DPDP Act Compliance

Our commitment to India's Digital Personal Data Protection Act, 2023.

Last updated: 01 April 2026
Effective: 01 April 2026

1. Introduction

Tax Sahayogi is committed to protecting the digital personal data of every individual who uses our platform. We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act), India's comprehensive data protection legislation, and have implemented policies and technical measures to uphold the rights of Data Principals as defined under the Act.

This page explains how we process personal data in accordance with the DPDP Act, the rights available to you as a Data Principal, and how you can exercise those rights.

2. Role as Data Fiduciary

Sahayogi One Private Limited, the company behind Tax Sahayogi, acts as the Data Fiduciary under the DPDP Act. As the Data Fiduciary, we determine the purpose and means of processing your digital personal data and are responsible for ensuring compliance with all obligations under the Act.

We process personal data solely for the purpose of providing and improving our AI-powered tax assistance services for Chartered Accountants. We do not sell, rent, or trade personal data to third parties.

Section 4 — Lawful Purpose

We process digital personal data only for lawful purposes as defined under Section 4 of the DPDP Act. Every processing activity is tied to a specific, clear, and legitimate purpose that is communicated to you at the time of data collection.

Section 6 — Consent Management

Where consent is the basis for processing, we obtain your free, specific, informed, unconditional, and unambiguous consent before collecting or processing your personal data. You may withdraw your consent at any time through your account settings or by contacting us, and we will cease processing data for the relevant purpose within a reasonable timeframe.

Consent requests are presented in clear, plain language and are separate from other terms and conditions. We maintain records of all consent provided and withdrawn.

4. Notice Requirements

In compliance with Section 5 of the DPDP Act, we provide clear and accessible notice to Data Principals before or at the time of collecting personal data. Our notice includes:

  • What data we collect: The specific categories of personal data being collected, such as name, email address, firm details, and usage data.
  • Why we collect it: The specific purpose for which each category of data is processed, such as account creation, service delivery, AI-assisted tax computations, and platform improvement.
  • Your rights: A summary of your rights as a Data Principal under the DPDP Act, including how to exercise them.
  • How to file complaints: Information on how to contact our Grievance Officer and, if necessary, the Data Protection Board of India.

5. Data Principal Rights

Under the DPDP Act, you have the following rights as a Data Principal:

Section 11 — Right to Access Information

You have the right to obtain a summary of the personal data we hold about you, the processing activities being carried out, and the identities of all Data Processors and third parties with whom your data has been shared.

Section 12 — Right to Correction and Erasure

You have the right to request the correction of inaccurate or misleading personal data, the completion of incomplete data, and the erasure of personal data that is no longer necessary for the purpose for which it was collected.

Section 13 — Right to Grievance Redressal

You have the right to register a grievance with our Grievance Officer regarding any aspect of how we process your personal data. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India.

6. How to Exercise Your Rights

We provide dedicated API endpoints and account settings to help you exercise your rights efficiently:

  • Data Export: Request a complete export of your personal data via the /compliance/data-export endpoint or through your account settings. Exports are delivered in a machine-readable format within 30 days.
  • Data Erasure: Request deletion of your personal data via the /compliance/erase endpoint. Upon verification of your identity, we will erase your data within 30 days, except where retention is required by law.
  • Grievance Registration: Submit a grievance via the /compliance/grievance endpoint or by emailing our Grievance Officer directly. All grievances are acknowledged within 48 hours and resolved within 30 days.

You may also exercise any of these rights by writing to us at dpo@sahayogione.com.

7. Data Retention and Erasure

We retain personal data only for as long as it is necessary to fulfil the purpose for which it was collected, or as required by applicable law. Our data retention practices include:

  • Active Account Data: Personal data associated with active accounts is retained for the duration of the account's existence and a reasonable period thereafter.
  • Erasure on Request: When you request erasure of your data, we will delete or anonymise your personal data within 30 days of receiving and verifying your request.
  • Automatic Erasure: Upon withdrawal of consent or deletion of your account, we initiate automatic erasure processes for data that is no longer required.
  • Legal Retention: Certain data may be retained beyond the erasure timeline where required by tax, accounting, or other applicable laws.

8. Cross-Border Data Transfer

Your data is processed primarily within India using our infrastructure hosted on Azure Central India. However, certain AI-powered features of Tax Sahayogi utilise Azure OpenAI Service, which may process data in Microsoft's US-based data centres.

For any cross-border data transfer, the following safeguards are in place:

  • All transfers to Azure OpenAI are governed by Microsoft's Data Processing Addendum (DPA), which includes Standard Contractual Clauses and robust data protection commitments.
  • Data sent to Azure OpenAI for processing is not used by Microsoft to train or improve their AI models.
  • We will comply with any restrictions or conditions on cross-border transfers as notified by the Central Government under the DPDP Act.

9. Grievance Officer

In accordance with the DPDP Act, we have appointed a Grievance Officer to address any concerns or complaints you may have regarding the processing of your personal data.

  • Designation: Data Protection Officer
  • Email: dpo@sahayogione.com
  • Response Time: We will acknowledge your grievance within 48 hours and provide a resolution within 30 days of receipt.

If you are not satisfied with the resolution provided by our Grievance Officer, you have the right to file a complaint with the Data Protection Board of India.

10. Contact

For any questions regarding our DPDP Act compliance, please reach out to us: