Privacy Policy

Finucity Technologies Private Limited ("Company", "Finucity", "we", "us", "our"), incorporated under the Companies Act, 2013, with its registered office in Pune, Maharashtra, India, operates the Finucity platform ("Platform").

Under the Digital Personal Data Protection Act, 2023 ("DPDPA 2023"), the Company is classified as a Data Fiduciary as defined under Section 2(5) of the Act. As Data Fiduciary, we determine the purpose and means of processing your personal data and bear primary responsibility for compliance with all data protection obligations under the DPDPA 2023.

We also operate in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (as amended 2025).

Identity & Verification Data:

• Full name, email address, mobile number, city/state
• PAN (Permanent Account Number) — encrypted at rest
• GSTIN (Goods and Services Tax Identification Number)
• ICAI Membership Registration Number (MRN) — for Practitioners
• Certificate of Practice (COP) number — for Practitioners
• Aadhaar (masked, last 4 digits only) — for identity verification

Financial & Business Documents:

• Form 16 / Form 16A — salary income certificates
• Annual Information Statement (AIS) — from Income Tax portal
• Bank statements — for income verification and reconciliation
• Trade logs, capital gains statements — for F&O/crypto taxation
• GST returns and invoices — for compliance services
• Balance sheets, P&L statements — for business clients

Technical & Device Data:

• IP address, browser type, operating system
• Device identifiers, screen resolution
• Cookies and session data (see Section 8)
• Usage analytics (pages visited, features used, time spent)
• AI chat conversation logs

Under DPDPA 2023, all data processing must be purpose-bound. We process your data for the following specific purposes:

• Identity Verification: PAN, ICAI MRN, and GSTIN are used to verify the identity and credentials of Practitioners via Surepass API integration.
• Escrow Payment Processing: Financial data is processed through RazorpayX nodal escrow accounts for secure payment collection, holding, and release.
• AI Document Parsing: Uploaded documents (Form 16, AIS, bank statements) are processed by our Groq-powered AI pipeline to extract relevant financial data for tax computation and review.
• Service Delivery: Contact details and documents are shared with your assigned CA for service execution.
• Legal Compliance: Data retention to comply with IT Act 2000, Prevention of Money Laundering Act 2002, and Income Tax Act 1961 requirements.
• Platform Improvement: Anonymized usage analytics to improve platform features and user experience.

Encryption Standards:

• At Rest: AES-256 encryption for all personal and financial data stored in our databases
• In Transit: TLS 1.3 for all data transmitted between your browser/device and our servers
• Sensitive Fields: PAN, Aadhaar (last 4), and banking details are additionally encrypted at the application layer before database storage

Server Localization: All data is stored exclusively on servers located in India, specifically in the ap-south-1 (Mumbai) region through our infrastructure provider. No personal data is stored on or transferred to servers outside India.

Database Security: We utilize Supabase with Row Level Security (RLS) policies ensuring that: (a) Users can only access their own data; (b) Practitioners can only access data shared with them by their clients; (c) Administrative access requires multi-factor authentication and is logged in an immutable audit trail.

Infrastructure: Our infrastructure includes regular security audits, automated vulnerability scanning, DDoS protection, and Web Application Firewall (WAF) rules.

Standard Retention: Personal data is retained for a minimum of one (1) year and a maximum of three (3) years after the termination of the business relationship, unless a longer retention period is required by applicable law.

Legal Exceptions:

• PMLA (Prevention of Money Laundering Act, 2002): Transaction records may be retained for up to ten (10) years as required for anti-money-laundering compliance.
• Income Tax Act, 1961: Financial records relevant to tax proceedings may be retained for up to eight (8) assessment years.
• IT Act, 2000: Certain logs and records as specified under the Act and the Information Technology (Intermediary Guidelines) Rules, 2021.

Erasure SLA: Upon receiving a valid erasure request from a Data Principal, the Company commits to completing data deletion within thirty (30) days, subject to legal retention requirements and ongoing dispute resolution obligations.

Document Retention Notice: Uploaded financial documents are retained according to service context, legal obligations, and dispute requirements. Users may request erasure at any time, and valid requests are processed within thirty (30) days subject to statutory retention duties.

The Company engages the following third-party Data Processors, each bound by a Data Processing Agreement (DPA) that complies with DPDPA 2023 requirements:

No third-party processor is authorized to use your data for purposes beyond those specified in their DPA. The Company conducts annual compliance audits of all Data Processors.

Under the DPDPA 2023, you (as a "Data Principal") have the following rights:

• Right to Access (Section 11): Request a summary of your personal data being processed and the processing activities related to it.
• Right to Correction & Erasure (Section 12): Request correction of inaccurate or misleading data, completion of incomplete data, updating of outdated data, and erasure of data no longer needed for the purpose it was collected.
• Right to Consent Withdrawal (Section 6(4)): Withdraw any previously granted consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
• Right to Nominate (Section 14): Nominate an individual to exercise your data rights in the event of your death or incapacity.
• Right to Grievance Redressal (Section 13): File a complaint with our Data Protection Officer or escalate to the Data Protection Board of India.

To exercise any of these rights, contact our Data Protection Officer at hello@finucity.com. We will acknowledge your request within 48 hours and fulfill it within 30 days.

Essential Cookies (Required): Session management, authentication, CSRF protection, load balancing. These cookies are necessary for the Platform to function and cannot be disabled.

Functional Cookies (Optional): Theme preferences (dark/light mode), calculator history, recently viewed CAs. These improve your experience but are not required.

Analytics Cookies (Optional): Anonymized usage analytics to understand platform usage patterns, feature adoption, and performance metrics. No personally identifiable information is collected through analytics cookies.

Cookie preferences are managed through our consent banner on first visit. You can accept all, reject non-essential cookies, or save category-level preferences. For signed-in users, optional cookie preference changes are recorded in the consent ledger.

The Company does not transfer personal data of Indian Data Principals outside the territory of India, except: (a) where the Data Principal has provided explicit, informed consent for such transfer; (b) where the transfer is to a country or territory notified by the Central Government under Section 16(1) of the DPDPA 2023 as permitting such transfers; (c) where the transfer is necessary for the performance of a contract to which the Data Principal is a party.

For AI processing: all document parsing is performed using APIs that process data in-memory without persistent storage. The AI model provider does not retain, store, or train on user-uploaded documents.

In case of a confirmed personal data breach that is likely to result in significant harm to Data Principals, the Company will issue breach notifications without undue delay and, where reasonably feasible, within seventy-two (72) hours of confirmation.

Notifications may include: (a) nature of the breach; (b) likely impact categories; (c) mitigation steps already taken; (d) actions Data Principals should take; and (e) grievance escalation details.

The Company will preserve forensic logs, coordinate containment actions, and maintain an incident record for regulatory reporting and audit purposes.