Privacy policy

This policy explains what personal data BahiKhata collects, why we collect it, where it lives, and the rights you have over it under UK GDPR and the Data Protection Act 2018.

Last updated: 7 May 2026

1. Who we are

BahiKhata is operated by Sifotech UK Ltd (“we”, “us”, “our”), a company registered in England & Wales.

  • Registered office: [Registered office address — to be confirmed before launch]
  • Company number: [Companies House No: 00000000]
  • ICO registration: [ICO No: ZA000000 — to be confirmed before launch]
  • Data protection contact: privacy@bahikhata.co.uk

For the purposes of UK GDPR, Sifotech UK Ltd is the data controller for the BahiKhata service.

2. What data we collect

Account data

Your name, email address, hashed password, login timestamps, IP address at sign-up, language preference, and the company you create.

Business data

Anything you choose to record in BahiKhata: transactions, invoices, quotes, customer and supplier records, receipt images and PDFs, chart-of-accounts entries, VAT workings, bank statements you upload, notes and tags.

Payment data

Subscriptions are processed by [Stripe — Stripe Payments UK, Ltd]. We never see or store your full card number; Stripe gives us a token, the last four digits, card brand and expiry month so we can show your billing page and issue VAT invoices.

AI conversation logs

When you use the AI accountant — by chat, voice or photo — we send the relevant message, attachment or transcript to our AI provider (Anthropic) so it can reply or extract data from a receipt. We log the exchange against your account so you can review what was suggested and so we can debug issues.

Technical data

Browser type, device type, pages visited and feature usage, in aggregate. We do not use third-party advertising or tracking pixels.

3. Why we collect it (purposes)

  • Service delivery — to actually run BahiKhata: log you in, store your books, draft your VAT return, send you reminders, generate exports.
  • Legal compliance — to keep records HMRC and the ICO require us to keep, and to detect/prevent fraud.
  • Anonymous analytics — to understand which features are used so we can prioritise the roadmap. No tracking cookies, no third-party trackers.
  • Service communications — billing receipts, security alerts, important product changes. You can’t opt out of these while you have an account, because they’re part of the service.

4. Lawful bases (UK GDPR Article 6)

  • Contract — most processing is necessary to provide the service you signed up for.
  • Legitimate interest — running and securing the platform, anonymous product analytics, fraud prevention.
  • Legal obligation — keeping financial and tax records for the periods HMRC requires.
  • Consent — for any optional marketing emails. You can withdraw consent at any time from your account settings or by emailing us.

5. Where your data is stored

Your books and account data live in our Supabase database in the UK region (eu-west-2, London). This is the primary store of record.

6. Sub-processors

We use a small number of carefully chosen sub-processors. Each is bound by a data-processing agreement and only sees the minimum data they need to deliver their function.

  • Supabase (UK, eu-west-2) — primary database, authentication and file storage.
  • Vercel (Ireland, eu-west-1) — hosting and edge delivery of the BahiKhata application.
  • Anthropic (United States) — AI accountant (Claude). Conversations are sent for processing only; we never allow your data to be used to train third-party models. Where possible, we anonymise sensitive identifiers before sending.
  • Resend (United States) — transactional email delivery (login links, receipts, deadline reminders, VAT return drafts).
  • Stripe (United Kingdom) — subscription billing and VAT invoicing.

International transfers are protected by the UK IDTA / EU SCCs plus additional safeguards as required by the ICO’s international transfer guidance.

7. Retention

  • Account & financial records — kept for seven (7) years after account closure to satisfy HMRC record-keeping requirements.
  • AI conversation logs — retained for 90 days, then deleted.
  • Backups — encrypted, rotated on a 30-day cycle.
  • Marketing contacts — until you unsubscribe.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct anything that’s inaccurate.
  • Request deletion (subject to the retention periods above where we’re legally required to keep records).
  • Export your data in a portable format. BahiKhata gives every customer a one-click export of all their books and attachments.
  • Object to or restrict certain processing.
  • Lodge a complaint with the Information Commissioner’s Office (ICO). We’d love a chance to fix it ourselves first — email privacy@bahikhata.co.uk.

9. Cookies

We only use functional cookies — keeping you signed in, remembering your language and storing your CSRF token. We do not set advertising cookies, social-media cookies, or third-party tracking cookies.

10. Children

BahiKhata is a business product. It is not intended for, and we do not knowingly collect personal data from, anyone under 18. If you believe a child has created an account, please contact us and we’ll delete it.

11. Changes to this policy

When we make material changes, we’ll email every active customer at least 14 days before the new policy takes effect, and show a banner inside the app. We’ll also keep a dated archive of previous versions, available on request.

12. Contact

For anything privacy-related — access requests, deletion requests, questions, complaints — email privacy@bahikhata.co.uk. We aim to respond within five working days and always within the statutory thirty-day window.