Data Policy

TaxClue Consultech Private Limited operates a comprehensive data governance framework aligned with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and international best practices. This Policy sets out how we collect, process, store, protect, and dispose of data in connection with our services and website operations.

Our data collection practices are governed by the following principles:

• Purpose Limitation (Section 4(1), DPDP Act): Data is collected only for clearly stated and specific purposes — primarily service delivery, legal compliance, and communication.
• Data Minimisation: We collect only the minimum data necessary to deliver the specific service engaged. We do not collect data speculatively.
• Accuracy: We take reasonable steps to ensure data accuracy and provide mechanisms for correction.
• Storage Limitation: Data is retained only as long as necessary to fulfil the stated purpose or as required by law.
• Integrity and Confidentiality: Data is protected against unauthorised access, loss, destruction, and processing through technical and organisational safeguards.
• Accountability: TaxClue accepts responsibility for compliance with these principles and maintains records to demonstrate compliance.

We process the following categories of data, depending on the service engaged:

• Identity Data: Full name, PAN, Aadhaar, DIN, DPIN, passport, voter ID, driving licence — as mandated by the specific government filing.
• Contact Data: Email address, mobile number, landline number, residential/business address, emergency contact.
• Financial Data: Bank account details, income details, financial statements, tax returns, GST returns, TDS certificates, investment details — for tax, accounting, and compliance services.
• Business Data: Company name, CIN, GSTIN, LLPIN, business type, shareholding patterns, registered address, director details, compliance history.
• Technical Data: IP address, browser type, operating system, device identifiers, cookies, session data, pages visited, referring URLs — collected automatically through server logs and analytics.
• Communication Data: Email correspondence, WhatsApp messages, call recordings (with consent), meeting notes, form submissions.
• Portal Credentials: Government portal login credentials and DSC details shared for filing purposes — encrypted and used solely for authorised service delivery.

We process data on the following lawful bases:

• Performance of Contract (Section 4(a), DPDP Act): Processing necessary to deliver services contracted by the Client.
• Legal Obligation (Section 4(b), DPDP Act): Processing required to comply with statutory obligations under the Income Tax Act, 1961; Companies Act, 2013; CGST Act, 2017; FSSAI Act, 2006; IT Act, 2000; and other applicable statutes.
• Consent (Section 6, DPDP Act): Processing based on freely given, specific, informed consent — applicable to marketing communications, optional analytics, and non-essential cookies.
• Legitimate Interest: Processing necessary for fraud prevention, security monitoring, service improvement, and internal analytics — balanced against the Data Principal's rights.

All data is stored on infrastructure located within the territory of India:

• Cloud Infrastructure: AWS (Mumbai region) and/or Google Cloud Platform (Mumbai region) with ISO 27001 and SOC 2 Type II certifications.
• Encryption at Rest: AES-256 encryption for all stored data, with encryption keys managed through dedicated key management services.
• Encryption in Transit: TLS 1.3 encryption for all data transmitted between client devices and our servers.
• Backup and Disaster Recovery: Automated encrypted daily backups with geographically redundant disaster recovery within India. Recovery Point Objective (RPO): 24 hours. Recovery Time Objective (RTO): 4 hours.
• Access Logging: Comprehensive audit trails for all data access, modification, and deletion events.

As an integral part of our service delivery, we submit information and file applications on your behalf with government portals, including but not limited to:

• MCA V3 Portal — Company and LLP registrations, annual filings, changes.
• GST Portal — GST registration, returns (GSTR-1, GSTR-3B, GSTR-9, GSTR-9C), amendments.
• Income Tax e-Filing Portal — ITR filing, TDS returns, PAN/TAN applications.
• FSSAI FoSCoS — FSSAI registration, licences, renewals, amendments.
• IP India (Trade Marks Registry, Patent Office) — Trademark/patent applications, objection replies.
• DGFT / ICEGATE — IEC, e-RCMC, customs-related filings.
• BIS Manak Online — BIS CRS, FMCS, ISI Mark applications.
• EPFO / ESIC Portals — ESI and PF registrations, returns.
• Startup India Portal / DPIIT — Startup recognition.

All filings are made solely pursuant to your explicit authorisation and using credentials/DSC that you provide or authorise us to use. We do not file or access any portal without your knowledge and consent.

In accordance with Chapter III of the DPDP Act, 2023, you have the following rights:

• Right to Access (Section 11): Obtain a summary of your data and processing activities.
• Right to Correction (Section 12): Request correction of inaccurate or incomplete data.
• Right to Erasure (Section 12): Request deletion of data no longer necessary — subject to legal retention requirements.
• Right to Withdraw Consent (Section 6(6)): Withdraw consent at any time without affecting prior lawful processing.
• Right to Grievance Redressal (Section 13): Lodge a complaint with our Grievance Officer.
• Right to Nominate (Section 14): Nominate an individual to exercise your rights in case of death/incapacity.

Requests must be submitted in writing to info@taxclue.in with the subject "Data Rights Request — [Your Name]". Identity verification may be required. We will respond within 30 days.

We adhere to the following retention schedule:

• Active Engagement Data: Retained for the duration of the engagement plus 8 years — per Income Tax Act (Section 149), Companies Act (Section 128), and CGST Act (Section 36) retention requirements.
• Inactive Client Data: Progressively minimised after 3 years of inactivity; non-essential data erased after 8 years.
• Website Analytics: Anonymised and retained indefinitely for aggregate trend analysis.
• Communication Records: Retained for 3 years from the last communication or as required for active/anticipated legal proceedings.
• Payment Records: Retained for 8 years per tax and accounting requirements.

Upon expiry, data is securely destroyed using NIST 800-88 compliant methods.

For data-related queries, concerns, access requests, or to exercise your rights under the DPDP Act, contact:

Grievance Officer: Mr. Deepak Gaur
Designation: Director, TaxClue Consultech Private Limited
Email: info@taxclue.in (Subject: "Data Protection Request")
Address: Shop No 1, FCA 32/1, Near Patel Chowk Main Bandh Road, SGM Nagar, Faridabad, Haryana — 121001, India

Grievances are acknowledged within 48 hours and resolved within 30 days. Unresolved grievances may be escalated to the Data Protection Board of India.

TaxClue Consultech Private Limited is committed to full and continuous compliance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and all applicable data protection regulations as they evolve. We continuously review and update our data practices, security measures, and internal policies to align with regulatory requirements, industry standards, and technological advancements.

For queries, grievances, or requests relating to this Data Policy, please write to:

TaxClue Consultech Private Limited
CIN: U74999HR2021PTC095657
📍 Shop No 1, FCA 32/1, Near Patel Chowk Main Bandh Road, SGM Nagar, Faridabad, Haryana — 121001, India
📧 info@taxclue.in
📞 +91 98914 64610
🌐 www.taxclue.in