Legal

Privacy Policy

Last updated: 24 May 2026 · v1.0

GSTEasy is offline-first. We have no servers and we collect zero analytics.

The sections below explain every piece of data the app touches and what happens to it.

1. Data we collect

None. The app never sends your customers, products, invoices, payments, expenses, or any business data to any server we control. We do not run a backend.

2. Data stored on your device

Everything: customers, products, invoices, payments, GST settings, business profile, preferences. It is all stored in an encrypted SQLite database in the app's private storage. Other apps on your phone cannot read it.

3. Backups to your Google Drive

When you tap "Back up now", we copy your local database, encrypt it with a key only your device holds (AES-256-CBC + HMAC), and upload that encrypted blob to a dedicated folder in YOUR own Google Drive. We use Google's drive.file scope, which means we can only see files this app itself creates — never your other documents or photos. You can delete the backups from Drive at any time.

4. Encryption key

The 256-bit AES key is generated on first launch using the OS secure random source and stored in the platform's secure keystore (Android Keystore / iOS Keychain). It never leaves your device. If you reinstall the app without restoring the keystore entry, old backups cannot be decrypted.

5. Google sign-in

We use Google Sign-In only to authenticate to Google Drive on your behalf, so the encrypted backup can be uploaded. We do not receive an OAuth refresh token; the token is held by Google Play Services on your phone.

6. Camera & photos

The camera and photo library are used only when you tap "Scan receipt" to attach a bill photo to an expense, or upload a business logo. Photos are saved to the app's private storage. We do not upload them anywhere.

7. Notifications

Local payment-due notifications are scheduled on your phone using the OS scheduler. They never leave the device.

8. Sharing — WhatsApp, SMS, email, Drive

When you tap Share / Print / WhatsApp on an invoice, the PDF leaves the app via the OS share sheet to the app you pick. We have no visibility into what happens after the handoff.

9. Analytics & crash reporting

We ship no analytics SDK and no crash reporter in this build.

10. Permissions we request

CAMERA — barcode scanner and receipt-photo capture. We never take photos in the background.
INTERNET — encrypted Drive backup, optional FX rate refresh, optional e-invoice / e-way bill submission to NIC.
BLUETOOTH_CONNECT — thermal receipt printer pairing only. We do not scan for or log other Bluetooth devices.
READ_MEDIA_IMAGES (Android 13+) — picking a logo or signature image. We only access the file you select.
POST_NOTIFICATIONS (Android 13+) — local low-stock and recurring-invoice reminders.
FOREGROUND_SERVICE — long-running Drive backup so Android doesn't kill it mid-upload.

11. Children

GSTEasy is intended for business owners over 18. We do not knowingly collect data from children.

12. Changes to this policy

If the app ever starts collecting any new data, we will update this policy and prompt you in-app before the new behaviour takes effect. The previous version remains available on request — email support@msetuapps.com.

13. Contact

Questions, concerns, or data deletion requests: support@msetuapps.com.

14. Operator

GSTEasy is operated by Colligo Infotech, published under the brand MSetu Apps.