Privacy policy
1. Scope
This policy applies to personal data we process when you visit our website, register a firm account, use the secured workspace, subscribe to paid plans, contact support, or otherwise interact with AuditAudire. It does not govern how your firm processes its clients’ data inside the product; your firm remains responsible for that processing under applicable law and professional obligations.
2. Key definitions
- Personal data — data about an identifiable individual, as defined under the DPDP Act.
- Data principal — the individual to whom personal data relates (for example, a firm owner, staff user, or contact person).
- Data fiduciary — the entity that determines the purpose and means of processing personal data. For account, billing, and platform-operation data described below, we act as data fiduciary.
- Data processor — an entity that processes personal data on behalf of a fiduciary. For client engagement files and working papers uploaded by your firm, we generally process data on your firm’s instructions as a processor or technical service provider.
3. Categories of personal data we collect
Depending on how you use the service, we may collect:
- Identity and contact data — name, work email, phone, firm name, designation, and authorised signatory details provided at registration or in your profile.
- Account and authentication data — login identifiers, password hashes, session tokens, role assignments, and security logs.
- Subscription and billing data — plan selection, invoices, payment status, and limited billing contact details. Card or UPI credentials are handled by our payment partner and are not stored by us in full.
- Usage and technical data — IP address, browser type, device information, timestamps, feature usage, error reports, and audit trails needed to operate and secure the platform.
- Communications — support tickets, emails, and feedback you send to us.
- Firm-uploaded content — client names, financial records, tax identifiers, and other information your firm uploads for audit workflows. Your firm is responsible for ensuring a lawful basis to upload this data.
We do not knowingly seek to collect personal data of children under 18 without verifiable parental or guardian consent. The service is intended for professional CA firms and authorised adults.
4. Lawful grounds and consent
We process personal data where:
- you give consent (for example, by accepting this policy and our legal terms at registration, subscribing to marketing where offered, or enabling optional features);
- processing is necessary to perform a contract with you or your firm (providing the service, billing, support);
- processing is necessary for compliance with law (tax, accounting, court orders, regulatory requests);
- processing is necessary for legitimate uses permitted under the DPDP Act, such as security, fraud prevention, and service improvement, where not overridden by your rights.
You may withdraw consent for optional processing by contacting us. Withdrawal does not affect processing already completed or processing required to provide core services you continue to use.
5. Purposes of processing
- creating and administering firm and user accounts;
- delivering audit workflow, document parsing, rule checks, and related features;
- authentication, access control, and tenant isolation;
- subscription management, invoicing, and payment reconciliation;
- customer support, training, and service communications;
- monitoring performance, debugging, and protecting against abuse or security incidents;
- complying with legal obligations and responding to lawful requests;
- improving the product through aggregated or de-identified analytics where feasible.
6. Sharing and subprocessors
We do not sell personal data. We may share personal data with:
- Infrastructure and hosting providers that store and run the application;
- Email and notification providers for transactional messages;
- Payment processors (such as Razorpay) for subscription payments;
- Professional advisers (legal, accounting, security) under confidentiality obligations;
- Authorities when required by applicable Indian law or a valid legal process.
Subprocessors are engaged under contracts requiring appropriate confidentiality and security measures consistent with this policy and applicable law.
7. Cross-border transfers
Your data may be processed on servers located in India and, where necessary for hosting, backups, or support tooling, in other countries. Where personal data is transferred outside India, we take steps reasonably required under applicable law, including contractual safeguards and transfer assessments as the DPDP framework and related rules require.
8. Retention
We retain personal data only as long as needed for the purposes above, including:
- while your firm account is active and for a reasonable period after closure to resolve disputes, enforce terms, and meet legal retention duties;
- for billing and tax records, as required under Indian commercial and tax law;
- for security logs, for a limited period appropriate to incident investigation;
- for firm-uploaded engagement data, according to your firm’s instructions where we act as processor, subject to backup cycles and technical deletion limits.
We may anonymise or aggregate data so it no longer identifies individuals and retain it for analytics.
9. Security safeguards
We implement reasonable technical and organisational measures designed to protect personal data, including access controls, encryption in transit where supported, tenant separation, logging, and staff confidentiality obligations. These measures are intended to meet the “reasonable security practices and procedures” standard under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as applicable. No method of transmission or storage is completely secure; you are responsible for safeguarding your credentials and notifying us of suspected unauthorised access.
10. Your rights as a data principal
Subject to the DPDP Act and applicable exceptions, you may have the right to:
- access information about personal data we process about you;
- correction of inaccurate or incomplete personal data;
- erasure when retention is no longer necessary or consent is withdrawn, subject to legal and contractual limits;
- grievance redressal through our grievance officer (see below);
- nominate another individual to exercise your rights in the event of death or incapacity, as permitted by law.
For data your firm uploaded about its clients or staff, direct your request to your firm first; we will assist the firm as processor where appropriate. To exercise rights relating to your platform account, email nitinbetharia@gmail.com with sufficient detail to verify your identity. We aim to respond within timelines prescribed or contemplated under the DPDP Act and rules.
11. Personal data breach notification
If we become aware of a personal data breach that is likely to affect you, we will take steps to contain and investigate the incident and, where required under the DPDP Act and applicable rules, notify the Data Protection Board of India and affected data principals in the manner and timeframe prescribed by law.
12. Cookies and similar technologies
We use essential cookies and session mechanisms to keep you signed in and to protect the service. We do not use non-essential tracking cookies for third-party advertising on the secured workspace. You can control browser cookie settings; disabling essential cookies may prevent login.
13. Grievance officer
In accordance with Indian law, you may contact our grievance officer for privacy-related complaints or requests:
- Email: nitinbetharia@gmail.com
- Subject line: “Privacy grievance — AuditAudire”
- Jurisdiction: Nagpur, Maharashtra, India
If you are not satisfied with our response, you may have the right to approach the Data Protection Board of India or other remedies available under law once fully operational under the DPDP framework.
14. Changes to this policy
We may update this policy to reflect legal, technical, or business changes. Material updates will be posted on this page with a revised version date. Where required, we will seek fresh consent or give notice before changes take effect for existing users.
15. Governing law
This policy is governed by the laws of India. Disputes relating to privacy are subject to the dispute-resolution and jurisdiction provisions in our legal terms, without prejudice to your statutory rights.