Privacy Policy
Accountrix AI
Version: 1.0 · Effective date: [to be set on publication] · Last updated: 19 June 2026
Owner: Palak Jaggi & Aayush Agarwal (Privacy Leads & Grievance Officers) · Review cycle: annual or on material change
1. Introduction and scope
Accountrix AI ("Accountrix AI", "we", "our", "us") operates an AI-assisted accounting, financial-statement and compliance software-as-a-service platform made available at www.accountrixai.com and associated sub-domains, applications and the Accountrix AI Tally Connector (collectively, the "Platform").
This Privacy Policy explains what personal data we collect, why we collect it, the legal bases on which we process it, with whom we share it, where it is processed, how long we keep it, how we protect it, and the rights available to you. It applies to all visitors, account holders, the chartered accountants and businesses who use the Platform, and the individuals whose data those users upload.
This Policy is governed by the laws of India, including the Information Technology Act, 2000 and the rules made under it (the SPDI Rules, 2011, in force until 13 May 2027), the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025, as and when their respective provisions take effect.
2. Definitions
- Personal Data — any data about an individual who is identifiable by or in relation to such data.
- Sensitive Personal Data or Information (SPDI) — as defined in Rule 3 of the SPDI Rules, including
passwords and financial information such as payment-instrument details.
- Data Principal — the individual to whom the personal data relates.
- Data Fiduciary — the person who determines the purpose and means of processing personal data.
- Data Processor — a person who processes personal data on behalf of a Data Fiduciary.
- Processing — any operation performed on personal data (collection, storage, use, disclosure, erasure, etc.).
- Sub-processor — a third party we engage to process personal data to provide the Platform.
3. Who we are — our roles
Accountrix acts in two distinct roles depending on the data:
(a) As a Data Fiduciary for the personal data of our account holders and visitors — for example, the
name, email, firm details and billing information of a chartered accountant or business owner who creates
an Accountrix account. We decide the purposes and means of this processing.
(b) As a Data Processor for the client and financial data that an account holder (typically a CA firm or business) uploads to the Platform to prepare financial statements. In that case the account holder is the Data Fiduciary, and we process that data only on their documented instructions through the Platform.
Where we act as a Processor, the account holder remains responsible for the lawful basis, notice and
consent applicable to the underlying individuals.
4. Personal data we collect
We practise data minimisation — we collect only what is necessary for the purposes described below.
(a) Account and identity data: name, email address, password (stored only as a one-way bcrypt hash —
never in plain text), firm or business name, role, and (optionally) phone number.
(b) Onboarding and profile data: firm type, professional role, and the preferences and consents you
provide at first sign-in and in your profile.
(c) Billing and transaction data: billing legal name, address, GSTIN, the modules and credits you
purchase, invoices, and payment metadata returned by our payment gateway. We do not store your full card - number (PAN), CVV or card expiry — card data is collected and processed directly by our PCI-DSS-compliant, payment gateway, Razorpay.
(d) Client and financial data (processed on your instruction): trial balances, ledger names and groups, financial statements, and related accounting records you upload or fetch via the Tally Connector. This data may incidentally contain the names of third parties (for example, a debtor or creditor ledger named after a person or firm).
(e) Technical and security data: IP address, device/browser information, log and audit records of
security-relevant actions (sign-in, consent, export, grievance, erasure, nominee), and error-diagnostic
events. These are retained to keep the Platform secure and to comply with law.
(f) Communications: the content of grievances, support requests and emails you send us.
5. How we collect data
We collect data directly from you (when you register, configure your profile, upload data, purchase, or contact us), automatically (server and security logs, cookies — see our Cookie Policy), and from the Tally Connector that you install and authorise to transmit accounting data from your TallyPrime instance.
6. Purposes and legal bases
We process personal data for the following purposes and on the following bases:
| Purpose | Legal basis |
|---|---|
| Create and operate your account; authenticate you; provide the Platform | Performance of contract / consent |
| Prepare financial statements and run AI-assisted ledger classification | Your instruction (we act as Processor) / consent |
| Process payments, issue invoices and meet tax/GST obligations | Performance of contract / compliance with law (legitimate use) |
| Keep the Platform and your data secure; prevent fraud and abuse; maintain audit and security logs | Our legitimate use and statutory security duties |
| Respond to grievances, support requests and rights requests | Consent / compliance with law |
| Send transactional and (where you opt in) product communications | Consent / contract |
| Comply with lawful directions, court orders and regulatory obligations | Compliance with law |
Where we rely on consent, you give it through an itemised, versioned, purpose-by-purpose consent screen at first sign-in, and you may withdraw consent for any optional purpose as easily as you gave it (withdrawal does not affect processing already carried out, nor processing we are legally required to continue).
7. Sensitive personal data
We process two categories of SPDI: (i) passwords, which are stored only as salted one-way bcrypt hashes and are never accessible to us in plain text; and (ii) financial information in the form of payment metadata, with full card details handled solely by Razorpay. We apply the security safeguards in Section 13 to all SPDI.
8. Cookies and similar technologies
We use strictly necessary cookies and local storage to keep you signed in and to operate the Platform
securely. We do not use third-party advertising cookies. See our Cookie Policy for details and controls.
9. How we use Artificial Intelligence
A core feature of Bank Match is AI-assisted reading of bank statements. We have engineered this with strict data minimisation: when a bank statement cannot be parsed by our deterministic engine, only its text is sent to our AI sub-processor (Anthropic) to extract the transaction rows. All matching, BRS computation and tamper checks are performed by deterministic code — never by AI. AI output is advisory: every reconciliation requires review and sign-off by a qualified chartered accountant before it can be relied upon or exported. We do not use AI to make any legal or significant decision about a Data Principal without human review.
10. Disclosure of data and our sub-processors
We do not sell personal data. We disclose personal data only: (a) to the sub-processors listed below, strictly to provide the Platform; (b) where you direct us to; (c) to comply with law, a court order or a lawful government direction; or (d) to protect our rights, users or the security of the Platform.
Our current sub-processors are:
| Sub-processor | Role | Data shared | Location |
|---|---|---|---|
| Anthropic (Claude API) | AI ledger classification | Ledger name, group, Dr/Cr side, entity type (no amounts, no identity) | United States |
| Razorpay | Payments & GST invoicing | Billing data, payment metadata (no card PAN) | India |
| MongoDB Atlas | Primary database | All application data | India (ap-south-1) [CONFIRM cluster region before publishing] |
| Railway | Backend hosting / compute | Data in transit and in memory | United States |
| Amazon Web Services (S3) | Encrypted database backups | Full database backups | India (ap-south-1) |
| Sentry | Error monitoring | Diagnostic events (personal-data scrubbing enabled) | United States |
| ZeptoMail | Transactional email | Email address, message content (when enabled) | India [CONFIRM before enabling email] |
| Vercel | Frontend content delivery | Minimal/no financial data | Global edge |
| GitHub | Source code & CI/backup orchestration | Source code, CI secrets (not user data) | United States |
*The legal characterisation of each relationship and the executed data-processing agreements are being
finalised with counsel.* Each sub-processor is, or will be, bound by a data-processing agreement requiring
confidentiality, security and a restriction on onward disclosure.
11. Cross-border transfer
Some of our sub-processors process data outside India (notably in the United States). We make such
transfers in accordance with applicable law: under the SPDI Rules (until 13 May 2027) we transfer only where the recipient ensures the same level of protection that we are required to maintain, and only where necessary; under the DPDP Act we will not transfer to any country or territory that the Central Government restricts by notification. We disclose this cross-border processing to you here and obtain your consent where required. Our database backups are hosted in India (ap-south-1). We are completing migration of our primary database to India and executing equivalent-protection agreements with all overseas processors.
12. Data retention and erasure
We keep personal data only for as long as is necessary for the purpose for which it was collected or as required by law. In particular:
- Raw trial-balance uploads are automatically deleted 90 days after fetch.
- Financial, tax and invoicing records are retained for the period required by applicable tax and company
law (generally up to 8 years), after which they are erased or anonymised.
- Security and audit logs are retained for the minimum period required by the CERT-In Directions and the DPDP Rules.
When the purpose is served, when you withdraw the consent on which processing depends, or when you close your account, we erase your personal data and cause our processors to do so, except where we are required by law to retain it (in which case we restrict and, where possible, anonymise it). Our full schedule is in the internal Data Retention & Erasure Schedule.
13. How we protect your data
We implement appropriate technical and organisational security measures, including: encryption of data in transit (TLS) and encryption at rest — our daily database backups use server-side AES-256 encryption, and database storage is hosted on our managed provider’s encrypted infrastructure; one-way bcrypt password hashing; signed, algorithm-pinned session tokens; two-factor authentication for administrators with step-up re-authentication for sensitive actions; a strong password policy; strict per-tenant data isolation; HTTP security headers, an origin allow-list, tiered rate-limiting and request-size limits; formula-injection and XML-entity safeguards; append-only security and audit logs with client-IP capture; daily encrypted database backups with periodic restore drills; and data minimisation throughout. We operate an ISO/IEC 27001-aligned information-security programme. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
14. Your rights as a Data Principal
Subject to applicable law, you have the right to:
(a) obtain a summary of the personal data we process about you and the processing activities, including the identities of the sub-processors with whom your personal data has been shared (listed in Section 10);
(b) correct, complete or update your data;
(c) request erasure of your data;
(d) withdraw consent;
(e) nominate another individual to exercise your rights in the event of death or incapacity (DPDP s.14); and
(f) an effective grievance redressal. You can exercise these rights directly inside the Platform through the Data-Principal Rights Centre (export, correction, erasure request, grievance and nomination), or by contacting our Grievance Officer (see Section 16). We will respond within the timelines published in our Grievance Redressal Policy. We may ask you to verify your identity before acting on a request. You also have duties under DPDP s.15 — including not impersonating another person, not suppressing material information, and not filing false or frivolous complaints. These duties are set out in our Terms of Use.
15. Children
The Platform is a business tool intended for use by adults (18 years and above). We require an age confirmation at first sign-in and do not knowingly process the personal data of children, nor direct any feature, tracking or advertising at children. If you believe a child's data has been provided to us, contact the Grievance Officer and we will erase it.
16. Grievances, our Grievance Officer, and the Data Protection Board
If you have any grievance about our processing of your personal data, contact our Grievance Officer:
If you are not satisfied with our response, you may approach the Data Protection Board of India — the official complaint channel will be published here once notified by the Government.
17. Changes to this Policy and periodic notice
We may update this Policy from time to time. Material changes will be notified in-app and/or by email, and the "Last updated" date above will change. We will also periodically (at least once a year) prompt you to review this Policy and our Terms.
18. Contact
General queries, Privacy, Grievances, Security: founders@accountrixai.com
