Privacy Policy

Bhargav Rajurkar & Co., Practising Company Secretaries (the firm, we, us) collects and processes personal data through this portal and through direct communication with you. We act as the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (the DPDP Act) for the personal data we hold about you. We collect and process personal data to deliver the professional services you engage us for and to comply with applicable Indian law.

We collect, broadly:

• Identity: full name, gender, date of birth, PAN, Aadhaar (last four digits stored; OTP-verified), passport (foreign founders), photograph from KYC.
• Contact: email address, mobile number.
• Address: permanent and current residential addresses; registered office of the proposed entity.
• Entity details: proposed entity name, shareholding, contribution, business description.
• Documents: PAN, Aadhaar / utility bill / passport copies, office utility bill, NOC from owner, photos.
• Financial: Razorpay transaction reference; we do not store card or UPI details.
• Communications: emails, WhatsApp messages, and notes you exchange with us.

• Performance of the engagement: filing forms with the Ministry of Corporate Affairs and other authorities you have engaged us to file with.
• Statutory compliance: the Prevention of Money Laundering Act, 2002 (PMLA) for client KYC retention; the Income Tax Act and the Companies Act for record-keeping.
• Account operation: authenticating you and partners on the dashboard; sending you status updates by email and WhatsApp.

We do not process your personal data for marketing without your explicit consent.

The following processors handle your data on our behalf, under contractual safeguards:

• Supabase (United States / global): database hosting and document storage, encrypted in transit and at rest, access controlled by Row-Level Security.
• Vercel (United States / global): hosting of this website and the application that serves it.
• Razorpay (India): payment processing.
• Zoho Mail and Zepto Mail (India): transactional and inbox email.
• Google (Gemini API, global): AI suggestion of likely NIC code categories from your business description (informational only — paralegal confirms before filing).

We use AI to suggest likely NIC business-activity codes from your business description. This suggestion is informational; a human paralegal reviews and confirms the final NIC code before any government filing. No legal or fiscal effect arises from the automated suggestion alone.

Required cookies — used to keep you signed in and to maintain your session — are always on. They are necessary to operate the portal and cannot be declined without losing the ability to log in.

Analytics cookies — Google Analytics 4, configured with Consent Mode v2 — are off by default and only run if you click Accept in the consent banner shown on your first visit. The analytics signal is aggregated and is never used to identify you individually or sold to third parties. If you click Reject, no analytics identifiers are stored and GA4 receives only modelled, cookieless signals. You can change this choice at any time by clearing the cs-portal-consent-v1 entry in your browser's local storage; on the next visit you will be prompted again.

We do not use advertising or third-party retargeting cookies.

We retain your records for the periods required by Indian law, typically eight years from completion of the engagement (per Companies Act 2013 and PMLA record-keeping rules). You may request earlier erasure of data not subject to a statutory retention obligation by writing to the Grievance Officer, or by filing a deletion request from your dashboard (Settings → Delete account).

If you cancel an engagement before completion: KYC documents and personal data uploaded for that engagement are retained for 90 days from the cancellation date (to allow for re-activation) and then purged. Any filings already submitted to MCA on your behalf continue to be retained for the full statutory period because we are legally obligated to preserve them.

Our primary processors (database, payments, KYC, email) are accessed within India. Some processors (Supabase, Vercel, Google) operate globally and may store backups outside India in jurisdictions permitted under applicable Indian law. We do not transfer to restricted jurisdictions.

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

Connections to this portal are encrypted with TLS. The database is encrypted at rest and access is gated by Row-Level Security. We follow the principle of least privilege for staff access. Where we suspect a personal data breach, we will notify affected persons and the appropriate authorities as required by Indian law.

As a Data Principal you have the following rights in respect of the personal data we hold about you. Some rights are limited where law mandates retention (for example PMLA-mandated KYC records and Companies Act records).

• Right to access (§11): request a summary of the personal data we hold about you, the processing activities we have undertaken, and the processors and entities with whom it has been shared. A self-serve JSON snapshot is available from your dashboard at Settings → Portability; you may also write to the Grievance Officer for a written summary.
• Right to correction and erasure (§12): request correction of inaccurate or incomplete data; request erasure of data not subject to a statutory retention obligation. We will action correction requests within seven working days where the data is not on a filed government form; for data already in a filing, we will record the correction in our records and reflect it in the next applicable filing.
• Right to portability: download a machine-readable export of your data from Settings → Portability on the dashboard.
• Right of grievance redressal (§13): raise a grievance with the Grievance Officer below. We respond within seven working days.
• Right to nominate (§14): nominate another individual who may exercise these rights on your behalf in the event of your death or incapacity. Write to the Grievance Officer with the nominee's details to record a nomination.
• Right to withdraw consent: withdraw any previously-granted consent (for example, the analytics-cookie consent). Withdrawal does not affect the lawfulness of processing already carried out under consent, and does not affect processing required for the performance of an active engagement or for statutory compliance.

If you are not satisfied with our response, you may complain to the Data Protection Board of India once that authority is in operation. Until then, the Grievance Officer is the first-instance redressal channel.

Material changes will be reflected here with a new effective date. The latest version is always at this URL.