Effective Date: 18 February 2026
Last Updated: 18 February 2026
1. Introduction
BaatLo (“Platform”, “Service”, “we”, “us”, or “our”) is a web-based group expense splitting application accessible at https://baatlo.com, owned and operated by Anand Rao (“Individual”), an individual under the laws of India in Bengaluru, India.
This Privacy Policy (“Policy”) describes how we collect, use, store, process, share, and protect your personal information when you access or use BaatLo. This Policy applies to all users of the Platform, including visitors, registered users, and group members.
This Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (“DPDPA”), as applicable.
By creating an account or using BaatLo, you consent to the collection, use, and processing of your personal data as described in this Policy. If you do not agree with this Policy, please do not use the Platform.
2. Information We Collect
2.1 Information You Provide Directly
When you register for and use BaatLo, we collect the following information that you voluntarily provide:
- Account Registration Data: Email address, display name, and password (stored in hashed form) required to create your Account.
- Profile Information: First name, last name, display name, and profile photograph that you may optionally provide or update.
- Group Data: Group names, group descriptions, group currency settings, and group thumbnails that you create or contribute to.
- Expense Records: Expense descriptions, amounts, categories, dates, payer information, split details (who owes what), and any notes attached to expenses.
- Settlement Records: Payment records between group members, including amounts, dates, payer, payee, and optional settlement notes (e.g., “UPI payment”).
- Member Data: Email addresses of other users you add to groups, and names of ghost members (name-only placeholders) you create.
- Communications: Any correspondence, feedback, or support requests you send to us.
2.2 Information Collected Automatically
When you access the Platform, certain information is collected automatically:
- Log Data: IP address, browser type and version, device type, operating system, referring URLs, pages visited, date and time of access, and session duration.
- Cookies and Session Data: We use WordPress authentication cookies to maintain your login session. These are essential cookies required for the Platform to function. Details are provided in Section 8.
- Service Worker Data: As a Progressive Web App (PWA), BaatLo uses a service worker that may cache certain static assets locally on your device for offline viewing and faster load times.
- Error Logs: In the event of a technical error, we may log anonymised diagnostic information (with personal identifiers such as email addresses masked) to help us identify and fix issues.
2.3 Information from Third Parties
We may receive information from the following third-party sources:
- Google Ads: Google and its advertising partners may collect information about your interactions with advertisements displayed on the Platform using cookies, pixels, and similar tracking technologies. This may include your IP address, device identifiers, browsing behaviour, and ad interaction data. Google processes this data in accordance with its own privacy policy.
- WordPress: BaatLo is built on WordPress, which may collect certain technical data through its core functionality.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used |
| --- | --- |
| Provide and operate the Service | Account data, profile information, group data, expense and settlement records |
| Authenticate your identity | Email, password (hashed), session cookies |
| Send email notifications | Email address, group membership, notification preferences |
| Process invite links | Email address, invite codes, group data |
| Enable CSV data export | Group expense and settlement records |
| Improve the Platform | Usage patterns, error logs, feedback |
| Ensure security | IP addresses, session data, rate limiting counters |
| Display advertisements | Data collected by Google Ads (see Section 2.3) |
| Comply with legal obligations | As required by applicable law |
| Communicate with you | Email address |
4. Legal Basis for Processing
We process your personal data on the following legal grounds:
- Consent: By creating an account and using the Platform, you provide your consent for us to process your personal data as described in this Policy. Under the DPDPA, you may withdraw your consent at any time by deleting your Account or contacting us.
- Contractual Necessity: Processing is necessary for the performance of our contract with you (i.e., providing the BaatLo service as described in our Terms and Conditions).
- Legitimate Interests: We process certain data for our legitimate interests, including improving the Platform, ensuring security, preventing fraud, and displaying relevant advertisements, where such interests are not overridden by your rights and freedoms.
- Legal Compliance: We may process your data as necessary to comply with applicable laws, regulations, court orders, or government requests under Indian law.
5. Data Sharing and Disclosure
We do not sell your personal data. We may share your information in the following limited circumstances:
5.1 With Other Group Members
When you join or create a Group, certain information is visible to other members of that Group:
- Your display name and profile photograph.
- Expenses you have created or are involved in (amounts, descriptions, categories, dates).
- Settlement records involving you.
- Your role within the Group (admin or member).
Your email address is not visible to other group members through the Platform interface. Group administrators can only add members by entering their exact email address; no search or browsing of users is possible.
5.2 With Third-Party Service Providers
We may share data with the following categories of service providers who assist us in operating the Platform:
- Hosting Providers: Our web hosting provider stores and serves the Platform and its data. All data is hosted on servers located in India (as per https://www.hostinger.com).
- Email Service: Transactional emails (notifications, password resets) are sent through our hosting provider’s email infrastructure or a third-party email service.
5.3 With Advertising Partners
Google Ads may collect data through cookies and similar technologies when advertisements are displayed on the Platform. This data collection is governed by Google’s Privacy Policy (https://policies.google.com/privacy). We do not share your BaatLo account data, expense records, or financial information with advertising partners.
5.4 As Required by Law
We may disclose your information if required to do so by law or in response to valid legal processes, including court orders, subpoenas, and government requests, or to protect our rights, property, or safety, or the rights, property, or safety of others.
5.5 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections as described in this Policy. We will notify you of any such transfer.
6. Data Retention
We retain your personal data for as long as your Account is active or as needed to provide you the Service. Specific retention periods are as follows:
- Account Data: Retained until you delete your Account. Upon account deletion, your personal information (display name, email, profile photo) is permanently removed.
- Expense and Settlement Records: After account deletion, your historical expense and settlement records are preserved for the integrity of other group members’ records but are de-identified and attributed to “Deleted User”.
- Group Data: Group data persists as long as the Group exists and has active members.
- Error Logs: Diagnostic error logs are retained for a limited period necessary for debugging and are periodically purged. Personal identifiers in logs are masked.
- Cookies and Session Data: Authentication cookies expire when you log out or when your session ends. We destroy all active sessions across all devices upon logout.
Since we use third-party servers, the providers of those servers may retain certain information for longer periods if required by applicable law or to resolve disputes, enforce our agreements, or protect our legal rights. See their Privacy Policy, Terms of Service, and Hosting Agreement.
7. Data Security
We implement reasonable technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Password Hashing: User passwords are stored in salted, hashed form using WordPress’s built-in password hashing mechanism (bcrypt/phpass). We never store plaintext passwords.
- CSRF Protection: All form submissions are protected with WordPress nonce (number used once) tokens to prevent cross-site request forgery attacks.
- Rate Limiting: Sensitive actions (login, account deletion, profile updates, adding members) are rate-limited to prevent brute force attacks and abuse.
- Session Security: All sessions are destroyed across all devices upon logout. Account deletion destroys all active sessions before the account is removed.
- Input Sanitisation: All user inputs are sanitised and validated before processing to prevent injection attacks.
- Error Log Protection: Error log files are protected with .htaccess rules to prevent direct access, and personal identifiers (such as email addresses) are masked in log entries.
- Cache Prevention: The Platform sends no-cache and no-store headers to prevent sensitive dashboard data from being cached by browsers or CDNs.
- HTTPS: All data transmitted between your browser and our servers is encrypted using TLS/SSL.
While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and shall not be liable for any breach of security beyond our reasonable control.
8. Cookies and Tracking Technologies
8.1 Cookies We Use
| Cookie Type | Provider | Purpose | Duration |
| --- | --- | --- | --- |
| Authentication Cookies | BaatLo (WordPress) | Maintain your login session and authenticate requests | Session / up to 14 days (if “Remember Me”) |
| Nonce Tokens | BaatLo (WordPress) | Prevent cross-site request forgery (CSRF) attacks | 24 hours |
| Advertising Cookies | Google Ads | Serve personalised advertisements, measure ad performance, and track conversions | Varies (see Google’s policy) |
| Analytics Cookies | Google (if enabled) | Understand how users interact with the Platform | Varies |
8.2 Managing Cookies
You can manage or disable cookies through your browser settings. Please note that disabling essential cookies (authentication) will prevent you from logging in to the Platform. For information about managing Google’s advertising cookies, visit https://adssettings.google.com or https://www.youronlinechoices.com.
9. Your Rights
Under applicable Indian law, including the DPDPA, you have the following rights with respect to your personal data:
- Right to Access: You have the right to obtain confirmation of whether we process your personal data and to request access to such data. You can view your profile information and all your group, expense, and settlement data directly through the Platform.
- Right to Correction: You have the right to correct any inaccurate or incomplete personal data. You can update your display name, first name, last name, and profile photograph through the Profile section of the Platform at any time.
- Right to Erasure: You have the right to request the deletion of your personal data. You can delete your Account through the Profile section, which will permanently remove your personal information as described in Section 6. Historical expense records will be de-identified.
- Right to Data Portability: You can export your group expense data in CSV format through the Platform’s built-in export feature.
- Right to Withdraw Consent: You may withdraw your consent to the processing of your personal data at any time by deleting your Account or contacting us. Withdrawal of consent will not affect the lawfulness of processing conducted prior to such withdrawal.
- Right to Grievance Redressal: You have the right to lodge a complaint with our Grievance Officer (see Section 14) or with the Data Protection Board of India established under the DPDPA.
- Right to Nominate: Under the DPDPA, you have the right to nominate another individual to exercise your rights in the event of your death or incapacity.
To exercise any of these rights (other than those available directly through the Platform), please contact us at [email protected].
10. Children’s Privacy
BaatLo is not intended for use by individuals under the age of 18 (eighteen) years. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at [email protected], and we will take steps to delete such information from our systems.
Under the DPDPA, processing of personal data of children (individuals below the age of 18) requires verifiable consent from a parent or legal guardian. We do not have mechanisms for obtaining such verifiable parental consent and therefore restrict the Platform to users aged 18 and above.
11. Cross-Border Data Transfers
Your data is primarily stored and processed on servers located in India. In some cases, your data may be processed by service providers or advertising partners located outside India (for example, Google’s infrastructure for ad serving).
Where personal data is transferred outside India, we will ensure that such transfer complies with the applicable provisions of the DPDPA and that appropriate safeguards are in place, including the requirement that data is transferred only to jurisdictions or entities that provide an adequate level of data protection as notified by the Central Government of India.
12. Third-Party Links and Services
The Platform may contain links to third-party websites, services, or advertisements. We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party services before providing your personal information. In particular:
- Google Ads: Advertisements on BaatLo are served by Google Ads. Google’s collection and use of data is governed by Google’s Privacy Policy at https://policies.google.com/privacy.
- Payment Platforms: BaatLo does not process payments. Any payments between group members (via UPI, bank transfer, cash, or otherwise) are conducted on external platforms and are subject to those platforms’ privacy policies.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes, we will:
- Update the “Last Updated” date at the top of this Policy.
- Notify you through a prominent notice on the Platform or via email.
We encourage you to review this Policy periodically to stay informed about how we protect your data. Your continued use of BaatLo after any changes to this Policy constitutes your acceptance of the revised Policy.
14. Grievance Officer
In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDPA, we have appointed a Grievance Officer to address your concerns regarding data processing:
Name: Surekha Rao
Designation: Grievance Officer
Email: [email protected]
Address: Bengaluru, India
The Grievance Officer shall acknowledge your complaint within 24 (twenty-four) hours and resolve it within 15 (fifteen) days from the date of receipt, in accordance with applicable law. If you are not satisfied with the resolution, you may escalate your complaint to the Data Protection Board of India under the DPDPA.
15. Consent
By using BaatLo, you hereby consent to this Privacy Policy and agree to its terms. You specifically consent to:
- The collection and processing of your personal data as described in Section 2.
- The use of cookies and tracking technologies as described in Section 8.
- The display of third-party advertisements and the associated data collection by advertising partners.
- The sharing of your data with group members as described in Section 5.1.
- Receiving email notifications related to your groups (which you may disable per group).
You may withdraw your consent at any time by deleting your Account or contacting us. Withdrawal of consent may result in your inability to use the Platform.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:
BaatLo
Bengaluru, India
Email: [email protected]
Website: https://baatlo.com
END OF PRIVACY POLICY
