Applicable law: This Privacy Policy is issued in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act); the Digital Personal Data Protection Rules, 2025 (DPDP Rules); the Information Technology Act, 2000 (IT Act); the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules); and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Please read this policy carefully before using our services.
1. Identity of the Data Fiduciary
Altereme (a sole proprietorship registered and operating in India, hereinafter the "Data Fiduciary", "we", "us", or "our") is a financial compliance, audit intelligence, and ERP platform accessible at altereme.com and its sub-domains.
Altereme may act in different legal roles depending on the nature of the data and the purpose for which it is processed.
For account registration, authentication, billing, platform usage, support, marketing, security, and service administration data, Altereme acts as the Data Fiduciary because it determines the purpose and means of processing such data.
For client financial data, invoices, GST records, Tally data, uploaded documents, and other information uploaded or synced by a professional user on behalf of their clients, Altereme generally acts as a Data Processor / technology service provider, processing such data on the user's instructions, unless Altereme independently determines the purpose and means of processing for a specific activity.
You, the individual accessing or using our services, are the Data Principal under Section 2(j) of the DPDP Act in relation to your own personal data. Where you process client data through the Platform, you are responsible for ensuring that you have the necessary authority, consent, or legal basis to do so.
| Registered name | Altereme |
| Nature of entity | Sole Proprietorship, India |
| Contact email | karan@altereme.com |
| WhatsApp | +91 96191 76008 |
| Grievance Officer | Karan — karan@altereme.com |
2. Definitions
| Personal Data | Any data about an individual who is identifiable by or in relation to such data [S.2(t), DPDP Act, 2023]. |
| Sensitive Personal Data or Information (SPDI) | As defined under Rule 3, SPDI Rules, 2011: passwords; financial information (bank account, credit/debit card, payment instrument details); physiological and mental health data; sexual orientation; medical records; and biometric information. |
| Data Fiduciary | Person who alone or jointly determines the purpose and means of processing personal data [S.2(i), DPDP Act, 2023]. Altereme acts as Data Fiduciary for account, billing, authentication, support, security, marketing, and platform administration data, and may act as a Data Processor / technology service provider for client data uploaded or synced by professional users. |
| Data Principal | The individual to whom the personal data relates [S.2(j), DPDP Act, 2023] — i.e., you. |
| Data Processor | Any person who processes personal data on behalf of a Data Fiduciary [S.2(k), DPDP Act, 2023]. |
| Processing | Wholly or partly automated operations on digital personal data — including collection, storage, use, disclosure, erasure, or destruction [S.2(x), DPDP Act, 2023]. |
| Consent | Free, specific, informed, unconditional, and unambiguous consent given through a clear affirmative action [S.6, DPDP Act, 2023]. |
| Platform / Service | The Altereme web application, Tally Connector desktop application, APIs, and all related services. |
3. Notice and Consent — Our Obligations Under the DPDP Act, 2023
Under Section 5 of the DPDP Act, 2023, we are required to give you a clear and plain-language notice before or at the time of collecting your personal data, describing: (a) the personal data being collected and the purpose of its processing; (b) the manner in which you may exercise your rights as a Data Principal; and (c) how you may withdraw consent and file a complaint.
Under Section 6 of the DPDP Act, 2023, we process your personal data only upon obtaining your free, specific, informed, unconditional, and unambiguous Consent, which you give by:
- Submitting a beta access request form;
- Creating an account on the Platform; or
- Continuing to use the Platform after this policy has been made available to you.
Right to withdraw consent: You may withdraw your consent at any time by contacting us at karan@altereme.com or via WhatsApp at +91 96191 76008. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal. Upon a valid withdrawal request, we will cease processing and initiate deletion subject to our legal retention obligations in Section 9.
Where processing is based on a ground other than consent (such as a legal obligation or compliance with a court order), we will clearly state that ground at the point of collection.
4. Personal Data We Collect and the Purpose of Collection
We collect only such personal data as is necessary for the specified purpose and do not retain it beyond what is required — consistent with the data minimisation principle under the DPDP Act, 2023 and Rule 5(2) of the SPDI Rules, 2011.
4.1 Data You Provide Directly
- Account and beta access registration: full name, work email address, organisation or firm name, professional role, and whether you use Tally locally. Purpose: account creation, authentication, and onboarding communications.
- Support and communications: information provided when contacting us. Purpose: responding to queries and grievances.
- Billing information: billing contact name, address, and payment method details. Payment card data is processed exclusively by our PCI-DSS compliant payment gateway; Altereme does not store, process, or transmit full card numbers, CVV, or PINs. Purpose: subscription management and GST-compliant invoicing.
4.2 Sensitive Personal Data or Information (SPDI)
The following information processed through our Platform constitutes SPDI under Rule 3 of the SPDI Rules, 2011, and is subject to enhanced protection obligations under Rule 6 (disclosure with consent only) and Rule 8 (reasonable security practices):
- Financial information: bank account details, GST invoice data, TDS records, payment entry data, and related financial records synced via Tally or uploaded directly.
- Passwords and credentials: account passwords (stored as salted cryptographic hashes — never in plaintext) and GSTN/GSP credentials (stored using application-level encryption).
We collect SPDI only with your express consent and only to the extent strictly necessary to provide the Service. We do not transfer SPDI to any third party except with your prior consent or as required by law [Rule 6, SPDI Rules, 2011].
4.3 Financial and Compliance Data You Upload
- Tally sync data: sales invoices, purchase invoices, credit notes, debit notes, ledger entries, and GST data from your local Tally instance. Purpose: GSTR-2B reconciliation, ITC checks, audit findings generation.
- GSTR-2B data: JSON or file uploads from the GSTN portal. Purpose: ITC mismatch detection, Section 16(2) and 17(5) checks.
- Uploaded documents: invoices, certificates, and financial statements uploaded for OCR processing. Purpose: document intelligence and audit trail generation.
- GSTN credentials: GSP/ASP access credentials where you opt to enable live GSTN integration. Purpose: automated GSTR-2B retrieval at your express direction.
All data in this section is your data and your clients' data. We have no proprietary claim over it. We process it solely to render the Platform services to you.
4.4 Data Collected Automatically
- Usage data: features accessed, API calls, session duration, and navigation patterns. Purpose: security, debugging, and anonymised product improvement.
- Device and technical data: IP address, browser type, operating system, and device identifiers. Purpose: fraud prevention, security monitoring, and service delivery.
- Server logs: request timestamps, HTTP status codes, and error events. Purpose: system reliability and incident investigation.
5. Cookies and Tracking Technologies
We use the following cookies on our Platform in accordance with the IT Act, 2000:
- Strictly necessary cookies: required for authentication, session management, and security. These cannot be disabled without impairing core functionality. No consent is required for these under applicable law.
- Functional cookies: retain your preferences and in-platform settings. Used with your implied consent on continued use.
- Analytics cookies: collect anonymised, aggregated data on feature usage. You may opt out at any time via your account settings or by emailing us.
We do not use advertising cookies, cross-site tracking cookies, or any third-party behavioural profiling technology.
6. Lawful Basis for Processing
We process personal data on the following lawful bases under the DPDP Act, 2023:
- Consent [S.6, DPDP Act]: the primary basis for processing personal data for service delivery, communications, and analytics.
- Certain legitimate uses [S.7, DPDP Act]: including compliance with any law or order of a court or tribunal in India; prevention or detection of fraud; and processing for the performance of a function of the State or a statutory obligation — where applicable.
- Contractual necessity: processing necessary to perform the contract for the provision of the Platform services to you.
- Legal obligation: compliance with Indian law including the Income Tax Act 1961, CGST Act 2017, Companies Act 2013, and lawful orders of government authorities.
7. Sharing and Disclosure of Personal Data
We do not sell, trade, rent, or share your personal data or your clients' financial data with any third party for commercial purposes. Disclosure occurs only as follows:
7.1 Data Processors (Sub-Processors)
We use the following third-party service providers to process data for platform operations. Where legally required or commercially available, we rely on their applicable data processing terms, security terms, or written agreements.
| Authentication provider | Account signup, login, password handling, session management, and authentication security. Account passwords are handled by the authentication provider and are not stored in plaintext by Altereme application code. |
| Cloud hosting and infrastructure provider | Hosting backend services, databases, file storage, logs, and platform infrastructure required to operate the Service. |
| External AI providers | AI inference for audit assistance, document understanding, fraud and risk analysis, compliance explanation, and related platform features. Some prompts may include OCR text, document excerpts, or structured financial context required to provide the requested feature. |
| OCR and document processing providers | Extraction of text, tables, and structured data from uploaded documents or images. Uploaded documents may be transmitted to configured OCR or document processing providers for extraction. |
| Payment gateway | Processing subscription payments in compliance with applicable payment security and regulatory requirements. Altereme does not store full card numbers, CVV, or PINs. |
We may provide additional information about specific service providers or subprocessors to enterprise customers, auditors, or regulators where required by law, contract, or due diligence process.
We do not use User Content to train Altereme-owned AI models without express consent. External AI providers may process submitted prompts and outputs under their own service terms, data processing terms, and retention configurations. Users should avoid uploading unnecessary personal, sensitive, or confidential information unless required for the requested feature.
7.2 GSTN / GSP Integration
Where you enable live GSTN portal integration, we transmit your GSTIN credentials and queries to a GSTN-authorised GSP/ASP to retrieve your own government-held filings. This is at your express direction and constitutes your use of a government service.
7.3 Client Share Links
If you generate a client share link, the named recipient gains read-only access to the specific audit report you choose to share. Links are HMAC-SHA256 signed, read-only, and expire after 7 days. You control who receives these links.
7.4 Legal Disclosure
We may disclose personal data when required by a court order or competent government or regulatory authority in India — including under the Income Tax Act, Prevention of Money Laundering Act 2002, or any order of the Data Protection Board of India under the DPDP Act, 2023. We will notify you where legally permitted.
7.5 Business Transfer
In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity subject to it assuming equivalent obligations. We will notify you at least 30 days before such a transfer.
8. Cross-Border Transfer of Personal Data
Under Section 16 of the DPDP Act, 2023, the Central Government may restrict transfers of personal data to certain countries or territories. We will comply with all such restrictions as notified.
Certain Data Processors (including LLM inference providers) are located outside India. For such cross-border processing:
- Some AI features may transmit OCR text, document excerpts, or structured financial context to LLM providers located outside India for inference. Where technically feasible, we minimise unnecessary identifiers in AI prompts; however, uploaded documents or financial records may contain personal, business, tax, or banking identifiers that are processed as part of the requested AI/OCR feature.
- All cross-border transfers are governed by data processing agreements requiring equivalent protection standards.
- We will update this Policy if the Central Government notifies restricted countries under Section 16 of the DPDP Act.
9. Data Retention
We retain personal data only as long as necessary for the stated purpose or as required by law — consistent with the DPDP Act, 2023 and the SPDI Rules, 2011.
| Account and profile data | Duration of account activity, plus 90 days following closure for data export. |
| Financial and transactional records (invoices, GST records, audit trails) | Minimum 8 years from end of the relevant financial year — per S.128, Companies Act, 2013; S.44AA, Income Tax Act, 1961; and Rule 56, CGST Rules, 2017. |
| Billing and payment records | 7 years, as required for GST compliance under the CGST Act, 2017. |
| Server and access logs | 90 days (operational); up to 180 days for security incident investigation. |
| Support communications | 3 years from the date of last communication. |
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised such that it can no longer be attributed to an identifiable individual.
10. Security of Personal Data
Under Section 8(5) of the DPDP Act, 2023 and Rule 8 of the SPDI Rules, 2011, we implement reasonable security practices. Our measures include:
- Production services are intended to be served over HTTPS/TLS. Minimum TLS versions depend on deployed infrastructure configuration.
- Selected sensitive credentials are encrypted at the application layer. Encryption at rest for the database and for the cloud hosting and infrastructure provider depends on the configured infrastructure.
- JWT-based authentication with ES256 signatures validated against the authentication provider's signing keys. Tokens expire automatically.
- Most production app routes enforce application-level organisation checks. Some legacy, test, or helper routes may require additional hardening.
- GSTN portal passwords are encrypted before storage; related metadata and session fields may be stored separately. Account passwords are handled by the authentication provider and are not stored in plaintext by Altereme application code.
- Client share links are signed with HMAC-SHA256 and expire after 7 days.
- Production infrastructure and personal data are accessible only to authorised personnel on a need-to-know basis.
- In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principal(s) in the manner prescribed under the DPDP Act, 2023 and applicable rules.
11. Your Rights as a Data Principal
Under the DPDP Act, 2023, you have the following rights. To exercise any of them, write to karan@altereme.com with the subject line "Data Principal Rights Request — [Your Name]". We will acknowledge within 48 hours and respond within 7 days.
11.1 Right to Access Information [S.11]
You may obtain: (a) a summary of personal data being processed and the processing activities undertaken; (b) the identities of all Data Processors and Data Fiduciaries with whom your data has been shared; and (c) any other information as prescribed.
11.2 Right to Correction and Erasure [S.12]
You may: (a) correct inaccurate or misleading personal data; (b) complete incomplete data; (c) update data that is out of date; and (d) request erasure of data where it is no longer necessary for the purpose of collection — subject to our legal retention obligations in Section 9.
11.3 Right to Withdraw Consent [S.6(4)]
You may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing. We will cease processing and initiate deletion upon receipt of a valid withdrawal, subject to retention obligations.
11.4 Right to Grievance Redressal [S.13]
You have the right to have grievances relating to our processing of your personal data addressed by our Grievance Officer within the timeframe in Section 13 below.
11.5 Right to Nominate [S.14]
You may nominate any individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
11.6 Right to Complain to the Data Protection Board
If you are unsatisfied with our grievance resolution, you may file a complaint with the Data Protection Board of India established under Section 18 of the DPDP Act, 2023.
12. Duties of the Data Principal [S.15, DPDP Act]
Under Section 15 of the DPDP Act, 2023, as the Data Principal you have the following statutory duties:
- Not to impersonate another person while providing personal data for any specified purpose;
- Not to suppress material information while providing personal data for any document, proof of identity, or address;
- Not to register a false or frivolous grievance or complaint with us or the Data Protection Board; and
- To furnish only authentic information while exercising the right to correction.
13. Grievance Officer
In accordance with Rule 3(2)(d) of the IT (Intermediary Guidelines) Rules, 2021 and Section 13 of the DPDP Act, 2023:
| Name | Karan |
| Designation | Founder and Grievance Officer / Privacy Contact, Altereme |
| Email | karan@altereme.com |
| WhatsApp | +91 96191 76008 |
| Working hours | Monday to Friday, 10:00 AM – 6:00 PM IST |
| Acknowledgement | Within 24 hours of receipt |
| Resolution | Within 7 days of receipt (IT Intermediary Guidelines Rules, 2021) |
14. Children's Data [S.9, DPDP Act]
The Platform is a professional financial services tool not directed at children. Under Section 9 of the DPDP Act, 2023, processing of personal data of children requires verifiable parental consent. We do not knowingly collect personal data from individuals under 18 years of age and will delete any such data immediately upon becoming aware of it.
15. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in law, regulatory requirements, or our services. For material changes, consistent with Section 5 of the DPDP Act, 2023, we will:
- Notify you by email at least 30 days before the revised policy takes effect;
- Display a prominent notice within the Platform; and
- Obtain fresh consent where the change involves a new purpose of processing or a new category of personal data.
Effective date: 1 June 2026 · Last updated: 1 June 2026