CorpFy AI ™

Privacy Policy

CorpFy AI ™ — Effective: 1 January 2026 | Compliant with DPDP Act 2023 & IT Rules 2011

1. Introduction

Welcome to CorpFy AI ™. We are committed to protecting your privacy and ensuring transparency in how we collect, use, and safeguard your personal information. Our AI-powered SaaS platform provides end-to-end support for startups in India, including company registration, legal assistance, tax and compliance, HR and payroll, investor collaboration, and intellectual property protection. This Privacy Policy is compliant with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Information Technology Act, 2000.

2. Information We Collect

We may collect the following categories of information:

  • Personal Information: Name, email address, phone number, date of birth, identification details (e.g., PAN, Aadhaar, GSTIN, Director Identification Number).
  • Business Information: Company name, incorporation documents, MCA filings, tax records, payroll data, investor details, share cap table data.
  • Financial Information: Payment details, bank account information (for payroll), invoices, compliance filings.
  • Sensitive Personal Data or Information (SPDI): Financial information, passwords, and biometric data where collected, governed under the IT (SPDI) Rules, 2011.
  • Usage Data: Log files, IP addresses, browser type, device information, session duration, and activity logs on our platform.
  • AI-Generated Insights: Compliance recommendations, alerts, and document drafts generated by our AI engine.
  • Cookies & Tracking Data: Please refer to Section 11 (Cookie Policy) below.

3. Legal Basis for Processing

We process your personal data on the following legal grounds as applicable under the DPDP Act, 2023 and Indian law:

  • Consent: You have provided explicit consent for specific processing activities (e.g., marketing communications, sharing data with VC partners).
  • Contract Performance: Processing is necessary to deliver the Services you have subscribed to (e.g., company registration, payroll processing).
  • Legal Obligation: Processing is required to comply with applicable Indian laws (e.g., GST filings, MCA reporting, IT Act compliance).
  • Legitimate Interests: Processing is necessary for our legitimate business interests, including platform security, fraud prevention, and service improvement, provided these do not override your rights.

4. How We Use Your Information

We use your information to:

  • Provide and improve our SaaS services, AI features, and user experience.
  • Facilitate company registration, legal filings, tax compliance, and HR/payroll processing.
  • Enable collaboration with investors and venture capital partners (with your explicit consent).
  • Protect intellectual property and manage trademark applications.
  • Ensure regulatory compliance under Indian law (MCA, GST, Income Tax Department, etc.).
  • Communicate service updates, compliance alerts, and (with consent) promotional offers.
  • Enhance platform security, detect fraud, and prevent unauthorized access.
  • Train and improve AI models in an anonymized and aggregated manner only.

5. Data Sharing & Disclosure

We do not sell your personal data. We may share information only in the following circumstances:

  • Regulatory Authorities: MCA, Startup India, GST Network, Income Tax Department, SEBI, and other applicable regulators.
  • Legal & Tax Advisors: For compliance, advisory, and representation purposes.
  • Third-Party Service Providers: Payment gateways (e.g., Razorpay), cloud hosting providers, HR/payroll processors — governed by data processing agreements.
  • Investors/VC Partners: Only with your prior explicit written consent and through our secure data room.
  • Law Enforcement & Courts: When required by applicable law, court order, or lawful government request.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred subject to equivalent privacy protections.

All third-party processors are contractually bound to process data only as instructed and in compliance with applicable data protection laws.

6. Sensitive Personal Data or Information (SPDI)

In accordance with the IT (SPDI) Rules, 2011, the following categories of information are treated as Sensitive Personal Data or Information and are subject to heightened protection:

  • Financial information including bank account and payment card details.
  • Passwords and authentication credentials.
  • Tax identification numbers (PAN, Aadhaar) where used for identity verification.

We collect SPDI only where strictly necessary for the delivery of Services and only with your explicit consent. SPDI is never shared with third parties except as required by law or to deliver the contracted service.

7. Data Security

We implement industry-standard security measures, including:

  • 256-bit SSL/TLS encryption for all data in transit.
  • AES-256 encryption for sensitive data at rest.
  • Secure cloud hosting within India (data centres located in India).
  • Role-based access controls and least-privilege principles.
  • Multi-factor authentication for administrative access.
  • Regular security audits, penetration testing, and vulnerability assessments.
  • ISO 27001 certified information security management practices.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

  • We will notify the Data Protection Board of India (once established) in accordance with the DPDP Act, 2023 within the prescribed timeframe.
  • Affected users will be notified promptly via email at the address registered on the platform, with details of the nature of the breach, data affected, and remedial actions taken.
  • We maintain an internal data breach response procedure and will take immediate steps to contain and remediate any breach.

9. Data Retention

We retain your information for as long as necessary to:

  • Fulfill contractual and service obligations.
  • Comply with legal, tax, and statutory requirements (e.g., Companies Act mandates 8 years for certain records).
  • Support your ongoing business operations and resolve disputes.

Once retention periods expire or your account is deleted (subject to legal holds), data is securely deleted or irreversibly anonymized.

10. Your Rights

As a Data Principal under the DPDP Act, 2023, you have the following rights:

  • Right to Access: Obtain confirmation of whether your data is being processed and a summary of such data.
  • Right to Correction & Erasure: Request correction of inaccurate data or erasure of data no longer required, subject to legal retention obligations.
  • Right to Grievance Redressal: Have your grievances addressed by our Grievance Officer (see Section 14).
  • Right to Nominate: Nominate another individual to exercise rights on your behalf in the event of your death or incapacity.
  • Right to Withdraw Consent: Withdraw consent for non-essential processing at any time without affecting the lawfulness of prior processing.
  • Right to Complain: Lodge complaints with the Data Protection Board of India once established under the DPDP Act, 2023.

To exercise these rights, please contact us at contact@corpfy.in. We will respond within 30 days.

11. Cookie Policy

CorpFy AI ™ uses cookies and similar tracking technologies to enhance your experience on our platform.

Types of Cookies We Use

  • Strictly Necessary Cookies: Required for core platform functionality (e.g., session management, authentication). These cannot be disabled.
  • Performance & Analytics Cookies: Help us understand how users interact with the platform (e.g., page views, feature usage). Used in anonymized, aggregated form.
  • Functional Cookies: Remember your preferences and settings to personalise your experience.
  • Marketing Cookies: Used only with your explicit consent to deliver relevant communications and track campaign effectiveness.

Managing Cookies

You may control cookie preferences through your browser settings or our in-platform cookie consent manager. Disabling strictly necessary cookies may impair platform functionality. For more information, please contact support@corpfy.in.

12. Marketing Communications & Opt-Out

We may send you promotional emails, newsletters, or product updates where you have consented to receive such communications. You may opt out at any time by:

  • Clicking the "Unsubscribe" link in any marketing email.
  • Updating your notification preferences in your account settings.
  • Writing to contact@corpfy.in with the subject line "Marketing Opt-Out".

Opting out of marketing communications will not affect transactional or service-related notifications.

13. Data Localization

Our services are designed with data sovereignty in mind. Primary data storage and processing occur within India on servers located in Indian data centres. Where data processing is performed outside India (e.g., by certain AI processing partners), we ensure appropriate contractual safeguards, including standard contractual clauses, are in place to maintain equivalent data protection standards in compliance with applicable cross-border data transfer requirements.

14. Grievance Officer

In accordance with the IT Act, 2000, IT Rules, 2021, and the DPDP Act, 2023, CorpFy AI ™ has appointed a Grievance Officer for privacy-related concerns:

  • Name: Grievance Officer, CorpFy AI ™
  • Email: contact@corpfy.in
  • Address: Hyderabad, Telangana, India
  • Acknowledgement Timeframe: Within 24 hours of receipt.
  • Resolution Timeframe: Within 15 days of receipt, as required by applicable law.

15. International Data Transfers

Our services are handcrafted in Bharat and primarily hosted in India. Where data is transferred outside India, we ensure compliance with applicable cross-border data protection requirements, including obtaining consent where required under the DPDP Act, 2023.

16. Children's Privacy

Our platform is not intended for individuals under the age of 18. We do not knowingly collect data from minors. If we become aware that data has been collected from a minor without parental consent, we will delete such data promptly.

17. Updates to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or platform announcements with at least 15 days' prior notice. Continued use of the platform following notification constitutes acceptance of the revised policy.

For enquiries: contact@corpfy.in