Legal Document

Privacy Policy

Effective Date: March 22, 2026  |  Last Updated: March 22, 2026

1. Introduction

ReconGST ("we," "us," or "our") is an AI-powered GST reconciliation platform designed for Chartered Accountants, tax professionals, and Indian businesses. This Privacy Policy explains how we collect, use, store, protect, and disclose your personal and financial information when you access our website, dashboard, WhatsApp bot, APIs, or any other service (collectively, the "Services").

By using the Services, you consent to the practices described in this policy. If you do not agree, please discontinue use immediately.

2. Information We Collect

2.1 Account Information

  • Full name, email address, phone number
  • Firm/organization name
  • Login credentials (password stored as salted hash; we never store plaintext passwords)
  • Google SSO tokens (if you sign in via Google)

2.2 Client & Financial Data

  • Client firm names and GSTINs
  • Purchase register data — supplier names, invoice numbers, dates, taxable values, HSN codes
  • GSTR-2B portal JSON files
  • Invoice images/photographs uploaded for OCR extraction
  • Tally XML exports and Zoho Books data

2.3 Usage & Technical Data

  • IP address, browser type, device identifiers
  • Pages visited, session duration, click patterns
  • Error logs and crash reports

2.4 Payment Data

  • Subscription plan and billing cycle
  • Payment method metadata (we do not store full card numbers; payments are processed by Razorpay, a PCI-DSS Level 1 certified gateway)

3. PII Scrubbing & AI Data Processing

🛡️ Key Safeguard

Before any invoice data, reconciliation output, or extracted records are shared with our AI/ML models (including third-party large language models), we perform automated PII scrubbing. This includes:

  • Removal of personal addresses, phone numbers, and email addresses from invoice payloads
  • Masking of bank account numbers, IFSC codes, and UPI IDs if present in uploaded documents
  • Obfuscation of personally identifiable supplier contact details

Only structured, non-identifying financial fields (invoice numbers, dates, GSTINs, taxable values, tax amounts, HSN codes) are transmitted to our AI engine for reconciliation and mismatch detection. No raw PII ever reaches the AI model.

Our AI processing operates on a "need-to-know" basis — the model receives the minimum data required to perform reconciliation, and nothing more.

4. Data Retention & Automatic Deletion

⏱️ 48-Hour Data Retention

Any sensitive financial data uploaded by you (invoices, purchase registers, GSTR-2B JSON files, invoice images) is retained only until the reconciliation process is complete. In all cases, the maximum default retention period for any sensitive client data is 48 hours from the time of upload. After this window, the data is automatically and irreversibly deleted from our systems.

Retention Schedule

Data Type | Retention Period
Uploaded invoices, images, ZIP files | 48 hours (auto-deleted)
GSTR-2B JSON data | 48 hours (auto-deleted)
Reconciliation results (summary only) | Until account deletion
Account profile data | Until account deletion or as required by law
Payment/billing records | As required under Indian tax laws (typically 8 years)
Server logs | 90 days (rolling)

5. How We Use Your Information

We use collected information solely to:

  • Provide, operate, and improve the Services (AI reconciliation, OCR, mismatch detection)
  • Process payments and manage subscriptions
  • Send transactional emails (e.g., verification, reconciliation reports)
  • Provide customer support via WhatsApp, email, or in-app channels
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with applicable Indian laws and regulations (GST Act, IT Act, DPDP Act)

We do not sell, rent, or trade your personal or financial data to any third party for marketing or advertising purposes. Ever.

6. Data Security Measures

We implement industry-standard security measures including:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2/1.3
  • Encryption at Rest: Sensitive data at rest is encrypted using AES-256
  • In-Memory Processing: Raw invoice files are processed in volatile memory (RAM-disks) where possible, minimizing persistent disk writes
  • Access Controls: Role-based access control (RBAC) ensures only authorized personnel access production data
  • Row-Level Security: Our database uses Supabase Row-Level Security (RLS) policies, ensuring users can only access their own data
  • Regular Audits: We conduct periodic security assessments and vulnerability scans
  • Secure Payments: Payment processing is handled by Razorpay (PCI-DSS Level 1 certified) — we never store full card details

7. Data Residency & Sovereignty

All primary data processing and storage occurs within Indian data centers (Google Cloud — Mumbai region, asia-south1). Your data never leaves Indian territorial borders for storage.

For AI processing, data may be transmitted to models hosted within Google Cloud infrastructure. In all cases, PII scrubbing (Section 3) is performed before transmission, ensuring only non-identifying financial data is processed.

8. Third-Party Services

We integrate with the following third-party services, each governed by their own privacy policies:

  • Supabase — Authentication, database, and storage (hosted in Mumbai)
  • Google Cloud Platform — Infrastructure and AI model hosting
  • Razorpay — Payment gateway (PCI-DSS Level 1)
  • Meta/WhatsApp Business API — WhatsApp bot integration for document uploads and notifications

We do not share your data with these providers beyond what is necessary to deliver the Services.

9. Compliance with Digital Personal Data Protection Act, 2023

ReconGST is committed to compliance with the Digital Personal Data Protection (DPDP) Act, 2023 of India. In accordance with this Act:

  • We process personal data only for lawful purposes with your explicit consent
  • We collect only the minimum data necessary for the stated purpose (data minimization)
  • We provide you the right to access, correct, and delete your personal data
  • We maintain reasonable security safeguards to protect your data
  • We will notify you and the relevant Data Protection Board in the event of a data breach as required by law
  • We do not process data of children (users must be 18+ to create an account)

10. Your Rights

As a user, you have the right to:

  • Access: Request a copy of all personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your account and all associated data (subject to legal retention requirements)
  • Portability: Request an export of your reconciliation data in machine-readable format
  • Withdraw Consent: Withdraw your consent for data processing at any time (this may affect your ability to use the Services)
  • Grievance Redressal: File a complaint with our Grievance Officer or the Data Protection Board of India

To exercise any of these rights, please contact us at privacy@recongst.in.

11. Cookies & Local Storage

We use essential cookies and browser local storage to:

  • Maintain your authentication session
  • Remember your theme preference (light/dark mode)
  • Store temporary upload state

We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral analytics cookies.

12. Disclaimer & Limitation of Liability

⚠️ Important Legal Notice

  • ReconGST is a reconciliation assistance tool, not a licensed tax advisory service. Our AI outputs are informational and should not be treated as legal or tax advice.
  • You remain solely responsible for verifying all reconciliation results before filing GST returns.
  • We are not liable for any losses, penalties, or interest arising from incorrect GST filings based on our outputs.
  • Our AI models achieve high accuracy but do not guarantee 100% error-free results. Professional review is always recommended.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, RECONGST AND ITS AFFILIATES SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION LOSS OF PROFITS, DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES, RESULTING FROM YOUR USE OF THE SERVICES.

13. Indemnification

You agree to indemnify, defend, and hold harmless ReconGST, its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, and expenses (including legal fees) arising out of or related to:

  • Your use or misuse of the Services
  • Your violation of this Privacy Policy or Terms of Service
  • Your violation of any applicable law or regulation
  • Any data you upload that you do not have the right to share

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page with a revised "Last Updated" date and, where appropriate, via email or in-app notification.

Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the changes.

15. Governing Law & Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts located in Hyderabad, Telangana, India.

16. Grievance Officer & Contact

If you have any questions, concerns, or complaints regarding this Privacy Policy or our data practices, please contact our designated Grievance Officer:

Grievance Officer

ReconGST

Email: privacy@recongst.in

Response time: Within 48 hours of receiving your request

© 2026 ReconGST AI. All Rights Reserved. Made for Bharat 🇮🇳