Privacy Policy
Last updated: 12 May 2026
This Privacy Policy explains what information ITCPulse (“ITCPulse”) collects when you use ITC360, how we use it, who we share it with, and the rights you have over it. It is written to align with the Digital Personal Data Protection Act, 2023 (India) and applies to all visitors and users of the Service.
1. Information We Collect
We collect the following categories of information:
- Account information — name, email address, phone number (optional), organisation name, PAN, and GSTIN(s) you register.
- Authentication data — password hash (we never store plaintext passwords), Google account identifier if you sign in with Google, JWT session tokens.
- Business data you upload — GSTR-2B files, purchase registers, vendor contact details, and the structured invoice records derived from them. These are stored in your organisation's isolated workspace.
- Billing information — subscription plan, invoice quotas, payment history. Card and bank details are collected and stored by our payment processor (Razorpay) — we never see your full card number.
- Communications — emails you send us, in-app chat with our support assistant, and metadata about emails we send to your vendors on your behalf.
- Usage and device data — IP address, browser type, pages visited, timestamps. We use this for security, debugging, and aggregate analytics.
2. How We Use Your Information
We use the information above to:
- provide the Service — run reconciliations, store results, generate vendor reminders, surface dashboards;
- authenticate users and protect against fraud and abuse;
- process payments and manage your subscription;
- send you transactional emails (account, billing, password resets, vendor-reminder delivery confirmations);
- respond to support requests;
- understand product usage in aggregate to improve the Service;
- comply with legal obligations and respond to lawful requests.
We do not sell your data, do not share it for marketing purposes, and do not use Customer Data to train AI models.
3. Sub-processors
We rely on a small number of third-party processors. Each one is bound by a data-processing agreement (or equivalent terms) and is chosen for its security and reliability:
- Amazon Web Services (AWS) — cloud infrastructure and S3 storage, hosted in the AWS Mumbai region (ap-south-1). Holds your account data, uploaded files, and reconciliation results.
- Razorpay — payments processing. Receives transaction amounts, your email, and a customer identifier; we do not pass them your business data.
- SMTP email provider — transactional emails and vendor reminders sent on your behalf.
- Anthropic PBC — powers the optional in-app chat assistant when enabled. The messages you send to the chat assistant are processed by Anthropic to generate replies. We do not send your reconciliation data to the assistant unless you explicitly invoke a tool that reads it (for example, asking “which vendors should I chase”).
4. Where Your Data Is Stored
Your account data, uploaded files, and reconciliation results are stored in India (AWS ap-south-1 region in Mumbai). Some processors may transfer limited operational data outside India in line with their own infrastructure (for example, AI chat messages may transit through Anthropic infrastructure). We rely on the standard contractual protections offered by each processor for such transfers.
5. Security
We protect your data with industry-standard controls: TLS for data in transit, encryption at rest for files in S3, Argon2id password hashing, RS256-signed JWT tokens, isolated per-organisation workspaces, and audit logging for sensitive actions. No system is perfectly secure; we will notify affected users without undue delay if we become aware of a data breach that materially affects them, as required by law.
6. Data Retention
We retain your account and business data for as long as your account is active. If you delete your account, we will delete your Customer Data within 30 days, except where retention is required by law (for example, invoice records for the period prescribed under Indian tax law). Backups are overwritten on a rolling schedule and deleted data is removed from backups within 90 days.
7. Your Rights
Subject to the DPDP Act 2023 and other applicable law, you have the right to:
- access the personal data we hold about you;
- correct inaccurate personal data through your settings, or by contacting us;
- erase your personal data — subject to legal retention requirements;
- port your data — reconciliation results can be exported as Excel from within the app;
- withdraw consent for processing that is consent-based;
- nominate another individual to exercise these rights on your behalf.
To exercise any of these rights, email itcpulse@gmail.com. We will respond within thirty (30) days.
8. Cookies
We use only essential cookies needed to sign you in and protect your session: an HttpOnly access-token cookie, a CSRF token, and a short-lived state cookie used during Google sign-in. We do not use third-party advertising cookies or cross-site tracking. The chat assistant stores a short conversation history in your browser's localStorage; you can clear it at any time using the “Clear chat” control in the widget.
9. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it.
10. Vendor Reminders — Special Note
When you use ITC360 to send a reminder email to a vendor, we send the email on your behalf using your organisation's identity. The vendor's email address and the invoice details you choose to include are processed for that purpose only. We log delivery and download events to help you track follow-up; we do not send the vendor any marketing or use their contact details for any other purpose.
11. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated by email or in-app notice at least fifteen (15) days before they take effect. The “Last updated” date at the top of this page always reflects the current version.
12. Contact
For any privacy question, request, or complaint, write to itcpulse@gmail.com. If you are unsatisfied with our response, you may also approach the Data Protection Board of India under the DPDP Act, 2023, or any other authority with jurisdiction over your complaint.
See also our Terms of Service and Refund Policy.