Privacy Policy

Last updated: 18 May 2026

The short version: Vachan stores the trading data you enter — your customers, transactions, payments, and bill photos — so we can show it back to you and your counterparties. We don't sell your data, we don't run ads, and we don't share it with third parties except the narrow set of providers (push notifications, WhatsApp delivery, file storage) we need to make the app work.

This Privacy Policy explains how Vachan ("we", "us", "the App") collects, uses, stores, and discloses information about you when you use the Vachan mobile application and related services. It is published in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 of India.

Vachan is operated by MysticApps ("the operator"). If you do not agree with this policy, please do not use the App.

1. Information we collect

1.1 Information you provide

Identity and contact: your mobile number (used as your primary identifier), your name, and your business / shop name.
Business profile: optional GST number, address, and other shop details you choose to add.
Trading data: transactions, IOUs, payments, due dates, notes, and counterparty details (name, phone number) that you record about your business dealings.
Receipts and invoices: photos of bills, lorry receipts, and other documents you upload. These are stored in encrypted object storage.
Reports: community credit reports you file about a counterparty.

1.2 Information collected automatically

Device identifiers: Firebase Cloud Messaging (FCM) tokens, used solely to deliver push notifications to your device.
Usage logs: request logs (timestamps, endpoints called, error codes) retained for a limited period to operate, secure, and debug the service.
Authentication state: a signed JSON Web Token (JWT) issued after OTP login, stored on your device.

1.3 Information accessed with your permission

Contacts: if you grant permission, Vachan reads your device contacts only to help you find and add counterparties. Phone numbers are checked against our registry to surface existing Vachan users. We do not upload, store, or share your full contact list on our servers. Cross-references are performed transiently and not persisted beyond the response.
Camera and photos: used only to capture or pick a receipt image when you attach it to a transaction.
Notifications: required to deliver reminders, acceptance alerts, and the daily morning summary.

2. How we use your information

To operate the credit ledger: record transactions, compute balances, and show them to you and the counterparty on the other side of the trade.
To deliver reminders on WhatsApp, SMS, and push — only when you actively initiate them, and subject to a 24-hour cooldown to prevent abuse.
To send the daily morning summary push notification (you can disable this in Settings).
To compute and serve credit reputation scores from observable payment history.
To secure the service, prevent fraud, and investigate misuse.
To comply with applicable Indian law and respond to lawful requests by public authorities.

We do not use your data to train machine-learning models for third parties, sell it to advertisers, or share it with data brokers.

3. Acceptance links and counterparty visibility

When you create a transaction, Vachan generates a public, tokenised acceptance link (for example https://m.vachanapp.com/ack/<token>) and allows you to share it. Anyone with the link can view the transaction details (amount, due date, your shop name, bill image) and accept the IOU.

You are responsible for sharing the link only with the intended counterparty. The link is unguessable and not indexed by search engines, but it is not protected by a password.

4. Sharing with third parties

We share data only with the following categories of service providers, each bound by contract to use the data only for the service they provide to us:

Cloud hosting: Supabase (managed PostgreSQL) and Cloudflare R2 (object storage for receipt images). Data is stored in their secured infrastructure.
Push notifications: Google Firebase Cloud Messaging.
Messaging delivery: Evolution API (self-hosted WhatsApp gateway) and SMS providers used to send reminders you initiate.
Analytics and error reporting: Google Analytics.

We may also disclose information when required by law, court order, or to protect the rights, property, or safety of Vachan, our users, or the public.

5. Where your data is stored

Your data is stored on servers operated by our infrastructure providers, primarily in data centres located in India and/or Singapore. By using Vachan you consent to the storage and processing of your data in these locations, subject to the protections of the DPDP Act and equivalent safeguards.

6. Retention

Trading data is retained for as long as your account is active. You may request deletion at any time (see "Your rights" below).
Authentication tokens expire 365 days after issue or earlier if you log out.
Server-side request logs are retained for up to 90 days for debugging and security.
Receipt images are deleted within 30 days of the linked transaction's deletion.
After account deletion we retain only the minimum data required to comply with legal, tax, or fraud-prevention obligations.

7. Your rights under the DPDP Act

You have the right to:

Access the personal data we hold about you.
Correct or update inaccurate information.
Erase your personal data, subject to legal retention requirements.
Nominate another person to exercise these rights on your behalf in the event of death or incapacity.
Grievance redressal — to raise a complaint with our Grievance Officer (see Section 12).
Withdraw consent at any time, although doing so may stop the App from working.

To exercise any of these rights, write to us at privacy@vachanapp.com.

8. Security

We use industry-standard measures to protect your data, including TLS in transit, encryption at rest for receipt images, signed JWT authentication, and access controls on internal systems. No system is perfectly secure, however, and we cannot guarantee that unauthorised access will never occur. In the event of a data breach affecting your personal data, we will notify you and the Data Protection Board of India as required by law.

9. Children

Vachan is intended for use by adults conducting business. We do not knowingly collect data from anyone under the age of 18. If you believe a minor has used the App, please contact us so we can delete the account.

10. Cookies and tracking

The Vachan mobile app does not use cookies. This website (vachanapp.com) uses no third-party tracking cookies; it serves only static content and Google Fonts (which may set cookies governed by Google's own privacy policy).

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. If we make material changes that affect your rights, we will notify you in the App or by push notification.

← Back to home · Terms of Service