Privacy Policy

Effective date: 30 April 2026 · Version 2026.04.30

FileMyBooks ("FileMyBooks", "we", "us", "our") respects your privacy. This Privacy Policy explains what personal data we collect when you visit our website at filemybooks.com, sign in to your account, or purchase any of our compliance, legal, or accounting services (the "Services"); how we use that data; with whom we share it; how long we keep it; and the rights you have over it.

We process personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and other Indian laws applicable to us as a Data Fiduciary.

1. About us and this policy

FileMyBooks is operated by [REVIEW: registered legal entity name], a [REVIEW: company type] incorporated in India, having its registered office at [REVIEW: registered office address], CIN [REVIEW: CIN], GSTIN [REVIEW: GSTIN]. For the purposes of the DPDP Act, we are a "Data Fiduciary" — that is, the entity that determines the purpose and means of processing your personal data.

This Privacy Policy applies to (a) visitors to our website, (b) prospective customers who fill out lead-capture forms, (c) registered customers (each a "Data Principal"), and (d) recipients of our marketing communications. It does not apply to third-party websites we link to; those are governed by their own privacy policies.

2. Personal data we collect

2.1 Account and identity data

  • Full name, email address, mobile number, and the one-time codes used to authenticate you (we do not use passwords for customer accounts in the current version of the Service);
  • Optional profile information such as preferred name, role at your business, and time zone.

2.2 Billing and tax data

  • Billing address (line 1, line 2, city, state, PIN code), country;
  • Company name and Goods and Services Tax Identification Number ("GSTIN") where you supply one for input-tax-credit purposes;
  • Tax-invoice fields and the contact email/phone printed on invoices;
  • Razorpay payment metadata that we receive after a payment — Razorpay payment ID, order ID, payment method category (UPI, card, net banking, wallet, AutoPay/e-NACH mandate), success/failure status, refund IDs, and dispute notifications. We do not see, store, or process card numbers, CVVs, UPI PINs, or net-banking credentials. Those remain inside Razorpay's PCI-DSS Level 1 environment.

2.3 Service-delivery data

To deliver the specific Service you have purchased, we collect the documents and information that the relevant statute or registry requires. These vary by Service and may include:

  • For Pvt Ltd Company Registration — directors' PAN, Aadhaar (or Aadhaar VID), passport-size photos, address proofs, DSC token data, proposed company name, MoA/AoA inputs, and registered-office proof;
  • For Annual ROC Compliance — financial statements, board resolutions, shareholder lists, and digital signatures of authorised signatories;
  • For Accounting + GST + TDS Filing — books of account, bank statements, sales and purchase ledgers, GSTIN credentials (only via read-only access where you choose to share), TDS challans, and Form 16/16A inputs;
  • For Trademark Registration — applicant identity proof, MSME or Startup India recognition (where claimed), specimen of mark, class details, and the date of first use;
  • For the Startup Bundle — a combination of the above as relevant to the constituent services.

Where the data we collect amounts to sensitive personal data or information under the SPDI Rules (for example, financial information, biometric information used as identity proof, or other categories notified from time to time), we collect it only with your explicit consent and only for the specific Service you have ordered.

2.4 Communications data

  • Emails, WhatsApp messages, and call notes exchanged with our team for support and service delivery;
  • The content of forms you submit to us, such as the "Contact us" and "Contact our team" lead-capture forms.

2.5 Device, usage, and location data

  • IP address, device type, operating system, browser, screen size, language preference, referrer, pages viewed, and timestamps;
  • Approximate location (city/state) derived from your IP address at the network edge, used to render region-appropriate content and to compute aggregate analytics. We do not collect precise GPS location;
  • Cookies and similar technologies as described in Section 9.

2.6 Information from third parties

  • Razorpay (payment confirmations, settlement metadata, dispute notifications, refund references);
  • Public records of MCA, GSTN, Income Tax, IP India, and similar authorities, accessed in the course of completing filings on your behalf;
  • Where you log in via a single-sign-on provider in a future release, the basic profile information that provider chooses to share in line with your settings on it.

3. Lawful grounds for processing

We rely on the following grounds, recognised by the DPDP Act and the SPDI Rules, for processing your personal data:

  • Consent — for analytics cookies, marketing communications, WhatsApp service updates, and any sensitive personal data we collect for service delivery. You can withdraw consent at any time, though some Services cannot be performed without certain categories of data;
  • Performance of a contract — to provide the Services you have purchased and to keep you informed about their status, including order confirmations, status updates, refunds, and invoice delivery;
  • Compliance with law — to maintain books of account, issue GST-compliant tax invoices, comply with KYC and PMLA-related obligations imposed on our payment processor, comply with income-tax retention rules, and respond to lawful requests from authorities;
  • Legitimate interests — to operate, secure, and improve our website, prevent fraud, abuse, and money-laundering, and contact existing customers about closely-related Services with the ability to opt out at any time.

4. How we use your data

We use personal data to:

  • create and maintain your account and authenticate you with one-time codes;
  • process your order, take payment via Razorpay, and where applicable establish e-mandates (UPI AutoPay or e-NACH on cards) for recurring subscriptions in line with the RBI's framework for processing of e-mandates;
  • deliver the Service, prepare and file documents with the relevant authority, communicate progress, and answer your queries;
  • raise GST-compliant tax invoices and process refunds via Razorpay back to the original payment instrument;
  • secure the Service against fraud, abuse, and unauthorised access (including by rate-limiting, anomaly detection, and audit logging);
  • operate, monitor, and improve the Service, including via consent-gated analytics; and
  • send transactional communications related to your account and orders. Marketing communications are sent only on the basis of your explicit consent or, where permitted, our legitimate interest in contacting existing customers about closely-related Services, with a clear unsubscribe option in every message.

5. Who we share your data with

We do not sell your personal data. We share it only with the following categories of recipients, all of whom are bound by written contracts that restrict their use of your data:

5.1 Payment processor

Razorpay Software Private Limited, an RBI-authorised Payment Aggregator, processes payments, mandates, and refunds. Razorpay maintains PCI-DSS Level 1 certification. Card and credential data is shared directly with Razorpay; we receive only payment metadata.

5.2 Hosting and infrastructure

  • Vercel Inc. — web hosting and serverless functions;
  • Supabase Inc. — managed Postgres, authentication, and object storage. The primary database resides in the Mumbai (ap-south-1) region of Amazon Web Services;
  • Upstash Inc. — Redis-based rate limiting and ephemeral counters.

5.3 Communications

  • Resend Inc. — transactional emails (one-time codes, order receipts, invoices, status updates) and marketing emails sent only with consent;
  • Our WhatsApp Business Solution Provider (a Meta-approved BSP) — service-update messages where you have opted in. SMS is not used for marketing.

5.4 Error tracking and analytics

  • Sentry — error monitoring and performance traces, with personal identifiers redacted at source;
  • Google Analytics 4 and Meta Pixel — aggregate website analytics loaded only after you accept analytics cookies;
  • Vercel Analytics — first-party page-view and Core-Web-Vitals measurement.

5.5 Government and statutory authorities

Ministry of Corporate Affairs, GSTN, Income Tax Department, IP India, and similar authorities, only as needed to complete the specific filing you have purchased, or where required by law, court order, or lawful request.

5.6 Professional advisors

Chartered accountants, company secretaries, and lawyers we engage to deliver your Service, under confidentiality obligations.

5.7 Successors and acquirers

In connection with a merger, acquisition, restructuring, or sale of all or part of our business, with notice to you and an obligation on the acquirer to honour this Privacy Policy or one materially as protective.

6. International transfers

Your personal data is primarily processed and stored in the Mumbai (ap-south-1) region. Some processors — particularly error tracking, analytics, and email delivery — may process metadata in the United States, the European Union, or other jurisdictions. When this happens, we rely on (a) the contractual safeguards offered by those processors, (b) transfers permitted under Section 16 of the DPDP Act to countries not restricted by the Central Government of India by notification, and (c) appropriate technical and organisational measures including encryption in transit and at rest.

7. Data retention

Category | Retention
Account and login data | While your account is active, plus 12 months after closure for fraud-prevention and audit purposes
Order, invoice, GST records | At least 8 years from the end of the relevant financial year (Income Tax Act and CGST Act)
Service-delivery documents | For the duration of the engagement plus 7 years, or longer where a statute requires
Communications (email, WhatsApp, support tickets) | 3 years from last interaction, longer where linked to an open compliance matter
Marketing and analytics events | 26 months, or until you withdraw consent — whichever is earlier
Server logs, security telemetry | 30–90 days, longer if needed to investigate a security incident

Once a retention period ends, we either delete the data or irreversibly anonymise it so it can no longer be associated with you.

8. Your rights as a Data Principal

Subject to the conditions in the DPDP Act, you have the right to:

  • Access — obtain a summary of the personal data we hold about you and how it is being processed;
  • Correction and completion — have inaccurate, incomplete, or out-of-date personal data corrected;
  • Erasure — request erasure of personal data that is no longer necessary for the purpose for which it was collected, except where retention is required by law (for example, the 8-year rule for tax records);
  • Withdraw consent — at any time, with effect for the future, by emailing the Grievance Officer below or by using the unsubscribe link in any marketing email;
  • Nominate another person — to exercise your rights in the event of your death or incapacity;
  • Grievance redressal — file a complaint with our Grievance Officer (Section 12) and, if unresolved, escalate to the Data Protection Board of India.

9. Cookies and similar technologies

We classify cookies as follows:

  • Strictly necessary — session cookie, CSRF token, consent-state cookie, cart cookie, geo cookie. These are essential for the site to work; they are not subject to consent.
  • Analytics — Google Analytics 4, Vercel Analytics beyond first-party basics. Loaded only after you accept analytics cookies in our consent banner.
  • Marketing — Meta Pixel and any future ad-tech pixel. Loaded only after you accept marketing cookies.

You can change your cookie choices at any time using the consent control in the site footer.

10. Security of your data

We follow reasonable security practices and procedures within the meaning of Section 43A of the IT Act and the SPDI Rules. These include, without limitation: HTTPS/TLS in transit, encryption at rest provided by our database host, role-based access control, row-level-security policies inside the database, application-level rate limiting on authentication and high-value endpoints, audit logging of sensitive admin actions, vendor due diligence, and regular review of access permissions. Card data, CVVs, UPI PINs, and net-banking credentials are never seen, transmitted, or stored on our servers; they remain inside Razorpay's PCI-DSS Level 1 environment.

Despite these measures, no system can be perfectly secure. We will notify affected Data Principals and the Data Protection Board of India of any personal data breach in the manner and within the timelines prescribed under the DPDP Act and Rules made thereunder.

11. Children

The Services are intended for adults transacting on behalf of themselves or a business. We do not knowingly collect personal data of children under 18. If you believe a child has provided us personal data, please contact us so we can delete it. As required by Section 9 of the DPDP Act, we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.

12. Grievance Officer

In compliance with Rule 5(9) of the SPDI Rules and Section 8(9) of the DPDP Act, we have appointed a Grievance Officer to handle complaints about this Privacy Policy and our processing of your personal data:

Grievance Officer
[REVIEW: full name]
FileMyBooks
[REVIEW: registered office address]
Email: grievance@filemybooks.com
General support: support@filemybooks.com

We acknowledge complaints within 72 hours and respond substantively within 30 days, or within the period prescribed by applicable law, whichever is shorter.

13. Notice of changes

We may update this Privacy Policy from time to time to reflect changes in law, our Services, or our processors. The "Effective date" at the top of this page indicates when it was last changed. For material changes — for example, the addition of a new processor or a new processing purpose — we will notify you by email or by a prominent banner on the website at least 7 days before the change takes effect, where notice is reasonably practicable.

14. How to contact us

For any question about this Privacy Policy, please write to privacy@filemybooks.com or to the Grievance Officer at the address above.