This Privacy Policy explains how Panalinks Infotech ("we", "us", "our") collects, uses, stores, and protects information in connection with CAFirmHQ ("the Platform"). By using the Platform, you agree to the practices described in this Policy.
This Policy applies to all users of the Platform, including Chartered Accountancy firms ("CA Firms"), their team members, company accountants invited by CA Firms, and Solo Accountants using the Platform independently.
1. Information We Collect
1.1 Information you provide directly
- Name and email address (when you register or accept an invitation)
- Company details: company name, GSTIN, address, state, mobile number, email
- GST reconciliation data: Tally Inwards Register exports, GSTR-2B downloads
- Remarks and notes entered against invoice rows
- Support tickets and communications submitted to us
1.2 Information collected automatically
- Login activity: timestamps, authentication method (Google OAuth or magic link)
- Session tokens (stored server-side, hashed — not the raw token)
- API request logs: endpoint accessed, HTTP status code, timestamp
- Browser type and IP address (collected by our server infrastructure)
1.3 Information from third parties
- Google OAuth: if you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive your Google password or any other Google account data.
- Razorpay: if you subscribe to a paid plan, Razorpay processes your payment. We receive subscription status, plan ID, and payment confirmation from Razorpay. We do not store your card number, UPI ID, or bank details — these are handled entirely by Razorpay.
2. How We Use Your Information
We use the information we collect to:
- Provide and operate the Platform, including running GST reconciliation jobs and storing results
- Authenticate your identity and maintain your session securely
- Send you magic link login emails and system notifications via Resend.com
- Enforce plan limits, trial periods, and subscription status
- Respond to your support requests
- Improve the Platform based on usage patterns (aggregate, not individual-level)
- Comply with applicable Indian laws and regulations
We do not use your GST data — invoice numbers, supplier GSTINs, taxable values, or ITC amounts — for any purpose other than providing the reconciliation service to you. We do not sell, license, or share this data with third parties for advertising or analytics.
3. GST Data — Special Handling
GST reconciliation data is sensitive financial data. It reveals your supplier relationships, purchase volumes, tax paid and claimed, and invoice-level transaction details. We treat this data with additional care:
- Your GST data is isolated by tenant — no CA Firm can access another CA Firm's data, and no company can access another company's data
- Uploaded Excel files (Inwards Register and GSTR-2B) are processed in memory and deleted from the server immediately after the reconciliation job completes — only the structured results are stored in the database
- AI-assisted features, where available, use anonymised or summarised data for prompts — raw GSTINs, invoice numbers, and amounts are never sent to external AI APIs
- Our infrastructure runs on Hetzner Cloud. All data in transit is encrypted via HTTPS (TLS 1.2+). All data at rest is stored on encrypted PostgreSQL volumes
4. Data Sharing
We share data only as described below:
- Resend.com: we use Resend.com to send transactional emails (magic links, invitations, notifications). Resend receives the recipient email address and email content. Resend does not use this for advertising.
- Razorpay: subscription and payment processing. Razorpay receives your name, email, and plan details to process payments. Razorpay is PCI-DSS compliant.
- Hetzner Cloud: our infrastructure provider. Your data is stored on Hetzner servers. Hetzner does not have access to the application layer or your data content.
- Legal compliance: we may disclose information if required by Indian law, court order, or lawful government authority.
We do not share your data with advertisers, data brokers, or any party for commercial purposes.
5. Data Retention
- Account data (name, email, role) is retained for as long as your account is active
- Reconciliation job data (results, remarks, history) is retained for as long as your account is active
- You may request deletion of your account and all associated data by contacting us at support@gstsettle.com. We will complete deletion within 30 days.
- Billing records are retained for 7 years as required under Indian financial regulations
- Support tickets are retained for 2 years from resolution
6. Your Rights
As a user of CAFirmHQ, you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Request deletion of your account and data
- Export your reconciliation data (Excel export is available from the Platform at any time)
- Withdraw consent to data processing (by closing your account)
To exercise any of these rights, contact us at support@gstsettle.com. We will respond within 15 business days.
7. Cookies and Local Storage
CAFirmHQ uses browser session storage (not cookies) to store your authentication token on your device. This token is used to keep you logged in across sessions. It does not track your browsing activity across other websites. You can clear this by logging out or clearing your browser storage.
The marketing website (cafirmhq.com) does not use tracking cookies or analytics tools that share data with third parties.
8. Children's Privacy
CAFirmHQ is a professional financial compliance platform intended for use by businesses and professionals. It is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The effective date at the top of this document will always reflect the most recent version. Continued use of the Platform after changes are posted constitutes acceptance of the updated Policy.
10. Contact Us
If you have questions about this Privacy Policy or how we handle your data: