In private beta, request accessSign in
ShippingBill.ai

Legal

Privacy notice.

Last updated: 24 May 2026. Effective immediately.

This Privacy Notice describes how ShippingBill Technologies Pvt Ltd ("we", "us", "ShippingBill") collects, uses, stores, and discloses your personal data when you use the ShippingBill.ai web application, marketing site, and related services (collectively, the "Services").

We act as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025 in respect of personal data relating to individuals you identify to us as our points of contact, your authorised users (including your CA and CHA), and visitors to our marketing site. Where you upload personal data relating to other individuals (for example, customs broker contact details), you remain the Data Fiduciary for that data and we are a Data Processor on your behalf.

1. Data we collect

  • Account data. Name, work email, phone number, role, company name, IEC, GSTIN, primary port, sector, billing address.
  • Shipping bill data. Shipping bill numbers, dates, port codes, HS codes, FOB values, destinations, AWB or BL numbers, AD code references, exchange rate references.
  • Reconciliation data. RoDTEP scrip references, eBRC records, EDPMS extracts you upload, classification accept/override decisions, audit log entries.
  • Banking metadata. AD bank name, ad code, branch identifier (we do not collect or store account numbers, passwords, or net banking credentials).
  • Communications. Email, WhatsApp messages, and support tickets between you and us.
  • Site analytics. Anonymised page-view, referrer, and user-agent data via Plausible (no cookies, no cross-site tracking).

2. Purpose and lawful basis

We process your personal data for the following purposes, under the lawful bases below:

  • To provide the Services. Performance of contract under the DPDP Act consent framework.
  • To send service updates and product alerts. Consent at sign-up, with opt-out per channel.
  • To improve and audit our AI classification logic. Aggregated, de-identified usage data only. Your specific shipping bills are not used for training.
  • To comply with legal obligations. Tax, accounting, and DPDP-mandated record-keeping.
  • To prevent fraud and abuse. Legitimate interest in maintaining the Services.

3. Where your data is stored

All personal data is stored on Supabase infrastructure hosted in the Mumbai region (ap-south-1). We do not transfer customer personal data outside India for the operation of the Services. The only exception is API calls to Anthropic (for HS classification) which transit to the US and are processed under Anthropic's zero-retention API endpoint where supported. Anthropic does not retain or train on the API content.

Marketing communications (Resend, Gupshup) are delivered through processors with India presence; please see the subprocessor list at /trust/subprocessors.

4. Data retention

  • Active subscription data: retained for the duration of your subscription.
  • Post-cancellation: retained for 90 days to allow re-activation, then permanently deleted.
  • Free audit data (for non-customers): retained for 30 days after report delivery, then deleted.
  • Marketing list: retained until you unsubscribe.
  • Aggregated, de-identified analytics: retained indefinitely.

5. Your rights under the DPDP Act

You have the following rights, exercisable by writing to [email protected]:

  • Right to access. A copy of your personal data we hold, in machine-readable form, within 7 working days.
  • Right to correction and erasure. Correct or delete inaccurate or unnecessary personal data.
  • Right of grievance redressal. Submit a grievance to our DPO. We respond within 7 working days.
  • Right to nominate. Nominate an individual to exercise your rights in the event of your death or incapacity.
  • Right to withdraw consent. Withdraw your consent at any time, with prospective effect.

If our response is unsatisfactory, you may approach the Data Protection Board of India at dpbi.gov.in.

6. Breach notification

In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals within 72 hours of becoming aware of the breach, in the form prescribed by the DPDP Rules.

7. Data Protection Officer

Our Data Protection Officer is contactable at [email protected]. Postal address: ShippingBill Technologies Pvt Ltd, Bengaluru, Karnataka, India (full address available on request).

8. Children

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data of a child, we will delete it promptly.

9. Changes to this notice

Material changes to this notice will be communicated by email and posted on this page with the updated effective date. Non-material changes will be posted with the updated effective date without separate email notice.

10. Subprocessors and security controls

Our current subprocessor list, certifications, and security controls are available at /trust.