Your data, handled with care.
Last updated 14 June 2026
This policy explains what ComplianceStack collects, why, how we use and protect it, and the rights you have. ComplianceStack is operated by Ventuno Technologies Private Limited, Chennai, Tamil Nadu, India (the "Company", "we", "us"), which is the data fiduciary for your information.
What we collect
- Account & identity: your name, email, and authentication details.
- Company profile: entity type, state, turnover band, and statutory identifiers you provide — including GSTIN, PAN and CIN/LLPIN — plus registration flags (GST, PF, ESI, etc.).
- Compliance content: tasks, statuses, comments, and the documents and evidence you upload (returns, challans, certificates, agreements).
- Inbound email (optional): if you forward compliance emails to your inbox address, their contents and attachments.
- Collaborators: details of CAs, CSs, lawyers and team members you invite.
- Usage & device data: log data, IP address, and basic analytics needed to run and secure the service.
How we use it
- To determine what compliance applies to you and generate your calendar, due dates and reminders.
- To store your evidence and verify it against your identifiers and authoritative sources.
- To enable collaboration with your advisors and produce diligence reports you choose to generate.
- To operate, secure, support and improve the service, and to process billing if you subscribe.
- To send service communications (and reminders or WhatsApp messages only where you opt in).
We process your data on the basis of your consent and to provide the service you have signed up for.
Verification lookups
To ground your profile in reality, we may send your GSTIN or CIN to a verification provider (Sandbox / Quicko) and check GST return-filing status. These calls return data already held in the public GST / MCA registries (legal name, registration status, whether a return was filed) — we do not transmit your uploaded documents to these providers.
AI processing
AI helps classify documents, extract fields, summarise notices and draft plain-language explanations. The deterministic rules engine — not AI — decides what applies to you. We do not use your data to train AI models, and AI outputs always carry a “confirm with your CA, CS, or lawyer” disclaimer.
Who we share it with
We do not sell your data. We share it only with the people you authorise (your team and invited advisors) and with the vetted sub-processors that run the service:
- Supabase — Managed Postgres database, authentication and the evidence file store (hosted in India — ap-south-1, Mumbai).
- Vercel — Application hosting and serverless compute.
- Cloudflare — DNS and bot protection (Turnstile) on sign-in / sign-up.
- Resend — Transactional email (sign-in, reminders, advisor invites) and the optional compliance inbox.
- Razorpay — Subscription billing — used only if you subscribe to a paid plan.
- Sandbox (Quicko) — GST/MCA verification — we send a GSTIN or CIN and receive public registry data (legal name, status, filing status).
- Anthropic & OpenAI — AI that classifies documents, extracts fields, summarises notices and drafts explanations.
- Meta (WhatsApp) — Reminder messages — only if you opt in and add a number.
We may also disclose data where required by law, or to protect rights, safety and the integrity of the service.
Where your data lives & how long we keep it
Your data and uploaded documents are stored in a managed database and private file store hosted in India (Mumbai region). We keep your data for as long as your account is active and as needed to provide the service or meet legal obligations. When you delete a company, its tasks, documents and evidence are removed; you can also request deletion of your account.
Your rights
Subject to applicable law (including India's Digital Personal Data Protection Act, 2023), you may:
- access and review the data we hold about you;
- correct or update inaccurate data;
- request erasure of your data;
- withdraw consent and close your account; and
- raise a grievance with us.
You can export an organised diligence pack of your records at any time, and revoke any read-only share link instantly.
Cookies
We use cookies that are strictly necessary to keep you signed in and to secure the service. We do not use third-party advertising cookies.
Security
We protect your data with encryption in transit and at rest, a private evidence vault, role-scoped access and row-level isolation. Read more on our Security page.
Children
ComplianceStack is a business tool not directed to children, and is not intended for anyone under 18.
Changes to this policy
We may update this policy from time to time. Material changes will be reflected here with a new “last updated” date.
Contact & grievance officer
For privacy questions or to exercise your rights, email privacy@compliancestack.in. To raise a grievance under the DPDP Act, contact our grievance officer at grievance@compliancestack.in.
Ventuno Technologies Private Limited, Chennai, Tamil Nadu, India.