ElevateFinance

Privacy Policy

Effective date: 24 April 2026. Version: 2026-04-24.

Read time: about ten minutes. The plain-English summary immediately below is for convenience; the binding text is the numbered sections that follow.

Plain-English summary

We collect only what we need to compute and file your Income Tax Return. We never sell, rent, or trade your data. We encrypt sensitive identifiers at rest with AES-256-GCM. We retain filing data for the period the Income-tax Act and the GST Act require, then we delete it. You can request access, correction, erasure, or consent withdrawal at any time. India is the place of processing; the Pune courts have exclusive jurisdiction. The text that follows tells you exactly which provisions of which laws apply, what triggers them, and what we owe you when they do.

1. Definitions

Capitalised terms in this Privacy Policy carry the meanings assigned in this Section and, where consistent with statute, the meanings assigned in the relevant statute.
Act
The Digital Personal Data Protection Act 2023 (Act No. 22 of 2023), enacted by the Parliament of India and notified in the Gazette of India on 11 August 2023.
Board
The Data Protection Board of India constituted under Chapter V of the Act.
Data Fiduciary
Any person who, alone or in conjunction with others, determines the purpose and means of processing of Personal Data, as defined in Section 2(i) of the Act. We are the Data Fiduciary for Personal Data processed through the Service.
Data Principal
The natural person to whom the Personal Data relates, as defined in Section 2(j) of the Act. You are the Data Principal in relation to your own Personal Data.
Data Processor
Any person who processes Personal Data on behalf of a Data Fiduciary, as defined in Section 2(k) of the Act. The processors we engage are listed at Section 7.
Personal Data
Any data about an individual who is identifiable by or in relation to such data, as defined in Section 2(t) of the Act.
Sensitive Personal Data or Information
The category defined in Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 ("SPDI Rules"), retained as a transitional reference until the DPDPA Rules are fully notified. We treat PAN, Aadhaar, bank account number, IFSC, and date of birth as Sensitive Personal Data and apply field-level encryption to them.
Service
The ElevateFinance web platform, application programming interfaces, mobile interfaces (where deployed), email and document workflows, computation engine, and customer-support channels operated under the brand "ElevateFinance".
we / us / our / the Company
ElevateFinance, a sole proprietorship registered as a Micro Enterprise under the Udyam Registration framework administered by the Ministry of Micro, Small and Medium Enterprises, Government of India, having its registered office at Pune, Maharashtra 411058, India, and acting through its sole proprietor Priyesh Mishra.
you / your / the User
Any natural person who accesses or uses the Service, whether or not registered for an account, including individual customers, Chartered Accountants empanelled on the Service, and authorised personnel of an enterprise customer.

2. Who we are and how to reach us

ElevateFinance is operated by Priyesh Mishra, sole proprietor, registered as a Micro Enterprise under the Udyam Registration framework, Ministry of Micro, Small and Medium Enterprises, Government of India. The registered postal address is Pune, Maharashtra 411058, India. The publicly listed contact channel for all privacy matters is support@elevatefinance.co; communications relating to grievance redressal must include the literal token "[Grievance]" in the subject line so that intake routing meets the timelines in Section 12. We act as the Data Fiduciary for all Personal Data processed through the Service.

3. Scope of this Policy

This Policy applies to Personal Data we collect when you visit any page hosted on the ElevateFinance web property, when you sign up for an account, when you use the Service to compute or file an Income Tax Return, when you upload supporting documents to our storage layer, when you correspond with our support function, when a Chartered Accountant working on your filing accesses your Personal Data through their assigned workspace, and when an enterprise administrator manages members or Restricted Stock Unit grants on behalf of a customer organisation. This Policy does not cover Personal Data you submit directly to a third-party website (for example the Income Tax Department portal at incometax.gov.in) even if that submission was triggered from a workflow that began on the Service; in such cases the recipient is the Data Fiduciary for that submission and its own privacy notice governs.

4. Categories of Personal Data we process

We process Personal Data in the categories listed below. Where a category includes Sensitive Personal Data or Information, the "Protective measure" line identifies the specific safeguard we apply.

Category: Identity data
  Examples: name, email address, mobile number, date of birth
  Purpose: account creation, authentication, communication
  Protective measure: TLS 1.3 in transit; database access controls at rest; field-level encryption for date of birth

Category: Government identifiers
  Examples: Permanent Account Number (PAN), Aadhaar number
  Purpose: Income Tax Return preparation under Section 139 of the Income-tax Act 1961
  Protective measure: AES-256-GCM application-level encryption; access logged on every read; never displayed in full in audit logs or analytics

Category: Tax-filing inputs
  Examples: salary breakup, Form 16, Annual Information Statement (AIS), Annual Tax Statement (Form 26AS), house-property income, capital gains, deductions claimed under Chapter VI-A
  Purpose: computation of tax liability, generation of ITR XML, generation of Schedule FA / Schedule CG / Form 67 attachments
  Protective measure: TLS 1.3 in transit; encrypted database; access scoped to the customer and, where CA review is elected, to the assigned Chartered Accountant

Category: Restricted Stock Unit (RSU) grant data
  Examples: grant identifier, vesting schedule, fair market value at vest, sale proceeds
  Purpose: computation of perquisite under Section 17(2)(vi) of the Income-tax Act and capital gains under Section 45
  Protective measure: TLS 1.3 in transit; encrypted database; sale-side bank account number encrypted

Category: Financial account data
  Examples: bank account number, IFSC, account holder name (for refund credit)
  Purpose: enabling Income Tax refund credit to your designated account
  Protective measure: AES-256-GCM application-level encryption; never transmitted to any party other than the Income Tax Department through the official ITR submission channel

Category: Document uploads
  Examples: Form 16 PDFs, investment proofs, rent receipts, salary slips, broker statements
  Purpose: evidentiary review by the assigned Chartered Accountant
  Protective measure: magic-byte file-type verification; TLS 1.3 in transit to Cloudflare R2 object storage; server-side encryption at rest; retention bound to the Assessment Year plus seven-year window in Section 9

Category: Payment metadata
  Examples: Razorpay order identifier, payment identifier, refund identifier, payment status
  Purpose: order placement, settlement, refund processing, dispute handling
  Protective measure: we do not collect or store full card numbers, CVV, UPI PIN, or net-banking credentials; Razorpay is the PCI DSS-compliant Data Processor

Category: Audit log data
  Examples: identifier of the actor, action taken, timestamp, IP address, user-agent string
  Purpose: detection of unauthorised access, fraud prevention, and post-incident investigation, in discharge of the duty to take reasonable security safeguards under Section 8(5) of the Act
  Protective measure: append-only log; access restricted to the Data Fiduciary and to authorised investigators

Category: Consent records
  Examples: purpose, version of notice, IP address at the moment of consent, user-agent, timestamp
  Purpose: discharge of the Data Fiduciary obligation under Section 6 of the Act to demonstrate that notice was given and consent obtained
  Protective measure: append-only consent ledger; cryptographic time-stamping; retained for the life of the account plus three years

Category: Usage data
  Examples: pages viewed, features used, time on page, error events
  Purpose: security monitoring, defect detection, capacity planning
  Protective measure: first-party only; no third-party advertising trackers; no cross-site identifiers
We do not process biometrics, caste, religion, political opinion, sexual orientation, health or genetic data, or trade-union membership data. The Service is not offered to children below the age of eighteen years; if we discover that we have inadvertently processed Personal Data of a child, we delete that Personal Data promptly and at any rate within thirty days of discovery.

5. Lawful bases for processing

Section 6 of the Act requires us to obtain free, specific, informed, unconditional, and unambiguous consent before processing Personal Data, except in the categories of "legitimate use" enumerated in Section 7. The bases on which we rely are listed below. Where more than one basis applies to a given operation, the listed basis is the primary one we rely on.
  • Consent (Section 6). Account creation, optional uploads, marketing communications, and the use of any feature labelled "optional" inside the Service.
  • Legitimate use, Personal Data voluntarily provided for a specified purpose (Section 7(a)). All processing necessary to compute, generate, or transmit the Income Tax Return that you have instructed us to prepare. You provide the filing inputs voluntarily, for that specified purpose, when you accept the contract on sign-up and start a filing; Section 7(a) permits processing for that purpose unless you indicate to us that you do not consent to it.
  • Legitimate use, disclosure required by law or by a court (Sections 7(d) and 7(e)). Disclosures we are obliged by law to make to the State, including those made pursuant to a written notice issued by the Income Tax Department under Sections 131, 133, or 142(1) of the Income-tax Act (Section 7(d)), and disclosures compelled by a judgment, decree, or order of a court of competent jurisdiction or of a regulator empowered by statute (Section 7(e)).
  • Security safeguards and fraud prevention (Section 8(5) read with Section 7(a), and the due-diligence obligations under the Information Technology Act 2000). Audit-log generation, abuse-pattern detection, account-suspension actions, and rate-limit enforcement, carried out in discharge of our statutory duty to take reasonable security safeguards to prevent a Personal Data breach. The Act contains no general fraud-prevention exemption; we rely on the security duty and on the specified purpose for which you provided the data.
  • Legitimate use, employment context (Section 7(i)). Processing of Restricted Stock Unit grant data on behalf of an enterprise customer, where the employer-employee relationship is the relevant lawful basis and the employee remains the Data Principal in respect of their own data.

6. Notice and consent

Where we rely on consent, we present a Section 5 notice in clear and plain language, in English, with a Hindi translation available on request, identifying (a) the Personal Data sought, (b) the purpose for which it will be processed, (c) the manner in which it will be processed, (d) the rights available to the Data Principal, (e) the procedure for grievance redressal, and (f) the procedure for filing a complaint with the Board. Consent is captured through an unambiguous affirmative action and recorded in an immutable consent ledger together with the version number of the notice you saw, the time, your IP address, and your user-agent string. You may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal; withdrawal is exercised through the in-product "/settings > Privacy choices" path or by email to support@elevatefinance.co.

7. Data Processors and recipients

We engage the following Data Processors. Each is bound by a written contract that contains the data-protection terms required of a processor under the Act, including purpose limitation, confidentiality, security obligations, sub-processor controls, breach notification, audit rights, deletion-on-termination, and a flow-down of the rights of the Data Principal.
Processor: Razorpay Software Private Limited
  Data shared: order, payment, and refund metadata
  Purpose: payment gateway services
  Location and safeguards: India; PCI DSS Level 1; RBI Payment Aggregator licensee

Processor: Resend (Resend Inc.)
  Data shared: recipient email address, delivery status
  Purpose: transactional email (sign-in codes, filing notifications, receipts)
  Location and safeguards: United States, under a contract incorporating the European Commission Standard Contractual Clauses; recipient metadata only; no payload retention beyond delivery confirmation

Processor: Neon (Neon Inc.)
  Data shared: encrypted database storage of all categories at Section 4
  Purpose: managed PostgreSQL hosting
  Location and safeguards: AWS Mumbai region (ap-south-1); encryption at rest using AES-256; encryption in transit using TLS 1.3

Processor: Cloudflare (Cloudflare R2 object storage)
  Data shared: document uploads in the categories at Section 4
  Purpose: object storage for Form 16 PDFs, investment proofs, and similar artefacts
  Location and safeguards: India-located bucket; server-side encryption; pre-signed PUT URLs scoped per upload; magic-byte verification on every put

Processor: Google LLC (Google OAuth sign-in, integrated through the open-source Auth.js library, which runs on our own infrastructure and is not itself a recipient of your data)
  Data shared: email address, name, profile-picture URL, where you sign in via Google OAuth
  Purpose: identity-provider integration
  Location and safeguards: OAuth 2.0; only the openid, email, and profile scopes are requested; no contacts, calendar, or drive scopes

Recipient: Independent Chartered Accountants (where CA review is enabled)
  Data shared: all Personal Data necessary to review the specific filing assigned to them
  Purpose: professional review of the return prior to e-filing, where the User has elected the optional, paid CA-review feature and a Chartered Accountant has been retained for that filing
  Location and safeguards: access scoped to the specific assigned filing; written confidentiality undertaking; ICAI Code of Ethics applies; communication audit-logged. The Service operates in software-only mode by default; CA review is not engaged unless the User elects it for a particular filing.
We do not sell, rent, or trade Personal Data. We do not use Personal Data for third-party advertising. We do not enrol Personal Data in any data broker or data cooperative. The list of Data Processors above is exhaustive at the date of this Policy; we will update the list at least seven days before adding a Data Processor that processes Personal Data outside India, and at least thirty days in advance for a category that introduces a new lawful basis.

8. International data transfers

Personal Data is hosted, by default, in the AWS Mumbai region (ap-south-1). Transfers of Personal Data outside India are made only to the Data Processors listed at Section 7 and only for the purposes set out there. Each cross-border transfer is governed by either (a) a contract incorporating the European Commission Standard Contractual Clauses, or (b) an equivalent transfer mechanism that achieves a level of protection no less than that under the Act. The Central Government may, under Section 16 of the Act, restrict transfers to a country or territory it notifies; we will comply with any such restriction within the time the Government allows.

9. Retention

We retain Personal Data only for as long as the purpose for which it was collected subsists, or for the period that statute requires, whichever is longer. The retention windows are summarised below. At the close of a retention window we either delete the Personal Data or, where deletion would compromise an active obligation, we anonymise it irreversibly so that the residual record cannot be associated with a Data Principal.
  • Account-level identity data: the life of the account plus one hundred and eighty days, after which the account is fully purged.
  • Tax-filing inputs and the corresponding ITR XML: the relevant Assessment Year plus seven years, in line with Section 149 read with Section 139 of the Income-tax Act 1961.
  • Payment metadata: eight years from the date of the relevant transaction, in line with Section 36 of the Central Goods and Services Tax Act 2017.
  • Audit log: three years, with secure deletion thereafter.
  • Consent ledger: the life of the account plus three years.
  • Backups: a sliding window of ninety days; after that horizon, deleted Personal Data is unrecoverable from backup.
Where a Data Principal exercises the right to erasure under Section 12 of the Act, we honour the request within the timelines set in Section 11 below, subject only to the carve-out the statute itself permits: retention that is necessary for the specified purpose or for compliance with a law in force (Section 12(3)), for example the Income-tax Act and GST retention periods listed above.

10. Security of processing

We have adopted reasonable security safeguards calibrated to the nature, scope, context, and purposes of the processing, and to the risk of varying likelihood and severity for the rights of Data Principals. The list below is illustrative and is not a representation that any particular control is the controlling one in any particular incident; the controlling standard is the cumulative posture, not any single line item.
  • Transport security using TLS 1.3 for all customer connections, which admits only authenticated-encryption (AEAD) cipher suites; earlier protocol versions are not offered.
  • Application-level field encryption using AES-256-GCM for PAN, Aadhaar, bank account number, IFSC, and date of birth, with a distinct authenticated-encryption key separate from database access credentials.
  • Password hashing using Argon2id or an algorithm of equivalent strength.
  • Hash-based message authentication (HMAC-SHA256) on all signed receipts, so that any computation artefact can be re-verified under the signing key long after issuance and tampering with a stored copy is detectable.
  • Role-based access control with the principle of least privilege; Chartered Accountant access is scoped to the specific assigned filing.
  • Append-only audit logging with immutable, time-stamped event entries.
  • Step-up re-authentication on destructive or high-risk operations (PAN edit, Aadhaar edit, role change, payment-order creation), bound to the specific purpose so that a token issued for one purpose cannot be replayed against another.
  • Magic-byte verification on every uploaded file, refusing payloads whose declared content type does not match the byte signature.
  • Server-Side Request Forgery (SSRF) protection on all server-fetched URLs, with an allow-list of permitted hostnames.
  • Sliding-window rate limiting on authentication endpoints, with separate rate buckets for sign-in, sign-up, password reset, and step-up code issuance.
  • A safe logger that strips Personally Identifiable Information from application logs prior to write.
  • Strict Content Security Policy with per-request nonces for inline scripts.
  • Continuous dependency-vulnerability auditing and weekly Dependabot pull requests; gitleaks pre-commit and pre-push secret-scanning.
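The purpose binding described in the step-up re-authentication item above can be implemented as an HMAC-SHA256 token whose signed payload names the subject, the purpose, an expiry and a one-time identifier, so that a token minted for a PAN edit fails verification when presented for a role change. The block below is an added illustration, not ElevateFinance's own code; the key, the purpose names, the five-minute lifetime and the in-memory replay set are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set, Tuple

# Assumed demo key. In production this would be loaded from a secrets manager and,
# like the field-encryption key, kept separate from the database credentials.
STEP_UP_KEY = b"demo-step-up-key-do-not-use-in-production"

# Assumed purpose names for the high-risk operations the policy lists.
STEP_UP_PURPOSES = {"pan_edit", "aadhaar_edit", "role_change", "payment_order_create"}
STEP_UP_TTL_SECONDS = 300  # assumed five-minute lifetime


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_step_up_token(user_id: str, purpose: str, now: int, key: bytes = STEP_UP_KEY) -> str:
    """Mint a token after the user re-authenticates, bound to one subject and one purpose."""
    if purpose not in STEP_UP_PURPOSES:
        raise ValueError(f"unknown step-up purpose: {purpose}")
    payload = {
        "sub": user_id,
        "purpose": purpose,
        "iat": now,
        "exp": now + STEP_UP_TTL_SECONDS,
        "jti": secrets.token_hex(8),  # unique id so the token can be consumed exactly once
    }
    # Canonical JSON so the signed bytes are deterministic for a given payload.
    body = _b64u(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64u(tag)}"


def verify_step_up_token(
    token: str,
    user_id: str,
    purpose: str,
    now: int,
    used_jtis: Optional[Set[str]] = None,
    key: bytes = STEP_UP_KEY,
) -> Tuple[bool, str]:
    """Check a token presented by `user_id` with a request for `purpose`.

    Returns (ok, reason). The MAC is verified before the payload is parsed, so
    unsigned attacker input never reaches the JSON decoder.
    """
    try:
        body, sig = token.split(".", 1)
        body_bytes = body.encode("ascii")
        presented_tag = _unb64u(sig)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected_tag = hmac.new(key, body_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, presented_tag):
        return False, "bad_signature"
    payload = json.loads(_unb64u(body))
    if payload.get("sub") != user_id:
        return False, "subject_mismatch"
    # This is the check that stops a PAN-edit token being replayed against a role change.
    if payload.get("purpose") != purpose:
        return False, "purpose_mismatch"
    if now >= payload.get("exp", 0):
        return False, "expired"
    if used_jtis is not None:
        jti = payload.get("jti", "")
        if jti in used_jtis:
            return False, "replayed"
        used_jtis.add(jti)
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock for the demo
    token = issue_step_up_token("user-42", "pan_edit", now=t0)
    print(verify_step_up_token(token, "user-42", "pan_edit", now=t0 + 60))     # (True, 'ok')
    print(verify_step_up_token(token, "user-42", "role_change", now=t0 + 60))  # (False, 'purpose_mismatch')
```

The purpose and subject live inside the signed payload, not in a request parameter, so the server decides what operation the token authorises and the client cannot widen it. The `used_jtis` set stands in for whatever store the server uses to mark a token consumed; without that step a valid token could be presented twice within its lifetime.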

11. Your rights as a Data Principal

Sections 11 to 14 of the Act confer the following rights on every Data Principal. We honour each right within the statutory timelines and at no charge. Where a request is manifestly unfounded or excessive, we may either decline it with a reasoned response or charge a fee that reflects only the administrative cost; the Act and its Rules govern this exercise of discretion.
  • Right of access (Section 11). A consolidated machine-readable export of the Personal Data we process about you, identification of the Data Processors with whom we have shared it, and the purposes of processing. Acknowledged within forty-eight hours; fulfilled within seven working days.
  • Right to correction and erasure (Section 12). Correction of inaccurate data; completion of incomplete data; updating of out-of-date data; erasure of Personal Data that is no longer necessary for the purpose for which it was collected. Erasure is implemented through a seven-day soft-hold, after which the purge is irreversible across primary and backup tiers within ninety days.
  • Right to grievance redressal (Section 13). A clear, time-bound, cost-free channel to raise a concern about the processing of your Personal Data. See Section 12 of this Policy for the specific procedure and timelines.
  • Right to nominate (Section 14). A Data Principal may nominate any other individual who shall, in the event of death or incapacity, exercise these rights on the Data Principal's behalf. The nomination is captured through the in-product "/settings > Nominate" path.
  • Right to withdraw consent (Section 6(4)). Exercisable at any time, with the same ease as the giving of consent; a single in-product action suffices.
  • Portability (offered as a matter of practice; the Act does not separately confer a portability right). A structured machine-readable export in JSON, plus a human-readable PDF rendering of every Income Tax Return you have generated through the Service.

12. Grievance redressal

Email support@elevatefinance.co with the literal token "[Grievance]" in the subject line. The intake routing is calibrated to detect that token within thirty minutes during business hours. We acknowledge every grievance within forty-eight hours of receipt and provide a written substantive response within fifteen calendar days, in line with Section 13(3) of the Act and the fifteen-day disposal period in Rule 3(2)(a) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021. If the grievance is not resolved to the Data Principal's satisfaction, the Data Principal may approach the Data Protection Board of India once the Board is operational, or, in the interim, any court or forum of competent jurisdiction.

13. Personal Data breach notification

On becoming aware of a Personal Data breach, we will notify the Data Protection Board of India and each affected Data Principal, as Section 8(6) of the Act requires, without undue delay and in any event within seventy-two hours of becoming aware. Section 8(6) applies to every Personal Data breach and not only to those likely to cause harm, so the likelihood and severity of harm govern the urgency and content of the notice, not whether it is sent. We will separately report the incident to the Indian Computer Emergency Response Team (CERT-In) within six hours of noticing it, as the CERT-In Direction of 28 April 2022 requires. The notification will describe the nature of the breach, the approximate categories and number of Data Principals affected, the likely consequences, and the measures taken or proposed to mitigate the breach. Notification to affected Data Principals will be sent individually to the email address on file.

14. Cookies and similar technologies

We use only strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies, cross-site identifiers, or behavioural profiling. If at any future date we introduce first-party analytics, this Policy will be updated at least seven days in advance, the data collected will be limited to aggregate counters that cannot single out any Data Principal, and an explicit opt-out mechanism will be provided. The Service does not respond to the deprecated "Do Not Track" signal, because we already do not track.

15. Information for children

The Service is not directed to, and we do not knowingly collect Personal Data from, any child below the age of eighteen years. If a parent, lawful guardian, or any other person becomes aware that a child has supplied Personal Data, please contact support@elevatefinance.co with the subject "[Child Data]"; we will delete the Personal Data within thirty days and confirm in writing.

16. Notifications, contact between parties, and language

Notices to you under this Policy will be sent to the email address you provide at sign-up or to any updated address you have registered with us. Notices to us must be sent to support@elevatefinance.co or to our registered postal address. The English text of this Policy is the controlling text; any translation is a convenience copy and, in the event of conflict, the English text governs.

17. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified to you on the email address on file at least seven calendar days before the changes take effect. Routine clarifications, typographical corrections, or restructurings that do not change the substance of any right or obligation will be published with a revised version stamp at the top of this page. The Policy in force at the time of a particular processing operation governs that operation; archived versions are available on request.

18. Severability and entire understanding

If any provision of this Policy is held to be unenforceable, the remaining provisions remain in full force. This Policy, read with our Terms and Conditions and the Refund Policy, constitutes the entire understanding between us with respect to the processing of Personal Data through the Service.

19. Contact

For any privacy question, request, complaint, or breach notification, write to support@elevatefinance.co. Our registered postal address is published on the contact page.