← Back to home

Privacy Policy

Last updated: 30 March 2026

Auditto ("we", "us", "our") is a product of Medtime Health Care Pvt Ltd (CIN: U24200KA2021PTC151358). This Privacy Policy explains how we collect, use, store, and protect your information when you use the Auditto platform at auditto.in and the Auditto Shopify app.

By using Auditto, you agree to the practices described in this policy. If you do not agree, please do not use the service.

1. Information We Collect

a) Account Information

When you sign up or install the Auditto Shopify app, we collect your business name, legal name, email address, and phone number (WhatsApp).

b) Business Identification

To enable GST reconciliation and compliance features, we collect your GSTIN (Goods and Services Tax Identification Number), PAN (Permanent Account Number), and state code. These are provided voluntarily by you in the Settings page.

c) Financial Data from Connected Channels

When you connect sales channels and payment gateways, we access and store:

  • Shopify: Order details (order ID, amounts, taxes, shipping, discounts, customer state/pincode for GST classification, fulfillment status). We do not access customer email, full address, or payment card details.
  • Amazon SP-API: Orders, financial events, settlement reports, commissions, and FBA fees.
  • Flipkart: Shipments, returns, commissions, penalties, and settlement data.
  • Razorpay: Settlement details, transaction-level reconciliation data, UTR numbers, and TDR deductions.
  • Zoho Books: Bank transactions, purchase invoices, and journal entries (bidirectional sync).

d) Uploaded Documents

If you send receipts or invoices via WhatsApp, we process them using OCR (optical character recognition) to extract vendor name, GSTIN, amounts, and tax breakdowns. The original image is not stored after processing.

e) Usage Data

We collect basic usage data such as pages visited, features used, and error logs to improve the product. We do not use third-party analytics trackers.

2. How We Use Your Data

Your data is used exclusively for:

  • Financial reconciliation: Matching orders, settlements, and bank entries across channels to identify discrepancies.
  • GST compliance: Comparing your sales data with GSTR-2A/2B filings to detect input tax credit (ITC) gaps.
  • Reporting: Generating P&L reports, channel-wise analysis, settlement tracking, and TCS/TDS summaries.
  • Tally export: Creating Tally-compatible XML vouchers from your reconciled data.
  • WhatsApp alerts: Sending you daily reconciliation summaries and discrepancy alerts to your registered WhatsApp number.
  • Product improvement: Aggregated, anonymised usage patterns to improve reconciliation accuracy.

We do not use your financial data for advertising, profiling, or any purpose unrelated to the reconciliation service.

3. How We Store and Protect Your Data

  • Encryption at rest: All API credentials, OAuth tokens, and sensitive fields are encrypted using AES-256-GCM before storage. Encryption keys are stored separately in a secrets vault.
  • Encryption in transit: All communications use TLS 1.2 or higher.
  • Tenant isolation: Your data is isolated from other merchants using Row-Level Security (RLS) policies in our database. No merchant can access another merchant's data, even at the database level.
  • Access control: Only our backend service role can read encrypted tokens. No frontend code or API ever exposes raw credentials.
  • Audit logging: All data mutations (creates, updates, deletes) are logged in an immutable audit trail with before/after snapshots.
  • Infrastructure: Data is hosted on Supabase (backed by AWS) with servers in the Mumbai (ap-south-1) region.

4. Third-Party Data Sharing

We do not sell, rent, or trade your data to any third party.

We share data only in these limited cases:

  • Services you connect: When you connect Zoho Books, we push reconciled journal entries and expense records to your Zoho account. This is initiated by you and can be disconnected at any time.
  • AI processing: Receipt images and order descriptions are sent to Google Gemini for OCR and natural language processing. No personally identifiable information (PII) is included in these requests.
  • WhatsApp delivery: Messages are delivered through the Meta WhatsApp Business API. We only send your phone number and the message content.
  • Legal obligations: We may disclose data if required by Indian law, court order, or regulatory authority.

5. Data Retention

  • Your financial data is retained for the duration of your active subscription.
  • After account closure or app uninstallation, we retain data for 90 days to allow reactivation, then permanently delete it.
  • Audit logs are retained for 1 year after account closure for compliance purposes.
  • You may request immediate data deletion at any time (see Section 6).

6. Your Rights

As an Auditto user, you have the right to:

  • Access: View all data we hold about your business through the dashboard and reports.
  • Export: Download your reconciled data as Tally XML, or request a full data export in JSON format.
  • Correction: Update your business details (GSTIN, PAN, contact info) at any time via Settings.
  • Deletion: Request complete deletion of your account and all associated data by emailing support@auditto.in. We will process deletion requests within 30 days.
  • Disconnect: Revoke access to any connected channel at any time. We will stop syncing and clear stored credentials for that channel immediately.
  • Withdraw consent: Stop using the service at any time by uninstalling the Shopify app or closing your account.

7. Cookies and Tracking

Auditto uses minimal cookies, limited to:

  • Session cookies: To maintain your login state and Shopify session. These expire when you close your browser or after 24 hours.
  • CSRF tokens: For security during form submissions and OAuth flows.

We do not use advertising cookies, retargeting pixels, or third-party analytics scripts.

8. Shopify App Compliance

The Auditto Shopify app complies with Shopify's API terms of service and data protection requirements:

  • We handle customers/data_request, customers/redact, and shop/redact mandatory webhooks.
  • On app uninstallation, we deactivate the merchant account and clear stored access tokens immediately.
  • We only request the minimum scopes needed: read_orders, read_reports, read_shopify_payments_payouts.

9. DPDP Act 2023 Compliance

Auditto is committed to compliance with the Digital Personal Data Protection Act, 2023 (India). In accordance with the Act:

  • We process personal data only for the specific purposes described in this policy, with your consent obtained during signup or app installation.
  • We collect only the data necessary for providing our reconciliation service (data minimisation).
  • We have implemented reasonable security safeguards including encryption, access controls, and audit logging.
  • You may exercise your rights as a Data Principal (access, correction, erasure, grievance) by contacting our Data Protection Officer.
  • We do not transfer personal data outside India. All data is processed and stored within the Mumbai (ap-south-1) region.

10. Children's Privacy

Auditto is a B2B service for business owners. We do not knowingly collect data from individuals under 18 years of age.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or WhatsApp notification at least 15 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

12. Contact Us

For privacy-related questions, data access requests, or complaints: