Datenschutzerklärung (DE) • Politique de confidentialité (FR) • தனியுரிமைக் கொள்கை (TA) • गोपनीयता नीति (HI)
In plain English: ArthaNote is a business ledger app for small retailers. We collect the minimum data needed to run the app — your email to log in, and the business records you enter (sales, expenses, customers, staff). We do not sell your data. We do not serve ads. Your financial records are encrypted in Google's cloud. You can delete your account and all your data at any time.
Welcome to ArthaNote (also referred to as "Artha Note"), a digital business ledger and accounting application designed to help small retailers, shopkeepers, and micro-entrepreneurs manage their daily sales, expenses, customer credit, supplier payments, staff attendance, and financial reports — all from a single mobile application.
This Privacy Policy ("Policy") is issued by Tulsi Groups ("Developer," "we," "us," or "our"), the individual developer and data controller responsible for the ArthaNote application. This Policy explains:
We are committed to protecting your privacy and handling your personal data in a transparent, lawful, and responsible manner. We believe that privacy is a fundamental right, and we have designed ArthaNote with data minimization and security as core principles.
This Policy applies to all users of the ArthaNote application on Android (Google Play Store) and any associated web interfaces or progressive web application (PWA) versions of the service.
By creating an account and using ArthaNote, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, please do not use the application.
This Policy is written primarily in English. Where local regulations require notice in a local language, key headings are provided in the relevant language as indicated throughout this document.
Effective Date: June 22, 2026
Version: 1.0
Last Updated: June 22, 2026
Summary: ArthaNote is a digital ledger app for small businesses. It replaces paper account books with a secure, cloud-synced mobile app. Available on Android, supporting English, Tamil, and Hindi.
ArthaNote is a comprehensive digital business management and accounting application developed specifically for small retailers, traders, shop owners, and micro-enterprises. The name "Artha" (अर्थ) means "wealth" or "money" in Sanskrit, reflecting the app's purpose of helping users manage their finances effectively.
ArthaNote digitizes the traditional paper-based "khata" (account book) used by millions of small retailers across South Asia and beyond. It provides a secure, cloud-backed, mobile-first solution to record and manage:
ArthaNote is available as an Android application distributed through the Google Play Store. The application also functions as a Progressive Web Application (PWA) accessible via web browsers. The app supports three languages: English, Tamil (தமிழ்), and Hindi (हिंदी), making it accessible to users across India and the South Asian diaspora worldwide.
ArthaNote offers a free tier with basic features (one shop, standard ledger functions) and a Pro subscription at ₹199 per month, processed through Google Play Billing. Pro features include unlimited shops, OCR receipt scanning, full MIS reports, and priority support.
ArthaNote is developed and maintained by Tulsi Groups, an independent software developer based in Tamil Nadu, India. The developer is the sole data controller for personal data processed through ArthaNote.
Summary: This Policy covers all data collected through the ArthaNote Android app and PWA. It applies to users in all 36 countries where ArthaNote is available on Google Play.
This Privacy Policy covers all personal data processing activities associated with:
ArthaNote is available in the following 36 countries on the Google Play Store. This Policy specifically addresses the privacy rights of users in each of these jurisdictions:
| Region | Countries |
|---|---|
| European Union / EEA | Austria, Belgium, Bulgaria, Croatia, Cyprus, Estonia, Finland, France, Germany, Greece, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Portugal, Slovakia, Slovenia, Spain |
| United Kingdom | United Kingdom |
| Asia-Pacific | Australia, Bangladesh, India, Malaysia, Nepal, Singapore, Sri Lanka |
| GCC / Middle East | Bahrain, Kuwait, Oman, Saudi Arabia, United Arab Emirates |
| Africa | South Africa |
| North America | Canada, United States |
This Policy does not apply to:
Summary: Tulsi Groups is the data controller for ArthaNote. For your business's customer data stored in ArthaNote, you (the business owner) are the controller and ArthaNote is the processor.
For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent legislation worldwide, the data controller for personal data collected through ArthaNote is:
| Detail | Information |
|---|---|
| Controller Name | Tulsi Groups |
| Role | Individual Developer / App Owner |
| Email Address | tulsiprivateltd@gmail.com |
| App Name | ArthaNote (Artha Note) |
| Country of Establishment | India |
| Google Play Developer Account | ArthaNote Developer |
ArthaNote operates in two distinct capacities with respect to personal data:
As Data Controller: We determine the purposes and means of processing personal data relating to your user account, authentication credentials, and app usage. This includes your email address, display name, and device information.
As Data Processor: When you enter data about your customers (names, phone numbers, credit balances), your staff (names, attendance records), or your suppliers into ArthaNote, you are acting as the data controller for that third-party personal data. We process that data on your behalf, according to your instructions, to provide the ArthaNote service. You are responsible for ensuring you have a lawful basis to collect and store that data, and for notifying your customers and staff about its use.
As an individual developer without large-scale systematic processing of sensitive data, a formally designated Data Protection Officer is not required under applicable law. However, all data protection queries are handled personally by the developer at tulsiprivateltd@gmail.com with a commitment to respond within 30 days.
For users in the European Union and European Economic Area, the developer does not currently maintain a formal Article 27 GDPR representative given the limited scale of processing. EU/EEA users may contact the developer directly at tulsiprivateltd@gmail.com for all data protection matters. If you are an EU/EEA supervisory authority, you may contact the Irish Data Protection Commission (the lead supervisory authority for Google/Firebase) as the relevant authority for our cloud infrastructure provider.
Summary: We collect your email and name for login, and the business records you enter (transactions, customer names, staff names). We use your camera only for QR scanning — no photos are stored. We do not collect your location.
When you create an ArthaNote account, we collect:
| Data Type | Specific Data | Source | Required? |
|---|---|---|---|
| Email Address | Your email address used to create or sign in to your account | You enter it, or obtained from Google OAuth consent | Yes — required for authentication |
| Display Name | Your name as you provide it, or your Google account name | You enter it or obtained from Google OAuth | No — optional but recommended |
| User ID (UID) | A unique identifier assigned by Firebase Authentication | Automatically generated by Firebase | Yes — system requirement |
| Authentication Method | Whether you signed in via email/password or Google OAuth | Automatically recorded by Firebase Auth | Yes — system requirement |
When you set up ArthaNote for your business, we collect:
| Data Type | Specific Data | Purpose |
|---|---|---|
| Shop Name(s) | Name(s) of your shop or business outlet(s) | Identify transactions per location |
| Business Type | Category (e.g., grocery, vegetables, textile, hardware, jewellery, medical, bakery, hotel, tea shop, finance/chit) | Customize app experience and reporting |
| GST Number | Your Goods and Services Tax registration number (optional) | For invoice generation and compliance |
| GST Settings | Whether GST is enabled and GST rate | Accurate financial calculations |
The core data you enter into ArthaNote consists of your business financial records:
| Data Type | Specific Data | Purpose |
|---|---|---|
| Sales Transactions | Date, amount, description, shop, category | Daily revenue tracking |
| Expense Records | Date, amount, description, type, shop | Business expense tracking |
| Customer Credit Entries | Customer name (may be a personal name), phone number, credit amount, payment history | Customer ledger management |
| Supplier Records | Supplier business name, contact details, payment records, outstanding bills | Accounts payable management |
| Payment Records | Amounts paid/received, dates, payment methods | Cash flow management |
If you use the staff management feature, you may enter:
Important: Your staff members whose data you enter into ArthaNote are data subjects. As their employer and the data controller for their personal data, you are responsible for informing them about how their data is used in ArthaNote.
If you use the Finance and Chit Fund module, we collect:
| Data Type | Specific Data | Purpose |
|---|---|---|
| Firebase Device Token | A device-specific token generated by Firebase | Crash reporting and app diagnostics |
| App Version | Version number of ArthaNote installed | Compatibility and support |
| Operating System | Android version | App compatibility |
| Network Status | Whether the device is online or offline | Offline queue management and sync |
ArthaNote requests permission to access your device camera. Camera access is used solely for QR code scanning to record staff attendance. The camera is activated only when you explicitly open the QR scan feature. No photographs, videos, or images are captured, stored, or transmitted by ArthaNote. The camera feed is processed locally on your device in real time to detect QR codes only.
ArthaNote explicitly does not collect the following:
Pro users may use the OCR (Optical Character Recognition) scanning feature to convert handwritten ledger pages into digital entries. When this feature is used:
Summary: We use your data to run the app, keep your records secure, process your subscription, and improve the service. We do not use your financial records for advertising, profiling, or any purpose other than providing ArthaNote to you.
The primary use of your data is to operate and provide the ArthaNote application. Specifically:
Note: All payment processing is handled by Google Play Billing. We receive only confirmation of subscription status — not your payment card details or billing address.
We explicitly confirm that we do not:
Summary: For EU/EEA users, every processing activity has a specific GDPR legal basis. For most data, our basis is contractual necessity (you need us to store your records to use the app). For security and legal compliance we rely on legitimate interests and legal obligation.
For users in the European Union, European Economic Area, United Kingdom, and other jurisdictions with similar requirements, we rely on the following legal bases for processing your personal data under Article 6 of the GDPR (and equivalent provisions):
| Processing Activity | Legal Basis (GDPR Art. 6) | Explanation |
|---|---|---|
| Account creation and authentication (email, UID, display name) | Art. 6(1)(b) — Contract | Processing is necessary to perform the contract (Terms of Service) — you cannot use ArthaNote without an account |
| Storing financial transactions, expenses, customer data, supplier data | Art. 6(1)(b) — Contract | The core service you contracted for is digital ledger storage — this processing is essential to deliver the service |
| Staff names, roles, and attendance records | Art. 6(1)(b) — Contract | Staff management is a contracted feature; additionally Art. 6(1)(f) — Legitimate Interest of you (the business owner) in managing staff |
| Subscription status verification | Art. 6(1)(b) — Contract | Necessary to provide Pro features you have paid for |
| Crash reports and diagnostics | Art. 6(1)(f) — Legitimate Interest | Our legitimate interest in maintaining a secure, functional service; minimal data, no tracking |
| Customer support communications | Art. 6(1)(f) — Legitimate Interest / Art. 6(1)(b) — Contract | Legitimate interest in responding to users; also contractual where support is part of the service |
| Legal compliance (e.g., responding to court orders) | Art. 6(1)(c) — Legal Obligation | Required by applicable law |
| Data retention for tax/legal compliance (7 years) | Art. 6(1)(c) — Legal Obligation | Indian tax laws (GST Act, Income Tax Act) and other applicable laws require financial records to be retained |
| OCR image processing (Pro feature) | Art. 6(1)(b) — Contract / Art. 6(1)(a) — Consent | You actively initiate OCR scanning; implied consent through use of the feature, and necessary for Pro service delivery |
ArthaNote does not intentionally collect special category data as defined under GDPR Article 9 (health data, racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, etc.). If you choose to enter descriptive notes in transaction fields that incidentally contain such information, this is entirely at your discretion and we process it solely under Article 6(1)(b) as part of the ledger entry you have created.
Where we rely on legitimate interests (Art. 6(1)(f)), we have considered the following factors:
Summary: We share data only with Google (Firebase for infrastructure, Play Billing for subscriptions). We do not share your data with any other third party except as required by law. We never sell data.
ArthaNote is built on Google Firebase, a platform provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The following Firebase services process your data:
| Firebase Service | Data Processed | Purpose |
|---|---|---|
| Firebase Authentication | Email address, display name, UID, sign-in method, sign-in timestamps | User account creation and authentication |
| Cloud Firestore | All business data you store in ArthaNote (transactions, customers, staff, suppliers, config) | Cloud database — stores and syncs all app data |
| Firebase Analytics | Anonymized app usage events, device type, OS version, app version | Understanding feature usage to improve the app |
| Firebase Crashlytics | Device token, crash stack traces, app version, OS version | Identifying and fixing crashes and bugs |
Google Firebase processes data under Google's Privacy Policy (available at https://policies.google.com/privacy) and Google's Cloud Data Processing Addendum. Data is processed according to Google's Data Processing Terms, which include Standard Contractual Clauses for international transfers.
Pro subscription payments are processed by Google Play Billing. When you subscribe to ArthaNote Pro:
The OCR scanning feature (Pro, optional) may transmit images to:
These APIs are used only when you actively initiate a scan. Images are transmitted to the API and the text response is returned; images are not retained by these providers beyond the API request lifecycle. Your API keys are stored locally on your device and are not shared with us.
We may disclose your personal data to government authorities, courts, law enforcement agencies, or regulators when:
We will notify you of such requests to the extent permitted by law.
If the ArthaNote business, application, or substantially all assets are transferred to another developer or entity through a merger, acquisition, or asset sale, your personal data may be part of the transferred assets. We will notify you by email and/or prominent notice within the app before your data becomes subject to a different privacy policy.
We do not share your personal data with:
Summary: Because we use Google Firebase (based in the USA), your data may be stored and processed in the United States and other countries. Google provides GDPR-compliant safeguards for these transfers through Standard Contractual Clauses.
ArthaNote is developed in India and uses Google Firebase infrastructure, which operates globally. When you use ArthaNote, your personal data may be transferred to, stored in, and processed in countries other than your country of residence. These transfers occur when your data is stored in Google's Cloud Firestore database, which may be hosted in data centers located in the United States, the European Union, or other regions depending on Firebase's global infrastructure.
For users in the European Union, European Economic Area, and the United Kingdom, transfers to Google (USA) are protected by the following safeguards:
For users in countries other than the EU/EEA and UK, your data is transferred to the United States (Google servers) where applicable data protection laws may differ from your country. We rely on Google's data processing terms and security measures as our safeguards. Users in countries with specific transfer requirements should refer to the relevant country section in this Policy.
You may request a copy of the safeguards we have in place for international data transfers by contacting us at tulsiprivateltd@gmail.com. We will provide this information within 30 days of your request.
Summary: We keep your data for as long as you use ArthaNote, plus legally required periods. Financial records are kept for 7 years (tax compliance). When you delete your account, your personal data is deleted within 30 days except where legal retention is required.
We retain personal data for no longer than is necessary for the purposes for which it was collected, consistent with our legal obligations. Our retention approach is based on:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (email, display name, UID) | Duration of account + 30 days after deletion | Required for service operation; 30-day grace period for account recovery |
| Financial transactions (sales, expenses, payments) | 7 years from the date of the transaction | Indian Income Tax Act 1961, GST Act 2017 require financial records to be maintained for 6-7 years; we retain for 7 years to cover maximum requirement across jurisdictions |
| Customer credit records | 7 years or until you delete the record | Same legal compliance as financial records |
| Supplier bills and payment records | 7 years from transaction date | Tax compliance and audit requirements |
| Staff data and attendance records | 3 years after employee leaves or you delete the record | Employment law compliance (India: 3 years under various statutes) |
| Chit fund records | 7 years from chit group closure | Financial compliance |
| Support communications (emails) | 3 years | Dispute resolution and service improvement |
| Crash reports and diagnostic data | 90 days | Firebase Crashlytics default retention; sufficient for bug resolution |
| Analytics data (aggregated) | 14 months | Firebase Analytics default retention |
| App usage logs | 90 days | Troubleshooting and security |
When you delete your ArthaNote account:
You can delete individual transaction records, customer entries, or staff records at any time from within the app. You can request deletion of your entire account and all associated data by emailing tulsiprivateltd@gmail.com (see Section 12 and Section 33). Note that legally required financial records may be retained in accordance with Section 10.2 even after account deletion.
Summary: Your data is encrypted in transit (HTTPS/TLS) and at rest (Google Firebase encryption). Access is controlled by Firebase Security Rules so only you can read your data. We follow security best practices for a mobile application.
We implement the following technical security measures to protect your personal data:
Our Firestore database is protected by security rules that enforce:
Google Firebase maintains extensive security certifications and programs:
While we implement robust security measures, no system is completely immune to security breaches. You should also take steps to protect your account by:
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
Summary: Regardless of your country, you have the right to access, correct, and delete your personal data. You can do most of this yourself within the app. For formal requests, email tulsiprivateltd@gmail.com and we will respond within 30 days.
Regardless of where you are located, we respect the following general privacy rights. Country-specific rights with stronger protections are described in Sections 13–29.
You have the right to know what personal data we hold about you. You can:
If your personal data is inaccurate or incomplete, you can:
You can request deletion of your personal data:
You have the right to receive your personal data in a structured, machine-readable format:
You may request that we restrict processing of your data (continue storing it but not actively use it) in certain circumstances, such as while a dispute about accuracy is being resolved. Email tulsiprivateltd@gmail.com to make such a request.
Where we rely on legitimate interests (Section 7) as a legal basis for processing, you have the right to object. We will stop that specific processing unless we can demonstrate compelling legitimate grounds. Email tulsiprivateltd@gmail.com with subject "Processing Objection — [Your Email]".
Where processing is based on your consent (e.g., OCR feature usage), you can withdraw consent at any time by discontinuing use of the relevant feature. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
| Step | Timeline | Action |
|---|---|---|
| 1. Submit request | Any time | Email tulsiprivateltd@gmail.com with clear subject line |
| 2. Identity verification | Within 5 days | We may ask you to verify your identity to protect against unauthorized requests |
| 3. Acknowledgment | Within 7 days | We confirm receipt of your request |
| 4. Response | Within 30 days | We fulfill the request or explain why it cannot be fulfilled |
| 5. Extension | Up to 60 additional days | For complex requests, we may extend by 30–60 days and will notify you |
We do not charge fees for processing privacy rights requests. If a request is manifestly unfounded or excessive (e.g., repetitive requests within a short period), we may charge a reasonable fee or refuse to act — but we will explain our decision.
If you are not satisfied with our response to a privacy request, you have the right to lodge a complaint with your local data protection authority. Specific contact details for supervisory authorities are provided in Sections 13–29 for each supported country.
Datenschutzerklärung (DE) • Politique de confidentialité (FR) • Política de Privacidad (ES) • Informativa sulla Privacy (IT) • Política de Privacidade (PT) • Privacybeleid (NL) • Πολιτική Απορρήτου (EL)
Summary: If you are in the European Union or European Economic Area, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) gives you strong, enforceable rights over your personal data. This section explains those rights and lists the data protection authority (DPA) for each of the 22 EU/EEA countries where ArthaNote is available.
This Section applies to all users located in the European Union (EU) and the European Economic Area (EEA). The processing of your personal data is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR"), together with the national data protection laws of each Member State that supplement the GDPR.
The data controller is Tulsi Groups (contact: tulsiprivateltd@gmail.com), established in India. As an individual developer offering the app to EU users, we process personal data in accordance with Article 3(2) GDPR (extraterritorial scope). Where required under Article 27 GDPR, EU users may direct all data protection enquiries to the contact email above, and we will respond in accordance with GDPR timelines.
We process your personal data only where we have a lawful basis under Article 6(1) GDPR:
| Processing Activity | Legal Basis (Article 6 GDPR) |
|---|---|
| Creating and maintaining your account | Art. 6(1)(b) — performance of a contract |
| Storing your ledger, customer, and business records | Art. 6(1)(b) — performance of a contract |
| Processing Pro subscription payments | Art. 6(1)(b) — performance of a contract |
| Retaining financial records for tax/legal compliance | Art. 6(1)(c) — legal obligation |
| Security monitoring and fraud prevention | Art. 6(1)(f) — legitimate interests |
| Optional OCR receipt-scanning feature | Art. 6(1)(a) — consent |
| Crash reporting and app stability analytics | Art. 6(1)(f) — legitimate interests |
As a data subject in the EU/EEA, you have the following rights, which you may exercise at any time by emailing tulsiprivateltd@gmail.com:
Your data is stored on Google Firebase/Google Cloud infrastructure, which may process data outside the EEA (including in the United States). Such transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) incorporated into Google's Data Processing Addendum, and, where applicable, the EU–U.S. Data Privacy Framework. See Section 9 for details.
You may lodge a complaint with the supervisory authority in your Member State:
🇦🇹 Austria — Österreichische Datenschutzbehörde (DSB), Vienna. National law: Datenschutzgesetz (DSG). Website: dsb.gv.at
🇧🇪 Belgium — Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA), Brussels. Website: autoriteprotectiondonnees.be
🇧🇬 Bulgaria — Commission for Personal Data Protection (CPDP), Sofia. Website: cpdp.bg
🇭🇷 Croatia — Croatian Personal Data Protection Agency (AZOP), Zagreb. Website: azop.hr
🇨🇾 Cyprus — Office of the Commissioner for Personal Data Protection, Nicosia. Website: dataprotection.gov.cy
🇪🇪 Estonia — Estonian Data Protection Inspectorate (AKI), Tallinn. National law: Personal Data Protection Act (Isikuandmete kaitse seadus). Website: aki.ee
🇫🇮 Finland — Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Helsinki. National law: Tietosuojalaki (1050/2018). Website: tietosuoja.fi
🇫🇷 France — Commission Nationale de l'Informatique et des Libertés (CNIL), Paris. National law: Loi Informatique et Libertés (Loi n° 78-17). Website: cnil.fr
🇩🇪 Germany — Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) and the state (Land) authorities. National law: Bundesdatenschutzgesetz (BDSG). Website: bfdi.bund.de
🇬🇷 Greece — Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων), Athens. Website: dpa.gr
🇮🇪 Ireland — Data Protection Commission (DPC), Dublin. National law: Data Protection Act 2018. Website: dataprotection.ie
🇮🇹 Italy — Garante per la protezione dei dati personali, Rome. National law: Codice in materia di protezione dei dati personali (D.Lgs. 196/2003 as amended by D.Lgs. 101/2018). Website: garanteprivacy.it
🇱🇻 Latvia — Data State Inspectorate (Datu valsts inspekcija), Riga. Website: dvi.gov.lv
🇱🇹 Lithuania — State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija), Vilnius. Website: vdai.lrv.lt
🇱🇺 Luxembourg — Commission nationale pour la protection des données (CNPD). Website: cnpd.public.lu
🇲🇹 Malta — Office of the Information and Data Protection Commissioner (IDPC). Website: idpc.org.mt
🇳🇱 Netherlands — Autoriteit Persoonsgegevens (AP), The Hague. National law: Uitvoeringswet AVG (UAVG). Website: autoriteitpersoonsgegevens.nl
🇵🇹 Portugal — Comissão Nacional de Proteção de Dados (CNPD), Lisbon. National law: Lei n.º 58/2019. Website: cnpd.pt
🇸🇰 Slovakia — Office for Personal Data Protection (Úrad na ochranu osobných údajov), Bratislava. Website: dataprotection.gov.sk
🇸🇮 Slovenia — Information Commissioner (Informacijski pooblaščenec), Ljubljana. Website: ip-rs.si
🇪🇸 Spain — Agencia Española de Protección de Datos (AEPD), Madrid. National law: Ley Orgánica 3/2018 (LOPDGDD). Website: aepd.es
🇮🇹 Italy (GDPR supplement) — In addition to the Garante, Italian users benefit from supplementary provisions of D.Lgs. 101/2018 concerning the minimum age of consent (14 years) for information society services under Article 8 GDPR.
Legal references: Regulation (EU) 2016/679 (GDPR); national implementing acts as cited above.
Summary: UK users are protected by the UK GDPR and the Data Protection Act 2018. Your rights mirror the EU GDPR. The regulator is the Information Commissioner's Office (ICO).
If you are located in the United Kingdom, your personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Following the United Kingdom's withdrawal from the European Union, the GDPR was retained in domestic law as the UK GDPR.
You have the same rights as described in Section 13.3, including the right of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. The legal bases for processing correspond to Article 6 of the UK GDPR.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Helpline: 0303 123 1113. Website: ico.org.uk
Transfers of UK personal data outside the UK rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as incorporated into Google's data processing terms.
Legal references: UK GDPR; Data Protection Act 2018; The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
Summary: Australian users are protected by the Privacy Act 1988 and the 13 Australian Privacy Principles (APPs). The regulator is the Office of the Australian Information Commissioner (OAIC).
If you are located in Australia, our handling of your personal information is governed by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) set out in Schedule 1 of that Act.
We comply with all applicable APPs, including: APP 1 (open and transparent management of personal information), APP 3 (collection of solicited personal information), APP 5 (notification of collection), APP 6 (use and disclosure), APP 8 (cross-border disclosure), APP 10 (data quality), APP 11 (security of personal information), APP 12 (access), and APP 13 (correction).
Your personal information is stored on Google Cloud infrastructure that may be located outside Australia. We take reasonable steps to ensure overseas recipients handle your information consistently with the APPs.
If you believe we have breached the APPs, you may complain to us first at tulsiprivateltd@gmail.com. If unresolved, you may complain to the Office of the Australian Information Commissioner (OAIC), GPO Box 5288, Sydney NSW 2001. Phone: 1300 363 992. Website: oaic.gov.au
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. In the event of an eligible data breach likely to result in serious harm, we will notify affected individuals and the OAIC as required.
Legal references: Privacy Act 1988 (Cth); Australian Privacy Principles (Schedule 1); Notifiable Data Breaches scheme (Part IIIC).
Summary: Canadian users are protected by PIPEDA federally, and by provincial laws such as Quebec's Law 25. You have the right to access and correct your data and to withdraw consent.
If you are located in Canada, our handling of your personal information is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial legislation including Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information, formerly Bill 64), British Columbia's PIPA, and Alberta's PIPA.
We adhere to the ten principles in Schedule 1 of PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.
We obtain meaningful consent for the collection, use, and disclosure of your personal information. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting tulsiprivateltd@gmail.com.
For users in Quebec, we comply with the enhanced requirements of Law 25, including privacy-by-default, transparency about automated processing, and the right to data portability (effective from 2024).
You may complain to the Office of the Privacy Commissioner of Canada (OPC), 30 Victoria Street, Gatineau, Quebec, K1A 1H3. Phone: 1-800-282-1376. Website: priv.gc.ca. Quebec residents may also contact the Commission d'accès à l'information du Québec (CAI).
Legal references: PIPEDA (S.C. 2000, c. 5); Quebec Law 25; BC PIPA; Alberta PIPA.
Summary: U.S. users have rights under state privacy laws such as California's CCPA/CPRA, Virginia's VCDPA, Colorado's CPA, and Connecticut's CTDPA. We do not sell your personal information.
If you are located in the United States, your rights depend on your state of residence. The United States does not have a single comprehensive federal privacy law; instead, a growing number of states have enacted consumer privacy statutes.
Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the right to: (i) know what personal information is collected; (ii) access their personal information; (iii) request deletion; (iv) correct inaccurate information; (v) opt out of the sale or sharing of personal information; and (vi) limit the use of sensitive personal information. We do not sell or share your personal information as those terms are defined under the CPRA. We will not discriminate against you for exercising your rights.
Under the Virginia Consumer Data Protection Act (VCDPA), Virginia residents have rights to access, correct, delete, and obtain a portable copy of their data, and to opt out of targeted advertising and profiling.
Under the Colorado Privacy Act (CPA), Colorado residents have similar rights, including the right to opt out via a universal opt-out mechanism.
Under the Connecticut Data Privacy Act (CTDPA), Connecticut residents have rights to access, correct, delete, and port their data, and to opt out of targeted advertising, sale, and profiling.
Residents of other states with comprehensive privacy laws (including Utah, Texas, Oregon, Montana, and others as they come into effect) may have comparable rights. We honor verifiable consumer requests regardless of state.
Email tulsiprivateltd@gmail.com with the subject "U.S. Privacy Request — [Your State]". We will verify your identity and respond within 45 days (extendable by an additional 45 days where permitted).
Legal references: CCPA (Cal. Civ. Code § 1798.100 et seq.); CPRA; VCDPA; Colorado Privacy Act; Connecticut Data Privacy Act.
गोपनीयता नीति (HI) • தனியுரிமைக் கொள்கை (TA)
Summary: Indian users are protected by the Digital Personal Data Protection Act, 2023 (DPDP Act). You are a "Data Principal" with rights to access, correction, and erasure. We act as a "Data Fiduciary."
If you are located in India, the processing of your personal data is governed by the Digital Personal Data Protection Act, 2023 (DPDP Act), along with the Information Technology Act, 2000 and applicable rules. ArthaNote is developed in India and the majority of our users are based in India.
Under the DPDP Act, you are the Data Principal (the individual to whom the personal data relates), and Tulsi Groups is the Data Fiduciary (the person who determines the purpose and means of processing your personal data).
We process your personal data based on your consent, given through a clear affirmative action when you create an account and use the app. The notice provided at the point of collection describes the personal data being collected and the purpose of processing, consistent with Section 5 of the DPDP Act. You may withdraw consent at any time.
For any grievance regarding the processing of your personal data, contact our Grievance Officer at tulsiprivateltd@gmail.com. We will respond within the period prescribed under the DPDP Act. If unsatisfied, you may approach the Data Protection Board of India once it is constituted and operational.
Legal references: Digital Personal Data Protection Act, 2023; Information Technology Act, 2000; IT (Reasonable Security Practices) Rules, 2011.
سياسة الخصوصية (AR)
Summary: UAE users are protected by Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. You have rights to access, correct, and delete your data.
If you are located in the United Arab Emirates, the processing of your personal data is governed by Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the UAE PDPL), the first comprehensive federal data protection law in the UAE.
Under the UAE PDPL, you have the right to: request information about your processed data; request the transfer of your data; request correction or erasure; restrict or stop processing; and object to processing. Requests may be made to tulsiprivateltd@gmail.com.
The UAE Data Office is the federal authority responsible for the PDPL. Users in financial free zones (DIFC, ADGM) may be additionally protected by the DIFC Data Protection Law (DIFC Law No. 5 of 2020) or the ADGM Data Protection Regulations 2021 respectively.
Legal references: Federal Decree-Law No. 45 of 2021; DIFC Data Protection Law No. 5 of 2020; ADGM Data Protection Regulations 2021.
سياسة الخصوصية (AR)
Summary: Saudi users are protected by the Personal Data Protection Law (PDPL) issued by Royal Decree M/19 of 2021, regulated by SDAIA.
If you are located in the Kingdom of Saudi Arabia, the processing of your personal data is governed by the Personal Data Protection Law (PDPL), issued under Royal Decree No. M/19 of 9/2/1443H (2021), as amended, and its Implementing Regulations.
Under the Saudi PDPL, you have the right to be informed of the legal basis and purpose of collection; the right to access your personal data; the right to request a copy of your data; the right to correction; and the right to request destruction of your personal data.
The competent authority is the Saudi Data and Artificial Intelligence Authority (SDAIA). Complaints regarding the processing of personal data may be submitted to SDAIA in accordance with the PDPL.
Legal references: Personal Data Protection Law (Royal Decree M/19 of 2021) and its Implementing Regulations.
سياسة الخصوصية (AR)
Summary: Bahraini users are protected by the Personal Data Protection Law, Law No. 30 of 2018.
If you are located in the Kingdom of Bahrain, the processing of your personal data is governed by the Personal Data Protection Law, Law No. 30 of 2018 (Bahrain PDPL), which came into force in 2019.
Under the Bahrain PDPL, you have the right to be informed about processing; the right to access your data; the right to request correction, blocking, or erasure of data whose processing violates the law; and the right to object to processing for direct marketing purposes.
The competent authority is the Personal Data Protection Authority (PDPA) of Bahrain. You may submit complaints to the PDPA in accordance with the law.
Legal references: Personal Data Protection Law, Law No. 30 of 2018 (Bahrain).
سياسة الخصوصية (AR)
Summary: Kuwait does not yet have a single comprehensive data protection law. We apply protections derived from the CITRA Data Privacy Protection Regulation and general legal principles.
If you are located in Kuwait, please note that Kuwait does not currently have a single comprehensive personal data protection statute equivalent to the GDPR. However, data privacy is addressed through several instruments, including the Data Privacy Protection Regulation (No. 26 of 2024) issued by the Communication and Information Technology Regulatory Authority (CITRA), the Law No. 20 of 2014 on Electronic Transactions, and constitutional privacy protections.
In the absence of a comprehensive law, we voluntarily extend to Kuwaiti users the core protections described in this Policy: lawful and transparent processing, data minimization, security safeguards, and the ability to access, correct, and delete your data by contacting tulsiprivateltd@gmail.com.
The Communication and Information Technology Regulatory Authority (CITRA) oversees data privacy matters in Kuwait.
Legal references: CITRA Data Privacy Protection Regulation (No. 26 of 2024); Law No. 20 of 2014 on Electronic Transactions; Constitution of Kuwait (Article 39).
سياسة الخصوصية (AR)
Summary: Omani users are protected by the Personal Data Protection Law (Royal Decree No. 6/2022) and the Electronic Transactions Law.
If you are located in the Sultanate of Oman, the processing of your personal data is governed by the Personal Data Protection Law, issued by Royal Decree No. 6/2022, which came into effect in 2023, together with the Electronic Transactions Law (Royal Decree No. 69/2008).
Under the Oman PDPL, you have the right to be informed about the processing of your data, to access and obtain a copy of your data, to request correction or erasure, to withdraw consent, and to object to processing that causes harm.
The Ministry of Transport, Communications and Information Technology (MTCIT) is the competent authority for personal data protection in Oman.
Legal references: Personal Data Protection Law (Royal Decree No. 6/2022); Electronic Transactions Law (Royal Decree No. 69/2008).
Dasar Privasi (MS)
Summary: Malaysian users are protected by the Personal Data Protection Act 2010 (PDPA) and its seven principles, regulated by the Personal Data Protection Department (JPDP).
If you are located in Malaysia, the processing of your personal data is governed by the Personal Data Protection Act 2010 (PDPA) and its subsequent amendments.
We comply with the seven Personal Data Protection Principles under the Malaysian PDPA: (1) the General Principle, (2) the Notice and Choice Principle, (3) the Disclosure Principle, (4) the Security Principle, (5) the Retention Principle, (6) the Data Integrity Principle, and (7) the Access Principle.
You have the right to access and correct your personal data, to withdraw consent, to limit processing for direct marketing, and to be informed about how your data is handled. Requests may be sent to tulsiprivateltd@gmail.com.
The Personal Data Protection Department (Jabatan Perlindungan Data Peribadi, JPDP), under the Ministry of Digital, regulates the PDPA. Website: pdp.gov.my
Legal references: Personal Data Protection Act 2010 (Act 709), Malaysia; Personal Data Protection (Amendment) Act 2024.
Summary: Singapore users are protected by the Personal Data Protection Act 2012 (PDPA), regulated by the Personal Data Protection Commission (PDPC).
If you are located in Singapore, the processing of your personal data is governed by the Personal Data Protection Act 2012 (PDPA), as amended by the Personal Data Protection (Amendment) Act 2020.
We comply with the PDPA's main obligations, including the Consent Obligation, Purpose Limitation Obligation, Notification Obligation, Access and Correction Obligation, Accuracy Obligation, Protection Obligation, Retention Limitation Obligation, Transfer Limitation Obligation, and the Data Breach Notification Obligation.
You have the right to access and correct your personal data, to withdraw consent, and to be informed of the purposes of collection. To exercise these rights, email tulsiprivateltd@gmail.com.
The Personal Data Protection Commission (PDPC) is Singapore's data protection authority. Website: pdpc.gov.sg
Legal references: Personal Data Protection Act 2012 (No. 26 of 2012), Singapore; PDP (Amendment) Act 2020.
Summary: South African users are protected by the Protection of Personal Information Act 2013 (POPIA), regulated by the Information Regulator.
If you are located in South Africa, the processing of your personal information is governed by the Protection of Personal Information Act 4 of 2013 (POPIA), which became fully enforceable on 1 July 2021.
We comply with the eight conditions under POPIA: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.
You have the right to be notified that your data is being collected, to access your personal information, to request correction or deletion, to object to processing, and to lodge a complaint. Requests may be sent to tulsiprivateltd@gmail.com.
The Information Regulator (South Africa) oversees POPIA. PO Box 31533, Braamfontein, Johannesburg, 2017. Website: inforegulator.org.za
Legal references: Protection of Personal Information Act 4 of 2013 (POPIA), South Africa.
රහස්යතා ප්රතිපත්තිය (SI) • தனியுரிமைக் கொள்கை (TA)
Summary: Sri Lankan users are protected by the Personal Data Protection Act No. 9 of 2022, the first comprehensive data protection law in Sri Lanka.
If you are located in Sri Lanka, the processing of your personal data is governed by the Personal Data Protection Act No. 9 of 2022 (PDPA), which is being implemented in phases.
Under the Sri Lanka PDPA, you have the right to access your personal data, the right to rectification, the right to erasure, the right to withdraw consent, the right to object to processing, and the right to request that processing be restricted.
The Data Protection Authority of Sri Lanka, established under the Act, is the competent regulator. Complaints may be made to the Authority in accordance with the PDPA.
Legal references: Personal Data Protection Act No. 9 of 2022, Sri Lanka.
Summary: Bangladesh does not yet have a comprehensive data protection law. We apply protections derived from constitutional privacy rights and the ICT and Digital Security frameworks.
If you are located in Bangladesh, please note that, as of the effective date of this Policy, Bangladesh does not have a single comprehensive personal data protection statute in force (a draft Personal Data Protection Act has been under consideration). Privacy is currently protected through the Constitution of Bangladesh (Article 43), the Information and Communication Technology Act, 2006, and the Digital Security Act, 2018.
In the absence of a comprehensive law, we voluntarily extend the core protections in this Policy to users in Bangladesh, including lawful processing, security safeguards, and the right to access, correct, and delete your data by contacting tulsiprivateltd@gmail.com.
Legal references: Constitution of the People's Republic of Bangladesh (Article 43); ICT Act 2006; Digital Security Act 2018; draft Personal Data Protection Act.
Summary: Nepali users are protected by the Privacy Act, 2018 (2075) and the Individual Privacy Regulation, 2020.
If you are located in Nepal, the processing of your personal data is governed by the Privacy Act, 2018 (Ain 2075) and the Individual Privacy Regulation, 2020 (2077), together with privacy protections under Article 28 of the Constitution of Nepal.
Under the Privacy Act, 2018, your personal data may only be collected and processed with your consent. You have the right to be informed about the collection and use of your personal data, the right to access your data, and the right to request correction. We obtain your consent before collecting and processing your personal information.
We process personal data of Nepali users lawfully and only for the purposes described in this Policy. To exercise your rights, contact tulsiprivateltd@gmail.com.
Legal references: Privacy Act, 2018 (2075), Nepal; Individual Privacy Regulation, 2020 (2077); Constitution of Nepal (Article 28).
Summary: ArthaNote is a business tool intended for adults. We do not knowingly collect data from children under 13 (or the higher minimum age in your country). Special protections apply for minors in certain jurisdictions, including Japan.
ArthaNote is a business and accounting application intended for use by business owners, shopkeepers, and their authorized staff. It is not directed at children.
You must be at least 13 years of age to use ArthaNote. In jurisdictions where a higher minimum age of digital consent applies, that higher age governs. Under the EU GDPR (Article 8), the age of consent for information society services ranges from 13 to 16 depending on the Member State (for example, 16 in Germany and the Netherlands, 15 in France, 14 in Italy and Spain, 13 in Belgium). Under the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13.
We do not knowingly collect personal data from children below the applicable minimum age. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe a child has provided us personal data, contact tulsiprivateltd@gmail.com.
For users in Japan, we note that under the Civil Code of Japan, the cancellation (rescission) rights of minors are broadly protected. Any contract (including a Pro subscription) entered into by a minor without the consent of their legal representative may be cancellable in accordance with Japanese law. We encourage parents and guardians to supervise minors' use of the app and any in-app purchases. In-app purchases are processed through Google Play Billing, which provides parental controls and purchase-approval mechanisms.
Legal references: GDPR Article 8; COPPA (15 U.S.C. §§ 6501–6506); Civil Code of Japan (provisions on capacity of minors).
Summary: The app uses local storage and a service worker to work offline and cache your data. We do not use advertising cookies or third-party tracking for ads.
ArthaNote uses the following storage and caching technologies:
We do not use advertising cookies, cross-site tracking, or third-party advertising networks. ArthaNote contains no advertisements.
Summary: We may update this Policy from time to time. We will post the updated version and, for material changes, notify you in the app or by email.
We may revise this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this Policy. For material changes, we will provide a prominent notice within the app or by email to your registered address before the changes take effect. Your continued use of ArthaNote after the effective date constitutes acceptance of the revised Policy.
Summary: For any privacy question or to exercise your rights, email tulsiprivateltd@gmail.com. We respond within 30 days.
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact:
| Item | Details |
|---|---|
| Data Controller / Data Fiduciary | Tulsi Groups |
| Application | ArthaNote (Artha Note) |
| tulsiprivateltd@gmail.com | |
| Country of Establishment | Tamil Nadu, India |
| Response Time | Within 30 days of a verified request |
| Grievance Officer (India, DPDP Act) | Tulsi Groups, tulsiprivateltd@gmail.com |
When contacting us about a privacy right, please include a clear subject line (for example, "Data Access Request") and the email address associated with your ArthaNote account so we can verify your identity.
Summary: Plain-language definitions of the legal and technical terms used throughout this Policy.
Personal Data / Personal Information: Any information relating to an identified or identifiable natural person, such as a name, email address, phone number, or device identifier.
Data Controller / Data Fiduciary: The person who, alone or jointly with others, determines the purposes and means of processing personal data. For ArthaNote, this is Tulsi Groups.
Data Processor: A person or entity that processes personal data on behalf of the controller. For ArthaNote, Google (Firebase/Cloud) acts as a processor.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, alteration, or deletion.
Data Subject / Data Principal / Consumer: The individual to whom the personal data relates and who holds the privacy rights described in this Policy.
Consent: A freely given, specific, informed, and unambiguous indication of a data subject's agreement to the processing of their personal data.
GDPR: The General Data Protection Regulation (Regulation (EU) 2016/679), the EU's comprehensive data protection law.
Supervisory Authority / Data Protection Authority (DPA): The independent public authority responsible for monitoring the application of data protection law in a given country.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
Retention Period: The length of time we keep personal data before deleting or anonymizing it.
Standard Contractual Clauses (SCCs): Pre-approved contractual terms adopted by the European Commission to safeguard personal data transferred outside the EEA.
Pseudonymization / Encryption: Technical measures that protect personal data by transforming it so it cannot be read or attributed to a person without additional information or a decryption key.
Summary: A consolidated list of every law and regulation referenced in this Policy, by jurisdiction.
| Jurisdiction | Legal Instrument |
|---|---|
| European Union / EEA | Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) |
| Austria | Datenschutzgesetz (DSG) |
| Finland | Tietosuojalaki (1050/2018) |
| France | Loi n° 78-17 (Loi Informatique et Libertés) |
| Germany | Bundesdatenschutzgesetz (BDSG) |
| Ireland | Data Protection Act 2018 |
| Italy | D.Lgs. 196/2003 as amended by D.Lgs. 101/2018 |
| Netherlands | Uitvoeringswet AVG (UAVG) |
| Portugal | Lei n.º 58/2019 |
| Spain | Ley Orgánica 3/2018 (LOPDGDD) |
| United Kingdom | UK GDPR; Data Protection Act 2018 |
| Australia | Privacy Act 1988 (Cth); Australian Privacy Principles |
| Canada | PIPEDA (S.C. 2000, c. 5); Quebec Law 25; BC PIPA; Alberta PIPA |
| United States | CCPA/CPRA (California); VCDPA (Virginia); CPA (Colorado); CTDPA (Connecticut); COPPA |
| India | Digital Personal Data Protection Act, 2023; Information Technology Act, 2000 |
| United Arab Emirates | Federal Decree-Law No. 45 of 2021; DIFC Law No. 5 of 2020; ADGM DP Regulations 2021 |
| Saudi Arabia | Personal Data Protection Law (Royal Decree M/19 of 2021) |
| Bahrain | Personal Data Protection Law, Law No. 30 of 2018 |
| Kuwait | CITRA Data Privacy Protection Regulation (No. 26 of 2024); Law No. 20 of 2014 |
| Oman | Personal Data Protection Law (Royal Decree No. 6/2022); Royal Decree No. 69/2008 |
| Malaysia | Personal Data Protection Act 2010 (Act 709) |
| Singapore | Personal Data Protection Act 2012 (No. 26 of 2012) |
| South Africa | Protection of Personal Information Act 4 of 2013 (POPIA) |
| Sri Lanka | Personal Data Protection Act No. 9 of 2022 |
| Bangladesh | Digital Security Act 2018; ICT Act 2006; Constitution (Art. 43) |
| Nepal | Privacy Act, 2018 (2075); Individual Privacy Regulation, 2020 |
| Japan | Civil Code of Japan (minors' capacity); Act on the Protection of Personal Information (APPI) |
Summary: We are not liable for personal information you share with us beyond what is required for registration. Contact our Grievance Officer for any privacy concerns.
In case any personal information is shared by you with us, which is not requested by us during registration (whether mandatory or optional), we will not be liable for any information security breach or disclosure in relation to such information. If you have any questions regarding this Policy or the protection of your personal information, please contact our data protection officer/grievance officer at tulsiprivateltd@gmail.com.
This Privacy Policy has been drafted with reference to industry-standard privacy policies and adapted to reflect ArthaNote's specific data processing activities and applicable legal requirements.
— End of ArthaNote Privacy Policy —
ArthaNote Privacy Policy | Version 1.0 | Effective June 22, 2026
© 2026 ArthaNote. All rights reserved.