Floating Sage Floating Sage Business
Floating Sage  /  Business  /  Privacy

Privacy Policy

Last updated: 10 May 2026 · Effective date: 10 May 2026

1.Who we are

Floating Sage Business is a point-of-sale, inventory, GST invoicing, and business management application. The app and this website are operated by Neha Yadav, an individual proprietor trading as “Floating Sage”, based in Mumbai, Maharashtra, India.

The app operates entirely on your device. There is no cloud account, no central backend storing your business data, and no remote login. This policy describes what data the app handles, where it is stored, and your rights under India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”).

2.What data we handle

The following categories of data are stored locally on your device:

  • Customer details — names, phone numbers, email addresses, and UPI VPA identifiers you choose to record.
  • Financial records — sales, invoices, GST amounts, payment methods, UPI transaction references.
  • Service and queue data — service types, walk-in queue entries, appointment times, and any customer notes you record.
  • Staff and admin credentials — usernames and passwords. Passwords are stored only as one-way cryptographic hashes; the plain password is never stored.
  • Business profile — business name, GSTIN, address, owner details that you enter during setup.
  • Inventory — product names, batch numbers, expiry dates, stock levels.
  • Device-local technical data — a device ID generated on first launch, app session tokens, and per-device sync state.

We do not collect advertising identifiers, location, contacts, microphone, camera, or browsing history.

3.Where your data is stored

All data is stored in a local database on your device, encrypted at rest. The encryption key is held in your device’s secure hardware-backed storage and never leaves the device.

We do not run servers that hold your business or customer data. Backup files that you create are saved to your chosen destination (Google Drive, WhatsApp, an SD card, a connected computer, etc.) — we have no access to those files.

4.Data sharing with third parties

Floating Sage Business does not sell or share your data with third parties for advertising, analytics, or profiling. The following narrow exceptions apply only when you explicitly use the relevant feature:

  • WhatsApp Business API (optional, opt-in). If you enable WhatsApp messaging from within the app, customer phone numbers and the invoice or message content you send are transmitted to Meta Platforms via the WhatsApp Business API. This is governed by Meta’s privacy policy. The feature is disabled by default.
  • SMS (optional). If you choose to send a customer notification by SMS, the message is composed by your device’s system SMS app and sent by your mobile carrier. The app does not read your existing SMS messages.
  • Local network sync. When you connect multiple of your own devices for sync, business data is replicated between them across your local network only. The data does not pass through Floating Sage servers or any cloud relay during this flow.
  • Off-network relay (optional). If you enable sync between devices that aren’t on the same network, encrypted sync messages are routed through a third-party relay. The relay sees only opaque encrypted data and routing tokens — it cannot read your business data.

5.Permissions the app uses

Internet
For the optional WhatsApp Business API feature, the optional off-network sync relay, and outbound HTTPS only.
Access WiFi state & network state
To detect your local network for multi-device sync.
Foreground service (connectedDevice type)
To keep the local sync connection running with the screen off, so your other devices can stay in sync. A persistent notification is shown while it’s active. Read more.
Wake lock
To maintain the sync connection while the device screen is off.
Read / write external storage (Android 12 and below only)
To create backup files on devices running Android 12 or older. Modern Android versions use scoped storage and do not require this permission.
Vibrate
For brief haptic feedback on button taps.

6.Data security

We take reasonable, industry-standard steps to protect the data on your device:

  • The on-device database is encrypted at rest using strong, modern encryption. The encryption key is held in your device’s secure hardware-backed storage and never leaves the device.
  • Staff and admin passwords are stored only as one-way cryptographic hashes — the plain password is never written to disk and cannot be recovered, only matched.
  • Sensitive third-party credentials (WhatsApp Business API token, sync relay credentials) are kept in your device’s secure hardware-backed storage — never in the application database, and never transmitted to other devices.
  • Session tokens are cryptographically signed so they cannot be forged.
  • All external internet traffic uses HTTPS.
  • Sync between your own devices uses an encrypted, device-local connection. The credentials used to secure that connection are generated on your device, stay on your device, and never cross the public internet.
  • Backup files are encrypted and tamper-evident. A backup file with even one byte modified will fail to restore.

No system is perfectly secure. If you discover a security issue, please email business-privacy@floatingsage.com and we will respond.

7.Your rights under the DPDP Act 2023

Under India’s Digital Personal Data Protection Act, 2023, you have the right to:

  • Access a summary of personal data being processed about you.
  • Request correction or completion of inaccurate or incomplete personal data.
  • Request erasure of your personal data, subject to legal retention obligations.
  • Withdraw any consent you have given, at any time.
  • Nominate another person to exercise these rights in case of your death or incapacity.
  • Make a grievance — see Section 10.

Because all data is stored on your device, you exercise most of these rights directly within the app: edit a customer to correct it, delete a customer to erase their record, uninstall the app to wipe everything. For requests that need our assistance, contact the Grievance Officer below.

8.Data retention

Data is retained on your device until you delete it or uninstall the app. Floating Sage does not enforce automatic deletion. Backup files you have shared to external services are governed by those services’ retention policies.

Indian tax law may require you to retain financial records for a minimum period (commonly 6–8 years for GST records). The app does not delete on your behalf, so you remain in control.

9.Children’s privacy

Floating Sage Business is a tool for businesses, intended for adults. We do not knowingly process personal data from children below 18 years of age as users of the app. Where you, as a business operator, record customer data of a minor, you are responsible for obtaining the consent of their parent or legal guardian as required under the DPDP Act.

10.Grievance Officer (DPDP Act §8(10))

For grievances regarding the processing of your personal data under this policy or the DPDP Act 2023, you may contact the Grievance Officer:

Grievance Officer
Neha Yadav (Founder, Floating Sage)
Email
business-privacy@floatingsage.com
Postal address
Mumbai, Maharashtra, India — full postal address available on request.
Response time
Acknowledgement within 7 working days; substantive response within 30 days, as required by the DPDP Act.

If you are not satisfied with the resolution, you may escalate to the Data Protection Board of India under §27 of the DPDP Act.

11.Data deletion

This section explains how to delete data created or stored by Floating Sage Business.

Delete a single customer / record (within the app)

  • Open the customer or record in the app.
  • Tap the menu (…) → Delete.
  • Confirm. The record is removed from your device’s database immediately.
  • If multi-device sync is enabled, the deletion replicates to your other connected devices.

Delete all of your business data

  • Open the app → More → Manage Data → Wipe All Data.
  • Confirm with your admin PIN. The on-device database, in-app backup files, and any keys held in your phone’s secure storage are wiped.
  • Or simply uninstall the app — Android removes the entire app sandbox, including the encrypted database and any secure-storage entries the app created.

Customer deletion request that you have received

If your customer (a data principal under the DPDP Act) asks you to erase their personal data from your records, you, the business, are the “Data Fiduciary” under the Act and are responsible for fulfilling the request. Use the single-record delete flow above. The app makes this easy by design.

Request our help with deletion

If you cannot access the device (for example, the device is lost, stolen, or broken), email business-privacy@floatingsage.com with a description of your situation. Note that we cannot delete data we never held — if your data was only ever on your device, the device itself holds the only copy. We can help you re-install on a new device and restore from any backup files you still hold, or guide you through a remote-wipe if your device supports it.

12.Changes to this policy

We may update this policy as the app evolves or as the law changes. Material changes will be reflected in the “Last updated” date at the top of this page and announced inside the app on the next launch following the change.

13.Contact

For privacy questions, data deletion requests, or grievances:

Email (privacy)
business-privacy@floatingsage.com
Email (general support)
business-support@floatingsage.com
Hosted policy URL
https://floatingsage.com/business/privacy
Data deletion URL
https://floatingsage.com/business/data-deletion