Privacy Policy
Last updated: May 15, 2026
This Privacy Policy (“Policy”) governs the manner in which Zync CA (“Zync CA”, “we”, “us” or “our”), operated by its proprietor in India, collects, uses, stores, discloses and protects personal data processed through its software-as-a-service platform available at zyncca.com and the associated client portals (the “Service”). The Service is provided to chartered accountants, tax practitioners and accounting firms (each a “Firm” or “Controller”) for the purpose of managing client engagements, statutory filings (ITR, GST, TDS and ROC), document collection, reminders and billing.
With respect to data that a Firm uploads or causes its end-clients to upload through the Service (“Firm Data”), Zync CA acts as a data processor or data fiduciary’s processor under applicable law. With respect to account registration, billing and Service operation data, Zync CA acts as a data controller / data fiduciary.
1. Categories of information we collect
- Account & identity data. Full name, work email, mobile number, firm name, role, password hash, and authentication tokens (including OAuth identifiers if you sign in with Google).
- Firm content. Client records you create (name, contact details, PAN, GSTIN, addresses), filing records, deadlines, notes, tags, custom client groups, team assignments and activity history.
- End-client documents. Files uploaded by your clients through secure portal links (e.g. Form 16, bank statements, invoices, balance sheets). These are stored as encrypted objects in Cloudflare R2 and accessed only by your Firm's authenticated users.
- Communication metadata. Delivery, open and bounce events for transactional email sent via Resend, and delivery / read receipts for WhatsApp messages sent via Wati on your behalf.
- Billing data. Subscription plan, seat count, GSTIN, billing address and payment status. Card and UPI details are collected and stored solely by Razorpay (a PCI-DSS Level 1 service provider). Zync CA never stores raw payment instruments.
- Technical data. IP address, user-agent, device identifiers, cookies and similar identifiers strictly necessary for authentication, session management, rate limiting and fraud prevention.
2. Purposes and legal bases
We process personal data for the following purposes and on the following legal bases:
- Performance of contract — to provide, authenticate, secure and support the Service, send transactional notifications, generate invoices and process payments.
- Legitimate interests — to prevent abuse, conduct security monitoring, maintain backups, and improve the reliability of the Service, balanced against the rights and freedoms of data subjects.
- Consent — for any optional communications and, where required, for the processing of personal data of end-clients via portal uploads (consent is obtained by the Firm acting as data fiduciary / controller).
- Legal obligation — to comply with tax, GST and statutory record-keeping requirements applicable to our business.
3. Sub-processors
Zync CA relies on the following sub-processors, each bound by data-processing terms equivalent to those imposed on Zync CA: Supabase (managed PostgreSQL, authentication and edge functions), Cloudflare R2 (encrypted object storage), Vercel (application hosting and CDN), Resend (transactional email), Wati (WhatsApp Business API), and Razorpay (payments). A current sub-processor list is available on request from privacy@zyncca.com.
4. Storage, security and retention
All Firm Data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database access is enforced by row-level security (RLS) policies in PostgreSQL so that each Firm can only read and write its own records. Object storage URLs are short-lived, signed and scoped to the requesting user. Passwords are stored as bcrypt hashes; we never store plaintext passwords.
Firm Data is retained for the lifetime of your subscription and for ninety (90) days thereafter to allow for export and reactivation, after which it is irreversibly purged from production systems. Encrypted backups are retained for up to thirty (30) additional days for disaster-recovery purposes. Statutory records (invoices, GST filings) are retained for the period mandated under the Income-tax Act, 1961 and the CGST Act, 2017.
5. International transfers and data residency
Our primary production database and object storage are configured in the Asia-Pacific region. Where data is transferred outside India or the European Economic Area (for example, transactional email delivery routed via Resend infrastructure), such transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) or an equivalent mechanism recognised under the UK GDPR and section 16 of the Digital Personal Data Protection Act, 2023 of India.
6. GDPR and DPDP Act rights
To the extent that the Digital Personal Data Protection Act, 2023 of India (“DPDP Act”) or the EU/UK General Data Protection Regulation (“GDPR”) applies, Data Principals (under the DPDP Act) and data subjects (under the GDPR) have the following rights:
- Right of access and to receive a copy of personal data;
- Right to rectification of inaccurate or incomplete data;
- Right to erasure (“right to be forgotten”);
- Right to restriction of, and objection to, processing;
- Right to data portability in a structured, machine-readable format;
- Right to withdraw consent at any time without affecting prior lawful processing;
- Right to nominate another individual to exercise rights in the event of death or incapacity (DPDP Act, s. 14); and
- Right of grievance redressal under section 13 of the DPDP Act and the right to lodge a complaint with the Data Protection Board of India (DPB) under section 27 of the DPDP Act, or with the relevant national supervisory authority in the EU/UK under the GDPR.
End-clients should generally exercise these rights directly with the Firm that invited them. Where you contact us directly, we will respond within thirty (30) days, or such shorter period as required by applicable law.
7. Breach notification
In the event of a personal data breach likely to result in risk to data subjects, Zync CA will notify affected Firms without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 GDPR and section 8(6) of the DPDP Act.
8. Cookies
The Service uses strictly necessary first-party cookies and local storage for authentication, session continuity and security. We do not use third-party advertising cookies, cross-site trackers or behavioural advertising.
9. Children
The Service is intended for use by professionals and is not directed to persons under the age of eighteen (18). We do not knowingly process personal data of children.
10. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email to Firm administrators at least fourteen (14) days before they take effect.
11. Contact
For privacy enquiries, to exercise any of the rights described above, or to contact our grievance officer designated under rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, write to privacy@zyncca.com.