Privacy policy
This policy explains how ComplAI (operated by GetComplAI Technologies Private Limited, "we", "us") collects, uses, and protects your personal data. It is published in compliance with the Digital Personal Data Protection Act 2023 (DPDPA) and the Information Technology Act 2000.
1. Who this policy applies to
This policy applies to all users of the ComplAI platform — including organisation admins, staff users, and company officers whose data is entered into the platform by their organisation.
2. Data we collect and why
| Category | Data collected | Purpose |
|---|---|---|
| Account data | Name, email address, mobile number, password (hashed) | Authentication, account management, notifications |
| Director / officer data | Full name, DIN, PAN (encrypted), Aadhaar (encrypted), passport number, date of birth, gender, residential address, email, mobile | MCA statutory compliance filings (Companies Act 2013) |
| Company data | CIN, registered address, shareholding details, financial records | Statutory register maintenance and MCA filing preparation |
| Usage data | IP address, browser/device type, pages visited, actions taken | Security monitoring, audit trail (legal obligation under the Companies Act) |
| Documents | Uploaded PDFs and supporting documents | Compliance case documentation |
We collect only the data necessary for the stated purpose (data minimisation).
3. Legal basis for processing
We process personal data on the following bases under DPDPA 2023:
- Consent (S.6) — obtained at account creation for processing account and usage data.
- Legitimate use (S.7(b)) — processing director and company data is necessary for compliance with the Companies Act 2013 and MCA obligations, which constitute a legal obligation.
- Contract (S.7(a)) — processing necessary to deliver the services you have subscribed to.
4. Third parties we share data with
| Third party | Data shared | Purpose |
|---|---|---|
| Probe42 (MCA data provider) | Company CIN only | Fetching public MCA registry data for compliance pre-fill |
| Brevo (email provider) | Recipient email address and name | Transactional emails (consent requests, notifications) |
| Amazon Web Services | All data — hosted on AWS ap-south-1 (Mumbai, India) | Cloud infrastructure. All data stays within India. |
We do not sell personal data. We do not transfer personal data outside India.
5. Data storage and security
- All data is stored on AWS servers in Mumbai, India (ap-south-1). Disaster recovery copies are maintained in Hyderabad, India (ap-south-2).
- Sensitive identifiers (Aadhaar, PAN) are encrypted at rest using AES-256-GCM.
- All data in transit is encrypted using TLS 1.2+.
- Access is controlled by role-based access control (RBAC) with organisation-level data isolation.
- Every data access and modification is recorded in an immutable audit log.
6. How long we keep your data
| Data type | Retention period | Reason |
|---|---|---|
| Audit logs | 180 days | Compliance and security investigation |
| Activity logs | 90 days | Operational monitoring |
| Account data (active users) | Duration of subscription + 1 year | Contractual obligation |
| Statutory compliance records | 8 years | Companies Act 2013 requirement |
| Database backups | 90 days (weekly snapshots), 30 days (daily dumps) | Disaster recovery |
7. Your rights as a data principal
Under the DPDPA 2023, you have the following rights:
- Right to access (S.11) — request a copy of your personal data held by us.
- Right to correction (S.11) — request correction of inaccurate or incomplete data.
- Right to erasure (S.13) — request deletion of your personal data (subject to legal retention obligations).
- Right to data portability (S.12) — request your data in a structured, machine-readable format.
- Right to withdraw consent (S.6) — withdraw consent at any time (this will not affect the lawfulness of prior processing).
- Right to grievance redressal (S.13(7)) — raise a complaint with us and, if unresolved, with the Data Protection Board of India.
To exercise any of these rights, use our data request form or email privacy@getcomplai.com. We will respond within 30 days.
8. Cookies
We use strictly necessary session cookies for authentication. We do not use tracking, advertising, or analytics cookies. No third-party cookies are set by our platform.
9. Changes to this policy
We will notify registered users by email at least 15 days before any material changes to this policy. Continued use of the platform after the effective date constitutes acceptance.
10. Contact
Data Protection Officer
GetComplAI Technologies Private Limited
Email: privacy@getcomplai.com
For grievances: Submit a data request