GST Notice AI ("we", "us", "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, store, and share information when you use our AI-powered GST notice response platform at gstnoticeai.com and our associated services (the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you register, we collect:
- CA firm name and contact details
- Your name and email address
- Phone number (optional)
- Password (stored as a secure hash, never in plaintext)
1.2 Client & Notice Data
To provide our services, we process:
- Client names, GSTINs, PANs, and business details
- GST notice documents (PDFs uploaded by you)
- Notice metadata: notice number, dates, demand amounts, officer details
- Response drafts generated by you or by AI
- Tally data (vouchers, ledger entries) uploaded by you
1.3 Usage Data
We automatically collect:
- IP address, browser type, operating system
- Pages visited, features used, and timestamps
- AI usage metrics (tokens consumed, operations performed)
- Error logs for debugging and service improvement
1.4 Payment Information
Payments are processed by Razorpay. We do not store your full card number or bank details. Razorpay's privacy policy governs payment data processing.
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Generate AI-powered notice analysis and response drafts
- Verify GSTINs and taxpayer details via Sandbox.co.in APIs
- Send deadline reminders via email and WhatsApp (with your consent)
- Process payments and manage subscriptions
- Respond to support requests and communicate updates
- Detect fraud and abuse, and ensure platform security
- Analyse usage patterns to improve AI accuracy and features
3. Data Storage & Security
Your data is stored on secure servers with the following protections:
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Database access is restricted to authorized services with network-level firewalls
- Multi-tenant architecture: all data is scoped by firm_id, ensuring complete isolation between firms
- Automated daily backups with 30-day retention
- Role-based access control: Admin, Manager, and Staff roles with distinct permissions
- JWT-based authentication with secure token expiry
4. Third-Party Services
We integrate with the following third-party services to provide our features:
4.1 Groq AI (AI Analysis)
We use Groq's LPU inference platform to power our AI notice analysis and response drafting. Notice text is sent to Groq's API for processing. Groq does not retain your data after processing. See: Groq Privacy Policy.
4.2 Sandbox.co.in (GSTIN & KYC Verification)
We use Sandbox.co.in APIs to verify GSTINs, check GST return filing status, and perform KYC verification. Only the specific identifiers (GSTIN, PAN) are shared. See: Sandbox Privacy Policy.
4.3 Razorpay (Payments)
Payment processing is handled by Razorpay. We do not directly handle or store payment card data.
4.4 WhatsApp / WATI (Notifications)
If you opt in, we send deadline reminders via WhatsApp using WATI's Business API. Only your phone number and notice deadline details are shared.
5. Cookies
We use minimal cookies:
- Authentication cookie: Stores your session JWT for login persistence
- Preference cookie: Stores your theme preference (light/dark)
We do not use third-party tracking cookies or advertising cookies. We do not participate in ad networks.
6. Data Retention
- Account data: Retained while your account is active. Deleted within 90 days of account closure upon written request.
- Notice data & documents: Retained for 8 years from upload date to comply with GST record-keeping requirements under Section 35 of the CGST Act, 2017.
- AI usage logs: Retained for 1 year for billing and analytics purposes.
- Server logs: Retained for 90 days for security and debugging.
7. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and personal data (subject to legal retention requirements)
- Data Portability: Request export of your data in a machine-readable format (JSON/CSV)
- Withdraw Consent: Opt out of WhatsApp notifications or marketing communications at any time
- Grievance Redressal: File a complaint with our Grievance Officer (details below)
To exercise any of these rights, email us at hello@gstnoticeai.com. We will respond within 30 days.
8. Legal Compliance
This Privacy Policy is designed to comply with:
- Information Technology Act, 2000 (India) and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- Digital Personal Data Protection Act, 2023 (DPDPA) — we are preparing for full compliance as the rules are notified by the Central Government
- CGST Act, 2017 — Section 35 (record retention requirements for GST data)
9. Children's Privacy
Our Service is designed for business professionals and is not intended for use by individuals under 18 years of age. We do not knowingly collect data from minors.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification. The "Last updated" date at the top reflects the most recent revision.
11. Grievance Officer & Contact
For any privacy-related concerns, questions, or to exercise your rights:
- Email: hello@gstnoticeai.com
- Grievance Officer: Available via the same email. Complaints will be acknowledged within 48 hours and resolved within 30 days as per the IT Act, 2000.
- Address: Mumbai, Maharashtra, India