
Privacy Policy

v1.1.0, effective 2026-05-09, content hash 03feed95075c9f00...

# Privacy Policy

Effective from 9 May 2026. Version 1.1.0.

This Privacy Policy describes how ElevateFinance Private Limited ("**ElevateFinance**", the "**Supplier**", "**we**", or "**us**") collects, uses, stores, discloses, and protects Personal Data under the Digital Personal Data Protection Act 2023 (the "**DPDP Act**") and allied Indian law. It is read together with the Cookie Policy, the Terms of Service, the Acceptable Use Policy, the Master Services Agreement (the "**MSA**"), the Data Processing Agreement (the "**DPA**"), the Sub-Processor List, the Refund Policy, the Disclaimer, the Service Level Agreement, the Responsible Disclosure Policy, and the DPDP Grievance Redressal page.

The version published at `/privacy-policy` in the Platform is the controlling text from the moment it is presented to the Data Principal at consent capture. Where this file and the Platform differ, the Platform controls.

## Defined terms

In this Policy:

- "**Data Principal**" means a natural person to whom Personal Data relates, within the meaning of Section 2(j) of the DPDP Act.
- "**Data Fiduciary**" has the meaning given in Section 2(i) of the DPDP Act. ElevateFinance is the Data Fiduciary in respect of the Personal Data described at clause 2.
- "**Data Processor**" has the meaning given in Section 2(k) of the DPDP Act.
- "**Personal Data**" has the meaning given in Section 2(t) of the DPDP Act.
- "**Customer**" means a Chartered Accountant firm or other entity bound by the MSA.
- "**End-User**" means a natural person whom a Customer authorises to use the Platform under the Customer's tenant.
- "**Platform**" or "**Service**" means the software-as-a-service product operated under the apex domain `elevatefinance.co` and every white-label tenant subdomain configured under the MSA.
- "**Confidential Information**" has the meaning given in clause 11 of the MSA.
- "**Applicable Law**" means every law, rule, regulation, circular, notification, order, judgment, or directive in force in India and applicable to the use of the Platform.
- "**Working Day**" means a day other than a Saturday, Sunday, or declared public holiday at ElevateFinance's principal place of business.

## 1. Parties

**Plain-language summary.** ElevateFinance is the Data Fiduciary that decides how the Personal Data described in this Policy is processed. The Data Principal is the natural person whose Personal Data is processed.

1.1 ElevateFinance is incorporated under the Companies Act 2013, with its principal place of business in Bengaluru, Karnataka, India.

1.2 ElevateFinance is the Data Fiduciary under Section 2(i) of the DPDP Act in respect of the Personal Data described at clause 2.

1.3 The Data Principal is the natural person whose Personal Data is processed.

1.4 In respect of Personal Data that the Customer or its End-Users upload through the Platform on the Customer's account, the Customer is the Data Fiduciary and ElevateFinance is the Data Processor. That arrangement is governed by the DPA.

## 2. Personal Data we process and the lawful basis for each

**Plain-language summary.** The table below sets out the categories of Personal Data ElevateFinance processes, the purposes, the lawful basis under the DPDP Act, and the broad retention principle. Day-level retention values follow the regulatory minimum applicable to each category and are set in operational policy that is updated as the law changes.

| Category | Examples | Lawful basis | Retention principle |
| --- | --- | --- | --- |
| Identity | name, email, mobile number, date of birth | consent (Sec 6); contract (Sec 7(a)) | for the life of the account, plus a short safety window |
| Government identifiers | PAN, Aadhaar (encrypted) | contract (Sec 7(a)) | for the assessment-year window required by the Income-tax Act 1961 |
| Tax-filing inputs | salary, AIS, 26AS, deductions, capital gains | contract (Sec 7(a)) | as for government identifiers |
| Bank account data | account number, IFSC (encrypted) | contract (Sec 7(a)) | as for government identifiers |
| RSU grant data | grant identifier, vesting schedule, FMV at vest | contract (Sec 7(a)) | as for government identifiers |
| Document uploads | Form 16, investment proofs, broker statements | contract (Sec 7(a)) | as for government identifiers |
| Payment metadata | order, payment, refund identifiers from the listed payment partner | contract (Sec 7(a)) | for the period required by the CGST Act 2017 |
| Audit log | actor, action, timestamp, network metadata | fraud and security (Sec 7(g)) | for the regulatory minimum |
| Consent ledger | purpose, version, network metadata, timestamp | discharge of Sec 6 obligation | for the life of the account, plus a short safety window |
| Usage data | pages viewed, error events | legitimate use (Sec 7(g)) | short rolling window |

ElevateFinance does not knowingly process biometrics, caste, religion, political opinion, sexual orientation, health or genetic data, or trade-union membership data. ElevateFinance does not knowingly process the Personal Data of children under eighteen years of age. Where such Personal Data is discovered, it is deleted promptly under the DPDP Act.

## 3. Sub-processors

**Plain-language summary.** ElevateFinance engages a small set of infrastructure and service providers to deliver the Platform. The current list is published in the Sub-Processor List, which is incorporated by reference. Each provider is bound by a written processor contract that imposes materially equivalent data-protection obligations.

3.1 ElevateFinance engages the sub-processors listed in the Sub-Processor List. Each sub-processor is bound by a written processor contract that imposes materially equivalent data-protection obligations to those set out in this Policy and in the DPA.

3.2 Empanelled Chartered Accountants who deliver the CA Review service are independent professionals subject to the ICAI Code of Ethics. Their access is scoped to the specific assigned filing.

3.3 Where the GST offering is enabled for a Customer's tenant, the Customer's GST-portal credentials are stored under an encrypted envelope and used only as described in the DPA addendum at `legal/sub-processors-gst.md`.

3.4 Where the TDS offering is enabled for a Customer's tenant, the arrangements for the NSDL Protean and TRACES portals are described in the DPA addendum at `legal/data-flow-tds.md`.

## 4. Cross-border transfers

**Plain-language summary.** Personal Data is processed within India where the sub-processor offers an Indian region. Where data must transit a global edge or a non-Indian region, the transfer is governed by an appropriate transfer mechanism (such as the EU Standard Contractual Clauses) and is reviewed against Section 16 of the DPDP Act.

4.1 Personal Data is hosted by default in an Indian region where the sub-processor offers that region.

4.2 Cross-border transfers occur only to sub-processors listed in the Sub-Processor List and only for the purposes published.

4.3 Each cross-border transfer is governed by either the European Commission Standard Contractual Clauses (where the recipient operates from the European Economic Area or the United Kingdom) or an equivalent transfer mechanism that achieves a level of protection no less than that under the DPDP Act.

4.4 Section 16 of the DPDP Act preserves the Central Government's power to restrict transfers to specified jurisdictions. ElevateFinance complies with any such restriction within the time the Government allows.

## 5. Rights of the Data Principal

**Plain-language summary.** Under the DPDP Act, the Data Principal has the rights to access, correct, complete, update, erase, and nominate, and the right to grievance redressal. Each right is exercised in-product or through the Grievance Officer.

5.1 Under Sections 11 to 14 of the DPDP Act, the Data Principal has the right to:

- (a) access a summary of the Personal Data processed and the processing activities carried out;
- (b) seek correction, completion, updation, and erasure;
- (c) nominate another individual to exercise the rights in the event of death or incapacity, in line with Section 14 of the DPDP Act; and
- (d) grievance redressal through the Grievance Officer.

5.2 Rights are exercised through:

- (a) the in-product `Settings to Privacy and Data` paths; or
- (b) email to `support@elevatefinance.co` with the literal token `[Grievance]` in the subject line.

5.3 ElevateFinance acknowledges access requests and grievances within three (3) Working Days of receipt. Substantive responses are issued within fifteen (15) calendar days of receipt, in line with the DPDP Act and Rule 5(9) of the IT (Intermediary Guidelines) Rules 2021.

## 6. Security posture

**Plain-language summary.** Security is operated as a cumulative posture, not as a list of named tools. The cumulative posture is the controlling standard. Specific algorithm names, key locations, and threshold values are not enumerated here so that an attacker who reads this Policy gains no advantage.

6.1 ElevateFinance maintains a layered security posture covering, without limitation:

- (a) transport-layer encryption of every connection between the User and the Platform;
- (b) application-layer encryption at rest of the sensitive Personal Data fields described at clause 2 (including government identifiers, bank account data, and stored portal credentials);
- (c) modern memory-hard password hashing with per-record salt;
- (d) tamper-evident receipts and invoices issued under a keyed authentication primitive;
- (e) role-based access control with least-privilege defaults across the OrgMember model;
- (f) immutable audit logging of every privileged mutation;
- (g) step-up re-authentication on every destructive or sensitive action, with purpose-bound short-lived tokens consumed atomically by the action;
- (h) magic-byte file-type verification on every upload;
- (i) server-side defence against server-side request forgery on every server-fetched resource;
- (j) sliding-window rate limiting on authentication endpoints and other abuse-prone surfaces;
- (k) safe-logger Personal-Data redaction;
- (l) strict Content Security Policy with per-request nonces;
- (m) routine dependency-vulnerability scanning and pre-commit secret scanning; and
- (n) a documented incident-response runbook, including the CERT-In runbook at `legal/cert-in-runbook.md`.

6.2 The cumulative posture is the controlling standard. Specific parameters, key locations, and thresholds are not enumerated in this Policy.

## 7. Personal Data breach notification

**Plain-language summary.** Two clocks run in parallel after ElevateFinance becomes aware of a breach: the CERT-In clock and the DPDP clock. The earlier deadline binds. The internal runbook is held in source.

7.1 Where a Personal Data breach falls within the CERT-In Direction of 28 April 2022, ElevateFinance reports to the Indian Computer Emergency Response Team within the timeline that Direction prescribes.

7.2 Where a Personal Data breach falls within Section 8(6) of the DPDP Act, ElevateFinance notifies the Data Protection Board of India and affected Data Principals within the timeline the DPDP Act and the Rules prescribe.

7.3 Both clocks run in parallel from the moment ElevateFinance becomes aware of the breach. The earlier deadline binds.

7.4 The operational runbook is held in source as a non-public artefact. External researchers and partners reach the runbook through the `[Breach]` intake at `support@elevatefinance.co`.

## 8. Grievance Officer and statutory escalation

**Plain-language summary.** Every grievance has a named human owner. If the Data Principal is not satisfied, the matter escalates to the Data Protection Board of India once it is operational.

8.1 Grievance Officer:

| Field | Value |
| --- | --- |
| Name | Priyesh Mishra |
| Role | Founder; Grievance Officer of the Data Fiduciary |
| Address | Bengaluru, Karnataka, India |
| Email | `support@elevatefinance.co` with `[Grievance]` |

8.2 Statutory escalation paths:

- (a) the Data Protection Board of India once operational under Sections 28 to 34 of the DPDP Act;
- (b) the consumer forum applicable to the Data Principal's place of residence under the Consumer Protection Act 2019; and
- (c) the courts of competent jurisdiction at Bengaluru, Karnataka, subject to the dispute-resolution clause of the MSA (for Customers) or the Terms of Service (for retail Users).

## 9. Changes to this Policy

**Plain-language summary.** ElevateFinance updates this Policy from time to time. Material changes are notified in advance.

9.1 ElevateFinance may amend this Policy from time to time.

9.2 Material changes are notified by email to the registered email address of each affected User and through an in-product banner at least seven (7) calendar days before they take effect.

9.3 The version stamp at the top of the published Policy at `/privacy-policy` controls in the event of any inconsistency with this file.

## 10. Cross-references

This Policy is read together with:

- Cookie Policy
- Terms of Service
- Acceptable Use Policy
- Master Services Agreement
- Data Processing Agreement
- Sub-Processor List
- Sub-Processors -- GST offering (DPA addendum)
- Data flow -- Income-tax TDS offering (DPA addendum)
- Refund Policy
- Disclaimer
- Service Level Agreement
- Responsible Disclosure Policy
- DPDP Grievance Redressal
- CERT-In Incident Runbook
- ICAI "Holding-Out" Audit
- SEBI (Investment Advisers) Regulations 2013 -- Safe-Harbour Mapping

---

By using the Platform, the Data Principal acknowledges this Policy.