Privacy Policy
Last updated: 2026-04-29 · Effective date: 2026-04-29
This Privacy Policy describes how AI4CA ("we", "our", "us") collects, uses, stores, and protects your information when you use our website builder, marketing tools, and related services at ai4ca.in and its subdomains (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Who we are
AI4CA is operated by CA Trainee Web (the "Operator"), based in India. For privacy-related queries, contact depen337@gmail.com.
2. Information we collect
2.1 Information you provide
When you create an account or use the Service, we collect:
- Account information: name, email, phone (optional), profession (CA / Lawyer / CS / Tax Professional)
- Authentication identifiers, depending on how you sign in: email + password (we store only a salted PBKDF2 hash, never your password); Google account (Google ID, name, email, profile photo via Sign in with Google ID token); Telegram account (Telegram user ID, username, profile photo via Telegram Login Widget); Facebook (Meta) account (Facebook user ID, name, email, profile photo via Facebook Login)
- Firm information: firm name, address, services, branding, logos, content for your published website
- Practice management data (paid plans): client records, tasks, invoices, payments, compliance dates entered by you for your business operations
- Payment information: handled by Razorpay; we receive only a transaction reference and do not store card numbers or banking credentials
2.2 Information we receive from third parties
- Sign in with Google: name, email, profile photo, Google account ID
- Sign in with Facebook (Meta): name, email (if you grant email permission), public profile information, profile photo, Facebook user ID. If you grant page management permissions, page identifiers and access tokens.
- Telegram Login Widget: Telegram user ID, first name, last name, username, profile photo, Telegram authorization timestamp
2.3 Information collected automatically
- Visitor analytics on websites you publish: page views, referrer, UTM parameters, scroll depth, time on page, anonymous session ID. Collected from visitors to your published sites so you can see traffic and lead source data.
- Service usage logs: API requests, error logs, IP address, user agent. Used for security and debugging only. Retained up to 90 days.
3. How we use your information
We use the information for:
- Providing the Service (hosting, sending emails on your behalf, processing payments, executing your marketing automations)
- Account management (authentication, recovery, communication of service updates)
- Customer support (responding to your queries)
- Service improvement (aggregate usage analytics, no personal identification)
- Legal compliance (Digital Personal Data Protection Act 2023 (India), Information Technology Act 2000, applicable tax/financial regulations)
We do NOT: sell or rent your personal information; use your data to train AI models without explicit consent; show you third-party advertising; share data with marketing aggregators.
4. How we store and protect your information
- Storage location: Cloudflare D1 (SQLite-based) database in the Asia-Pacific region. Some assets in Cloudflare R2 object storage.
- Encryption in transit: HTTPS / TLS 1.3 enforced.
- Encryption at rest: portal credentials and connected-account access tokens are encrypted with AES-256-GCM before being written to the database. Authentication passwords are stored as salted PBKDF2 hashes only.
- Access controls: only authorized AI4CA personnel can access production systems, with audit logging.
- Data retention: account data retained until you delete your account. Visitor analytics retained 12 months. Service logs retained 90 days.
5. How we share your information
We share information only with:
- Service providers we use to deliver the Service: Cloudflare (hosting, CDN, database, storage, edge compute), Brevo (transactional email — verification, password reset, notifications), Razorpay (payment processing), GoDaddy (domain registration), Google (Sign in with Google identity verification), Meta / Facebook (Sign in with Facebook, Pages and Instagram management when enabled), Telegram (Sign in with Telegram identity verification, optional bot messaging)
- Legal authorities if required by law, lawful process, or to protect rights and safety
We do not transfer your data outside India except to the third-party processors above for the operational purposes of the Service.
6. Your rights under the DPDP Act 2023
If you are a Data Principal under India's Digital Personal Data Protection Act, 2023, you have the right to:
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate or incomplete data
- Erasure: request deletion of your data (subject to legal retention obligations)
- Withdraw consent: revoke previously granted consent for any processing
- Grievance redressal: contact our Data Protection Officer at depen337@gmail.com
To exercise any of these rights, email depen337@gmail.com with proof of identity. We will respond within 30 days as required by the DPDP Act.
7. Data deletion
You can delete your account and all associated personal data at any time. See our Data Deletion Instructions for the full process. When you delete your account: your record, profile, and linked authentication identifiers are removed within 30 days; published website data within 30 days; practice management data within 30 days; service logs containing your IP address are anonymized within 90 days; backup copies are retained an additional 30 days for disaster recovery, then purged.
Some information may be retained longer where legally required (e.g., financial transaction records for tax purposes — typically 8 years under the Income Tax Act, 1961).
8. Cookies and similar technologies
We use essential cookies only (auth_token): required for you to stay logged in. We do not use advertising cookies, third-party tracking pixels, or Google Analytics on the dashboard. The websites you publish to your visitors may include analytics scripts you configure — those are subject to your own privacy policy on those sites.
9. Children's privacy
The Service is not intended for users under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact depen337@gmail.com and we will delete it.
10. International users
The Service is operated from India. If you access the Service from outside India, you consent to the transfer and processing of your information in India.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email and a banner on the dashboard at least 14 days before the change takes effect. The "Last updated" date at the top reflects the most recent version.
12. Contact
For privacy questions, data subject requests, or grievance redressal: depen337@gmail.com with subject line "Privacy / Data Request". For Meta/Facebook-specific data inquiries you may also reach us via the App Contact in our Facebook App listing.