Legal
Privacy Policy
- Effective date
- 2026-05-15
- Last updated
- 2026-05-09
- Entity
- Tax Shift AI Private Limited
1. Who we are
Tax Shift AI Private Limited (the "Company", "we", "us") operates TaxShift AI at taxshiftai.com. We are an Indian private limited company and act as a data fiduciary under India's Digital Personal Data Protection Act, 2023 ("DPDP Act").
If you have a privacy question or want to exercise your DPDP rights, write to privacy@taxshiftai.com. For grievances, write to our Grievance Officer at grievance@taxshiftai.com.
2. Scope
This Privacy Policy covers data processed by TaxShift AI when you:
- Visit our public site at
taxshiftai.com. - Create a TaxShift AI account as a Chartered Accountant, tax consultant, or accountant.
- Add your business clients' GSTINs to your account and authorise GSTN access on their behalf.
- Use any capability on TaxShift AI to fetch, view, analyse, or export GST data.
Our business clients' data is the personal and business data of your clients. You, the CA, are the party who onboards each GSTIN; TaxShift AI acts as a processor of that data under your instructions for the purpose of delivering the service.
3. Data we collect
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Account data | Name, email, firm name, phone, password hash | Signup form | Authenticate you, contact you about the service |
| Billing data | Invoice address, GSTIN of your firm, payment method reference | Checkout flow | Process payments, issue GST invoices |
| Client data (your clients) | GSTIN, GST username, business name, trade name, state code, filing preference | Manual entry by you | Establish GSTN session and deliver the service |
| GSTN session data | Session token (txn), authenticated-at timestamp, session status | GSTN via Whitebooks | Make authenticated API calls on your client's behalf |
| Notice and return data | Notice list and details, PDFs, GSTR summaries (1, 3B, 2A, 2B, 9), comparison data, ledger balances | GSTN APIs via Whitebooks | Core product delivery |
| AI chat history | Messages exchanged with the Notice Reply Assistant for each notice | Your interaction in-app | Deliver and improve the feature |
| Usage analytics | Page views, CTA clicks, scroll depth | Google Analytics 4 (only after consent) | Understand how visitors use the public site |
| Demo request data | Name, email, optional firm name and firm GSTIN, free-text message | Demo form on /demo | Schedule and run the demo |
We do not ask for or store your clients' GST portal passwords. Authorisation is by OTP only.
4. Legal basis for processing
- Contract performance — account data, client data, GSTN session data, notice and return data, and AI chat history are processed to deliver the service you signed up for.
- Legitimate interest — limited service-side logging used to debug and secure the service.
- Consent — Google Analytics 4 and any future non-essential tracking load only after you accept our cookie consent banner.
5. Retention
- Account data — retained for the life of your account and for up to twelve months after account closure, then deleted.
- Client data and GSTN session data — retained for the life of the client in your account. Deletion of the client from your account cascades to the underlying records.
- Notice and return data — retained for at least as long as the retention period required by the Income-tax Act and CGST Act for tax records .
- AI chat history — retained for the life of the notice. You can delete a thread from the notice detail page.
- Backups — follow the same retention policy as the primary store, on a rolling window defined by our hosting provider.
6. Sub-processors
TaxShift AI uses the following sub-processors. Each is bound by a Data Processing Agreement where available.
| Sub-processor | Purpose | Region |
|---|---|---|
| Whitebooks | GST Suvidha Provider gateway to GSTN | India |
| Resend | Transactional email delivery | USA and EU |
| OpenRouter | AI model gateway for the Notice Reply Assistant | USA |
| Railway | Application and database hosting | See below for current region |
| Google Analytics 4 | Consent-gated usage analytics | USA |
- Whitebooks — GSP gateway to GSTN. Based in India.
- Resend — transactional email delivery. Based in the USA and EU.
- OpenRouter — AI model gateway for the Notice Reply Assistant. Based in the USA.
- Railway — application and database hosting. Current region: .
- Google Analytics 4 — consent-gated usage analytics. Based in the USA.
Cross-border transfers to the USA and EU are disclosed here as required under DPDP Section 16. None of these jurisdictions are currently restricted for transfer by notification.
7. Data residency and security
Application and database workloads run on Railway in the region listed in Section 6. Notice PDFs are stored on a Railway volume in the same region.
Where available, data is encrypted in transit over HTTPS and at rest by the underlying hosting provider's managed encryption. TaxShift AI does not currently hold SOC 2, ISO 27001, or equivalent third-party attestations. When a certification is awarded, we will update this section and the Security page.
8. Your rights under the DPDP Act
You have the right to:
- Request access to the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure of your personal data, subject to statutory retention obligations.
- Raise a grievance with our Grievance Officer at
grievance@taxshiftai.com. - Nominate another person to exercise these rights on your behalf in specified circumstances.
To exercise a right, write to privacy@taxshiftai.com from the email address on file. We will respond within the timeline required by applicable law.
9. Cookies
We set only three named cookies on the public site:
taxshift_token— your JWT session token, stored inlocalStorage(not a cookie). Strictly necessary for login.taxshift_locale— your language preference, one year,SameSite=Lax. Strictly necessary for locale routing.taxshift_consent— your cookie consent choice, one year,SameSite=Lax,Secure. Strictly necessary.
Google Analytics 4 loads only after you accept the consent banner. If you reject, no GA4 cookies are set and no telemetry is sent to Google.
You can change your cookie choice at any time from the footer link or the "Change cookie preferences" control on this page.
10. Children
TaxShift AI is a service for Chartered Accountants, tax consultants, and accountants. It is not directed at minors and we do not knowingly process children's personal data.
11. Changes to this policy
We will update this policy when our practices change. For material changes that affect your rights, we will notify you by email at least fourteen days before the change takes effect. The "last updated" date at the top always reflects the most recent revision.
12. Contact
For anything that is not urgent, email privacy@taxshiftai.com. For grievances, email grievance@taxshiftai.com. Our postal address will be published once the entity registration is complete.
Questions? Write to privacy@taxshiftai.com.