Altx Convergence Private Limited (“Altx”, “we”, “us”, “our”) operates Notifyce, an AI-powered tax-notice and compliance dashboard. This Privacy Policy explains what personal data we collect when you visit our website or use Notifyce, why we process it, who we share it with, how long we retain it, and the rights you have as a Data Principal under the Digital Personal Data Protection Act, 2023 (“DPDPA”).
By using our website or Notifyce, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part, please do not use the website or Notifyce.
1. Who Is the Data Fiduciary
Altx Convergence Private Limited — CIN U72900KA2021PTC145024
Altx Convergence Private Limited, #175/176, Dollars Colony, Phase 4, Bannerghatta Main Road, Bengaluru, Karnataka 560078, India
Data Protection Officer: Anitha — dpo@altx.one · +91 81973 19519
Privacy queries: privacy@altx.one · Grievances: grievance@altx.one
2. Two-Tier Processing — Please Read
Notifyce is built primarily for Chartered Accountants, tax professionals, and compliance managers (the “CA Firm”). To deliver the service, two distinct sets of personal data are processed:
(a) CA Firm users — direct subscribers. Altx is the Data Fiduciary (data controller) for the personal data of the CA Firm and its named users: names, business emails, mobile numbers, account credentials, billing, usage, and the government-portal login credentials they provide to enable automation.
(b) End-clients of the CA Firm — secondary Data Principals. When the CA Firm uses Notifyce to retrieve tax notices, file responses, and manage compliance on behalf of its own clients (typically small businesses, professionals, or individuals filing GST / Income Tax / TDS), Altx acts on the CA Firm’s instructions. For that processing of end-client data (PAN, GSTIN, TAN, notice content, financial figures, responses) the CA Firm is the Data Fiduciary; Altx is a Data Processor under a Data Processing Agreement with the CA Firm. The CA Firm warrants to us that it has the lawful basis (typically a CA-client engagement letter and the relevant Power of Attorney) to share that data with Notifyce.
If you are an end-client of a CA Firm and wish to exercise rights over your data held in Notifyce, please contact your CA Firm first. If you cannot reach them, you may contact our DPO at dpo@altx.one and we will assist.
3. Personal Data We Collect
We collect and process the categories of personal data described below. Tier 1 = CA Firm subscribers and named users (direct Data Principals). Tier 2 = end-clients of the CA Firm (secondary Data Principals, processed on CA Firm instructions).
| Tier | Category | Specific Data Points | Mandatory? |
|---|---|---|---|
| Tier 1 | CA Firm account & identity | Firm name, GSTIN, named user, email, mobile, hashed password, role | Mandatory for account creation |
| Tier 1 | Billing | Billing address, GSTIN, plan, invoice history. Payment-card data is captured directly by the payment processor and is not stored on our servers. | Mandatory for paid plans |
| Tier 1 | Government-portal credentials | Encrypted username / password / OTP-receiver email for GST portal, Income Tax e-filing portal, TDS portal — used solely to fetch notices and submit responses on the CA Firm’s behalf | Mandatory for portal-automation features the CA Firm enables |
| Tier 1 | Usage & device data | Pages visited, features used, IP address, device type, browser type, log timestamps | Auto-collected |
| Tier 1 | Communications | Support requests, in-app messages, training session content | Optional — only when you contact us |
| Tier 2 | End-client identifiers | End-client name, PAN, TAN, GSTIN, contact details, business address, ledger locations | Provided by the CA Firm under their engagement with the end-client |
| Tier 2 | Tax notices & statutory correspondence | Notice references, type (Scrutiny / Show-cause / Demand / Assessment), assessment year, sections cited, amounts demanded, due dates, attachments / scanned documents | Auto-fetched from government portals or uploaded by the CA Firm |
| Tier 2 | Notice responses & filings | Draft responses (AI-generated and human-edited), final responses, supporting documents, submission acknowledgements | Generated and submitted on the CA Firm’s instruction |
| Tier 2 | AI-feature outputs | AI-generated Q&A pairs; case-law citations; UI-captured Q&A from the CA Firm user | Generated by the CA Firm’s use of AI analysis |
| Tier 2 | Logs of portal access | Timestamps and outcomes of automated logins to government portals on behalf of an end-client, including any errors. Credentials are never logged in plaintext. | Auto-collected — CERT-In log retention applies |
| — | Children’s data | Not collected. Notifyce is a B2B product for licensed CA professionals; we do not process minors’ data. | Out of scope |
4. How We Use Your Personal Data
We use your personal data for the following specific, clearly described purposes:
- CA Firm account registration & authentication — creating and managing the CA Firm account; user provisioning; secure login; password recovery.
- Government-portal automation — logging into GST / Income Tax / TDS portals on behalf of CA Firm clients using the credentials the CA Firm provides; retrieving notices; downloading attachments; submitting responses.
- Notice management & workflow — storing notices and supporting documents; assigning to firm users; tracking deadlines and review dates; reminders; daily digest.
- AI-powered notice analysis & response drafting — generating notice summaries, suggested responses, Q&A pairs, case-law citations — using a configurable AI provider (Anthropic Claude as primary; OpenAI or Google Gemini as alternates).
- Tax-API integration — calling third-party tax APIs (e.g., TaxPro GST) for filing-status checks and return-data retrieval.
- Subscription & billing — processing payments, invoicing, GST handling.
- Customer support, training, grievance redress — responding to CA Firm support queries; onboarding and training; grievance redress under Section 13 DPDPA.
- Service improvement & analytics — understanding feature usage to improve the product. Aggregated and de-identified data only — never end-client data.
- Security, fraud prevention & abuse detection — detecting credential compromise, abnormal portal-access patterns, abuse, ToS enforcement.
- Legal & regulatory compliance — complying with applicable laws (DPDPA 2023, IT Act 2000 and SPDI Rules 2011, CERT-In Apr-2022 directions, court orders, lawful regulator requests).
5. Legal Basis for Processing
We process personal data on the following legal bases under the DPDPA 2023:
| Basis | When we rely on it |
|---|---|
| Consent — Section 6 | For CA Firm account creation, optional features (e.g., marketing communications), and AI-feature usage. |
| Legitimate Uses — Section 7 | For performance of the subscription contract with the CA Firm, security and fraud prevention, employment-related processing (Altx employees), and compliance with legal obligations. The CA Firm in turn relies on its own engagement letter and Power of Attorney with each end-client for processing end-client data. |
| Legal Obligation | Where we are required to retain or disclose data under Indian law (Income Tax, GST law, CERT-In directions, court orders, lawful regulator requests). |
6. Who We Share Your Data With
We share your personal data only with the categories of recipients listed below, and only for the purposes set out. Every recipient operates under a Data Processing Agreement with us. A current list of sub-processors is published at /sub-processors.html; we will update that list whenever we engage a new sub-processor.
- Amazon Web Services (AWS), region ap-south-1 (Mumbai) — cloud hosting for compute, databases, object storage, transactional email (SES), and secrets management.
- Government portals (Income Tax, GST, TDS) — automated retrieval of notices and submission of responses on the CA Firm’s behalf.
- TaxPro GST API — filing-status checks and GSTR-data retrieval via API.
- Anthropic (Claude API) — primary AI provider for notice analysis and response drafting.
- OpenAI and Google Gemini — alternate AI providers per workload configuration.
- Google Workspace — corporate email, calendar, Drive for support communications and corporate documents (not product data).
- Payment gateway for Notifyce subscriptions (Razorpay or other; confirmed at sign-up).
- Legal / regulatory authorities — on lawful request (court orders, statutory requests, regulator inquiries).
7. Cross-Border Transfers
As of the effective date of this Policy, all primary processing of personal data and end-client tax records is hosted in AWS region ap-south-1 (Mumbai, India). AI providers (Anthropic, OpenAI, Google) and Google Workspace process limited data outside India under their own Data Processing Agreements. We monitor restricted-country notifications issued by the Data Protection Board of India under Section 16 of the DPDPA, and we will update this Policy on any change of region or sub-processor.
8. How Long We Keep Your Personal Data
| Data Category | Retention Period | Basis |
|---|---|---|
| Tier 1 — CA Firm account & identity | Duration of the subscription + 90 days grace period after closure, then erasure | Contract performance; DPDPA Section 8(7) — purpose exhaustion |
| Tier 1 — Billing & financial records | 8 years from the end of the financial year of the transaction | Income Tax Act 1961, Companies Act 2013 |
| Tier 1 — Government-portal credentials | Held in encrypted form only while the CA Firm has the relevant client / portal enabled; decommissioned on disable or account closure | Strictly contract-bound; Section 8(7) |
| Tier 2 — End-client notices, responses, attachments | Held while the CA-Firm-client engagement is active; thereafter, retained for a minimum period as instructed by the CA Firm under the DPA (default 7 years to align with tax-record retention) and then erased | CA Firm instruction; tax-law retention; Section 8(7) |
| Tier 2 — Portal access logs | 180 days minimum (CERT-In); longer if a security investigation is open | CERT-In Apr-2022 directions |
| Behavioural / usage data (Tier 1) | 24 months from collection, then aggregated and de-identified | Service improvement; Section 7 |
| Communications / support tickets | 3 years from ticket closure | Service quality, dispute resolution |
| Erased-data audit trail | 1 year from erasure (anonymised metadata only) | Rule 8(iii) |
9. Your Rights as a Data Principal
Under the DPDPA 2023 you have the rights below. We acknowledge every request within 48 hours and respond substantively within 30 days of receiving a complete request, in line with our published Service Level Agreement.
- Right to access a summary of your personal data — Section 11.
- Right to correction and erasure — Section 12 (subject to legal-hold exceptions).
- Right to grievance redressal — Section 13.
- Right to nominate another individual to exercise your rights in the event of incapacity or death — Section 14.
- Right to withdraw consent at any time, prospectively — Section 6(4).
To exercise any of these rights, please use our Data Rights Request form or write to dpo@altx.one. If you are not satisfied with our response, you may approach the Data Protection Board of India under Section 13: https://dpboard.gov.in (portal to be enabled by the Board).
10. Cookies
We use cookies and similar technologies on this website. Detailed information about the cookies we use, their categories, and how to manage your preferences is in our Cookie Policy. We provide a granular consent banner on your first visit, and you may revisit your choices at any time.
11. Children’s Data
Notifyce is a B2B product for licensed Chartered Accountants and tax professionals and is not directed at, or intended for, individuals under 18 years of age. We do not knowingly process children’s personal data. Where a CA Firm uses Notifyce to handle a tax matter that could touch a minor’s data (for example, a HUF return where a minor is a coparcener), the CA Firm is the Data Fiduciary and is responsible for obtaining any required verifiable parental consent.
12. How We Protect Your Personal Data
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 via AWS KMS).
- Role-based access control with the principle of least privilege; multi-factor authentication on all administrative access.
- Security monitoring via AWS GuardDuty and centralised log aggregation; CERT-In-aligned 180-day minimum log retention (we apply a 1-year floor for forensic margin).
- Government-portal credentials encrypted with customer-managed keys; access strictly mediated by our automation service and fully audit-logged.
- Annual security and DPDPA training for every employee and contractor.
- Incident response capability with documented breach-notification procedures (CERT-In within 6 hours of detection; DPBI within 72 hours under Rule 7).
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our technology, our service offering, or applicable law. When we make a material change, we will notify you via email or via an in-product banner. The “Last Updated” date at the top of this Policy will be revised. For significant changes that introduce a new purpose, a new sensitive data category, a new cross-border transfer, or a new sub-processor handling sensitive data, we will obtain fresh consent before the change takes effect.
14. Contact Us
Data Protection Officer: Anitha
Email: dpo@altx.one
Privacy queries: privacy@altx.one
Grievance redressal (Section 13): grievance@altx.one
Phone: +91 81973 19519 (Mon–Fri, 10:00–18:00 IST)
Postal: Altx Convergence Private Limited, #175/176, Dollars Colony, Phase 4, Bannerghatta Main Road, Bengaluru, Karnataka 560078, India
If you are not satisfied with our response, you may escalate to the Data Protection Board of India at https://dpboard.gov.in.