Privacy Policy

Version 2026-05-01 · Effective from 2026-05-01

This Privacy Policy explains how Demystify Systems LLP (“we”, “us”, “our”) collects, uses, and protects information when you use FinFy (“the app”) at finfy.dmstfy.com. We comply with the Digital Personal Data Protection Act, 2023 of India (DPDP Act) and the Information Technology Rules, 2021.

1. What we collect

  • Account: email, password hash (managed by Supabase Auth), name, business name, optional phone, optional photo, city.
  • Business data you enter: clients, projects, visits, payments, expenses, invoices, voice-to-text notes, optional UPI VPA, optional GSTIN.
  • Device & usage: approximate IP (for security), browser/OS string, preferred language and theme. We do not run third-party analytics today.

2. Why we collect it

To provide the service you signed up for, to authenticate you, to keep your data isolated from other users (via row-level security), to generate receipts and reports, and to comply with applicable law.

3. Third-party processors

  • Supabase (database + auth + storage) — data hosted in the region you signed up to. See supabase.com/privacy.
  • Vercel (web hosting) — see vercel.com/legal/privacy-policy.
  • Browser Speech Recognition — voice input runs in your browser; we don't send your voice to our servers.

We do not sell, rent, or share your personal information for marketing.

4. Data retention

Your data is kept until you delete it. You can delete individual records anytime, or delete your entire account from Profile → Account → Delete my account. Deletion is final after a 30-day grace period, during which you can cancel.

5. Your rights under the DPDP Act

  • Access: download all your data as CSV from your profile.
  • Correction: edit any record directly in the app.
  • Erasure: delete records or your whole account.
  • Grievance: contact our Grievance Officer at grievance@dmstfy.com.
  • Consent withdrawal: revoke optional consents (notifications etc.) anytime in profile.

6. Security

Passwords are hashed by Supabase Auth. All traffic uses HTTPS/TLS. Database row-level security ensures one user cannot read another's rows. Receipts are stored in a public bucket and addressed by unguessable UUIDs, so anyone who has a receipt's URL can open it; treat receipt URLs as sensitive.

7. Children

FinFy is not intended for users under 18. We do not knowingly collect children's data.

8. Contact

Data Protection Officer / Grievance Officer:
Demystify Systems LLP
Email: support@dmstfy.com

We may update this policy. If we do, we'll re-prompt you to accept the new version on next login.
