Privacy Policy

Last updated 2026-01-01

1. Who we are

Taxayu is a software workspace for Indian Chartered Accountants. This policy describes how we handle personal data and client data when you use the service.

2. Data we collect

  • Account data: name, email, role, hashed password, organisation details (firm name, GSTIN, PAN, address).
  • Workspace content: clients, tasks, invoices, deadlines, uploads, computation snapshots, and any other records you create in the product.
  • Uploaded files: Form 16, tax notices, GST returns, bank statements, and other documents you choose to process. Files are stored only as long as needed to complete the relevant job and are then deleted from disk.
  • Usage telemetry: coarse logs of feature usage, error reports, and IP / user-agent for audit and security.

3. How we use it

  • To deliver the workspace and the modules you actively invoke.
  • To maintain audit trails and computation snapshots required for CA-defensible workflows.
  • To send transactional emails (password reset, invites, deadline reminders).
  • To detect abuse, debug errors, and improve reliability.

We do not sell personal data. We do not use workspace content to train third-party AI models.

4. Sub-processors

Depending on your deployment, Taxayu may share data with the following sub-processors strictly to deliver the service:

  • The database host you configure (for example Neon, Supabase, or self-hosted PostgreSQL).
  • The email provider you configure (Resend, Gmail SMTP, or equivalent).
  • The AI provider you configure for document extraction and drafting (Google Gemini, Anthropic, or OpenAI). When AI is invoked, the relevant document text is sent to that provider under their terms.

If no AI key is configured, no document text is sent to any external AI provider.

5. Retention

Uploaded source files are deleted from disk after processing. Computation results, audit logs, and workspace records are retained for the life of your account. You can delete individual jobs, clients, or the entire workspace at any time from the product.

6. Security

Passwords are stored as bcrypt hashes. Authentication uses NextAuth with server-side sessions. Role-based access controls restrict members to the actions appropriate for their role. We recommend enabling Google SSO and strong passwords for all members.

7. Your rights

You can access, correct, export, or delete your personal data from Settings. For deletions affecting other members of your workspace, contact your firm admin. Requests we cannot satisfy in-product can be sent to the email address listed in Settings.

8. Cookies

We use first-party cookies strictly for authentication and session state. We do not use third-party advertising or cross-site tracking cookies.

9. Changes

Material changes to this policy will be communicated by email or in-product notice at least 14 days before they take effect.

10. Contact

Privacy questions can be sent to the email address listed in your workspace Settings or to the contact address shown on the marketing site.