This Privacy Policy explains how PillowTax (operated by CA Nikhil Kaushik — "we", "us", "our") collects, uses, stores, and protects your personal data when you use our website, submit an enquiry, or engage our services.
We handle sensitive financial and personal information as a core part of our work. We take that responsibility seriously. This Policy is written in plain language so you know exactly what we do with your data — and what we do not do.
By using our website or engaging our services, you consent to the practices described in this Policy. If you do not agree, please do not submit your information or use our services.
1. Information we collect
We collect only what we need to provide our services. This falls into two categories:
1.1 Information you provide directly
When you fill in an enquiry form, book a call, or engage our services, we collect:
- Identity information: Full name, PAN number, Aadhaar number (where required)
- Contact details: Email address, WhatsApp/mobile number
- Financial information: Income details, bank statements, salary slips, invoices, trading statements, GST returns, Form 16, Form 26AS, AIS/TIS
- Government portal credentials: Income tax portal login, GST portal login, MCA login — shared with your explicit consent solely for the purpose of filing
- Business information: Company details, incorporation documents, FEMA/ODI related documents
- Payment information: Transaction details processed via Razorpay, Wise, or Stripe — we do not store card numbers or bank account credentials ourselves
- Communications: Emails, WhatsApp messages, and notes from calls
1.2 Information collected automatically
When you visit www.pillowtax.com, we may automatically collect:
- Device and browser information: IP address, browser type, operating system
- Usage data: Pages visited, time spent, referral source
- Cookie data: Session cookies and analytics cookies (see Section 6)
2. How we use your information
We use your information only for the following purposes:
- To provide the services you have engaged us for — tax filings, GST compliance, FEMA advisory, incorporations, and related work
- To communicate with you about your engagement — document requests, filing updates, deadline reminders
- To verify your identity and comply with Know Your Client (KYC) requirements where applicable
- To process payments and issue GST invoices
- To send you compliance reminders relevant to your engagement (e.g. advance tax dates, ITR deadlines)
- To improve our website and services through anonymised usage analytics
- To comply with legal and regulatory obligations under Indian law
We do not use your information for unsolicited marketing, profiling for advertising purposes, or any purpose not listed above. We will always seek your consent before using your data for a new purpose.
3. What we do not do with your data
We want to be explicit about this:
- We do not sell, rent, license, or trade your personal or financial data to any third party
- We do not share your data with advertisers or marketing platforms
- We do not use your PAN, Aadhaar, or financial data for any purpose other than your engagement
- We do not use Google AdSense or serve targeted advertisements based on your data
- We do not access your government portal credentials for any purpose beyond the specific filing you have engaged us for
4. When we share your information
We share your information only in the following limited circumstances:
4.1 Service delivery
We may share your information with professional associates, sub-contractors, or team members who work directly on your engagement. All such parties are bound by equivalent confidentiality obligations.
4.2 Legal and regulatory requirements
We may disclose your information to government authorities, courts, or regulators when required to do so by law — for example, in response to a statutory notice, court order, or compliance audit. We will notify you of such disclosure wherever legally permitted to do so.
4.3 Payment processors
Payment transactions are processed by Razorpay (for Indian clients), Wise, or Stripe (for international/NRI clients). These platforms operate under their own privacy policies and are compliant with applicable data protection laws. We do not store your payment credentials.
4.4 Third-party tools
We use the following tools in our operations, each of which processes limited data on our behalf:
- Calendly — for scheduling discovery calls (name, email)
- Google Drive / Notion — for document storage and client management
- WhatsApp Business — for client communications
- Brevo / Mailchimp — for transactional and compliance reminder emails
- Zapier — for workflow automation between tools
We select tools that maintain appropriate security standards. We do not authorise any of these tools to use your data for their own marketing or profiling purposes.
5. How long we retain your data
We retain your personal and financial data for as long as necessary to provide our services and meet our legal obligations. Specifically:
- Active engagement data: Retained for the duration of your engagement and for 7 years after its conclusion, in accordance with professional standards applicable to Chartered Accountants in India
- Government portal credentials: Deleted or revoked immediately upon completion of the specific filing for which they were shared
- Enquiry data (non-converted leads): Retained for 12 months, then deleted
- Payment records: Retained for 7 years as required under tax and accounting regulations
- Website analytics data: Anonymised and aggregated; retained for up to 24 months
After the applicable retention period, your data will be securely deleted or anonymised.
6. Cookies & website tracking
Our website uses cookies to function correctly and to understand how visitors use the site. We use the following types of cookies:
Strictly necessary cookies
Required for the website to function. These cannot be disabled. They include session management and form security tokens.
Analytics cookies
We use Google Analytics to understand how visitors interact with our website — which pages are visited, how long visitors stay, and where they come from. This data is anonymised and aggregated. It helps us improve the site. You can opt out of Google Analytics tracking at tools.google.com/dlpage/gaoptout.
Functionality cookies
These remember your preferences (such as language settings or previously entered form data) to improve your experience.
You can control and delete cookies through your browser settings. Please note that blocking strictly necessary cookies may affect the functionality of our website. We do not use advertising or targeting cookies.
7. How we protect your data
We take the security of your personal and financial information seriously. Our security measures include:
- All documents shared with us are stored in access-controlled cloud storage (Google Drive with restricted sharing)
- Client communications containing sensitive information are conducted over WhatsApp (end-to-end encrypted) or encrypted email
- Government portal credentials shared with us are used exclusively for the agreed purpose and are not stored in plain text
- Our team operates under strict internal confidentiality obligations
- We do not store complete payment card details — all payment processing is handled by PCI-DSS compliant payment gateways
While we take all reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying you in the event of a data breach that affects your personal information, as required under the Digital Personal Data Protection Act, 2023.
8. Your rights
Under the Digital Personal Data Protection Act, 2023 (India) and applicable law, you have the following rights with respect to your personal data:
Right to access
You can request a copy of the personal data we hold about you at any time.
Right to correction
You can ask us to correct any inaccurate or incomplete personal data we hold about you.
Right to erasure
You can request deletion of your personal data, subject to our legal retention obligations (e.g. we cannot delete records required for tax compliance purposes during the mandatory retention period).
Right to withdraw consent
Where we process your data based on consent (e.g. access to government portals), you can withdraw that consent at any time. Withdrawal will not affect the legality of processing prior to withdrawal.
Right to grievance redressal
If you believe your data rights have been violated, you can raise a grievance with us (see Section 13). If unresolved, you may approach the Data Protection Board of India once it is constituted under the DPDP Act.
To exercise any of these rights, please contact us at contact@pillowtax.com. We will respond within 30 days.
9. Children's privacy
Our services are intended for adults (18 years and above). We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has submitted data to us, please contact us immediately.
10. External links
Our website may contain links to third-party websites, tools, or platforms such as Topmate, Razorpay, Calendly, and government portals. Clicking these links takes you to platforms governed by their own privacy policies. We are not responsible for the privacy practices or content of any external site. We encourage you to review the privacy policy of any third-party site you visit.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. The updated Policy will be posted on our website with a revised effective date. For material changes, we will notify active clients via email to the address on record. Your continued use of our services after an update constitutes acceptance of the revised Policy.
12. Legal compliance
This Privacy Policy is published in compliance with:
- The Digital Personal Data Protection Act, 2023 (India)
- The Information Technology Act, 2000 and the IT (Amendment) Act, 2008
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- The Chartered Accountants Act, 1949 and the ICAI Code of Ethics regarding client confidentiality
This document constitutes an electronic record within the meaning of the Information Technology Act, 2000 and does not require a physical or digital signature.
13. Grievances & contact
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Grievance Officer:
Grievance Officer
PillowTax Privacy Policy — Effective 29 May 2026