Privacy Policy
Last updated: 02 May 2026 ยท Compliant with the Digital Personal Data Protection Act 2023 (India)
โ
Template notice for the launch team: Have a privacy lawyer review this document before launch. The DPDP Act 2023 mandates a registered Data Protection Officer for Significant Data Fiduciaries โ your first 1000 users may be small enough to use a Grievance Officer, but verify thresholds.
1. Who we are
VyaparComply Technologies Private Limited ("VyaparComply", "we", "us") is the Data Fiduciary for personal data processed through the VyaparComply platform. We are incorporated in India and our registered office is at 123 Business Hub, Pune, Maharashtra 411001.
2. What data we collect
2.1 Information you provide
- Account information: name, email, phone, ICAI membership number, firm name, password (stored as a bcrypt hash)
- Billing information: billing address, GSTIN, PAN. Card and bank details are handled exclusively by Razorpay; we never see or store them
- Customer data: client GSTINs, invoices, returns, notices, books data you upload to use the Service
- Communication: support tickets, contact form submissions, emails to our support team
2.2 Information collected automatically
- Usage data: features used, actions taken, timestamps
- Device and connection: IP address, browser type, OS, device identifiers
- Cookies: session cookies for authentication; analytics cookies only with consent
2.3 Information from integrations
If you connect Tally, Vyapar, or the GST Portal to VyaparComply, we receive transactional data from those systems. We process this data only as instructed by you.
3. How we use your data
We use your data to:
- Provide, operate, and maintain the Service
- Authenticate users and prevent fraud
- Process payments via Razorpay
- Send transactional emails (account, billing, security alerts)
- Send product updates and marketing โ only with explicit consent and easy unsubscribe
- Respond to support inquiries
- Improve the Service through aggregated, anonymized analytics
- Comply with legal obligations and respond to lawful requests
4. Lawful basis for processing
Under the DPDP Act 2023, we process your data on the following grounds:
- Consent โ you opted in by creating an account and accepting these terms
- Contract performance โ necessary to deliver the Service you signed up for
- Legal compliance โ to meet tax, KYC, and regulatory obligations
- Legitimate interests โ fraud prevention and Service security
5. Data sharing & sub-processors
We do not sell your personal data. We share data only with these sub-processors under strict data processing agreements:
- Amazon Web Services (Mumbai region) โ hosting and storage
- Razorpay โ payment processing (PCI-DSS Level 1 certified)
- SendGrid / AWS SES โ transactional email delivery
- Anthropic โ AI-powered notice replies and reconciliation insights (data sent under their zero-data-retention agreement)
- WhatsApp Business API โ client message delivery, only when you enable it
- Sandbox.co.in (GSTN TSP) โ for GSTN data fetch and return filing, with your explicit OTP authorization per client session
We may also disclose data when required by Indian law (court order, government investigation, regulatory directive) or to protect our legal rights.
6. Data localization & cross-border transfers
All Customer Data is stored on AWS servers in the Mumbai (ap-south-1) region. We do not transfer Customer Data outside India except: (a) when AI processing is requested by you, where data is processed in transit and not retained by the AI provider; (b) where required by law.
7. Data retention
- Account data: retained while your account is active
- Customer Data: retained per your subscription. After cancellation, we retain it for 30 days to allow recovery, then permanently delete
- Billing records: retained for 8 years to meet Income Tax Act 1961 and GST Act 2017 record-keeping requirements
- Logs: 90 days for application logs, 1 year for security audit logs
8. Your rights under the DPDP Act 2023
As a Data Principal, you have the right to:
- Access your personal data and obtain a copy
- Correct inaccurate or incomplete data
- Erase your data, subject to legal retention obligations
- Withdraw consent at any time (this may limit Service availability)
- Nominate another individual to exercise these rights on your behalf
- Lodge a complaint with the Data Protection Board of India
To exercise these rights, email privacy@vyaparcomply.in. We will respond within 30 days.
9. Security
We implement reasonable security practices and procedures, including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- bcrypt password hashing with strong salt
- Two-factor authentication available on all accounts
- Role-based access controls within firms
- Tamper-proof audit logs of every action
- Regular vulnerability scans and penetration testing
No system is perfectly secure. In case of a personal data breach affecting your data, we will notify you and the Data Protection Board within 72 hours of becoming aware, per Section 8(6) of the DPDP Act.
10. Cookies
We use:
- Strictly necessary cookies for login sessions (no consent required)
- Analytics cookies to understand product usage (only with your explicit consent)
You can manage cookies via your browser settings. Disabling necessary cookies will prevent login.
11. Children
The Service is not directed to anyone under 18. We do not knowingly collect data from minors. If you believe we have, contact privacy@vyaparcomply.in and we will delete it promptly.
12. Changes to this policy
We may update this policy. Material changes will be notified by email at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.
13. Grievance Officer
In accordance with Section 5(8) of the DPDP Act 2023 and Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021:
Grievance Officer: [Name to be appointed]
Email: grievance@vyaparcomply.in
Address: VyaparComply Technologies Pvt. Ltd., 123 Business Hub, Pune, Maharashtra 411001
Response time: Acknowledgement within 24 hours, resolution within 15 days.