
Privacy Policy

Effective Date: [DATE — UPDATE BEFORE LAUNCH]   |  Last Updated: [DATE — UPDATE BEFORE LAUNCH]   |   Governing Law: India

1. Overview

Ledgr ("Ledgr", "we", "us", or "our") is a practice management Software-as-a-Service (SaaS) platform built exclusively for Chartered Accountant (CA) firms and practitioners registered under the Institute of Chartered Accountants of India (ICAI). We understand that our platform handles some of the most sensitive financial and personal data in existence — GST credentials, income tax records, PAN and Aadhaar details, bank information, and client financial histories.

This Privacy Policy explains what personal data we collect, how we process it, with whom we share it, how long we retain it, and the rights you have in relation to your data. We are committed to full compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act).

This policy applies to: (a) CA firms and practitioners who register for a Ledgr account ("Firms"); (b) staff members and authorised users invited to a firm's Ledgr workspace; and (c) visitors to our marketing website at askcapro.in.

Note for CA Firms: When you upload client data to Ledgr — including PAN numbers, financial statements, or GST credentials — you act as the Data Fiduciary under the DPDP Act 2023, and Ledgr acts as the Data Processor. Our Data Processing Agreement (DPA) governs this relationship. Please review the Data Processing Agreement alongside this Privacy Policy.

2. Who We Are

Data Fiduciary (for platform account data):
Ledgr Technologies Pvt. Ltd. [UPDATE BEFORE LAUNCH — confirm CIN and registered address]
Registered Office: [ADDRESS — UPDATE BEFORE LAUNCH]
Email: privacy@askcapro.in

For purposes of the DPDP Act 2023, Ledgr Technologies Pvt. Ltd. is the Data Fiduciary in respect of account registration data and platform usage data, and a Data Processor in respect of client personal financial data uploaded by CA firms.

3. Data We Collect

3.1 Account & Firm Registration Data

When a CA firm registers for Ledgr, we collect:

  • Firm name, registered address, and ICAI membership number
  • Firm admin name, designation, and professional email address
  • Mobile number (for OTP-based authentication and critical alerts)
  • GST registration number of the firm (if applicable)
  • Payment details processed via Razorpay (we do not store full card numbers; tokenisation is handled by Razorpay)
  • Billing address for invoicing under GST

3.2 Staff & User Data

For each user account created within a firm workspace:

  • Full name and work email address
  • Role and permission level assigned by the firm admin
  • Profile photograph (optional, user-uploaded)
  • Login timestamps and session activity for audit purposes

3.3 Client Financial Data (uploaded by CA firms)

CA firms upload and process client data on our platform. This data is owned by the CA firm and processed by Ledgr on their behalf. It may include:

  • Client PAN number and Aadhaar number (only the last 4 digits of the Aadhaar number are displayed in the interface; the full Aadhaar number is never stored unmasked)
  • Client name, address, date of birth, and contact information
  • GST Identification Number (GSTIN) and GST portal credentials (encrypted at rest)
  • Income Tax portal credentials (encrypted at rest using AES-256)
  • GST return data: GSTR-1, GSTR-3B, GSTR-9, GSTR-9C, GSTR-2B reconciliation data
  • TDS return data: Form 24Q, 26Q, 27Q, 27EQ; TDS certificates; TAN details
  • Income tax return data: ITR forms, AIS / Form 26AS data, advance tax computation
  • Bank account numbers and bank statements (uploaded for reconciliation purposes)
  • Financial statements, books of account, and supporting documents uploaded for compliance purposes
  • ROC / MCA filings, FEMA/RBI declarations, PF/ESI challans and returns
  • Digital Signature Certificate (DSC) expiry information

3.4 Usage & Technical Data

We automatically collect technical information when you use the platform:

  • IP address, browser type and version, operating system
  • Pages viewed, features used, and actions taken within the platform (for product improvement)
  • Session duration and navigation paths
  • Error logs and crash reports (processed via Sentry, our error monitoring provider)
  • API request logs (retained for security and audit purposes)

3.5 Communications Data

If you contact our support team or respond to surveys, we retain those communications to improve our service and to resolve disputes.

4. How We Use Your Data

We process personal data only for the following legitimate purposes:

Purpose | Lawful Basis
Providing the Ledgr SaaS service, including all compliance workflow features | Performance of contract (ToS)
User authentication, session management, and account security | Performance of contract; legitimate interests
Processing subscription payments via Razorpay | Performance of contract
Sending compliance deadline reminders, filing notifications, and critical alerts | Performance of contract; legitimate interests
Responding to support tickets and resolving disputes | Legitimate interests
Detecting, investigating, and preventing fraud, abuse, or security incidents | Legitimate interests; legal obligations
Improving the platform through aggregated, anonymised usage analytics | Legitimate interests (data is anonymised before analysis)
Complying with legal obligations: court orders, tax laws, regulatory requirements | Legal obligation
Sending product updates, feature announcements, and billing notifications | Legitimate interests (opt-out available)

We do not use client financial data uploaded by CA firms for any purpose other than delivering the contracted service. We do not build advertising profiles, sell data to data brokers, or use client financial data to train machine learning models without explicit written consent.

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data or your clients' data to any third party. Data is shared only in the following circumstances:

5.1 Sub-Processors (Service Providers)

We engage the following trusted sub-processors who process data on our behalf under data protection agreements:

Sub-Processor | Purpose | Data Transferred | Location
Amazon Web Services (AWS) | Cloud infrastructure, encrypted storage, database hosting | All platform data | India (ap-south-1, Mumbai)
Razorpay | Payment processing and subscription billing | Billing contact details, payment tokens | India
Sentry | Error monitoring and crash reporting | Error stack traces, anonymised session context | EU (data minimised)

All sub-processors are bound by contractual obligations equivalent to the protections in this Privacy Policy and the DPDP Act 2023. We review sub-processor agreements on an annual basis and will update this list when sub-processors change.

5.2 Legal Disclosures

We may disclose data if required to do so by law, court order, or a request from a government or regulatory authority with jurisdiction (including the Income Tax Department, GSTN, SEBI, RBI, or ICAI), provided such request is lawful and specific. We will, where legally permissible, notify affected firms before disclosing their data.

5.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, data may be transferred to the successor entity. We will provide at least 30 days' notice via email and in-app notification before any such transfer. If the successor entity's privacy practices are materially different, you will have the right to terminate your account and export your data.

5.4 With Your Explicit Consent

We share data in any other circumstances only with your prior, specific, and informed written consent.

6. Data Retention

We retain data for as long as necessary to deliver the service and meet our legal obligations:

Data Category | Retention Period | Basis
Active account & firm data | Duration of subscription + 7 years post-termination | CA firms are subject to statutory record-keeping obligations under the Chartered Accountants Act 1949 and the IT Act
Client financial data (GST, TDS, ITR records) | Duration of subscription + 7 years | Section 44AA Income Tax Act; GST audit provisions; CA firm professional obligations under ICAI
Audit logs (login history, data access, changes) | 7 years | IT Act 2000 s. 67C; DPDP Act 2023; standard forensic retention
Payment and billing records | 8 years | Companies Act 2013; GST Act (input tax credit reconciliation)
Support communications | 3 years from resolution | Limitation Act 1963 (dispute window)
Error logs and crash reports | 90 days | Operational; deleted on a rolling basis
Marketing communications (if opted in) | Until opt-out + 30 days | Consent-based

Upon account termination or subscription expiry, active processing ceases immediately. Data is moved to secure archival storage for the applicable retention period and then permanently and irreversibly deleted using NIST-compliant data destruction methods. Firms may request early deletion of specific data sets (subject to legal minimum retention requirements) by contacting privacy@askcapro.in.

7. Security Measures

Given the sensitivity of financial data processed on our platform, we implement layered security controls across people, processes, and technology:

  • Encryption at rest: All data stored on AWS is encrypted using AES-256. Database-level encryption is enabled on all RDS instances. Credential fields (GST passwords, IT portal passwords) are encrypted using an additional application-layer encryption key managed via AWS KMS, separate from the storage encryption key.
  • Encryption in transit: All data transmitted between your browser and our servers is protected by TLS 1.2 or TLS 1.3. HTTP connections are permanently redirected to HTTPS. HSTS is enforced.
  • Access controls: Role-based access control (RBAC) is enforced at the application layer. Database and infrastructure access is restricted to authorised engineering staff using multi-factor authentication (MFA) and time-limited credentials via AWS IAM. No employee has standing access to production databases.
  • Audit logging: Every data access, modification, export, and deletion event is logged with timestamp, user ID, IP address, and action taken. Audit logs are immutable and stored separately from primary application data.
  • Penetration testing: We conduct annual third-party penetration tests. Critical and high-severity findings are remediated within 30 days of identification.
  • Employee data handling: Staff who access production data undergo background checks and are bound by confidentiality agreements. Access is reviewed quarterly and revoked immediately upon departure.
  • Incident response: We maintain a documented incident response plan. In the event of a personal data breach, we will notify affected parties within 72 hours of becoming aware of it, and in any case within the timelines prescribed under the DPDP Act 2023.
  • Vulnerability management: Dependencies are scanned continuously. Security patches are applied within 7 days of release for critical vulnerabilities.

While we implement industry-standard security measures, no system is completely immune to attack. We strongly recommend that firm admins enable MFA for all workspace users and immediately report any suspected unauthorised access to security@askcapro.in.

8. Cookies & Tracking

We use a minimal, privacy-respecting set of cookies. We do not use third-party advertising cookies or tracking pixels.

Cookie Name / Type | Purpose | Duration | Type
ledgr_session | Authentication session token; identifies the logged-in user | Session (expires on logout or after 8 hours of inactivity) | Strictly necessary; httpOnly, Secure, SameSite=Strict
ledgr_csrf | CSRF protection token; prevents cross-site request forgery | Session | Strictly necessary; httpOnly, Secure
ledgr_prefs | User interface preferences (e.g., sidebar state, display density) | 1 year | Functional; first-party
_sentry_session | Sentry error monitoring; anonymous session identifier for error grouping | Session | Functional; anonymised, no PII

Authentication cookies are set as httpOnly and Secure, meaning they cannot be read by JavaScript and are transmitted only over HTTPS. The session cookie is additionally set with SameSite=Strict, so the browser does not attach it to requests originating from other sites. We do not use Google Analytics, Meta Pixel, or any advertising network scripts on the authenticated platform.

Our marketing website (askcapro.in) may use anonymised analytics. A cookie consent banner will obtain your consent before any non-essential cookies are set, in line with Indian data protection norms.

9. Your Rights Under DPDP Act 2023

The Digital Personal Data Protection Act, 2023 grants the following rights to Data Principals (individuals whose data is processed). These rights apply to personal data held by Ledgr about you as an account holder, firm admin, or staff user:

  • Right to Access (Section 11): You may request a summary of the personal data we hold about you and information about how it has been processed. We will respond within 30 days.
  • Right to Correction and Erasure (Section 12): You may request correction of inaccurate personal data or erasure of personal data that is no longer necessary for the purpose for which it was collected. Erasure requests are subject to our legal retention obligations (see Section 6).
  • Right to Grievance Redressal (Section 13): You have the right to readily available means of grievance redressal in respect of any act or omission by Ledgr concerning your personal data. Grievances will be addressed within 30 days of receipt.
  • Right to Nominate (Section 14): You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.
  • Right to Withdraw Consent: Where processing is based on consent (e.g., marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing. Withdrawal of consent for processing necessary to deliver the service will result in account termination.

To exercise any of these rights, please submit a written request to privacy@askcapro.in with the subject line "DPDP Rights Request". We will verify your identity before processing the request. We aim to respond within 30 days; complex requests may require up to 72 additional hours of processing time.

Note for CA Firms regarding client data: If your end-clients (whose financial data you upload to Ledgr) exercise data rights, those requests are directed to you as the Data Fiduciary. Ledgr, as Data Processor, will assist you in fulfilling such requests within 72 hours as provided in our Data Processing Agreement.

If you believe your rights under the DPDP Act have been violated and your grievance has not been addressed satisfactorily, you may lodge a complaint with the Data Protection Board of India once it is constituted under the DPDP Act 2023.

10. Third-Party Links

The Ledgr platform may contain links to government portals (GSTN, Income Tax e-filing portal, MCA21) and other third-party websites for your convenience. We are not responsible for the privacy practices of those sites. We recommend reviewing their privacy policies before submitting any data. Government portal credentials that you enter into Ledgr's credential vault are stored only in encrypted form (see Section 7) and are used solely for automated filing operations on your behalf; they are never displayed back in plaintext or shared with third parties.

11. Children's Privacy

Ledgr is a B2B professional services platform intended solely for registered CA firms and their authorised staff. It is not directed at, and we do not knowingly collect personal data from, individuals under the age of 18. If we become aware that a user under 18 has registered without authorised parental or guardian consent, we will delete that account immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — such as introducing new data processing purposes, adding new sub-processors, or changes affecting your rights — we will provide at least 30 days' advance notice by:

  • Email to the registered firm admin email address
  • Prominent in-app notification on login
  • Publishing the updated policy on this page with a revised "Last Updated" date

Your continued use of the platform after the effective date of changes constitutes acceptance of the revised policy. If you do not accept material changes, you may terminate your account and export your data before the effective date.

13. Contact & Grievance Redressal

For any privacy-related queries, rights requests, or complaints, contact our designated Privacy Officer:

Privacy Officer — Ledgr Technologies Pvt. Ltd.

Name: [NAME — UPDATE BEFORE LAUNCH]

Email: privacy@askcapro.in

Address: [ADDRESS — UPDATE BEFORE LAUNCH]

Response time: Within 30 days of receipt

For urgent security incidents or suspected data breaches, contact security@askcapro.in. We treat security reports as high priority and will acknowledge receipt within 4 hours during business hours (Mon–Sat, 9am–7pm IST).

This Privacy Policy is governed by the laws of India. Any disputes arising from this policy are subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra, India.