Privacy Policy

Effective date: 5 May 2026 · The Co Passenger · thecopassenger.com

🔒 The Short Version — Zero-Knowledge Architecture

GST360 is built on a zero-knowledge architecture. This means your business data — invoices, customers, transactions, GSTIN details — is encrypted on your device before it ever reaches our server. We cannot read it. Our engineers cannot read it. Even if our server is breached, the attacker gets useless encrypted data.

Your passcode is the only key. It is derived locally on your device using Argon2 (64MB memory, 3 iterations) and never transmitted to us. We do not store it. We cannot recover it.

This is not a marketing claim — it is a mathematical guarantee enforced by AES-256-GCM encryption. The same architecture used by ProtonMail and Signal.

📱 Cross-platform: This policy applies to all versions of GST360 — Web (Chrome, Edge, Firefox, Safari), Android app, iOS app, and Desktop (Windows/Mac). All platforms use the same zero-knowledge encryption and the same server.

1. Who We Are

GST360 is a product of The Co Passenger, operating at thecopassenger.com. We build zero-knowledge billing software for Indian businesses.

For privacy questions or data deletion requests, contact us at: privacy@thecopassenger.com

2. What We Collect — and What We Never Touch

What we store on our server

Data	Form stored	Why
Mobile number	HMAC-SHA256 hash (one-way, with server secret)	OTP delivery + account lookup
Email address	HMAC-SHA256 hash + AES-encrypted copy for OTP sending	OTP delivery + account lookup
Plan type	Plain text (Free / Mode 1 Pro / Mode 2)	Feature access control
Plan expiry date	Plain timestamp	Subscription management
Device last-sync timestamp	Plain timestamp	Sync conflict detection
App version	Plain text (e.g. "1.0.0")	Safe format migration — know which users are on old versions before changing file format
Approximate city + state	Derived from IP at signup only	Product analytics — understand which regions use GST360
Device platform + browser	Plain text (e.g. "Android / Chrome 124")	Product analytics — where to invest in app quality
Mode 2 encrypted blob	AES-256-GCM ciphertext — we cannot read it	Cloud sync for Mode 2 users
Access log events	Event type + device hint + SHA-256(IP) — never plain IP	Security audit — user can view in Settings → Security

What we NEVER store

Data	Status	Why
Your passcode / PIN	NEVER	Derived locally on device only — never transmitted
Your AES encryption key	NEVER	Lives in device memory only — cleared on lock
Invoices	NEVER	Encrypted in .gst360 file — we cannot read it
Customer names	NEVER	Same — inside encrypted blob
Transaction amounts	NEVER	Same — inside encrypted blob
Business GSTIN	NEVER	Same — inside encrypted blob
Company name	NEVER	Same — inside encrypted blob
Stock levels / inventory	NEVER	Same — inside encrypted blob
Plain IP address	NEVER	Only SHA-256(IP) stored in access log — cannot be reversed

Even if our server is breached or we receive a government data order: we can hand over email hash, mobile hash, plan type, and encrypted blobs. None of that reveals your business data. The encryption key exists only on your device.

3. IP-Based Location Detection

At signup, we detect your approximate city and state from your IP address (e.g. "Nagpur, Maharashtra"). We use this to understand which regions use GST360 so we can prioritise regional language support and local partnerships.

We do not store your precise location. We do not track your movements. We do not share location data with any third party. The city/state is stored once at signup and never updated.

4. How We Use Your Data

OTP delivery — send login and verification codes to your mobile/email
Account management — plan status, subscription, device management
Security — detect suspicious login patterns, rate-limit OTP attempts
Product improvement — understand which platforms and regions use GST360
Support — respond to your queries (we cannot see your business data)

We do not sell your data. We do not use your data for advertising. We do not share it with third parties except as required by law.

5. Cross-Platform Data Handling

All four platforms use the same server, the same encryption, and the same privacy guarantees.

Platform	Local file storage	Passcode storage	Server contact
Web (Chrome / Edge)	.gst360 file via File System Access API	IndexedDB (encrypted wrapped key)	OTP + Mode 2 sync only
Web (Firefox / Safari)	.gst360 downloaded on every save	IndexedDB (encrypted wrapped key)	OTP + Mode 2 sync only
Android	.gst360 via FileBridge.java (app-private storage)	Android Keystore (TEE / Secure Enclave)	OTP + Mode 2 sync only
iOS	.gst360 via Capacitor Filesystem plugin	iOS Keychain (Secure Enclave)	OTP + Mode 2 sync only
Desktop (Windows / Mac)	.gst360 via Electron file system	OS Credential Manager	OTP + Mode 2 sync only

Mode 1 (local file): After initial OTP login, the app makes zero server requests when you save data. Your .gst360 file never leaves your device.

Mode 2 (cloud sync): The encrypted blob is uploaded to our server. The server stores ciphertext only — it cannot decrypt or read your data.

6. Encryption — Technical Details

For users who want to verify our claims:

Key derivation: PBKDF2 (310,000 rounds, SHA-256, salt = uid) → Passcode-Derived Key (PDK)
Data key: AES-256-GCM random key, generated once per user, never changes
Key wrapping: PDK wraps the data key (AES-GCM). Changing passcode = re-wrap only, no data re-encryption
Data encryption: AES-256-GCM with random 12-byte IV per save
Identity hashing: HMAC-SHA256 with server-side secret — not plain SHA-256 (which is brute-forceable for 10-digit mobiles)
IP hashing: SHA-256(IP) in access log — cannot be reversed to plain IP
Transport: HTTPS enforced, HSTS max-age=31536000

7. Staff Access — Important Limitation

⚠️ Staff access controls are enforced by the application, not by cryptography. In the current version (Phase 1), a staff member's sub-key gives access to the full encrypted blob. Role restrictions (Sales-only, View-only, etc.) are enforced in the app UI only. A technically skilled staff member who extracts their sub-key could bypass role limits. True per-module cryptographic enforcement is planned for Phase 4.

This limitation is disclosed here and in the app. If you require cryptographic role enforcement, do not grant staff access until Phase 4 is released.

8. Data Retention

Data	Retention
Mode 2 encrypted blob	Deleted immediately on account deletion request
Blob version history	7-day rolling window — auto-deleted
Access log events	7 days — auto-deleted
OTP records	Deleted on expiry (10 min email / 5 min mobile)
Device tokens	90-day expiry, revocable at any time
Email hash + mobile hash + plan data	Deleted within 30 days of account deletion request (DPDP Act 2023)
Subscription audit trail	Retained for 7 years (GST compliance requirement)

9. Your Rights — India DPDP Act 2023

Under the Digital Personal Data Protection Act 2023, you have the right to:

Access — know what personal data we hold about you
Correction — correct inaccurate personal data
Erasure — request deletion of your personal data within 30 days
Grievance redressal — raise a complaint with our Data Protection Officer
Nominate — nominate a person to exercise rights on your behalf in case of death or incapacity

To exercise any of these rights, email us at privacy@thecopassenger.com with subject line "DPDP Data Request — [your request type]". We will respond within 30 days.

Account deletion: You can delete your account directly from the app — Settings → Account → Delete Account. This immediately deletes your encrypted blob and schedules all identity data for deletion within 30 days.

10. Cookies and Local Storage

We use the following browser storage — no third-party tracking cookies:

HttpOnly cookie — JWT session token (billing_token). Secure, SameSite=Lax. Cleared on logout.
localStorage — JWT token copy, PIN hash (SHA-256), passcode hint, UI preferences. Never contains business data.
IndexedDB — Encrypted data key (wrapped with your passcode), file handle, audit log. The data key is useless without your passcode.
sessionStorage — JWT token for current tab session only.

We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts on the billing app.

11. Third-Party Services

Service	Purpose	Data shared
Razorpay	Payment processing (Pro subscription)	Payment amount, order ID. No business data.
Fast2SMS	SMS OTP delivery	Mobile number + OTP only. No business data.
SMTP provider	Email OTP delivery	Email address + OTP only. No business data.
Google Sign-In	Optional login method	Email address only. No business data.
Hostinger VPS	Server hosting	Encrypted blobs (unreadable), hashed identities.

We do not use OpenAI, Google AI, or any external AI API for the billing app. BuyRight India (Phase 2) uses Amazon PA-API and Flipkart affiliate feeds only.

12. Children's Privacy

GST360 is a business tool intended for adults operating registered businesses. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, contact us at privacy@thecopassenger.com.

13. Changes to This Policy

We will notify you of material changes via in-app notification and email (if you have provided one). The effective date at the top of this page will be updated. Continued use of GST360 after the effective date constitutes acceptance.

📬 Contact — Data Protection

The Co Passenger

Email: privacy@thecopassenger.com

Website: thecopassenger.com

For DPDP Act 2023 grievances, use subject line: "DPDP Grievance — [description]".
Response time: within 30 days.

← Back to GST360