Sahaya · Privacy
Last updated 6 July 2026.
This policy explains what Sahaya collects when you use our service, how it is used and protected, and the rights you have — including under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”). It covers the app at app.sahayaos.com and the connected channels: WhatsApp, email forwarding, and the Tally sync agent.
Account data — your name, email, phone number, and workspace details. Business records — the documents and data you (or your connected channels) send us: bills, invoices, bank statements, vouchers, stock records, employee and payroll records, and the ledger entries built from them. Usage data — actions taken in the app, kept in an audit trail that exists for your protection: it lets you see exactly who or what changed each record, and when.
Sahaya’s agents read your documents to draft entries, reconcile accounts, and prepare statutory workings. Document contents are processed by our AI provider (Anthropic) strictly to perform these tasks; your data is not used to train AI models. Agent actions are always attributable in the audit trail, and high-stakes output is subject to the review and approval controls in your workspace.
We use established providers to run the service, each bound to process data only for that purpose: Supabase (database), Amazon Web Services (document storage, email), Vercel (hosting), Anthropic (AI processing), Meta (WhatsApp Business messaging), Resend (transactional email), and — where you connect them — payment providers such as Razorpay, Stripe, or Cashfree. Some providers may process data outside India with contractual and technical safeguards. We do not sell personal data.
Books of account and related statutory records are retained for the periods Indian law prescribes (generally eight financial years under income-tax and companies law; certain employment records longer). Data with no statutory retention requirement is kept only while your workspace is active, plus a 30-day export window after closure.
Under the DPDP Act you may request access to, correction of, or erasure of your personal data, and you may nominate someone to exercise these rights for you. Erasure requests run through Settings → Privacy in the app, or by writing to us. Where a record must be retained by law, we pseudonymise the personal fields we can and retain only what the statute requires — the plan for each request is shown to you before it runs, and the outcome is auditable.
Grievances: write to support@sahayaos.com and we will acknowledge within 72 hours. If you are not satisfied with our response, you may escalate to the Data Protection Board of India.
Every workspace’s data is isolated with database-level row security; records are encrypted in transit and at rest; posted accounting records are immutable (corrections happen by reversal, never by silent edit); and access is role-based within your team. No system is perfectly secure — if we learn of a breach affecting your data, we will notify you and the authorities as the DPDP Act requires.
We use cookies only to keep you signed in and the service working — no third-party advertising trackers. Sahaya is a business tool and is not directed at children; we do not knowingly process a child’s personal data except where it appears inside your business records (for example, a dependent’s name in an employee’s records), which you control.
We may update this policy as the service or the law changes; material changes will be notified in-app or by email, with the date above always reflecting the current version.