Privacy Policy

Last updated: 11 May 2026

ComplySmart AI ("we", "our", "us") is operated by Devarajan P (proprietor) from India. We are the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act) in respect of the personal data of users and assessees described below. This policy explains what we collect, why, where it lives, who we share it with, and how you can delete it.

0. Data Fiduciary, DPO & Grievance Officer

Under Sections 5 and 8 of the DPDP Act, we publish the following contacts. You can write to them at any time about access, correction, deletion, consent withdrawal, or any grievance:

• Data Fiduciary: Devarajan P (sole proprietor), operating ComplySmart AI, India. Email: reachme@devarajan.in.
• Data Protection Officer / Grievance Officer: Devarajan P, ComplySmart AI. Email: support@complysmartai.com (preferred — monitored daily) / reachme@devarajan.in.
• Response timeline: we acknowledge requests within 3 working days and resolve them within 30 days as required by the DPDP Act. If unresolved you may escalate to the Data Protection Board of India.

0a. Your consent

By signing up to ComplySmart AI you provide explicit consent under Section 6 of the DPDP Act to process your personal data and the personal data of your clients/assessees that you upload, for the specific purposes set out in Section 2 below. You confirm you are 18 or older. Consent can be withdrawn at any time via Settings → Delete account or by emailing the Grievance Officer; we will stop processing within a reasonable period.

Where you upload notices or details relating to a third-party assessee (a client), you confirm that you have the authority and the assessee's consent to do so.

1. Information we collect

• Account data. Email address, full name, phone number, firm name. You enter these directly.
• Notice files. PDFs of Income Tax or GST notices you upload. Stored as files plus extracted text (OCR) and structured allegations.
• Assessee / client data. Names, PANs, GSTINs and contact details of clients you add. Treated as confidential client information.
• Conversations. Messages exchanged with the ComplySmart Assistant chat. Stored against your account so you can resume the conversation later.
• Payment metadata. Razorpay order, payment, and signature IDs. We do not store card numbers or UPI handles — those live with Razorpay.
• Usage / billing telemetry. Token counts, OCR pages processed, API call counts — used for cost tracking and product improvement.

2. Why we collect it

• To deliver the notice-response service you signed up for.
• To debug failures and prevent abuse (rate-limiting, fraud).
• To improve the AI for your own future drafts: we derive per-account signals from your finalized replies (citation preferences, writing-style hints, draft exemplars) so each subsequent notice is sharper. These signals are scoped to your account by default.
• Optional — cross-account improvements: we are rolling out granular toggles (Settings → Privacy controls) that will let you decide whether an anonymized subset of your finalized drafts may seed a global exemplar pool that helps other CAs draft similar notices. Until those toggles ship, no cross-account use of your data is occurring — if it changes before the toggles are live, we will notify you here and over email.
• To process payments and issue receipts.

3. Where the data lives

• Databases + files: Supabase, AWS Mumbai (ap-south-1). Encrypted at rest.
• OCR processing: Sarvam AI (Bengaluru, India) and Anthropic (US). Notice PDFs and supporting documents are sent to these providers for text extraction and reasoning. They are contractually bound to use the data only to fulfil our request.
• Embeddings (vector search): Voyage AI (US). When you finalize a reply, individual paragraphs of that reply are sent to Voyage for embedding (a numeric fingerprint used by our retrieval system). Whether those embeddings are then usable by other CAs depends on your training-consent settings (see §9 — default is “own use only”). Voyage uses the data only to compute and return the embedding.
• Case-law lookup: Indian Kanoon API (India). We send search queries; we do not send your notice content there.
• Transactional email: Resend (ap-northeast-1, Tokyo). Used for sign-in links + receipts. Does not see notice content.
• Payments: Razorpay (India). Standard payment-card-industry compliance applies.

Cross-border transfers: Anthropic, Voyage, and Resend process data outside India (US and Japan respectively). None of these jurisdictions is currently on the Government of India’s restricted list under s.16 of the DPDP Act. We will update this notice if that changes.

4. Who we share it with

We do not sell your data. We share it only with the service providers listed above, strictly to operate the product. We do not share with any data broker, advertiser, or unrelated third party.

5. How long we keep it

• Active notices + clients: for as long as your account is active.
• Chat threads on closed notices: deleted automatically 180 days after the notice is marked closed (filed / exported / finalised).
• Audit log + billing records: retained for 8 years, the minimum period required for tax record-keeping under Indian law.

6. Your rights

Under the DPDP Act, you can:

• Access the personal data we hold about you.
• Correct anything inaccurate (via Settings, or by email).
• Delete your account and all associated data. Use Settings → Delete account, or email support@complysmartai.com.
• Withdraw consent for data processing at any time.
• Nominate a person to exercise these rights on your behalf if you are unable to.
• File a grievance with the Data Protection Board of India.

7. AI-generated content disclaimer

ComplySmart AI generates draft responses, summaries, and research notes using large language models. These are drafts for professional review, not legal advice and not a substitute for your judgement as a Chartered Accountant. You are responsible for verifying every authority cited and every figure stated before filing.

8. Security

Data is encrypted in transit (TLS 1.2+) and at rest. Row-level security in the database isolates each user's data. Admin access is restricted to a named list of emails. Payment processing is delegated to Razorpay; we never see card details.

9. Privacy controls — training consent

We derive several signals from your finalized drafts to make the AI work better. Each one is a separate, withdrawable consent under DPDP s.6. Toggle individually at Settings → Privacy controls.

• Global exemplar pool — your finalized paragraphs are embedded and added to a pool that helps other CAs draft similar notices. Sent to Voyage AI (US) for the embedding step. Off by default.
• Voice profile distillation — your last 20 finalized drafts are sent to Anthropic Claude (US) to distil a short style guide that nudges future drafts to sound like you. Cross-border processing. Off by default.
• Citation preference memory — we aggregate which Indian Kanoon citations you accept, dismiss, or swap, then re-rank future candidates accordingly. Never leaves your account. On by default.
• Failure payload capture — when a pipeline step errors, we record the surrounding context so the issue can be diagnosed and prevented. Required for us to keep the product safe and to honour any future regulatory enquiry. On by default.

Withdrawing a consent takes effect within ~1 minute. "Clear my training data" in the same Settings panel additionally deletes the artefacts already derived (global-pool embeddings of your paragraphs, your distilled voice profile). Every grant + withdrawal is logged to an append-only audit table.

10. Children

The product is intended for licensed Chartered Accountants and businesses. We do not knowingly process the personal data of anyone under 18.

11. Changes

We may update this policy. Material changes will be notified by email and on this page. The "Last updated" date above always reflects the current version.

12. Breach notification

If we discover a personal data breach affecting your data, we will notify you and the Data Protection Board of India in accordance with Section 8(6) of the DPDP Act and any rules issued under it. Our internal incident response procedure:

• Detection & triage — incidents are triaged within 24 hours of discovery.
• Containment — affected access paths are disabled; relevant secrets rotated.
• User notification — affected users are notified by email at the address on their account, with the nature of the breach, the categories of data involved, and the steps we are taking, within 72 hours of confirmation where feasible.
• Board notification — concurrently filed with the Data Protection Board of India per the prescribed format.
• Post-incident review — a written report is retained for at least 8 years.

13. Contact

For privacy questions, data access / correction / deletion requests, consent withdrawal, or to contact the Grievance Officer: support@complysmartai.com. Officer details are in Section 0 above.