Privacy Policy

Last updated: April 2026

BYB Systems ("we", "BYB") is committed to protecting your privacy under India's Digital Personal Data Protection Act (DPDPA) 2023. This policy describes what data we collect, how we use it, and your rights as a data principal.

1. What data we collect

GST filing data — pulled from GSTN via your explicit digital consent. This includes your GST returns (GSTR-1, GSTR-3B), turnover figures, and filing history.

Bank statement data — provided by you through our secure data connection flow. We read inflow/outflow patterns, EMI obligations, and average balances to perform coherence analysis.

Business information — your GSTIN, business name, sector, city, and self-reported revenue range that you enter directly into BYB. UPI transaction patterns are extracted from your bank statement where present.

2. How we use your data

Your data is used to generate your FundMap Capital Report and BYB Trust Score — a verified financial identity that helps you access institutional credit faster.

We use anonymised and aggregated data to improve our sector benchmark models. Your individual data is never shared in identifiable form for this purpose.

We do not sell your data to third parties, advertisers, or data brokers — under any circumstance.

3. Data consent and DPDPA compliance

Every data connection — whether GST or banking — requires your explicit consent logged with a timestamp. Consent is granular: you approve each data source separately before BYB accesses it.

You can revoke consent at any time by emailing hello@bybsystems.com. Revocation stops further data pulls immediately. Existing reports remain accessible to you but are not shared further.

We maintain a DataConsentLog entry for every data access event — recording the data source, timestamp, and consent version accepted. This log is available to you on request.

4. Data retention

FundMap submissions and Capital Reports are retained for 24 months from the date of generation. Trust Score history is retained for 36 months.

You may request complete deletion of your data at any time by emailing us. Deletion requests are processed within 30 days in line with DPDPA requirements.

5. Data security

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Our infrastructure is hosted on RBI-compliant cloud providers with data localisation in India.

Every Trust Score output includes a SHA-256 cryptographic hash of the source data used to generate it. This hash is embedded in the Credit Passport PDF, ensuring the document is tamper-evident and verifiable by any recipient.

6. Your rights under DPDPA

As a data principal under DPDPA 2023, you have the right to access a summary of your personal data held by BYB, correct any inaccuracies, and erase your data upon request.

You have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. You also have the right to nominate a representative to exercise these rights on your behalf.

For grievance redressal, BYB will respond to all data-related complaints within 30 days of receipt. If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India.

7. Contact

Data Protection Officer

hello@bybsystems.com

BYB Systems

Jaipur, Rajasthan, India