Privacy Policy
DRAFT — pending legal review. Effective date will be set on publication. This policy is drafted for alignment with the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.
Who we are
Finance Compliance OS is operated by MarshallRidge Consulting Private Limited, Unit No. 52, 2nd Floor, C-39A, Gami Industrial Park, MIDC, Thane, Navi Mumbai 400705, India ("MarshallRidge", "we"). For any question about this policy, contact us at contact@marshallridgeconsulting.in · +91 77188 66506.
What personal data we process, and why
- Account data (your name, email, role): to authenticate you, scope what you can see, and attribute actions in the tamper-evident audit trail. Legal basis: performance of our contract with your organisation.
- Business records your organisation uploads (vendor master, invoices, payments, agreements, GSTR-2B data, evidence documents): processed solely to compute MSME payment compliance, TDS and related statutory positions, on your organisation's instructions. Where these records identify individuals — for example a proprietor's PAN or Udyam registration — we process them as a processor for your organisation, under the data processing terms of our customer agreement.
- Technical logs (IP address, request metadata): security monitoring, rate limiting and statutory log retention (CERT-In directions, 2022).
What we do not do
- No sale of personal data, no advertising use, no profiling beyond the compliance computations you ask for.
- No tracking cookies — the application uses browser storage only to keep you signed in.
- No transfer outside India in the ordinary course: production systems run in AWS Mumbai (ap-south-1).
AI features
The Tax Copilot answers questions strictly from your organisation's own data, via Anthropic's Claude API. Inputs are not used to train models. Document OCR uses AWS Textract in the Mumbai region.
Security
We protect data with encryption in transit (TLS) and at rest, tenant isolation enforced at the database layer (row-level security), role-based access, scrypt-hashed credentials, login rate limiting, an append-only hash-chained audit trail, and SHA-256 integrity hashes on every uploaded document. Full details are in SECURITY.md in our repository and in our security architecture documentation.
Retention and erasure
Data is retained while your organisation's subscription is active. On offboarding (or on a verified request), we provide a complete machine-readable export and then erase the tenant's data; a minimal record that erasure occurred (when, and how many records) is kept. Statutory logs are retained for 180 days as required by CERT-In directions.
Your rights
Under the DPDP Act you may request access to, correction of, or erasure of your personal data, and may nominate a person to exercise these rights. Write to contact@marshallridgeconsulting.in. We respond within the timelines prescribed under the DPDP Rules. If unsatisfied, you may escalate to the Data Protection Board of India.
Grievance officer
Grievance & data-protection contact: MarshallRidge Consulting Private Limited, contact@marshallridgeconsulting.in, +91 77188 66506.
Breach notification
Personal-data breaches are notified to affected users and the Data Protection Board as required by the DPDP Act and Rules, and cyber incidents are reported to CERT-In within the mandated six hours of our noticing them.