1. Scope & agreement
This Privacy Policy ("Policy") explains how Roktim Saha, trading as Piveth ("Piveth," "we," "us," or "our"), collects, uses, stores, shares, and protects information when you visit piveth.com, create an account, use our applications, dashboards, voice features, chat, APIs, or related services (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read this Policy and our Terms of Service. If you do not agree, do not use the Service.
If you use the Service on behalf of a company or organization, you represent that you have authority to bind that entity, and "you" includes that entity.
This Policy applies to personal data and other information we process as a data controller (or equivalent role under applicable law). It does not apply to third-party websites, apps, or services that we do not control—even if linked from the Service or used via credentials you provide (such as OpenAI or Google).
2. Who we are
Data controller / operator: Roktim Saha, trading as Piveth.
Privacy contact: [email protected]
General support: [email protected]
Legal notices: [email protected]
We are established in India. For users in jurisdictions that require a local representative or contact point, contact us at [email protected] and we will respond as required by applicable law.
3. About the Service
Piveth is an AI-assisted finance organization platform for founders, entrepreneurs, and small business operators. The Service helps you track capital, expenses, revenue, burn, runway, cash flow, and project-wise finances; log entries via text or voice; view dashboards, calendars, and reports; run scenarios; receive alerts; and collaborate in shared workspaces.
Piveth is not a bank, payment processor, accounting firm, tax adviser, or regulated financial institution. We do not connect to your bank accounts by default, do not hold customer funds, and do not provide certified statutory accounts. Financial figures in the Service reflect data you or your team enter or instruct the AI to record.
Parts of the Service use a bring-your-own-key ("BYOK") model: you may supply API keys for providers such as OpenAI (required for AI features) and Deepgram (optional for voice). Those providers process data under their own terms and privacy policies.
4. Information we collect
Depending on how you use the Service, we may collect the following categories of information:
4.1 Account & identity data
- Email address, display name, password hash (if you register with email/password);
- Google account identifier and profile information if you sign in with Google OAuth;
- Email verification status, password-reset tokens (hashed), and session identifiers;
- Locale, onboarding preferences (e.g., audience type, how you heard about us, interaction mode); and
- Account activity such as last login time and account status.
4.2 Workspace & collaboration data
- Workspace name, slug, currency, timezone, fiscal settings, and plan;
- Team membership, roles (owner, admin, member, viewer), and invite records (email, role, status);
- Activity feed entries describing actions within a workspace; and
- Notification preferences (workspace invites, weekly summaries, product updates).
4.3 Financial & business data you provide ("User Content")
- Projects, capital allocations, ledger entries (expenses, revenue, capital movements), categories, notes, and dates;
- Reports, exports, scenarios, and dashboard snapshots derived from your entries;
- Chat messages, AI prompts, AI responses, and voice transcripts related to finance logging; and
- Any other content you submit through forms, imports, or AI instructions.
User Content may include personal data about you or third parties (e.g., vendor names, employee references, invoice details). You are responsible for ensuring you have a lawful basis to submit such data.
4.4 Credentials & integration data
- Encrypted API keys you store for AI or speech providers (e.g., OpenAI, Deepgram), plus non-secret key hints (such as last characters) for display;
- Selected AI provider preferences; and
- OAuth tokens or identifiers received from authentication providers.
4.5 Technical, usage & diagnostic data
- IP address, browser type, device type, operating system, language, and timezone;
- Pages viewed, features used, timestamps, and referral URLs;
- Server logs, security events, and rate-limiting records;
- Client-side error reports (JavaScript errors, failed requests, stack traces, page path, viewport, user agent, and limited session hints such as user or workspace identifiers when logged in); and
- CSRF tokens and session cookies necessary for authentication.
4.6 Communications
- Emails we send (verification, password reset, workspace invites, alerts, weekly summaries) and delivery metadata;
- Support correspondence if you contact us; and
- Records of your marketing or notification opt-in/opt-out choices.
4.7 What we do not intentionally collect
We do not intentionally collect government ID numbers, full payment card numbers, or bank account credentials through the core Service. We do not require access to your bank accounts for standard operation. Do not submit special-category data (health, biometrics for identification, etc.) unless strictly necessary and lawful—and we discourage doing so.
5. How we collect information
- Directly from you — registration, onboarding, dashboard entries, chat, voice commands, settings, exports, and support emails;
- Automatically — cookies, session management, server logs, and error-reporting scripts when you use the Service;
- From authentication providers — when you use Google Sign-In or similar OAuth;
- From workspace members — when owners or admins invite colleagues or when members act within a shared workspace; and
- From third-party AI/speech providers — only to the extent needed to deliver features you request (e.g., transcription results returned to us when you use voice).
6. How we use information
We use information for the following purposes:
- Provide, operate, maintain, and secure the Service;
- Create and manage accounts, workspaces, and role-based access;
- Process ledger entries, generate dashboards, reports, runway/burn calculations, scenarios, and alerts;
- Enable AI chat, parsing, voice logging, and automation you request;
- Send transactional emails (verification, security, invites, operational notifications);
- Send optional product updates or weekly summaries if you opt in;
- Detect, prevent, and investigate fraud, abuse, security incidents, and Terms violations;
- Debug errors, improve reliability, and develop new features;
- Comply with legal obligations, respond to lawful requests, and enforce our Terms; and
- Protect the rights, property, and safety of Piveth, our users, and the public.
We do not sell your personal data. We do not use your private financial ledger content to train public foundation models owned by Piveth. AI processing of your prompts and context is performed to deliver the Service to you, including transmission to third-party AI providers using keys you supply, subject to those providers' policies.
7. Legal bases (EEA, UK, India & similar regimes)
Where applicable law requires a legal basis for processing, we rely on one or more of the following:
- Contract — processing necessary to provide the Service you request (account, workspace, ledger, AI features, support);
- Legitimate interests — securing the Service, preventing abuse, improving reliability, sending essential service communications, and limited analytics/diagnostics, balanced against your rights;
- Consent — where required for optional marketing emails, non-essential cookies (if any), or voice/microphone access on your device;
- Legal obligation — compliance with applicable law, tax, or regulatory requests; and
- Vital interests / public interest — only where strictly required by law.
Under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and rules thereunder (as applicable), we process personal data for lawful purposes with appropriate notice and, where required, consent. You may withdraw consent for optional processing without affecting the lawfulness of prior processing.
If you are in the European Economic Area or United Kingdom, you have rights described in Section 15. California and other U.S. state residents may have additional rights described there as well.
8. AI, voice & bring-your-own-key processing
8.1 AI chat & automation
When you use AI features, we may send your messages, recent chat history, workspace context (such as project names, balances, or ledger summaries needed to answer), and instructions to AI providers (e.g., OpenAI) using credentials you provide. Providers may log, retain, or use data per their policies. You choose to enable AI by supplying keys and using the feature.
8.2 Voice
Voice features may capture audio from your device microphone and send it to speech-to-text or text-to-speech services (e.g., Deepgram, browser APIs, or AI providers). Enable voice only if you consent to this processing. Do not record other individuals without lawful consent.
8.3 Accuracy & human review
AI outputs may be incorrect. Automated parsing may misclassify entries. We may review aggregated or anonymized usage to improve prompts and reliability, but we do not guarantee human review of your private workspace data except where needed for support, security, or legal compliance.
8.4 Your control
You can update or delete API keys in settings, switch interaction modes, edit or delete ledger entries, and request account deletion (see Section 15). Discontinuing use of AI features limits—but may not eliminate—all third-party processing if residual logs exist on provider systems.
10. Workspaces & team data
Shared workspaces are controlled by workspace owners and administrators. If you invite others, you determine their roles and what they can view or edit. Piveth processes team data to provide collaboration features but is not responsible for how workspace admins configure access or for disputes between members regarding visibility, edits, or financial decisions.
If you are invited to a workspace, the inviter's organization may process your email and activity within that workspace. Contact the workspace owner for questions about their use of your data in that context.
12. Data retention
We retain information for as long as necessary to provide the Service, comply with law, resolve disputes, and enforce our agreements. Typical retention practices include:
- Active accounts — data retained while your account is active and you use the Service;
- Closed accounts — upon deletion request or termination, we delete or anonymize personal data within a reasonable period, except where retention is required for legal, tax, audit, security, or backup integrity purposes;
- Backups — residual copies may persist in encrypted backups for a limited period before rotation;
- Logs & error reports — retained for a shorter operational window unless needed for security investigations; and
- Legal holds — extended retention when required by litigation or regulatory obligation.
Soft-deleted ledger entries may remain recoverable for a period to support undo, audit trails, or workspace integrity before permanent purge, as implemented in the Service.
13. Security
We implement administrative, technical, and organizational measures designed to protect information, including:
- Encryption at rest for sensitive fields (such as email, display names, notes, and encrypted API keys) where implemented in our systems;
- Hashed passwords and hashed lookup values for email login;
- HTTPS in production, HttpOnly session cookies, CSRF protection, and access controls;
- Role-based workspace permissions; and
- Monitoring, logging, and incident response procedures.
If you believe your account or data has been compromised, contact [email protected] promptly.
14. International transfers
Piveth is operated from India. Your information may be processed in India and in other countries where we or our service providers maintain facilities (including the United States or other regions where AI providers operate).
Where required by law (e.g., EEA/UK GDPR), we implement appropriate safeguards for cross-border transfers, such as standard contractual clauses or equivalent mechanisms, upon request where applicable.
By using the Service, you understand that data may be transferred to jurisdictions that may not provide the same level of data protection as your home country, subject to the safeguards described in this Policy and applicable law.
15. Your privacy rights
Depending on your location, you may have some or all of the following rights, subject to legal exceptions:
- Access — request confirmation and a copy of personal data we hold about you;
- Correction — request correction of inaccurate or incomplete personal data (you can also update many fields in account settings);
- Deletion — request deletion of personal data, subject to retention exceptions;
- Restriction / objection — object to or request restriction of certain processing;
- Portability — receive personal data you provided in a structured, commonly used format where technically feasible;
- Withdraw consent — where processing is based on consent (e.g., optional marketing);
- Opt out of sale/sharing — we do not sell personal data; California residents may contact us to confirm;
- Non-discrimination — we will not discriminate against you for exercising privacy rights where prohibited by law; and
- Lodge a complaint — with a supervisory authority (EEA/UK) or the Data Protection Board of India under the DPDP Act, where applicable.
To exercise rights, email [email protected] from your registered email address with sufficient detail for us to verify your identity. We may request additional information to prevent unauthorized disclosure. We will respond within timelines required by applicable law (typically 30 days, extendable where permitted).
Account deletion requests may be sent to [email protected] or [email protected]. Deletion may not immediately remove all backup copies or workspace data visible to other members until workspace ownership is transferred or the workspace is deleted by an authorized owner.
16. Children
The Service is not directed to individuals under 18 (or the age of majority in your jurisdiction, whichever is higher). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact [email protected] and we will take steps to delete it where required.
17. Your responsibilities
You agree that:
- You will provide accurate account information and keep credentials secure;
- You have lawful grounds to submit User Content, including personal data of employees, contractors, vendors, or others;
- You will not submit unnecessary sensitive personal data or regulated financial account credentials;
- You are responsible for workspace access controls and removing members when they leave your organization;
- You will comply with applicable data protection laws when using Piveth as a controller of your team's or customers' data; and
- You will indemnify Piveth as described in our Terms for claims arising from your unlawful or unauthorized data submissions or misuse of the Service.
If you process personal data of others through Piveth, you may be an independent controller or processor. We act as a processor only to the extent we handle personal data solely on your documented instructions within your workspace—and as a controller for account, billing, security, and platform operations.
18. Third-party links & services
The Service may link to third-party sites or integrate with services we do not operate. Their privacy practices govern their handling of your information. Review policies for OpenAI, Deepgram, Google, hosting providers, and any future integrations before use.
We are not responsible for the data practices, availability, security incidents, or policy changes of third parties, including AI providers processing data via keys you supply.
19. Changes to this Policy
We may update this Policy from time to time. We will post the revised Policy on piveth.com with an updated "Last updated" date. Material changes may also be notified by email or in-app notice where practicable and required by law.
Continued use after changes become effective constitutes acknowledgment of the updated Policy where permitted by law. If you do not agree, stop using the Service before the effective date and request account deletion if applicable.
20. Contact & complaints
Privacy questions, rights requests, or complaints:
- Privacy: [email protected]
- Support: [email protected]
- Legal: [email protected]
India users may also have rights to grievance redressal under the DPDP Act. We will acknowledge and address verified grievances in accordance with applicable law.
21. Relationship to Terms of Service
This Policy is incorporated by reference into our Terms of Service. Disclaimers, limitations of liability, indemnification, dispute resolution, and governing law in the Terms apply to privacy-related claims to the fullest extent permitted by law, without limiting non-waivable statutory privacy rights.
Governing law and jurisdiction for disputes are set out in the Terms (India; courts in Kolkata, West Bengal, subject to mandatory consumer protections and non-waivable data protection rights in your jurisdiction).