
Privacy Policy

Last reviewed: 12 May 2026 — Compliant with the Digital Personal Data Protection Act, 2023 (India)

This Privacy Policy explains how Swaptions Advisory LLP ("we", "us") collects, uses, and protects personal data when you use the Audit Suite platform ("Service"). It applies to subscribing CA firms ("Customers"), individual staff members of those firms ("Users"), and audit clients of those firms who use the client portal ("Portal Users").

1. Who controls your data

For account data, billing data, and platform usage logs, Swaptions Advisory LLP is the Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act").

For Customer Data (audit working papers, client records, time entries, etc.) that subscribing firms upload, the subscribing firm is the Data Fiduciary and we act as a Data Processor on their behalf.

2. What data we collect

| Category | Examples | Purpose |
|---|---|---|
| Account | Name, email, phone, ICAI registration number, firm address | Identification, billing, support |
| Authentication | Username, hashed password, session tokens | Secure access control |
| Customer Data | Audit clients' names, financials, working papers, time entries, materiality, letters — whatever you upload | Service delivery as instructed by you |
| Communications | Emails sent through your SMTP, WhatsApp click-to-chat metadata | Operational logs only — message bodies not stored |
| Usage logs | IP, browser, login/logout times, audit-log actions | Security, abuse prevention, regulatory compliance |
| Cookies | HTTP-only authentication cookie (12-hour expiry); long-lived tenant-slug cookie | Keep you signed in; route to your firm subdomain |

3. How we use your data

  • To provide and operate the Service (mandatory)
  • To process payments and send billing reminders
  • To respond to support requests
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations (e.g. responding to lawful government requests)

We do not sell personal data to third parties. We do not use Customer Data to train AI models. We do not use Customer Data for advertising.

4. Where data is stored

Audit Suite is hosted on servers operated by Hetzner Online GmbH, located in Nuremberg, Germany (European Union). Data is stored in encrypted SQLite databases on those servers, with sensitive credentials (SMTP passwords, API keys) further encrypted at rest using AES-256-GCM.

Under Section 16 of the DPDP Act, the Central Government has not (as of this revision date) restricted transfer of personal data to Germany.

5. Sharing & disclosures

We share data only with:

  • Service providers who help us operate the Service (Hetzner — hosting; your chosen SMTP relay — email delivery; payment processor — TBD). Each is bound by data processing agreements.
  • Law enforcement when required by valid Indian legal process. We notify you unless legally prohibited.
  • Successor entities in the event of a merger, acquisition, or sale — bound by this Policy.

We will never share your audit clients' financial data with third parties for commercial purposes.

6. Security measures

  • HTTPS / TLS 1.2+ for all traffic (wildcard certificate from Let's Encrypt)
  • Bcrypt-hashed passwords (cost factor 10) — we never store plaintext passwords
  • AES-256-GCM encryption for SMTP / WhatsApp / Anthropic credentials
  • JWT authentication with 12-hour rotating session tokens
  • Tenant isolation — separate SQLite database file per CA firm
  • Audit log of all sensitive actions (logins, deletions, role changes)
  • Rate limiting on login endpoints
  • Self-service password reset with single-use, hashed reset tokens

No system is perfectly secure. If you discover a vulnerability, please email info@swaptionsadvisory.com — we will treat it confidentially.

7. Your rights under the DPDP Act

As a Data Principal you have the right to:

  • Access — request a copy of your personal data we hold
  • Correction — update inaccurate or incomplete information
  • Erasure — request deletion (subject to record-keeping obligations)
  • Withdraw consent for any processing you previously consented to
  • Grievance redressal — complain to our Grievance Officer (see Section 10) and, if unresolved, to the Data Protection Board of India
  • Nominate a representative to exercise these rights in case of death or incapacity

To exercise any right, email info@swaptionsadvisory.com. We will respond within 30 days.

8. Data retention

  • Active subscriptions — data retained for the duration of the subscription
  • Cancelled subscriptions — full data export available for 30 days, then archived
  • Archived tenants — retained for [7 years] to comply with the Companies Act 2013 and Income Tax Act audit-record requirements, then permanently deleted
  • Login & audit logs — retained for [12 months]

9. Children

Audit Suite is not directed at children under 18. We do not knowingly collect data from anyone under 18.

10. Grievance Officer

In accordance with Section 8(7) of the DPDP Act:

Name: Vanga Dinesh Kumar Goud
Designation: Founder & Principal
Email: info@swaptionsadvisory.com
Address: Swaptions Advisory LLP, 1st Floor, 1-2-6 Gaganmahal Road, Liberty Circle, Himayatnagar, Hyderabad – 500029

11. Changes to this Policy

We will notify you at least 14 days in advance of any material change by email to the account contact and via an in-app banner.

12. Contact

For any privacy-related questions, write to info@swaptionsadvisory.com or use the Contact page.

Swaptions Advisory LLP — 1st Floor, 1-2-6 Gaganmahal Road, Liberty Circle, Himayatnagar, Hyderabad – 500029.