Privacy Policy

Stickman ("we", "our", "us") is a SaaS invoicing platform operated under Indian law. Registered address and operator details are available on request at support@stickman.space. We act as the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA) with respect to data you provide while using our service.

Account data: your name, email address, and hashed password when you register. Business profile data: business name, GST Identification Number (GSTIN), PAN, address, bank account details, and UPI ID — entered voluntarily by you for invoice generation. Client data: names, email addresses, GST numbers, and addresses of your clients — entered by you and processed solely on your behalf. Payment data: transaction IDs, plan type, and subscription status. We do not store full card numbers; card payment processing is handled by a PCI-DSS compliant payment gateway. Usage data: pages visited, features used, and error logs — collected via server-side analytics and stored in anonymised form. Device data: IP address, browser type, and operating system — collected automatically for security and fraud prevention.

We process your personal data on the following lawful grounds under the DPDPA 2023 and, where applicable, the Information Technology Act 2000: • Contractual necessity: to create your account, generate invoices, and provide subscription services. • Legitimate interests: fraud prevention, security monitoring, and service improvement. • Legal obligation: tax record-keeping as required by the Income Tax Act 1961 and GST laws. • Consent: for marketing communications (you may withdraw at any time).

• Provide, maintain, and improve the Stickman platform. • Send transactional emails: invoice delivery, password resets. • Process subscription payments securely. • Respond to support queries sent to support@stickman.space. • Detect and prevent fraud, abuse, or security threats. • Comply with applicable Indian tax and financial regulations. We do NOT use your data or your clients' data for advertising, profiling, or sale to third parties.

We share data only with service providers strictly necessary to operate Stickman: • Resend Inc. — transactional email delivery. • Neon Inc. — PostgreSQL database hosting (data stored in AWS us-east region, encrypted at rest with AES-256). • Application hosting and edge network providers used to operate the Stickman website. All processors are bound by data processing agreements. We do not share data with any other third party without your explicit consent, except where required by law or a valid court/government order.

Account and invoice data is retained for the lifetime of your account plus 7 years thereafter (as required by Indian GST and income-tax record-keeping rules under Section 36 of the CGST Act 2017 and Section 128 of the Income Tax Act 1961). On account deletion, all personal data is purged from active systems within 30 days. Anonymised, aggregated usage statistics may be retained indefinitely.

• All data transmitted over HTTPS/TLS 1.3. • Passwords stored as bcrypt hashes (cost factor 12) — never in plaintext. • Database encrypted at rest (AES-256). • Access to production systems restricted to authorised personnel with MFA. • Security incidents will be reported to affected users and, where required by law, to regulatory authorities within 72 hours of discovery.

You have the following rights as a Data Principal: • Right of Access: request a copy of all personal data we hold about you. • Right to Correction: request correction of inaccurate or incomplete data. • Right to Erasure: request deletion of your account and associated personal data. • Right to Grievance Redressal: lodge a complaint with our Grievance Officer. • Right to Nominate: nominate another individual to exercise your rights in the event of incapacity or death. To exercise any right, email support@stickman.space with subject line "DPDPA Data Request". We will respond within 30 days.

We use essential cookies for authentication, security, and account access. These include HttpOnly, Secure, SameSite=Lax session cookies that are required for login and cannot be disabled without affecting the Service. With your consent, we also use first-party analytics and referral cookies/local storage to understand page visits, referral attribution, and product usage. These are not used for third-party advertising, do not include advertising pixels, and do not involve browser fingerprinting. You can choose Accept or Deny in the cookie banner. If you deny, Stickman will not create optional analytics or referral tracking cookies/local storage, and any existing optional referral or analytics session values will be cleared from your browser.

Stickman is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact support@stickman.space and we will delete the account immediately.

Some processors, including database, email, hosting, and edge network providers, are based outside India. Data may be stored or processed in the United States or other jurisdictions. Such transfers are governed by contractual clauses that provide protections equivalent to Indian law. By using Stickman you consent to these transfers.

We may update this policy from time to time. Material changes will be notified by email or via an in-app banner at least 14 days before taking effect. Continued use after the effective date constitutes acceptance of the revised policy.