GDPR Policy

How we protect the rights of individuals under the General Data Protection Regulation.

Last updated: 01 April 2026
Effective: 01 April 2026

1. Introduction

Tax Sahayogi is committed to protecting the privacy and personal data of all individuals, including those located in the European Union (EU) and European Economic Area (EEA). While Tax Sahayogi is primarily designed for Chartered Accountants in India, we recognise that our platform may be accessed by users in the EU/EEA, and we are committed to complying with the General Data Protection Regulation (EU) 2016/679 (GDPR) where applicable.

This policy explains how we collect, process, and protect personal data in accordance with GDPR requirements, and outlines the rights available to data subjects.

2. Data Controller

Sahayogi One Private Limited is the Data Controller responsible for determining the purposes and means of processing personal data collected through the Tax Sahayogi platform.

We process personal data only when we have a valid legal basis under Article 6 of the GDPR. The legal bases we rely on include:

  • Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for a specific purpose, such as marketing communications or optional analytics. You may withdraw consent at any time.
  • Contract Performance (Article 6(1)(b)): Processing that is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This includes providing our AI-powered tax assistance services, managing your account, and processing payments.
  • Legitimate Interests (Article 6(1)(f)): Processing that is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include improving our services, ensuring platform security, preventing fraud, and conducting analytics to enhance user experience.

We do not process special categories of personal data (Article 9) unless explicit consent is obtained and such processing is strictly necessary.

4. Data Subject Rights

Under the GDPR, you have the following rights in relation to your personal data:

  • Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
  • Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
  • Right to Erasure (Article 17): You have the right to request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent.
  • Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you. Where our AI features involve automated processing, we ensure meaningful human oversight and provide you with the right to request human review.

5. How to Exercise Your Rights

To exercise any of your rights under the GDPR, please contact our Data Protection Officer:

When submitting a request, please provide sufficient information to verify your identity. We will respond to all legitimate requests within 30 days of receipt. If your request is particularly complex or we receive a high volume of requests, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.

There is no fee for exercising your rights. However, if your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on it, in accordance with Article 12(5) of the GDPR.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

6. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our compliance with the GDPR and to serve as a point of contact for data subjects and supervisory authorities.

  • Designation: Data Protection Officer
  • Email: dpo@sahayogione.com
  • Company: Sahayogi One Private Limited

You may contact the DPO with any questions or concerns regarding the processing of your personal data or the exercise of your rights under the GDPR.

7. International Data Transfers

Tax Sahayogi's primary infrastructure is hosted on Microsoft Azure in Central India. As our services are provided from India, personal data of EU/EEA users is transferred outside the European Economic Area.

To ensure adequate protection of your personal data during international transfers, we implement the following safeguards:

  • Standard Contractual Clauses (SCCs): Where personal data is transferred from the EU/EEA to India or other countries, we rely on European Commission-approved Standard Contractual Clauses to provide appropriate safeguards for the transfer.
  • Microsoft Data Processing Addendum: Transfers to Azure and Azure OpenAI services are governed by Microsoft's Data Processing Addendum, which includes Standard Contractual Clauses and supplementary measures.
  • Supplementary Measures: We implement additional technical and organisational measures, including encryption and access controls, to ensure that the level of protection provided by the GDPR is not undermined by the transfer.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will take the following actions in accordance with Articles 33 and 34 of the GDPR:

  • Notification to Supervisory Authority: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
  • Notification to Data Subjects: Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, providing a description of the breach, its likely consequences, and the measures we have taken or propose to take to address it.
  • Documentation: All data breaches are documented, including the facts of the breach, its effects, and the remedial actions taken. This documentation is maintained for regulatory review.
  • Root Cause Analysis: Following any breach, we conduct a thorough investigation and implement corrective measures to prevent recurrence.

9. Changes to This Policy

We may update this GDPR Policy from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify registered users via email or in-app notification of any significant changes.
  • Where required by law, obtain your consent to any material changes in how we process your personal data.

We encourage you to review this policy periodically to stay informed about how we protect your personal data.

10. Contact

For any questions or concerns regarding this GDPR Policy or our data protection practices, please contact us: