Privacy Policy

Last updated: 4 June 2026

CredInfinite ("we", "our", or "us") operates the CredInfinite platform — a WhatsApp-native expense management service for Indian SMEs. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use our website, WhatsApp bot, and web application (collectively, the "Service").

By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use our Service.

1. Information We Collect

1.1 Information You Provide

• Account details — name, email address, phone number, company name, GSTIN, PAN, CIN
• Company profile — registered address, state, pincode, phone, email, bank account details (bank name, account number, account holder name, IFSC code, branch)
• Employee data — names, phone numbers, email addresses, WhatsApp numbers, employee codes, departments, designations, bank account details for salary disbursement, monthly allowance budgets
• Financial records — expense amounts, vendor names, vendor GSTIN, receipt images, invoice details with client names and addresses
• CA firm data — client firm names, GSTIN, PAN, CIN, addresses, and bank details imported via CSV
• Candidate data — resumes (PDF/DOC/DOCX), names, email addresses, phone numbers, LinkedIn profiles, interview feedback
• Tax declarations — investment proofs (documents uploaded by employees for IT declarations under Sections 80C, 80D, HRA, etc.)
• Payment information — processed by Razorpay; we do not store full card numbers or UPI IDs
• WhatsApp messages — bill photos, approval responses, invoice creation inputs, and conversation data sent to our business number

1.2 Information Collected Automatically

• Device and browser information (user agent, screen size, operating system)
• IP address and approximate geographic location (country/city level)
• Usage data — pages visited, features used, timestamps, login/logout events
• Login audit records — email, IP address, and login status (success/failure) for security monitoring
• WhatsApp session state — conversation context to maintain interactive workflows

1.3 Marketing & Lead Data

• Whitepaper downloads — name, work email, company name, and IP address submitted via our lead capture form
• Marketing website analytics — anonymised page views, referral sources, and device information via Google Analytics 4

1.4 Information from Third Parties

• WhatsApp Business API (via MSG91) — message delivery status, phone number verification, message content
• Google Gemini Vision — OCR results from receipt images (processed in real-time, not stored by Google)
• Google Gemini AI — HSN/SAC code suggestions and recruitment candidate scoring (reads resume PDFs)
• Razorpay — payment confirmation, subscription status, billing cycle events
• HubSpot CRM — lead data from whitepaper downloads (synced asynchronously)

2. How We Use Your Information

• Process expense submissions, approvals, reimbursements, and payroll disbursements
• Extract data from receipt images using AI (Google Gemini Vision)
• Score and shortlist candidates from uploaded resumes (Google Gemini AI)
• Send WhatsApp notifications, approval requests, and invoice links to employees and managers
• Generate Tally-compatible XML exports, GSTR-1/2B/3B reports, and financial summaries
• Generate and deliver invoice PDFs with GST-compliant formatting
• Process payments and manage subscriptions via Razorpay
• Send transactional emails — OTP verification, approval notifications, reimbursement confirmations, interview schedules, and offer letters
• Sync lead information with HubSpot CRM for sales follow-up
• Log login events (success/failure) for account security monitoring
• Improve and maintain the Service through usage analytics
• Comply with legal obligations under the Income Tax Act (8-year record retention), GST Act, and other applicable Indian laws

3. Data Storage and Security

All data is stored on servers located in India. We use PostgreSQL databases with encryption at rest. Receipt images are stored in S3-compatible object storage with server-side encryption. All data in transit is encrypted using TLS 1.2+.

Authentication uses JWT tokens with 24-hour expiry. Passwords are hashed using bcrypt. API keys are stored as SHA-256 hashes. OTP codes are bcrypt-hashed and embedded in short-lived tokens — they are never stored in the database.

4. Data Sharing

We do not sell your data. We share information only with:

• MSG91 (WhatsApp Business API provider) — for WhatsApp message delivery
• Resend — for transactional email delivery (OTP, notifications, payslip PDFs, offer letters)
• Google Gemini Vision — for OCR processing of receipt images and AI scoring of candidate resumes (processed in real-time, not retained by Google)
• Razorpay — for payment processing and subscription management
• HubSpot CRM — for lead management from whitepaper downloads
• Your designated Chartered Accountant or finance team — via Tally XML and CSV exports that you initiate

We may disclose data if required by law, court order, or government regulation applicable in India.

5. Data Retention

We retain your data for as long as your account is active. Expense records are retained for a minimum of 8 years to comply with Indian tax regulations (Income Tax Act, 1961). Receipt images are retained for the same period. You can request deletion of non-regulatory data by emailing us.

6. Your Rights

Under applicable Indian law, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Request deletion of your data (subject to legal retention requirements)
• Withdraw consent for non-essential processing
• Export your data in a machine-readable format (CSV, XML)

To exercise any of these rights, email us at privacy@credinfinite.com.

7. Cookies and Analytics

7.1 Essential Storage

Our web application uses a JWT authentication token stored in localStorage to maintain your login session. The marketing website (credinfinite.com) does not use authentication cookies.

7.2 Analytics

We use Google Analytics 4 (GA4) on our marketing website to understand how visitors interact with our content. GA4 collects:

• Pages visited and time spent on each page
• Referral source (how you found our website)
• Browser type, device type, and screen resolution
• Approximate geographic location (country/city level only)

IP addresses are anonymised (GA4 IP anonymisation is enabled). No personally identifiable information (names, email addresses, phone numbers) is sent to Google Analytics from our website.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

8. WhatsApp Data

When employees interact with our WhatsApp bot, message content (including bill photos) is processed via the Meta-verified WhatsApp Business API through MSG91. We store conversation state to manage the expense submission workflow. Bill photos sent via WhatsApp are uploaded to our secure S3 storage and processed by Google Gemini Vision for data extraction.

WhatsApp session data is automatically purged after 24 hours of inactivity.

9. Children's Privacy

Our Service is designed for businesses and is not intended for individuals under 18 years of age. We do not knowingly collect data from minors.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or an in-app notice. Continued use of the Service after changes constitutes acceptance.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: