How we handle your personal data

1. Who this policy applies to

This policy (“Policy”) applies to personal data collected by CA Siddharth A Shah & Associates (“we”, “our”, or “us”) through the website casiddharthshah.com and related digital services, including the Compliance Calendar tool and any consultation or subscription forms.

2. Data we collect

We collect only the personal data we need to respond to your request or provide a service you have signed up for:

• Contact data: name, email address, phone number, company name — when you fill out a contact or consultation form.
• Calendar inputs: entity type (Pvt Ltd, LLP, OPC, Proprietor), state, GST turnover band, financial year end, and optional flags (Section 115BAA opt-in, presumptive taxation, etc.) — when you use the Compliance Calendar.
• Entity Chooser inputs: stage, number of founders, expected revenue band, funding plans, liability tolerance, foreign-investment intent, employee plans, industry, compliance tolerance, and long-term goal — when you use the Entity Chooser tool at /tools/entity-chooser.
• Income Tax Calculator inputs: financial year, age band, regime preference, salary, deductions (80C, 80D, 80CCD, 80E, 80G, etc.), HRA details, capital gains buckets, and prepaid taxes — when you use the calculator at /tools/income-tax-calculator. Email is optional and only requested if you want a PDF report.
• Reminder preferences: email address and reminder cadence preferences, where you have opted into email reminders.
• Technical data: IP address, browser type, device type, referring URL, pages visited — collected via server logs and privacy-conscious analytics for security and product improvement.

We do not knowingly collect data from children under 18. We do not process sensitive personal data (biometric, health, financial account credentials) through this website.

3. Purposes for which we use your data

• To respond to your consultation request, proposal query, or other inbound communication.
• To generate and deliver the personalised Compliance Calendar you have requested.
• To send email reminders for compliance deadlines you have opted into.
• To send occasional knowledge-hub updates and firm announcements — only where you have provided explicit consent.
• To maintain the security, availability, and integrity of our services.
• To comply with applicable legal, tax, and regulatory obligations.

4. Legal basis under the DPDP Act, 2023

We process personal data on the basis of your consent (for reminders, marketing, and optional analytics) and legitimate uses recognised under Section 7 of the DPDP Act, 2023 (for responding to requests you have initiated and for security). Consent can be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.

5. Sharing your data

We do not sell your personal data. We share data only with:

• Data processors acting under contract on our instructions — for example, our email delivery provider (for reminder emails), our database host (for storing your calendar inputs and preferences), and our analytics provider.
• Legal and regulatory authorities where we are required to disclose by law, court order, or competent authority.
• Professional advisers bound by confidentiality obligations, where necessary for the provision of services to you.

Where processors are located outside India, we ensure that any cross-border transfer complies with the DPDP Act and any rules notified by the Central Government under Section 16 thereof.

6. Retention

• Contact and consultation data is retained for as long as you remain a client or prospect, and for a reasonable period thereafter for legal and audit purposes.
• Compliance Calendar inputs and reminder preferences are retained while your subscription is active. On unsubscribe or account deletion, we retain only the minimum data required for legal compliance (typically erasure is completed within 30 days).
• Server and security logs are retained for up to 12 months unless required for ongoing investigations.

7. Your rights under the DPDP Act

Subject to the DPDP Act, 2023, you have the right to:

• Access a summary of personal data we hold about you and the identities of third parties with whom it has been shared.
• Correction, completion, updation, and erasure of your personal data.
• Grievance redressal through the Data Protection Officer (see contact below).
• Nominate any other individual to exercise your rights in the event of your death or incapacity.
• Withdraw consent at any time. You can unsubscribe from reminder and marketing emails using the unsubscribe link in every email, or by emailing the contact below.

Requests are typically actioned within 30 days.

8. Security

We implement reasonable security practices consistent with the sensitivity of the data processed — encryption in transit (TLS), access controls on the database, logged administrative access, and vendor due diligence for any processor handling personal data on our behalf. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

9. Cookies and tracking

We use a minimal set of first-party cookies strictly necessary for the functioning of the website (such as maintaining your session). Any non-essential analytics cookies are loaded only with your explicit consent. You can disable cookies in your browser settings, which may affect the usability of some features.

10. Changes to this Policy

We may update this Policy from time to time. The updated version will be posted at this URL with a revised “Last updated” date. Material changes affecting your rights will be notified to you by email where we have your contact.

11. Contact us

For any questions, access requests, consent withdrawal, or grievances relating to your personal data: