How we handle your data

We collect information necessary to provide and improve our platform services. This falls into the following categories:

Account and firm information

When you register your firm on Privasa, we collect your firm name, your name, email address, phone number, GSTIN (if provided), type of firm, and the password you set. This information is used to create and manage your account, identify your organisation, and communicate with you.

Client and contact data

Your firm's admin and employees may upload or input client information including client names, company names, email addresses, phone numbers, PAN numbers, GSTIN, business addresses, and other identifying details. This data is entered by your firm and remains under your firm's control as the data controller.

Financial and transactional data

We collect invoice data, payment records, fee amounts, bank account details (including IFSC codes and UPI IDs entered by you), and transaction history for invoices sent through the platform. This information is used to generate PDF invoices, track payments, and provide your firm with a financial record of services rendered.

Documents and files

Files uploaded through the platform — including tax documents, compliance filings, scanned certificates, and other client-facing documents — are stored on Google Cloud Storage. We collect file names, upload timestamps, file types, and associated metadata to organise and display files correctly.

Usage and activity data

We collect activity logs of actions performed in the portal such as invoice creation, document uploads, query responses, and employee assignments. These logs are used for audit trails, internal reporting, and security monitoring. We also collect standard server-side access logs including IP addresses and request timestamps.

Communications within the platform

Messages exchanged between your firm's team and clients through the helpdesk (Queries) feature, along with internal notes, are stored in our database. This data is accessible only to authorised members of your organisation and to Privasa for support purposes.

Cookies and browser data

We use session-based authentication tokens stored in your browser via Supabase Auth. We do not use third-party advertising cookies. Basic browser and device information may be captured as part of standard HTTP request logs.

The security and integrity of your firm and client data is our highest priority. We use industry-standard infrastructure and practices to ensure data remains safe, available, and confidential.

Database storage

All structured data (client records, invoices, queries, compliance tasks, notifications) is stored in a PostgreSQL database hosted on Supabase. Supabase is an open-source Firebase alternative built on AWS infrastructure in the ap-south-1 (Mumbai) region by default. Data is encrypted at rest using AES-256 and encrypted in transit using TLS 1.2+.

Row-Level Security (RLS)

We enforce Supabase Row-Level Security on all tables. Every record in the database is scoped to an organisation ID, meaning your firm's data is logically isolated from all other firms on the platform. Even if two firms use the same database instance, neither can read or write the other's data.

File storage

Uploaded documents and files are stored on Google Cloud Storage (GCS). Files are stored in a private bucket, accessible only via authenticated, time-limited signed URLs generated server-side. Files are never publicly accessible by default.

Authentication and access tokens

User authentication is handled by Supabase Auth, which uses industry-standard JWT tokens. Passwords are hashed using bcrypt and never stored in plain text. Admin and employee sessions are validated server-side on every sensitive API request using the user's Bearer token.

API security

All API routes that handle sensitive data require a valid authenticated session token. Our service-role credentials (which have elevated database access) are never exposed to the client browser — they are used only in server-side Next.js API routes. All API endpoints run over HTTPS.

Data retention

We retain your data for as long as your firm account remains active. If your account is cancelled or deleted, we will delete all associated firm data within 30 days. Backup retention may extend up to 7 days post-deletion before being permanently purged from backup storage.

Access to your data within the Privasa platform is tightly controlled and role-based. Here is exactly who can access what:

Your firm's admin

The admin user for your organisation has full read and write access to all data associated with your firm: client profiles, invoices, compliance tasks, queries, documents, and employee records. The admin can add and remove employees, manage client relationships, and configure firm settings. Data from other organisations is never visible to your admin.

Your firm's employees

Employees you add to your portal have access only to the clients they are assigned to and the general firm data necessary to do their work (such as viewing queries and uploading documents). Employees cannot access billing or administrative settings. Employee access can be revoked at any time by the admin.

Your clients

Clients log into their own client portal view and can only see their own invoices, documents, compliance tasks, and query history. Clients cannot see other clients' data, employee information, or any administrative details of your firm.

Privasa support staff

Privasa's own team (accessible via the superadmin account) can access organisation-level metadata such as firm name, registration date, and plan information for the purpose of billing and support. We do not routinely access your client data, invoice content, or internal communications unless you request technical support that requires it, in which case we will notify you before accessing your data.

Infrastructure providers

Supabase (database and auth) and Google Cloud Platform (file storage) are our infrastructure providers. They have access to the infrastructure hosting your data but are contractually bound by their own data processing agreements and industry-standard security certifications. Neither Supabase nor GCP processes or analyses your content data.

We do not sell, rent, trade, or otherwise disclose your personal or firm data to any third party for marketing, advertising, or commercial purposes. Your data belongs to you and your firm.

Sub-processors we use

To provide the platform, we use a limited set of trusted sub-processors:

• Supabase — database, authentication, and real-time infrastructure
• Google Cloud Platform — file storage (Google Cloud Storage)
• Anthropic Claude API — powering the in-portal AI assistant; only the query text you type is sent, not client data
• Nodemailer / Gmail SMTP — for sending automated emails such as welcome emails and invoice notifications

Each of these processors is bound by a Data Processing Agreement (DPA) and handles your data solely to provide the technical services described above.

Legal requirements

We may disclose data if required to do so by a valid order from a court of competent jurisdiction, a regulatory body, or law enforcement authority in India. We will make reasonable efforts to notify you before disclosing, unless we are legally prohibited from doing so.

Business transfers

In the event of a merger, acquisition, or sale of all or part of Privasa's assets, your data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice in the portal at least 30 days before any such transfer and before your data becomes subject to a different privacy policy.

Aggregated and anonymised data

We may use anonymised, aggregated data (e.g., total number of invoices processed per month, average query response time) for internal analytics and product improvement. This data cannot be used to identify your firm, your clients, or any individual.

Under applicable Indian data protection law and general principles of fairness, you have the following rights regarding your personal and firm data held by Privasa:

Right to access

You may request a complete export of all data associated with your firm account at any time. This includes client records, invoice data, compliance tasks, uploaded documents, and query history. Submit your request by emailing privasa.ms@gmail.com with the subject line "Data Access Request". We will fulfil your request within 30 days.

Right to correction

If any data we hold about you or your firm is inaccurate or incomplete, you have the right to have it corrected. You can update most of your firm's data directly from the Admin Settings panel in the portal. For data that cannot be self-corrected, contact us at privasa.ms@gmail.com.

Right to deletion ("right to be forgotten")

You may request deletion of your firm account and all associated data. To do so, email privasa.ms@gmail.com with the subject line "Account Deletion Request" from the email address registered to your admin account. We will delete your data within 30 days of receiving your request. Note that deletion is irreversible — once deleted, we cannot recover your data. Certain data may be retained for up to 7 additional days in backup systems before permanent removal.

Right to data portability

You can request your data in a machine-readable format (JSON or CSV). This includes all structured data — client profiles, invoices, compliance tasks, and activity logs. Documents stored on Google Cloud Storage can be downloaded directly from the portal at any time.

Right to object to processing

If you believe we are processing your data in a manner inconsistent with your consent or this policy, you have the right to object. Contact us at privasa.ms@gmail.com and we will investigate and respond within 15 business days.

Cookies and tracking opt-out

Because we only use essential session cookies required for authentication, we do not offer a cookie opt-out — the portal cannot function without a valid session. If you wish to end your session, you can log out at any time from the portal, which will invalidate your session cookie.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any material changes via email and by displaying a notice in the portal at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

Contact our data team at privasa.ms@gmail.com or write to us at: Privasa Management Services, Hyderabad, Telangana, India. We aim to respond to all data requests within 30 days.