Privacy Policy

The platform Notice Mitra is owned and operated by Priya Agarwal (sole proprietor, operating as Notice Mitra), based at Jaipur, Rajasthan – 302017, India (not GST-registered; sole proprietorship, no CIN). For the purposes of the DPDP Act, 2023, we act as the Data Fiduciary in respect of personal data you provide. You can reach us at contact@noticemitra.in.

We collect the following categories of information:

• Account information — name, email address, mobile number and password (stored only as a salted hash).
• Notice content — the income tax notice document (PDF or image) you upload, supporting documents, and any text or metadata you provide while filling out the upload form.
• Payment information — when you pay for the CA-Vetted plan, payment is processed by Razorpay. We do not see or store your card or bank credentials. We retain a transaction identifier and the amount paid for invoicing and reconciliation.
• Communication data — messages, attachments and metadata when you contact us via email, the in-app dashboard or WhatsApp.
• Technical data — IP address, browser type, device identifiers, timestamps and server logs collected automatically for security, fraud prevention and diagnostic purposes.

• To create and operate your account and authenticate you.
• To analyse the notice you upload, generate the AI-assisted summary, risk meter, documents checklist and AI draft reply.
• To deliver the CA-Vetted reply when you opt for that plan, including by sharing the notice and supporting documents with the empanelled Chartered Accountant assigned to your case.
• To process payments, issue payment receipts and maintain accounting records.
• To respond to your queries, support requests and grievance complaints.
• To detect, prevent and investigate fraud, abuse and security incidents.
• To comply with applicable law, including responses to lawful requests from public authorities.

We process your personal data on the basis of your consent provided at the time of registration and at the point of upload, and for the legitimate uses recognised under Section 7 of the DPDP Act, 2023 (including to fulfil our contractual obligations to you and to comply with law). You may withdraw your consent at any time by writing to us; please note that withdrawal does not affect processing already carried out.

We do not sell your personal information. We share information only with the following categories of recipients:

• Empanelled Chartered Accountants — when you opt for the CA-Vetted plan, the assigned practising Chartered Accountant is given access to the notice file and supporting documents strictly for the purpose of preparing your reply. The CA's name and ICAI membership number are disclosed in your dashboard. Empanelled CAs are bound by confidentiality and the Chartered Accountants Act, 1949 read with the ICAI Code of Ethics.
• Razorpay — Razorpay Software Private Limited processes payments on our behalf. Razorpay's own privacy policy applies to the data they collect to process the transaction (including the payment instrument details, which we never see).
• Cloud hosting and AI/ML service providers — we use cloud infrastructure providers to host the application and store uploads, and AI/ML service providers to read and analyse your notice. These providers process data only under contract, for the limited purposes we instruct, and may be located outside India.
• Authorities and others — to comply with applicable law, valid legal process, or to protect the rights, property or safety of users, the platform, or the public.

Some of the processors and infrastructure providers we use are located outside India. We disclose them by category and jurisdiction below so you can make an informed decision before granting consent:

• AI processing — Google LLC (via the Gemini API), used to read each notice and produce the AI analysis and draft reply. Processing infrastructure is located in the United States.
• Hosting infrastructure — Hetzner Online GmbH, with our production servers located in Germany (European Union).
• Transactional email — Resend, Inc., used to deliver the CA-vetted reply PDF and account-related emails. Email delivery infrastructure is located in the United States.
• DNS, email routing and edge protection — Cloudflare, Inc., operating from globally distributed infrastructure.
• Database hosting — Railway Corporation, which operates our PostgreSQL database on regional cloud infrastructure (typically the United States or European Union, depending on the region selected).

Where transfers occur, we take reasonable contractual and technical safeguards (including secure transport, access controls and processor agreements). Transfers comply with the DPDP Act, 2023 and any country-restriction notifications issued by the Central Government from time to time. None of the named countries (United States, Germany, European Union) is currently restricted under any such notification.

• Notice files and AI/CA-prepared reply drafts: deleted from our active systems 30 days after delivery to you, unless you ask us to retain them longer.
• Account information: retained while your account is active and for a reasonable period thereafter for security and audit purposes.
• Tax invoices and payment transaction records: retained for the period required under the Goods and Services Tax Act, 2017, the Income Tax Act, 1961 / 2025 and the Companies Act, 2013 (typically 6 to 8 years).
• Server and security logs: retained for up to 12 months unless a longer period is required for an ongoing investigation.

We follow reasonable security practices and procedures as required under Section 8 of the DPDP Act, 2023, including encryption of files in transit and at rest, role-based access control, secure authentication, regular patching of our systems, and audit logging. No method of transmission over the internet is, however, 100% secure; we ask that you also keep your password confidential.

Subject to the DPDP Act, 2023 you have the right to:

• Access a summary of the personal data we hold about you.
• Correct or update inaccurate or incomplete personal data.
• Have your personal data erased once the purposes for which it was collected are no longer served.
• Withdraw your consent and have the consequences of such withdrawal explained.
• Nominate another person to exercise these rights in the event of your death or incapacity.
• File a grievance with our Grievance Officer (see Section 12) and, if unresolved, with the Data Protection Board of India.

We use only strictly-necessary cookies — primarily to keep you signed in (authentication tokens) and to remember session preferences. We do not currently use third-party advertising or behavioural-tracking cookies. If we introduce analytics or other non-essential cookies in future, we will update this policy and obtain your consent where required.

Notice Mitra is intended for taxpayers and Chartered Accountants who are 18 years of age or older. We do not knowingly collect personal data from any person below 18, and the age-confirmation tick-box at the time of registration is the lawful-basis gate for this requirement under section 9 of the Digital Personal Data Protection Act, 2023.

If we become aware that we have inadvertently collected personal data from a person below 18, we will delete it within 30 working days of becoming aware. A parent or guardian who believes that a child's data has been provided to us may write to contact@noticemitra.in from the registered email address; we will action the deletion request and confirm in writing.

In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, 2023, the contact details of our Grievance Officer are:

Name: Priya Agarwal
Email: contact@noticemitra.in
Address: Jaipur, Rajasthan – 302017, India (full postal address available on written request to the grievance officer)

We will acknowledge a complaint within 48 hours and resolve it within 15 days of receipt, except where law prescribes a different timeline.

In the event of a personal-data breach affecting your information, we will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, in accordance with Section 8(6) of the Digital Personal Data Protection Act, 2023. We will also notify affected users without undue delay through their registered email and a banner in the dashboard, including the nature of the breach, the categories of data affected, the mitigation steps taken, and contact details of the Grievance Officer for queries or complaints.

We may update this Privacy Policy from time to time. The effective date at the top of this page will indicate the date of the most recent update. Material changes will be notified to you in your dashboard or by email.

For any question relating to this policy or your personal data, write to contact@noticemitra.in or to Priya Agarwal, Jaipur, Rajasthan – 302017, India.