Privacy & Data Protection

Privacy Policy

Last updated: 22 March 2026  ·  Applicable law: DPDP Act 2023, IT Act 2000 & IT (SPDI) Rules 2011

  • India-Region Servers: Your data is stored in India-region infrastructure only.
  • Encrypted at Rest: All financial data encrypted with AES-256.
  • No Data Selling: We never sell your personal or financial data.
  • Right to Delete: Request full data deletion at any time.

1. Who We Are

TaxWala (taxwalaai.com) ("we", "us", "our") is a tax preparation workspace for salaried Indian taxpayers. We act as the data fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act) for personal data you provide while using our services. Our registered correspondence address and grievance contact are listed in Section 12 below.

2. Categories of Data We Collect

We collect data in the following categories:

2.1 Identity & Contact Data

  • Name, email address, mobile number (for OTP authentication)
  • PAN (Permanent Account Number) — required for tax computation and CA handoff
  • Date of birth (for age-based exemption computation)

2.2 Financial & Tax Data (Sensitive Personal Data — SPDI)

The following constitute Sensitive Personal Data or Information (SPDI) under IT (SPDI) Rules, 2011 and sensitive personal data under DPDP Act 2023:

  • Salary information — CTC, basic salary, HRA, special allowances, perquisites, LTA
  • TDS details — TDS deducted, TDS challan numbers, employer TAN
  • Form 16 data — extracted employer and income details from uploaded PDF
  • Form 26AS / AIS data — tax credit details uploaded for reconciliation
  • Investment proofs — Section 80C (PPF, ELSS, LIC), 80D (health insurance), NPS, home loan certificates
  • Bank account details — account number and IFSC for refund pre-fill (stored encrypted, not used for payment debits)
  • Capital gains data — trade history, LTCG/STCG records entered manually or uploaded
  • Crypto transaction data — VDA trade history for tax computation

2.3 Technical & Usage Data

  • IP address, browser type, device type
  • Pages visited, features used, session duration
  • Error logs for debugging

2.4 Payment Data

Payment card or UPI details are processed directly by Razorpay. TaxWala does not store full card numbers or UPI credentials. We retain Razorpay order IDs and payment status for billing records.

3. How We Collect Data

  • Directly from you — account registration, form inputs, document uploads, manual salary entry
  • PDF extraction — AI/OCR processing of Form 16 PDFs you upload
  • Third-party authentication — Google OAuth (if you choose to sign in with Google), which provides name and email address
  • Automatically — cookies, server logs, and analytics tools for platform performance

4. Purposes and Lawful Basis

We process your data under the following lawful bases (DPDP Act 2023, Section 4):

| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Tax computation & regime comparison | Salary, deductions, other income | Consent |
| Form 16 extraction & document preparation | Form 16 PDF, AIS, 26AS | Consent |
| CA review handoff (paid plans) | All tax data + PAN | Consent + Contract |
| Account management & authentication | Email, phone, name | Contract |
| Payment processing | Order ID, amount | Contract |
| Legal compliance (IT Act, DPDP Act) | Logs, user records | Legal obligation |
| Platform security & fraud prevention | IP, device data | Legitimate interest |
| Product improvement (aggregated, de-identified) | Usage analytics | Legitimate interest |

5. Consent Mechanism

For SPDI (financial and tax data), we collect your explicit consent at the point of:

  • Account registration (checkbox acceptance of these Terms and Privacy Policy)
  • Form 16 upload (in-product consent prompt before processing)
  • CA handoff (explicit confirmation before sharing your draft with a CA)

You may withdraw consent at any time by contacting us at [email protected]. Withdrawal may prevent you from using certain features.

6. Data Sharing and Third Parties

We do not sell your personal or financial data. We share data only in the following limited circumstances:

6.1 CA Professionals (on request)

When you engage CA Connect, your prepared tax data (salary, deductions, PAN, draft values) is shared with the assigned CA Professional for review and filing. You explicitly consent to this sharing before it occurs.

6.2 Payment Processor — Razorpay

Payment processing is handled by Razorpay Financial Solutions Pvt. Ltd., an RBI-licensed payment aggregator. Their privacy policy is available at razorpay.com/privacy.

6.3 Infrastructure Providers

We use the following India-region infrastructure (these providers process data as data processors under our instructions):

  • Supabase — Database and file storage hosted on AWS ap-south-1 (Mumbai)
  • Vercel — Application hosting with India-region edge nodes

6.4 Legal Requirements

We may disclose data if required by law, court order, or a competent government authority under the IT Act 2000, DPDP Act 2023, or other applicable Indian legislation.

7. Data Storage and Retention

  • Account data — Retained as long as your account is active plus 3 years after deletion (for legal/audit compliance).
  • Tax data and documents — Retained for the filing season (April to September of the relevant AY) plus 3 years. You may request earlier deletion (see Section 10).
  • Form 16 PDFs and investment proofs — Deleted automatically 6 months after the ITR filing deadline for that Assessment Year, unless you request earlier deletion.
  • Payment records — Retained for 8 years under the Companies Act and GST Act requirements.
  • Technical logs — Retained for 90 days for security and debugging purposes.

8. Security Measures

We implement security measures proportionate to the sensitivity of the data processed:

  • Transit encryption — All data in transit uses TLS 1.2+ (HTTPS enforced; HSTS enabled).
  • At-rest encryption — Database and file storage encrypted using AES-256.
  • Access control — Row-level security (RLS) ensures each user can only access their own data. CA Professionals see only cases explicitly assigned to them.
  • Authentication — Supabase Auth with email/password or Google OAuth. Passwords hashed using bcrypt.
  • Infrastructure security — Hosted on SOC 2 Type II certified cloud providers (AWS via Supabase, Vercel).
  • PAN masking — PAN is stored and displayed in masked format (AXXXXXX1234) except where required for CA handoff.

Despite our security measures, no system is perfectly secure. You are responsible for keeping your account credentials confidential.

9. Data Breach Notification

In the event of a personal data breach that is likely to cause harm to affected data principals, we will:

  • Notify the Data Protection Board of India (when constituted under DPDP Act 2023) within 72 hours of becoming aware, as required by applicable rules.
  • Notify affected users via email to their registered address without undue delay, describing the nature of the breach, data affected, and steps taken.
  • Maintain an internal breach log and take remediation steps promptly.

10. Your Rights as a Data Principal

Under the DPDP Act 2023 and IT (SPDI) Rules, you have the following rights:

  • Right of access — Request a summary of personal data we hold about you.
  • Right of correction — Request correction of inaccurate or incomplete data.
  • Right of erasure (deletion) — Request deletion of your account and associated data, subject to retention obligations under applicable law.
  • Right to grievance redressal — Lodge a complaint with our Grievance Officer (Section 12) and, if unresolved, with the Data Protection Board of India.
  • Right to withdraw consent — Withdraw consent for processing at any time (this may affect service availability).
  • Right to nominate — Nominate another individual to exercise your rights in the event of death or incapacity.

To exercise any of these rights, email [email protected] with your account email and the specific request. We will respond within 30 days.

11. Cookies and Tracking

We use the following types of cookies:

  • Essential cookies — Authentication sessions and security tokens. Required for the platform to function. Cannot be disabled.
  • Analytics cookies — Aggregated usage data (e.g., page views) using privacy-safe analytics. No individual profiling.
  • Preference cookies — Language and locale preferences.

We do not use third-party advertising cookies or behavioural tracking for ad targeting.

12. Grievance Officer

In accordance with the Information Technology Act, 2000 (Section 43A), IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023, the Grievance Officer for TaxWala is:

Grievance Officer

TaxWala (taxwalaai.com)

Email: [email protected]

Response time: Within 30 days of receiving a grievance

[Grievance Officer name and physical address will be updated upon company incorporation]

13. Children's Privacy

TaxWala is intended for individuals 18 years of age and older. We do not knowingly collect personal data from minors. If we learn that we have collected data from a person under 18, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy periodically. When we do, we will revise the "Last updated" date. For material changes (e.g., new categories of data collection, new sharing with third parties), we will notify registered users by email and display a prominent notice on the platform at least 14 days before the changes take effect.

15. Contact Us

For privacy-related questions, data requests, or to exercise your rights, contact:
