Terms, Policies & Legal Framework
This document constitutes the complete legal framework governing the use of the BaseUPI platform. It covers your rights, obligations, our limitations of liability, and the regulatory context under Indian law. Please read each section carefully.
Terms of Service
Definitions
- a. "Platform" refers to the BaseUPI software suite, including the web dashboard, API endpoints, and the Android Companion Application.
- b. "Merchant" or "You" refers to any individual or entity that deploys, configures, or operates an instance of the BaseUPI software.
- c. "Customer" or "Payer" refers to any individual who initiates a UPI payment to a Merchant using a checkout page or payment link generated by the Platform.
- d. "Service" refers to the automated payment verification process facilitated by the Platform through SMS reading and order matching.
- e. "We", "Us", or "BaseUPI" refers to the developers and maintainers of the BaseUPI open-source project.
Nature of Service
- a. BaseUPI is a software automation toolkit. It is NOT a payment gateway, payment aggregator, escrow service, banking institution, or financial intermediary of any kind.
- b. The Platform does not hold, process, transfer, or have custody of any funds at any point during a transaction. All payments flow directly from the Customer to the Merchant via the UPI network operated by NPCI.
- c. BaseUPI does not require or hold any RBI Payment Aggregator (PA) license, as it does not pool or handle merchant funds. The software merely automates the verification of incoming payments by reading bank SMS notifications.
- d. The Platform operates as a "technology layer" that sits between the Merchant's bank account and their application, providing automated reconciliation only.
Merchant Obligations & Eligibility
- a. You must be at least 18 years of age and legally capable of entering into binding agreements under Indian law.
- b. You must operate a legitimate, lawful business registered in India or in a jurisdiction where UPI transactions are permitted.
- c. You are solely responsible for the configuration, security, hosting, and maintenance of your BaseUPI instance, including all associated infrastructure (Supabase, hosting provider, domain, SSL certificates).
- d. You must ensure that your UPI VPA (Virtual Payment Address) is valid, active, and correctly configured in your profile settings. BaseUPI is not responsible for payments sent to incorrect VPAs.
- e. You must comply with all applicable laws, rules, and regulations, including but not limited to the Payment and Settlement Systems Act (2007), Information Technology Act (2000), RBI guidelines on digital payments, and NPCI's UPI procedural guidelines.
- f. You are responsible for filing all applicable taxes on income received through UPI payments, including GST, Income Tax, and TDS as required by Indian law.
Prohibited Activities & Businesses
- a. You may NOT use BaseUPI for any business or activity classified as illegal under Indian law or the laws of your jurisdiction.
- b. Specifically prohibited categories include: (a) Gambling, betting, lotteries, or games of chance; (b) Adult content, pornography, or escort services; (c) Multi-level marketing (MLM), pyramid schemes, or "get-rich-quick" programs; (d) Sale or distribution of narcotics, controlled substances, or drug paraphernalia; (e) Weapons, ammunition, explosives, or hazardous materials; (f) Counterfeit goods, stolen property, or items that infringe intellectual property rights; (g) Cryptocurrency exchanges, unauthorized virtual asset trading, or speculative financial instruments not regulated by SEBI; (h) Money laundering, hawala transactions, or any form of terrorist financing.
- c. You may not use the BaseUPI API as a "Payment-Gateway-as-a-Service" by reselling API access to third-party merchants, unless you independently hold a valid RBI Payment Aggregator license. This is in strict compliance with NPCI directives on API usage.
- d. Any violation of these terms may result in immediate termination of your access to BaseUPI support channels and removal from any community platforms.
Intellectual Property
- a. The BaseUPI source code is licensed under the terms specified in the repository LICENSE file (e.g., MIT License). You may use, modify, and redistribute the code in accordance with that license.
- b. The "BaseUPI" name, logo, brand identity, and associated trademarks are proprietary. You may not use these marks to imply endorsement, affiliation, or sponsorship without prior written consent.
- c. Derivative works must not be marketed or presented in a way that creates confusion with the official BaseUPI project.
Modifications to Terms
- a. We reserve the right to modify these Terms of Service at any time. Changes will be reflected on this page with an updated revision date.
- b. Continued use of the Platform after modifications constitutes acceptance of the revised terms.
- c. It is your responsibility to periodically review these terms for changes.
Privacy Policy
Scope & Applicability
- a. This Privacy Policy applies to all data processed by your self-hosted BaseUPI instance, including the web dashboard, API endpoints, and the Android Companion Application.
- b. This policy is drafted in compliance with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology (Reasonable Security Practices and Procedures) Rules, 2011.
- c. As a self-hosted solution, YOU are the "Data Fiduciary" (controller) under the DPDP Act. BaseUPI developers are not data processors and have no access to your instance.
Data Collection — What We Collect
- a. Merchant Data: Business name, owner name, email address, phone number, UPI VPA (Virtual Payment Address), business address, and API key hashes.
- b. Customer/Payer Data: Customer name (optional), email (optional), UPI VPA of the payer (extracted from SMS), transaction amount, and transaction reference number.
- c. Device Data: Android device identifier, OS version, last-seen timestamp, and connection status of the Companion App.
- d. SMS Data: The Companion App reads ONLY transactional SMS messages from recognized bank sender IDs. It extracts: amount received, UTR/reference number, and sender VPA. Personal, promotional, or non-banking messages are NEVER read, processed, or transmitted.
- e. Order Data: Order IDs, amounts (in paise), line items, metadata, status history, and webhook delivery logs.
Data Storage & Sovereignty
- a. ALL data is stored exclusively within your own Supabase PostgreSQL instance. BaseUPI developers have zero access to your database credentials, tables, or records.
- b. If you host your Supabase instance in India (recommended), your setup complies with RBI's data localization requirements for payment data.
- c. You are responsible for implementing appropriate backup, encryption-at-rest, and access control policies for your database.
- d. No data is transmitted to BaseUPI servers, analytics platforms, or any third-party services by the core application. The only outbound network calls are: (a) Webhook deliveries to YOUR configured merchant endpoints; (b) Supabase authentication flows.
Data Retention & Deletion
- a. As the Data Fiduciary, you are responsible for determining data retention periods in compliance with applicable laws.
- b. Under the DPDP Act, you must delete personal data once the purpose of processing is fulfilled, unless retention is required by law.
- c. BaseUPI provides database-level access, allowing you to implement automated cleanup, anonymization, or archival processes as required.
- d. Customers (Data Principals) have the right to request erasure of their personal data. You must honor such requests in compliance with the DPDP Act.
Third-Party Services
- a. Supabase: Used for authentication (GoTrue) and database management. Their privacy policy governs data processed on their infrastructure. See: supabase.com/privacy.
- b. Hosting Providers: Your choice of hosting provider (Vercel, Netlify, AWS, etc.) may process request metadata (IP addresses, headers). Their respective privacy policies apply.
- c. No advertising, analytics, or tracking SDKs are included in the BaseUPI codebase.
Acceptable Use Policy
Permitted Use
- a. BaseUPI is intended for legitimate, lawful commercial transactions where the Merchant provides genuine goods or services in exchange for payment.
- b. You may integrate BaseUPI into your website, application, or workflow using the provided APIs and SDKs.
- c. You may white-label the checkout experience with your own branding as permitted by the software license.
Prohibited Conduct
- a. Artificially generating orders to manipulate transaction records or inflate business metrics.
- b. Using the SMS ingest endpoint to stress-test, DDoS, or overload banking infrastructure or NPCI systems.
- c. Attempting to reverse-engineer the payment matching algorithm to exploit the paisa-offset system for fraudulent purposes.
- d. Sharing API keys, webhook secrets, or SMS hook tokens with unauthorized third parties.
- e. Circumventing rate limits, idempotency checks, or other security mechanisms built into the Platform.
- f. Using BaseUPI to facilitate transactions that violate anti-money laundering (AML) or combating the financing of terrorism (CFT) regulations.
API Usage Guidelines
- a. API rate limits are enforced per-merchant and per-IP. Default limits are: 60 requests/minute for order creation, 60 requests/minute for SMS ingest, and 20 requests/minute for webhook endpoints.
- b. All API requests must use HTTPS. Plain HTTP requests will be rejected.
- c. Idempotency keys should be used for all order creation requests to prevent duplicate charges.
- d. Webhook endpoints must respond with a 2xx status code within 15 seconds. Failure to do so will trigger the retry mechanism (up to 10 attempts with exponential backoff over 72 hours).
Risk Disclosure & Liability
"As-Is" Disclaimer
- a. THE PLATFORM IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR UNINTERRUPTED SERVICE.
- b. We do not warrant that: (a) the Platform will meet your specific requirements; (b) the Platform will be error-free, uninterrupted, or free of viruses or other harmful components; (c) the results obtained from the Platform will be accurate or reliable; (d) any defects will be corrected in a timely manner.
SMS & Network Reliability
- a. The payment verification mechanism depends entirely on: (a) your mobile carrier's SMS delivery speed and reliability; (b) your bank's SMS notification system; (c) the Android device's ability to read and forward SMS in real-time; (d) internet connectivity between the device and your hosted API.
- b. Delays or failures in any of these components may result in legitimate payments not being detected, causing orders to remain in "CREATED" status or time out.
- c. You MUST implement a manual payment verification process (e.g., checking your bank statement) as a fallback for any mission-critical transactions.
- d. Network outages, phone restarts, battery optimizations killing the Companion App, or SIM deactivation may all interrupt the service without notice.
Financial & Bank Risk
- a. BaseUPI IS NOT LIABLE for any direct, indirect, incidental, special, consequential, or punitive damages, including but not limited to: loss of revenue, loss of profits, loss of business, loss of data, or cost of procurement of substitute services.
- b. Receiving high volumes of UPI payments may trigger automated fraud detection systems at your bank. This could result in: (a) temporary holds on incoming funds; (b) requests for KYC re-verification; (c) account restrictions or freezing; (d) in extreme cases, account closure.
- c. You acknowledge and accept that using automated payment tools carries inherent risks with banking institutions, and you assume full responsibility for any bank-imposed actions.
- d. BaseUPI does not provide any guarantee of payment accuracy due to the "paisa offset" system. While the unique amount mechanism reduces collision probability, it does not eliminate it entirely.
Indemnification
- a. You agree to indemnify, defend, and hold harmless the BaseUPI developers, contributors, and maintainers from any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorney fees) arising from: (a) your use or misuse of the Platform; (b) your violation of these Terms; (c) your violation of any applicable law or regulation; (d) any third-party claims related to your business operations conducted through the Platform.
Limitation of Liability
- a. IN NO EVENT SHALL THE TOTAL AGGREGATE LIABILITY OF BASEUPI, ITS DEVELOPERS, CONTRIBUTORS, OR MAINTAINERS EXCEED THE AMOUNT OF ZERO RUPEES (₹0), REFLECTING THE FREE AND OPEN-SOURCE NATURE OF THE SOFTWARE.
- b. This limitation applies regardless of the legal theory (contract, tort, strict liability, or otherwise) and even if BaseUPI has been advised of the possibility of such damages.
Refund & Dispute Policy
Merchant Responsibility
- a. Since payments flow directly from Customer to Merchant via UPI, BaseUPI has no ability to initiate, process, or manage refunds.
- b. All refund decisions, policies, and executions are the sole responsibility of the Merchant.
- c. Merchants must clearly communicate their refund policy to Customers before checkout.
Customer Disputes
- a. Customers seeking refunds must contact the Merchant directly. BaseUPI has no customer database and cannot mediate disputes.
- b. For UPI-level disputes (e.g., payment debited but service not received), the Customer should raise a complaint with their UPI app provider or bank, as per NPCI's dispute resolution framework.
- c. Merchants are obligated to cooperate with bank-initiated dispute or chargeback requests.
Governing Law & Jurisdiction
Applicable Law
- a. These Terms shall be governed by and construed in accordance with the laws of India, without regard to its conflict-of-law provisions.
- b. Key applicable legislation includes: (a) The Payment and Settlement Systems Act, 2007; (b) The Information Technology Act, 2000; (c) The Digital Personal Data Protection Act, 2023; (d) The Indian Contract Act, 1872; (e) The Consumer Protection Act, 2019.
Dispute Resolution
- a. Any dispute arising out of or in connection with these Terms shall first be attempted to be resolved through good-faith negotiation between the parties.
- b. If negotiation fails within 30 days, the dispute shall be referred to binding arbitration under the Arbitration and Conciliation Act, 1996, conducted in English.
- c. The courts of New Delhi, India shall have exclusive jurisdiction over any disputes not resolved through arbitration.
Severability
- a. If any provision of these Terms is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect.
- b. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable, while preserving the original intent.
Entire Agreement
- a. These Terms, together with the Privacy Policy, Acceptable Use Policy, and Risk Disclosure, constitute the entire agreement between you and BaseUPI regarding the use of the Platform.
- b. These Terms supersede all prior agreements, representations, and understandings, whether written or oral.
Notice to Financial Regulators & Law Enforcement
BaseUPI is an open-source software toolkit licensed under permissive terms. It does not provide financial services, hold deposits, or process payments. All funds move directly via the NPCI UPI rail from payer to payee.
Merchants deploying this software are independently responsible for obtaining all necessary licenses, registrations, and clearances required by the RBI, NPCI, SEBI, or any other regulatory body applicable to their specific business model and jurisdiction.
For compliance inquiries, please contact the individual Merchant operating the instance in question. The open-source project maintainers do not have access to, or control over, any deployed instances.