Privacy Policy
Last updated: May 15, 2026 · Effective from: April 25, 2026
1. Who We Are
Skill to Bill is an order management platform built for makeup artists and beauty professionals in India. We provide booking management, client portal, invoicing, and revenue tracking services through our web application.
Data Controller: Skill to Bill
Grievance Officer: support@skilltobill.app
Contact: support@skilltobill.app
2. What Data We Collect
We collect only data that is necessary to provide our services:
From makeup artists (subscribers):
- Name, username, and password (hashed — never stored in plain text)
- Phone number and email address (optional, for profile)
- Studio or business name
- Booking records you create (client names, dates, services, amounts)
- Revenue and expense data you enter
From clients (via client portal):
- Name, phone number, email address
- Event preferences, look references, and notes you voluntarily submit
- Reference images uploaded by you (stored securely)
Automatically collected:
- IP address (for rate limiting and security)
- Browser type and device type (for app compatibility)
- Session tokens (stored in your browser's local storage)
3. How We Use Your Data
- To provide and maintain the Skill to Bill platform
- To authenticate your identity and protect your account
- To generate invoices and track bookings on your behalf
- To send you important service communications (account alerts, password resets, two-factor authentication OTPs)
- To respond to demo requests and support queries
- To improve the platform based on usage patterns (no personally identifiable data used)
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Legal Basis for Processing
Under the DPDP Act 2023, we process your data based on:
- Consent: You provide consent when you register an account or submit the client portal form
- Contractual necessity: Processing required to deliver the subscription service you paid for
- Legitimate interest: Security monitoring, fraud prevention, and platform stability
5. Data Storage and Security
- All data is stored on servers hosted on Railway (cloud infrastructure) with encrypted connections
- Passwords are hashed using bcrypt (industry standard) — we cannot read your password
- All API communication uses HTTPS/TLS encryption
- Access tokens are signed with secure keys and expire after 7 days
- We apply rate limiting and brute-force protection on all authentication endpoints
- Two-factor authentication (2FA) uses a time-limited 6-digit OTP sent to your registered email — OTPs expire in 10 minutes and are deleted immediately after use
6. Data Sharing
We share your data only in the following limited circumstances:
- Railway (cloud hosting) — stores all application data on encrypted servers
- Resend (transactional email) — your email address is shared solely to deliver OTP and account notification emails. Resend does not use your data for any other purpose.
- Google Gemini API — powers Billie, our AI business assistant. When you use Billie, your booking and revenue data (no client personal data) is sent to Google's API to generate insights. Data is not used to train Google's models under our API agreement.
- Legal requirements: If required by Indian law, court order, or government authority
- With your explicit consent: No other sharing without your permission
We do not use your data for advertising and do not share it with advertising networks.
7. Your Rights Under DPDP Act 2023
As a data principal under Indian law, you have the following rights:
- Right to access: Request a copy of the personal data we hold about you
- Right to correction: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
- Right to withdraw consent: Withdraw consent at any time; this will not affect prior processing
- Right to grievance redressal: Raise concerns with our Grievance Officer
To exercise any of these rights, email us at support@skilltobill.app. We will respond within 30 days.
8. Data Retention
- Active account data is retained as long as your subscription is active
- On account closure, your data is deleted within 90 days
- Demo request data is retained for 12 months for business purposes
- Security logs (IP, rate limit events) are retained for 30 days
9. Cookies and Local Storage
We use browser local storage to store your authentication token. We do not use third-party tracking cookies or advertising cookies. We do not use Google Analytics or similar tracking services.
10. Children's Privacy
Skill to Bill is intended for use by adults and business professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us data, contact us immediately at support@skilltobill.app.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify active subscribers of material changes via the app or email. Continued use of the service after changes constitutes acceptance of the revised policy.
12. Grievance Redressal
Skill to Bill
Email: support@skilltobill.app
Response time: Within 48 hours for acknowledgement, 30 days for resolution.
You may also approach the Data Protection Board of India if your grievance is not resolved satisfactorily.