
How we handle your personal information.

What we collect, why we collect it, how long we keep it, who we share it with, and the rights you have under the Digital Personal Data Protection Act, 2023.

In force · Effective 24 May 2026 · Version 1.0

This Policy is written to be read. We have used plain English wherever possible and reserved formality for places where it matters for legal effect. If anything is unclear, write to support@octetlogictech.com and we will explain.

  1. Who we are

    This Privacy Policy explains how Octet Logic OPC Private Limited, having its registered office in Hyderabad, Telangana, India (“Octet Logic”, “we”, “us”, “our”), collects, uses, shares and protects the personal information of individuals who interact with our GST compliance platform GSTFiler — available at www.gstfiler.com and app.gstfiler.com (the “Service”).

    We act as the Data Fiduciary (in the language of the Digital Personal Data Protection Act, 2023 — the “DPDP Act”) for the personal information described in this Policy. We follow the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”) where they continue to apply, and the DPDP Act as its provisions come into force.

  2. Scope of this Policy

    This Policy covers personal information about:

    • visitors to our marketing website at www.gstfiler.com;
    • individuals who sign up for a trial or paid plan;
    • authorised users of a workspace (including team members invited by a workspace Owner);
    • individuals who contact us by email, telephone or in-app chat for sales or support.

    This Policy does not cover the business data you upload to the Service — your books, invoices, returns, GSTIN data, e-invoices and similar artefacts. Those are governed by our separate Data Policy, which sets out residency, retention, encryption and access terms. Where the business data you upload happens to contain personal information about your customers, vendors or employees, you act as the Data Fiduciary for that data and we act as a Data Processor processing it on your written instructions.

  3. Personal information we collect

    You give us

    • Account details — first name, last name, work email, mobile number, password (stored only as a salted bcrypt hash), and a one-time password (OTP) used to verify your email or to file a GST return.
    • Profile details — designation, firm name, country, state, GSTIN where you choose to provide one, and (for tax-consultants) the GSTINs of clients you are authorised to act for.
    • Billing details — billing name, billing address, GSTIN (for input-tax credit on our invoice), and a token returned by our payment gateway. We do not store card numbers, CVV, UPI PINs or net-banking passwords — these are held by the payment gateway.
    • Communications — the contents of any email, chat, ticket or form you send us, including any attachments.

    We collect automatically

    • Sign-in and session events — timestamps, IP address, user-agent string, device type, browser, operating system, and the geographic city / country inferred from the IP.
    • Usage events — pages visited, features used, return types prepared, error reports, and similar product-analytics signals. We do not run third-party behavioural or session-replay analytics inside the authenticated app.
    • Cookies and similar technologies — see clause 8 below.

    We receive from others

    • From the GSTN, in response to lookups you initiate — the registered name, status, jurisdiction and other publicly-available particulars of a GSTIN.
    • From our payment gateway — payment status, last four digits of the card or UPI handle used, and gateway-side fraud signals (if any).
    • From the workspace Owner — if you were invited to a workspace, the Owner shared your name, email and role with us.

  4. Why we use your personal information

    Under the DPDP Act we must tell you the purpose of every processing activity. We use your personal information for the following purposes, each based on the lawful ground stated:

    • Provide the Service — create your account, authenticate sign-in, enforce single-session security, render pages, file returns through the GSP channel on your instruction, send transactional emails. Lawful ground: performance of the contract you have entered into with us by accepting the Terms of Use.
    • Bill and account — issue tax invoices, process payments, recover dues, maintain records required by the GST and Income-tax laws. Lawful ground: performance of contract and compliance with a legal obligation.
    • Support and customer success — answer your questions, run training, investigate incidents. Lawful ground: consent (where you contact us) and legitimate interest in operating the Service.
    • Security and abuse-prevention — detect bot traffic, abuse of free trials, fraud, credential-stuffing and unauthorised access. Lawful ground: our legitimate interest in protecting the Service and other customers, and compliance with a legal obligation.
    • Product analytics and improvement — understand which features are used, find bugs, prioritise the roadmap. We use first-party aggregate metrics; we do not sell this data. Lawful ground: our legitimate interest in improving the Service.
    • Marketing — send product news, release notes and offers to your registered email. You can unsubscribe at any time using the link in each email. Lawful ground: consent (which you may withdraw at any time without affecting prior lawful processing).
    • Legal and regulatory — respond to lawful requests from authorities, defend ourselves in disputes, comply with tax-record-keeping rules. Lawful ground: compliance with a legal obligation.

  5. Who we share it with

    We share personal information only as set out below. We do not sell personal information.

    • The GSTN, NIC and our GSP partner — when you initiate a filing, fetch GSTR-2A/2B, or verify a GSTIN, the necessary identifiers (your GSTIN, the OTP, the return payload) are transmitted to the GSTN through our NIC-approved GSP channel.
    • Sub-processors — cloud-infrastructure providers in the Mumbai region, email provider (Postmark), transactional-SMS provider, and CDN/edge-network providers. Each is bound by a written data-processing agreement and is listed in the Data Policy, clause 6.
    • Payment gateway — for processing subscription payments and refunds.
    • Your workspace — the workspace Owner and Administrators can see your name, email, sign-in timestamp, role and audit-log entries for actions you take in their workspace. If you do not want this, do not join that workspace.
    • Professional advisers — auditors, lawyers, accountants and similar, where reasonably needed and under confidentiality obligations.
    • Authorities, courts and law-enforcement — where compelled by valid legal process, or where disclosure is reasonably necessary to protect the rights, property or safety of Octet Logic, you, our customers or the public.
    • In a corporate transaction — if Octet Logic is involved in a merger, acquisition, financing or sale of all or substantially all of its assets, personal information may be transferred, subject to the acquirer’s commitment to honour this Policy.

  6. Where your information is stored and processed

    Your personal information is stored on encrypted infrastructure in the Asia-Pacific region: our production database is held in a managed Postgres cluster in APAC (encrypted at rest with AES-256, in transit with TLS 1.3), and document storage (for any attachment that may contain personal information) is held in India in the Mumbai region.

    A limited set of administrative tools (for example, our email-deliverability provider Postmark) may process metadata such as email envelope, delivery status and bounce reports outside the Asia-Pacific region. Every cross-border processing arrangement is supported by a written data-processing agreement and is made only to countries that are not subject to a notified restriction under the Digital Personal Data Protection Act, 2023.

  7. How long we keep it

    We keep personal information only for as long as we need it for the purposes set out in this Policy.

    • Account information — while your account is active, and for up to 90 days after you delete the account, to enable account recovery and dispute resolution.
    • Billing and tax records — for the period required by the Income-tax Act, 1961, the CGST Act, 2017 and other applicable tax / corporate laws (currently up to 8 years from the end of the relevant financial year).
    • Sign-in events and security logs — up to 12 months by default; longer where needed for an open security investigation.
    • Support communications — for the duration of your account plus 24 months.
    • Marketing consent records — until you withdraw consent, plus 12 months to evidence the prior lawful processing.

    When the retention period ends, we delete or de-identify the data so it can no longer be associated with you. Backups may persist for up to 30 days after deletion, after which the encrypted backup itself ages out.

  8. Cookies and similar technologies

    We use a small number of cookies:

    • Strictly necessary — the qb_auth session cookie (httpOnly JWT) and the qb_onboarded routing hint cookie. Without these you cannot stay signed in.
    • Functional — preferences such as theme, last-used company, and dismissed banners.
    • Security — CSRF tokens, anti-bot challenges (Cloudflare Turnstile when active).

    We do not set advertising cookies and we do not embed third-party behavioural analytics or session-replay scripts inside the authenticated app. On the marketing site we may set first-party analytics cookies to count visitors; you can block these in your browser without affecting your ability to use the Service.

  9. Your rights as a Data Principal

    Under the DPDP Act and (where applicable) other privacy laws, you have the following rights with respect to your personal information:

    • Right to access — ask us for confirmation that we process your personal information and for a summary of that processing.
    • Right to correction and erasure — ask us to correct inaccurate, incomplete or out-of-date information, or to erase information that we no longer need.
    • Right of grievance redressal — raise a complaint about how we handle your personal information with our Grievance Officer (clause 13). If you are not satisfied with our response, you may approach the Data Protection Board of India once it is constituted.
    • Right to nominate — nominate another individual to exercise your rights in the event of your death or incapacity.
    • Right to withdraw consent — where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect lawful processing carried out before withdrawal.

    To exercise any of these rights, write to support@octetlogictech.com. We may ask you to verify your identity before we act on your request. We will respond within the time required by law and, in any event, will acknowledge your request within 7 working days.

  10. Children

    The Service is not directed to children under the age of 18, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us and we will delete it.

  11. Security

    We take reasonable security measures to protect personal information, including:

    • TLS 1.3 for all data in transit;
    • AES-256 encryption for data at rest;
    • password storage using salted bcrypt hashing;
    • role-based access controls and the principle of least-privilege within Octet Logic;
    • quarterly access reviews and on-boarding/off-boarding controls for our team;
    • peer code review on every change and automated security scanning in continuous-integration;
    • daily encrypted backups with point-in-time recovery for the last 30 days.

    No system is perfectly secure. If you become aware of any compromise of your account or of the Service, please contact us at support@octetlogictech.com without delay. We will notify affected individuals and the Data Protection Board of India of a notifiable personal data breach within the timelines required by law.

  12. Changes to this Policy

    We may amend this Policy from time to time. When we do, we will revise the Effective Date and Version number at the top, and (for material changes that affect how we use your personal information) notify you by email or in-app banner at least 15 days before the changes take effect. The current version is always published at www.gstfiler.com/privacy.

  13. Grievance Officer

    In accordance with the Information Technology Act, 2000, the rules made thereunder, and the DPDP Act, 2023, the contact details of the Grievance Officer for any complaints relating to your personal information are:

    Grievance Officer
    Octet Logic OPC Private Limited
    Hyderabad, Telangana, India
    Email: support@octetlogictech.com
    Telephone: +91 98490 11005

    We aim to acknowledge complaints within 48 hours and to resolve them within 30 days.

  14. Contact us

    If you have any questions about this Policy or our privacy practices, please write to us at support@octetlogictech.com or call +91 98490 11005. Postal address: Octet Logic OPC Private Limited, Hyderabad, Telangana, India.

This document is published in English. Where we publish a translation, the English version controls in case of conflict.