optional, User-Initiated)

The OCR scanning feature (Pro, optional) may transmit images to:

These APIs are used only when you actively initiate a scan. Images are transmitted to the API and the text response is returned; images are not retained by these providers beyond the API request lifecycle. Your API keys are stored locally on your device and are not shared with us.

8.4 Legal Disclosures

We may disclose your personal data to government authorities, courts, law enforcement agencies, or regulators when:

We will notify you of such requests to the extent permitted by law.

8.5 Business Transfers

If the ArthaNote business, application, or substantially all assets are transferred to another developer or entity through a merger, acquisition, or asset sale, your personal data may be part of the transferred assets. We will notify you by email and/or prominent notice within the app before your data becomes subject to a different privacy policy.

8.6 No Other Sharing

We do not share your personal data with:

9. International Data Transfers

Summary: Because we use Google Firebase (based in the USA), your data may be stored and processed in the United States and other countries. Google provides GDPR-compliant safeguards for these transfers through Standard Contractual Clauses.

9.1 Nature of International Transfers

ArthaNote is developed in India and uses Google Firebase infrastructure, which operates globally. When you use ArthaNote, your personal data may be transferred to, stored in, and processed in countries other than your country of residence. These transfers occur when your data is stored in Google's Cloud Firestore database, which may be hosted in data centers located in the United States, the European Union, or other regions depending on Firebase's global infrastructure.

9.2 Safeguards for EU/EEA Transfers

For users in the European Union, European Economic Area, and the United Kingdom, transfers to Google (USA) are protected by the following safeguards:

9.3 Transfers to Other Countries

For users in countries other than the EU/EEA and UK, your data is transferred to the United States (Google servers) where applicable data protection laws may differ from your country. We rely on Google's data processing terms and security measures as our safeguards. Users in countries with specific transfer requirements should refer to the relevant country section in this Policy.

9.4 Your Right to Information

You may request a copy of the safeguards we have in place for international data transfers by contacting us at tulsiprivateltd@gmail.com. We will provide this information within 30 days of your request.

10. Data Retention

Summary: We keep your data for as long as you use ArthaNote, plus legally required periods. Financial records are kept for 7 years (tax compliance). When you delete your account, your personal data is deleted within 30 days except where legal retention is required.

10.1 Retention Principles

We retain personal data for no longer than is necessary for the purposes for which it was collected, consistent with our legal obligations. Our retention approach is based on:

10.2 Specific Retention Periods

Data CategoryRetention PeriodReason
Account data (email, display name, UID)Duration of account + 30 days after deletionRequired for service operation; 30-day grace period for account recovery
Financial transactions (sales, expenses, payments)7 years from the date of the transactionIndian Income Tax Act 1961, GST Act 2017 require financial records to be maintained for 6-7 years; we retain for 7 years to cover maximum requirement across jurisdictions
Customer credit records7 years or until you delete the recordSame legal compliance as financial records
Supplier bills and payment records7 years from transaction dateTax compliance and audit requirements
Staff data and attendance records3 years after employee leaves or you delete the recordEmployment law compliance (India: 3 years under various statutes)
Chit fund records7 years from chit group closureFinancial compliance
Support communications (emails)3 yearsDispute resolution and service improvement
Crash reports and diagnostic data90 daysFirebase Crashlytics default retention; sufficient for bug resolution
Analytics data (aggregated)14 monthsFirebase Analytics default retention
App usage logs90 daysTroubleshooting and security

10.3 Retention After Account Deletion

When you delete your ArthaNote account:

  1. Within 24 hours: Your account is deactivated and you cannot log in;
  2. Within 30 days: Your account personal data (email, display name, UID) is permanently deleted from Firebase Authentication;
  3. Financial records: If you have financial data subject to legal retention requirements (7 years), that data may be retained in anonymized or encrypted form for the required period, associated only with an anonymous business identifier — not with your email address or name;
  4. Firebase Analytics: Analytics data already collected may be retained by Google for up to 14 months per Firebase Analytics' standard retention policy.

10.4 Your Control Over Data

You can delete individual transaction records, customer entries, or staff records at any time from within the app. You can request deletion of your entire account and all associated data by emailing tulsiprivateltd@gmail.com (see Section 12 and Section 33). Note that legally required financial records may be retained in accordance with Section 10.2 even after account deletion.

11. Security Measures

Summary: Your data is encrypted in transit (HTTPS/TLS) and at rest (Google Firebase encryption). Access is controlled by Firebase Security Rules so only you can read your data. We follow security best practices for a mobile application.

11.1 Technical Security Measures

We implement the following technical security measures to protect your personal data:

11.1.1 Encryption in Transit

11.1.2 Encryption at Rest

11.1.3 Firebase Security Rules

Our Firestore database is protected by security rules that enforce:

11.1.4 Local Device Security

11.2 Organizational Security Measures

11.3 Google Firebase Security

Google Firebase maintains extensive security certifications and programs:

11.4 Limitation of Security Guarantees

While we implement robust security measures, no system is completely immune to security breaches. You should also take steps to protect your account by:

11.5 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

12. Your Privacy Rights (General)

Summary: Regardless of your country, you have the right to access, correct, and delete your personal data. You can do most of this yourself within the app. For formal requests, email tulsiprivateltd@gmail.com and we will respond within 30 days.

Regardless of where you are located, we respect the following general privacy rights. Country-specific rights with stronger protections are described in Sections 13–29.

12.1 Right to Access

You have the right to know what personal data we hold about you. You can:

12.2 Right to Rectification (Correction)

If your personal data is inaccurate or incomplete, you can:

12.3 Right to Deletion (Right to Be Forgotten)

You can request deletion of your personal data:

12.4 Right to Portability

You have the right to receive your personal data in a structured, machine-readable format:

12.5 Right to Restrict Processing

You may request that we restrict processing of your data (continue storing it but not actively use it) in certain circumstances, such as while a dispute about accuracy is being resolved. Email tulsiprivateltd@gmail.com to make such a request.

12.6 Right to Object

Where we rely on legitimate interests (Section 7) as a legal basis for processing, you have the right to object. We will stop that specific processing unless we can demonstrate compelling legitimate grounds. Email tulsiprivateltd@gmail.com with subject "Processing Objection — [Your Email]".

12.7 Right to Withdraw Consent

Where processing is based on your consent (e.g., OCR feature usage), you can withdraw consent at any time by discontinuing use of the relevant feature. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

12.8 How We Handle Rights Requests

StepTimelineAction
1. Submit requestAny timeEmail tulsiprivateltd@gmail.com with clear subject line
2. Identity verificationWithin 5 daysWe may ask you to verify your identity to protect against unauthorized requests
3. AcknowledgmentWithin 7 daysWe confirm receipt of your request
4. ResponseWithin 30 daysWe fulfill the request or explain why it cannot be fulfilled
5. ExtensionUp to 60 additional daysFor complex requests, we may extend by 30–60 days and will notify you

12.9 No Fees

We do not charge fees for processing privacy rights requests. If a request is manifestly unfounded or excessive (e.g., repetitive requests within a short period), we may charge a reasonable fee or refuse to act — but we will explain our decision.

12.10 Right to Lodge a Complaint

If you are not satisfied with our response to a privacy request, you have the right to lodge a complaint with your local data protection authority. Specific contact details for supervisory authorities are provided in Sections 13–29 for each supported country.

13. Regional Privacy Rights — European Union & EEA (GDPR)

Datenschutzerklärung (DE) • Politique de confidentialité (FR) • Política de Privacidad (ES) • Informativa sulla Privacy (IT) • Política de Privacidade (PT) • Privacybeleid (NL) • Πολιτική Απορρήτου (EL)

Summary: If you are in the European Union or European Economic Area, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) gives you strong, enforceable rights over your personal data. This section explains those rights and lists the data protection authority (DPA) for each of the 22 EU/EEA countries where ArthaNote is available.

This Section applies to all users located in the European Union (EU) and the European Economic Area (EEA). The processing of your personal data is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR"), together with the national data protection laws of each Member State that supplement the GDPR.

13.1 Data Controller and Representative

The data controller is Tulsi Groups (contact: tulsiprivateltd@gmail.com), established in India. As an individual developer offering the app to EU users, we process personal data in accordance with Article 3(2) GDPR (extraterritorial scope). Where required under Article 27 GDPR, EU users may direct all data protection enquiries to the contact email above, and we will respond in accordance with GDPR timelines.

13.2 Legal Bases Under Article 6 GDPR

We process your personal data only where we have a lawful basis under Article 6(1) GDPR:

Processing ActivityLegal Basis (Article 6 GDPR)
Creating and maintaining your accountArt. 6(1)(b) — performance of a contract
Storing your ledger, customer, and business recordsArt. 6(1)(b) — performance of a contract
Processing Pro subscription paymentsArt. 6(1)(b) — performance of a contract
Retaining financial records for tax/legal complianceArt. 6(1)(c) — legal obligation
Security monitoring and fraud preventionArt. 6(1)(f) — legitimate interests
Optional OCR receipt-scanning featureArt. 6(1)(a) — consent
Crash reporting and app stability analyticsArt. 6(1)(f) — legitimate interests

13.3 Your Rights Under the GDPR

As a data subject in the EU/EEA, you have the following rights, which you may exercise at any time by emailing tulsiprivateltd@gmail.com:

13.4 International Transfers (Articles 44–49)

Your data is stored on Google Firebase/Google Cloud infrastructure, which may process data outside the EEA (including in the United States). Such transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) incorporated into Google's Data Processing Addendum, and, where applicable, the EU–U.S. Data Privacy Framework. See Section 9 for details.

13.5 National Supervisory Authorities

You may lodge a complaint with the supervisory authority in your Member State:

🇦🇹 Austria — Österreichische Datenschutzbehörde (DSB), Vienna. National law: Datenschutzgesetz (DSG). Website: dsb.gv.at

🇧🇪 Belgium — Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA), Brussels. Website: autoriteprotectiondonnees.be

🇧🇬 Bulgaria — Commission for Personal Data Protection (CPDP), Sofia. Website: cpdp.bg

🇭🇷 Croatia — Croatian Personal Data Protection Agency (AZOP), Zagreb. Website: azop.hr

🇨🇾 Cyprus — Office of the Commissioner for Personal Data Protection, Nicosia. Website: dataprotection.gov.cy

🇪🇪 Estonia — Estonian Data Protection Inspectorate (AKI), Tallinn. National law: Personal Data Protection Act (Isikuandmete kaitse seadus). Website: aki.ee

🇫🇮 Finland — Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Helsinki. National law: Tietosuojalaki (1050/2018). Website: tietosuoja.fi

🇫🇷 France — Commission Nationale de l'Informatique et des Libertés (CNIL), Paris. National law: Loi Informatique et Libertés (Loi n° 78-17). Website: cnil.fr

🇩🇪 Germany — Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) and the state (Land) authorities. National law: Bundesdatenschutzgesetz (BDSG). Website: bfdi.bund.de

🇬🇷 Greece — Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων), Athens. Website: dpa.gr

🇮🇪 Ireland — Data Protection Commission (DPC), Dublin. National law: Data Protection Act 2018. Website: dataprotection.ie

🇮🇹 Italy — Garante per la protezione dei dati personali, Rome. National law: Codice in materia di protezione dei dati personali (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018). Website: garanteprivacy.it

🇱🇻 Latvia — Data State Inspectorate (Datu valsts inspekcija), Riga. Website: dvi.gov.lv

🇱🇹 Lithuania — State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija), Vilnius. Website: vdai.lrv.lt

🇱🇺 Luxembourg — Commission nationale pour la protection des données (CNPD). Website: cnpd.public.lu

🇲🇹 Malta — Office of the Information and Data Protection Commissioner (IDPC). Website: idpc.org.mt

🇳🇱 Netherlands — Autoriteit Persoonsgegevens (AP), The Hague. National law: Uitvoeringswet AVG (UAVG). Website: autoriteitpersoonsgegevens.nl

🇵🇹 Portugal — Comissão Nacional de Proteção de Dados (CNPD), Lisbon. National law: Lei n.º 58/2019. Website: cnpd.pt

🇸🇰 Slovakia — Office for Personal Data Protection (Úrad na ochranu osobných údajov), Bratislava. Website: dataprotection.gov.sk

🇸🇮 Slovenia — Information Commissioner (Informacijski pooblaščenec), Ljubljana. Website: ip-rs.si

🇪🇸 Spain — Agencia Española de Protección de Datos (AEPD), Madrid. National law: Ley Orgánica 3/2018 (LOPDGDD). Website: aepd.es

🇮🇹 Italy (GDPR supplement) — In addition to the Garante, Italian users benefit from supplementary provisions of D.Lgs. 101/2018 concerning the minimum age of consent (14 years) for information society services under Article 8 GDPR.

14. Regional Privacy Rights — United Kingdom

Summary: UK users are protected by the UK GDPR and the Data Protection Act 2018. Your rights mirror the EU GDPR. The regulator is the Information Commissioner's Office (ICO).

If you are located in the United Kingdom, your personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Following the United Kingdom's withdrawal from the European Union, the GDPR was retained in domestic law as the UK GDPR.

14.1 Your Rights

You have the same rights as described in Section 13.3, including the right of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. The legal bases for processing correspond to Article 6 of the UK GDPR.

14.2 Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Helpline: 0303 123 1113. Website: ico.org.uk

14.3 International Transfers

Transfers of UK personal data outside the UK rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as incorporated into Google's data processing terms.

15. Regional Privacy Rights — Australia

Summary: Australian users are protected by the Privacy Act 1988 and the 13 Australian Privacy Principles (APPs). The regulator is the Office of the Australian Information Commissioner (OAIC).

If you are located in Australia, our handling of your personal information is governed by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) set out in Schedule 1 of that Act.

15.1 The Australian Privacy Principles

We comply with all applicable APPs, including: APP 1 (open and transparent management of personal information), APP 3 (collection of solicited personal information), APP 5 (notification of collection), APP 6 (use and disclosure), APP 8 (cross-border disclosure), APP 10 (data quality), APP 11 (security of personal information), APP 12 (access), and APP 13 (correction).

15.2 Cross-Border Disclosure (APP 8)

Your personal information is stored on Google Cloud infrastructure that may be located outside Australia. We take reasonable steps to ensure overseas recipients handle your information consistently with the APPs.

15.3 Complaints

If you believe we have breached the APPs, you may complain to us first at tulsiprivateltd@gmail.com. If unresolved, you may complain to the Office of the Australian Information Commissioner (OAIC), GPO Box 5288, Sydney NSW 2001. Phone: 1300 363 992. Website: oaic.gov.au

15.4 Notifiable Data Breaches

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of an eligible data breach likely to result in serious harm, we will notify affected individuals and the OAIC as required.

16. Regional Privacy Rights — Canada

Summary: Canadian users are protected by PIPEDA federally, and by provincial laws such as Quebec's Law 25. You have the right to access and correct your data and to withdraw consent.

If you are located in Canada, our handling of your personal information is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial legislation including Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information, formerly Bill 64), British Columbia's PIPA, and Alberta's PIPA.

16.1 The Ten Fair Information Principles

We adhere to the ten principles in Schedule 1 of PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.

16.2 Consent

We obtain meaningful consent for the collection, use, and disclosure of your personal information. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting tulsiprivateltd@gmail.com.

16.3 Quebec Law 25

For users in Quebec, we comply with the enhanced requirements of Law 25, including privacy-by-default, transparency about automated processing, and the right to data portability (effective from 2024).

16.4 Complaints

You may complain to the Office of the Privacy Commissioner of Canada (OPC), 30 Victoria Street, Gatineau, Quebec, K1A 1H3. Phone: 1-800-282-1376. Website: priv.gc.ca. Quebec residents may also contact the Commission d'accès à l'information du Québec (CAI).

17. Regional Privacy Rights — United States

Summary: U.S. users have rights under state privacy laws such as California's CCPA/CPRA, Virginia's VCDPA, Colorado's CPA, and Connecticut's CTDPA. We do not sell your personal information.

If you are located in the United States, your rights depend on your state of residence. The United States does not have a single comprehensive federal privacy law; instead, a growing number of states have enacted consumer privacy statutes.

17.1 California — CCPA/CPRA

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the right to: (i) know what personal information is collected; (ii) access their personal information; (iii) request deletion; (iv) correct inaccurate information; (v) opt out of the sale or sharing of personal information; and (vi) limit the use of sensitive personal information. We do not sell or share your personal information as those terms are defined under the CPRA. We will not discriminate against you for exercising your rights.

17.2 Virginia — VCDPA

Under the Virginia Consumer Data Protection Act (VCDPA), Virginia residents have rights to access, correct, delete, and obtain a portable copy of their data, and to opt out of targeted advertising and profiling.

17.3 Colorado — CPA

Under the Colorado Privacy Act (CPA), Colorado residents have similar rights, including the right to opt out via a universal opt-out mechanism.

17.4 Connecticut — CTDPA

Under the Connecticut Data Privacy Act (CTDPA), Connecticut residents have rights to access, correct, delete, and port their data, and to opt out of targeted advertising, sale, and profiling.

17.5 Other States

Residents of other states with comprehensive privacy laws (including Utah, Texas, Oregon, Montana, and others as they come into effect) may have comparable rights. We honor verifiable consumer requests regardless of state.

17.6 How to Exercise U.S. Rights

Email tulsiprivateltd@gmail.com with the subject "U.S. Privacy Request — [Your State]". We will verify your identity and respond within 45 days (extendable by an additional 45 days where permitted).

18. Regional Privacy Rights — India

गोपनीयता नीति (HI) • தனியுரிமைக் கொள்கை (TA)

Summary: Indian users are protected by the Digital Personal Data Protection Act, 2023 (DPDP Act). You are a "Data Principal" with rights to access, correction, and erasure. We act as a "Data Fiduciary."

If you are located in India, the processing of your personal data is governed by the Digital Personal Data Protection Act, 2023 (DPDP Act), along with the Information Technology Act, 2000 and applicable rules. ArthaNote is developed in India and the majority of our users are based in India.

18.1 Roles Under the DPDP Act

Under the DPDP Act, you are the Data Principal (the individual to whom the personal data relates), and Tulsi Groups is the Data Fiduciary (the person who determines the purpose and means of processing your personal data).

18.2 Consent and Notice

We process your personal data based on your consent, given through a clear affirmative action when you create an account and use the app. The notice provided at the point of collection describes the personal data being collected and the purpose of processing, consistent with Section 5 of the DPDP Act. You may withdraw consent at any time.

18.3 Your Rights as a Data Principal

18.4 Grievance Redressal

For any grievance regarding the processing of your personal data, contact our Grievance Officer at tulsiprivateltd@gmail.com. We will respond within the period prescribed under the DPDP Act. If unsatisfied, you may approach the Data Protection Board of India once it is constituted and operational.

19. Regional Privacy Rights — United Arab Emirates

سياسة الخصوصية (AR)

Summary: UAE users are protected by Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. You have rights to access, correct, and delete your data.

If you are located in the United Arab Emirates, the processing of your personal data is governed by Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the UAE PDPL), the first comprehensive federal data protection law in the UAE.

19.1 Your Rights

Under the UAE PDPL, you have the right to: request information about your processed data; request the transfer of your data; request correction or erasure; restrict or stop processing; and object to processing. Requests may be made to tulsiprivateltd@gmail.com.

19.2 Regulatory Authority

The UAE Data Office is the federal authority responsible for the PDPL. Users in financial free zones (DIFC, ADGM) may be additionally protected by the DIFC Data Protection Law (DIFC Law No. 5 of 2020) or the ADGM Data Protection Regulations 2021 respectively.

20. Regional Privacy Rights — Saudi Arabia

سياسة الخصوصية (AR)

Summary: Saudi users are protected by the Personal Data Protection Law (PDPL) issued by Royal Decree M/19 of 2021, regulated by SDAIA.

If you are located in the Kingdom of Saudi Arabia, the processing of your personal data is governed by the Personal Data Protection Law (PDPL), issued under Royal Decree No. M/19 of 9/2/1443H (2021), as amended, and its Implementing Regulations.

20.1 Your Rights

Under the Saudi PDPL, you have the right to be informed of the legal basis and purpose of collection; the right to access your personal data; the right to request a copy of your data; the right to correction; and the right to request destruction of your personal data.

20.2 Regulatory Authority

The competent authority is the Saudi Data and Artificial Intelligence Authority (SDAIA). Complaints regarding the processing of personal data may be submitted to SDAIA in accordance with the PDPL.

21. Regional Privacy Rights — Bahrain

سياسة الخصوصية (AR)

Summary: Bahraini users are protected by the Personal Data Protection Law, Law No. 30 of 2018.

If you are located in the Kingdom of Bahrain, the processing of your personal data is governed by the Personal Data Protection Law, Law No. 30 of 2018 (Bahrain PDPL), which came into force in 2019.

21.1 Your Rights

Under the Bahrain PDPL, you have the right to be informed about processing; the right to access your data; the right to request correction, blocking, or erasure of data whose processing violates the law; and the right to object to processing for direct marketing purposes.

21.2 Regulatory Authority

The competent authority is the Personal Data Protection Authority (PDPA) of Bahrain. You may submit complaints to the PDPA in accordance with the law.

22. Regional Privacy Rights — Kuwait

سياسة الخصوصية (AR)

Summary: Kuwait does not yet have a single comprehensive data protection law. We apply protections derived from the CITRA Data Privacy Protection Regulation and general legal principles.

If you are located in Kuwait, please note that Kuwait does not currently have a single comprehensive personal data protection statute equivalent to the GDPR. However, data privacy is addressed through several instruments, including the Data Privacy Protection Regulation (No. 26 of 2024) issued by the Communication and Information Technology Regulatory Authority (CITRA), the Law No. 20 of 2014 on Electronic Transactions, and constitutional privacy protections.

22.1 Our Commitment

In the absence of a comprehensive law, we voluntarily extend to Kuwaiti users the core protections described in this Policy: lawful and transparent processing, data minimization, security safeguards, and the ability to access, correct, and delete your data by contacting tulsiprivateltd@gmail.com.

22.2 Regulatory Authority

The Communication and Information Technology Regulatory Authority (CITRA) oversees data privacy matters in Kuwait.

23. Regional Privacy Rights — Oman

سياسة الخصوصية (AR)

Summary: Omani users are protected by the Personal Data Protection Law (Royal Decree No. 6/2022) and the Electronic Transactions Law.

If you are located in the Sultanate of Oman, the processing of your personal data is governed by the Personal Data Protection Law, issued by Royal Decree No. 6/2022, which came into effect in 2023, together with the Electronic Transactions Law (Royal Decree No. 69/2008).

23.1 Your Rights

Under the Oman PDPL, you have the right to be informed about the processing of your data, to access and obtain a copy of your data, to request correction or erasure, to withdraw consent, and to object to processing that causes harm.

23.2 Regulatory Authority

The Ministry of Transport, Communications and Information Technology (MTCIT) is the competent authority for personal data protection in Oman.

24. Regional Privacy Rights — Malaysia

Dasar Privasi (MS)

Summary: Malaysian users are protected by the Personal Data Protection Act 2010 (PDPA) and its seven principles, regulated by the Personal Data Protection Department (JPDP).

If you are located in Malaysia, the processing of your personal data is governed by the Personal Data Protection Act 2010 (PDPA) and its subsequent amendments.

24.1 The Seven Principles

We comply with the seven Personal Data Protection Principles under the Malaysian PDPA: (1) the General Principle, (2) the Notice and Choice Principle, (3) the Disclosure Principle, (4) the Security Principle, (5) the Retention Principle, (6) the Data Integrity Principle, and (7) the Access Principle.

24.2 Your Rights

You have the right to access and correct your personal data, to withdraw consent, to limit processing for direct marketing, and to be informed about how your data is handled. Requests may be sent to tulsiprivateltd@gmail.com.

24.3 Regulatory Authority

The Personal Data Protection Department (Jabatan Perlindungan Data Peribadi, JPDP), under the Ministry of Digital, regulates the PDPA. Website: pdp.gov.my

25. Regional Privacy Rights — Singapore

Summary: Singapore users are protected by the Personal Data Protection Act 2012 (PDPA), regulated by the Personal Data Protection Commission (PDPC).

If you are located in Singapore, the processing of your personal data is governed by the Personal Data Protection Act 2012 (PDPA), as amended by the Personal Data Protection (Amendment) Act 2020.

25.1 Key Obligations

We comply with the PDPA's main obligations, including the Consent Obligation, Purpose Limitation Obligation, Notification Obligation, Access and Correction Obligation, Accuracy Obligation, Protection Obligation, Retention Limitation Obligation, Transfer Limitation Obligation, and the Data Breach Notification Obligation.

25.2 Your Rights

You have the right to access and correct your personal data, to withdraw consent, and to be informed of the purposes of collection. To exercise these rights, email tulsiprivateltd@gmail.com.

25.3 Regulatory Authority

The Personal Data Protection Commission (PDPC) is Singapore's data protection authority. Website: pdpc.gov.sg

26. Regional Privacy Rights — South Africa

Summary: South African users are protected by the Protection of Personal Information Act 2013 (POPIA), regulated by the Information Regulator.

If you are located in South Africa, the processing of your personal information is governed by the Protection of Personal Information Act 4 of 2013 (POPIA), which became fully enforceable on 1 July 2021.

26.1 The Eight Conditions for Lawful Processing

We comply with the eight conditions under POPIA: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.

26.2 Your Rights as a Data Subject

You have the right to be notified that your data is being collected, to access your personal information, to request correction or deletion, to object to processing, and to lodge a complaint. Requests may be sent to tulsiprivateltd@gmail.com.

26.3 Regulatory Authority

The Information Regulator (South Africa) oversees POPIA. PO Box 31533, Braamfontein, Johannesburg, 2017. Website: inforegulator.org.za

27. Regional Privacy Rights — Sri Lanka

රහස්‍යතා ප්‍රතිපත්තිය (SI) • தனியுரிமைக் கொள்கை (TA)

Summary: Sri Lankan users are protected by the Personal Data Protection Act No. 9 of 2022, the first comprehensive data protection law in Sri Lanka.

If you are located in Sri Lanka, the processing of your personal data is governed by the Personal Data Protection Act No. 9 of 2022 (PDPA), which is being implemented in phases.

27.1 Your Rights

Under the Sri Lanka PDPA, you have the right to access your personal data, the right to rectification, the right to erasure, the right to withdraw consent, the right to object to processing, and the right to request that processing be restricted.

27.2 Regulatory Authority

The Data Protection Authority of Sri Lanka, established under the Act, is the competent regulator. Complaints may be made to the Authority in accordance with the PDPA.

28. Regional Privacy Rights — Bangladesh

Summary: Bangladesh does not yet have a comprehensive data protection law. We apply protections derived from constitutional privacy rights and the ICT and Digital Security frameworks.

If you are located in Bangladesh, please note that, as of the effective date of this Policy, Bangladesh does not have a single comprehensive personal data protection statute in force (a draft Personal Data Protection Act has been under consideration). Privacy is currently protected through the Constitution of Bangladesh (Article 43), the Information and Communication Technology Act, 2006, and the Digital Security Act, 2018.

28.1 Our Commitment

In the absence of a comprehensive law, we voluntarily extend the core protections in this Policy to users in Bangladesh, including lawful processing, security safeguards, and the right to access, correct, and delete your data by contacting tulsiprivateltd@gmail.com.

29. Regional Privacy Rights — Nepal

Summary: Nepali users are protected by the Privacy Act, 2018 (2075) and the Individual Privacy Regulation, 2020.

If you are located in Nepal, the processing of your personal data is governed by the Privacy Act, 2018 (Ain 2075) and the Individual Privacy Regulation, 2020 (2077), together with privacy protections under Article 28 of the Constitution of Nepal.

29.1 Your Rights

Under the Privacy Act, 2018, your personal data may only be collected and processed with your consent. You have the right to be informed about the collection and use of your personal data, the right to access your data, and the right to request correction. We obtain your consent before collecting and processing your personal information.

29.2 Our Commitment

We process personal data of Nepali users lawfully and only for the purposes described in this Policy. To exercise your rights, contact tulsiprivateltd@gmail.com.

30. Children's Privacy

Summary: ArthaNote is a business tool intended for adults. We do not knowingly collect data from children under 13 (or the higher minimum age in your country). Special protections apply for minors in certain jurisdictions, including Japan.

ArthaNote is a business and accounting application intended for use by business owners, shopkeepers, and their authorized staff. It is not directed at children.

30.1 Minimum Age

You must be at least 13 years of age to use ArthaNote. In jurisdictions where a higher minimum age of digital consent applies, that higher age governs. Under the EU GDPR (Article 8), the age of consent for information society services ranges from 13 to 16 depending on the Member State (for example, 16 in Germany and the Netherlands, 15 in France, 14 in Italy and Spain, 13 in Belgium). Under the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13.

30.2 No Knowing Collection

We do not knowingly collect personal data from children below the applicable minimum age. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe a child has provided us personal data, contact tulsiprivateltd@gmail.com.

30.3 Japan — Minors' Cancellation Rights

For users in Japan, we note that under the Civil Code of Japan, the cancellation (rescission) rights of minors are broadly protected. Any contract (including a Pro subscription) entered into by a minor without the consent of their legal representative may be cancellable in accordance with Japanese law. We encourage parents and guardians to supervise minors' use of the app and any in-app purchases. In-app purchases are processed through Google Play Billing, which provides parental controls and purchase-approval mechanisms.

31. Cookies, Local Storage, and Tracking

Summary: The app uses local storage and a service worker to work offline and cache your data. We do not use advertising cookies or third-party tracking for ads.

ArthaNote uses the following storage and caching technologies:

We do not use advertising cookies, cross-site tracking, or third-party advertising networks. ArthaNote contains no advertisements.

32. Changes to This Policy

Summary: We may update this Policy from time to time. We will post the updated version and, for material changes, notify you in the app or by email.

We may revise this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this Policy. For material changes, we will provide a prominent notice within the app or by email to your registered address before the changes take effect. Your continued use of ArthaNote after the effective date constitutes acceptance of the revised Policy.

33. Contact Information

Summary: For any privacy question or to exercise your rights, email tulsiprivateltd@gmail.com. We respond within 30 days.

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact:

ItemDetails
Data Controller / Data FiduciaryTulsi Groups
ApplicationArthaNote (Artha Note)
Emailtulsiprivateltd@gmail.com
Country of EstablishmentTamil Nadu, India
Response TimeWithin 30 days of a verified request
Grievance Officer (India, DPDP Act)Tulsi Groups, tulsiprivateltd@gmail.com

When contacting us about a privacy right, please include a clear subject line (for example, "Data Access Request") and the email address associated with your ArthaNote account so we can verify your identity.

Glossary of Key Terms

Summary: Plain-language definitions of the legal and technical terms used throughout this Policy.

Personal Data / Personal Information: Any information relating to an identified or identifiable natural person, such as a name, email address, phone number, or device identifier.

Data Controller / Data Fiduciary: The person who, alone or jointly with others, determines the purposes and means of processing personal data. For ArthaNote, this is Tulsi Groups.

Data Processor: A person or entity that processes personal data on behalf of the controller. For ArthaNote, Google (Firebase/Cloud) acts as a processor.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, alteration, or deletion.

Data Subject / Data Principal / Consumer: The individual to whom the personal data relates and who holds the privacy rights described in this Policy.

Consent: A freely given, specific, informed, and unambiguous indication of a data subject's agreement to the processing of their personal data.

GDPR: The General Data Protection Regulation (Regulation (EU) 2016/679), the EU's comprehensive data protection law.

Supervisory Authority / Data Protection Authority (DPA): The independent public authority responsible for monitoring the application of data protection law in a given country.

Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Retention Period: The length of time we keep personal data before deleting or anonymizing it.

Standard Contractual Clauses (SCCs): Pre-approved contractual terms adopted by the European Commission to safeguard personal data transferred outside the EEA.

Pseudonymization / Encryption: Technical measures that protect personal data by transforming it so it cannot be read or attributed to a person without additional information or a decryption key.

Legal References Annex

Summary: A consolidated list of every law and regulation referenced in this Policy, by jurisdiction.

JurisdictionLegal Instrument
European Union / EEARegulation (EU) 2016/679 (General Data Protection Regulation, GDPR)
AustriaDatenschutzgesetz (DSG)
FinlandTietosuojalaki (1050/2018)
FranceLoi n° 78-17 (Loi Informatique et Libertés)
GermanyBundesdatenschutzgesetz (BDSG)
IrelandData Protection Act 2018
ItalyD.Lgs. 196/2003 as amended by D.Lgs. 101/2018
NetherlandsUitvoeringswet AVG (UAVG)
PortugalLei n.º 58/2019
SpainLey Orgánica 3/2018 (LOPDGDD)
United KingdomUK GDPR; Data Protection Act 2018
AustraliaPrivacy Act 1988 (Cth); Australian Privacy Principles
CanadaPIPEDA (S.C. 2000, c. 5); Quebec Law 25; BC PIPA; Alberta PIPA
United StatesCCPA/CPRA (California); VCDPA (Virginia); CPA (Colorado); CTDPA (Connecticut); COPPA
IndiaDigital Personal Data Protection Act, 2023; Information Technology Act, 2000
United Arab EmiratesFederal Decree-Law No. 45 of 2021; DIFC Law No. 5 of 2020; ADGM DP Regulations 2021
Saudi ArabiaPersonal Data Protection Law (Royal Decree M/19 of 2021)
BahrainPersonal Data Protection Law, Law No. 30 of 2018
KuwaitCITRA Data Privacy Protection Regulation (No. 26 of 2024); Law No. 20 of 2014
OmanPersonal Data Protection Law (Royal Decree No. 6/2022); Royal Decree No. 69/2008
MalaysiaPersonal Data Protection Act 2010 (Act 709)
SingaporePersonal Data Protection Act 2012 (No. 26 of 2012)
South AfricaProtection of Personal Information Act 4 of 2013 (POPIA)
Sri LankaPersonal Data Protection Act No. 9 of 2022
BangladeshDigital Security Act 2018; ICT Act 2006; Constitution (Art. 43)
NepalPrivacy Act, 2018 (2075); Individual Privacy Regulation, 2020
JapanCivil Code of Japan (minors' capacity); Act on the Protection of Personal Information (APPI)

Disclaimer

Summary: We are not liable for personal information you share with us beyond what is required for registration. Contact our Grievance Officer for any privacy concerns.

In case any personal information is shared by you with us, which is not requested by us during registration (whether mandatory or optional), we will not be liable for any information security breach or disclosure in relation to such information. If you have any questions regarding this Policy or the protection of your personal information, please contact our data protection officer/grievance officer at tulsiprivateltd@gmail.com.

Reference

This Privacy Policy has been drafted with reference to industry-standard privacy policies and adapted to reflect ArthaNote's specific data processing activities and applicable legal requirements.


— End of ArthaNote Privacy Policy —
ArthaNote Privacy Policy | Version 1.0 | Effective June 22, 2026
© 2026 ArthaNote. All rights reserved.