DRAFT — pending review This Privacy Policy is a working draft prepared on 2026-05-12. It must be reviewed and finalised by Kakhani & Associates before being treated as the firm's official policy. Bracketed text [like this] marks fields the firm must complete.

Kakhani & Associates

Privacy Policy

Effective date: [DD MMM YYYY] · Last updated: [DD MMM YYYY]

This Privacy Policy describes how Kakhani & Associates ("we", "us", "the firm"), a Chartered Accountancy firm having its office at D-168, Sneh Villa, Azad Nagar, Bhilwara, Rajasthan — 311001, India, handles personal data of visitors to kakhaniandassociates.com ("the site") and of persons who interact with us through the site. We are committed to handling personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDPA") and the confidentiality obligations applicable to Chartered Accountants under the Chartered Accountants Act, 1949 and the regulations of the Institute of Chartered Accountants of India ("ICAI").

1. Who is the data fiduciary

Kakhani & Associates, the Chartered Accountancy firm identified above, is the Data Fiduciary in respect of personal data collected through the site. Queries about this Policy may be addressed to office@kakhaniandassociates.com.

2. What personal data we collect and why

Context	Data collected	Purpose	Lawful basis
Contact enquiries (form, email, phone, WhatsApp)	Name, phone number, email address, the message you send, and metadata of the enquiry (IP address, timestamp, user agent)	Responding to your enquiry and maintaining a record of the correspondence	Consent (DPDPA § 6); records of correspondence are retained as required by professional conduct rules
Download Returns (when rebuilt under Sprint 2 of our roadmap)	Permanent Account Number (PAN), date of birth, the deliverables you download, IP address, timestamp, user agent, second-factor verification artefacts (e.g., one-time email codes)	Delivering tax-return deliverables to the client to whom they belong; preventing unauthorised access	Performance of professional services to which you are a party; retention of access records is necessary for the security of client data
Site usage	Aggregated, non-identifying analytics (planned: privacy-friendly Plausible analytics — no cookies, no cross-site tracking, no personal data)	Understanding which pages are useful	Legitimate interest in maintaining a functional site; no personal data is processed
Internal practice management (the future Desk module at /desk/, behind authentication)	Information about engagements provided to us by clients (which may include PAN, GSTIN, financial records, identification documents) — handled under our existing professional and statutory confidentiality obligations and not exposed to the public site	Delivering professional services	Performance of the engagement contract with the client; statutory retention under the Income-tax Act, 1961 and GST law

3. Cookies and similar technologies

The public marketing portion of the site does not set tracking cookies. Functional cookies may be set on authenticated areas (the future Desk module) strictly for session management, and these will be scoped to the relevant path, marked HttpOnly, Secure, and SameSite=Strict. We do not use advertising or cross-site tracking cookies.

Third-party resources currently loaded by the site (Google Fonts; the Tailwind CSS CDN; the esm.sh module CDN) may receive your IP address when your browser fetches those resources. We are migrating away from third-party CDNs to self-hosted equivalents to remove this dependency. Until that migration is complete, you may wish to consult the privacy policies of those services.

4. Disclosures to third parties

We do not sell personal data. We may disclose personal data:

To service providers strictly necessary for the operation of the site or our firm (for example, our hosting provider, transactional email provider, or backup provider) under contractual confidentiality obligations;
When required by a court order, regulatory authority, or applicable law (including, but not limited to, the Income-tax Act, 1961, the GST Acts, the Companies Act, 2013, and the Chartered Accountants Act, 1949 read with regulations of ICAI);
To the extent necessary to defend the rights or safety of the firm or of any third party.

5. Cross-border transfer

Personal data is stored in India on our hosting infrastructure. Where any service provider used by us stores data outside India, the transfer is permitted under DPDPA § 16 and is governed by contractual data-protection obligations.

6. Retention

Records related to professional engagements: eight (8) years from the close of the relevant financial year, in line with section 36 of the Income-tax Act, 1961 read with rule 6F and corresponding GST and Companies Act provisions.
Access logs for the Download Returns flow: 24 months, then deleted.
Contact enquiries: retained for 24 months from last correspondence, then deleted, unless they relate to an engagement (in which case they are retained under the engagement retention rule above).
Aggregated analytics: 12 months.

7. Rights of the Data Principal

Subject to DPDPA, you have the right to:

Obtain a summary of the personal data of yours that we process (DPDPA § 11);
Request correction, completion, or update of inaccurate or incomplete data (DPDPA § 12);
Request erasure of data we hold about you, subject to our retention obligations under tax and professional regulations (DPDPA § 12);
Nominate another person to exercise your rights on your behalf or on your demise (DPDPA § 14);
Make a grievance to our designated Grievance Officer (see § 9 below) and, if not satisfied, to the Data Protection Board of India.

Requests should be addressed to the Grievance Officer in writing.

8. Security

We apply technical and organisational measures appropriate to the nature of personal data we process, including: HTTPS for all site traffic; access controls and multi-factor authentication on the practice management module; encryption at rest of identifiers such as PAN, GSTIN, and authentication secrets; access logging on the Download Returns flow; rate limiting; least-privilege database grants; storage of sensitive files outside the public web root; and a documented offboarding playbook for staff. No method is perfectly secure; we keep our controls under review and apply improvements as the threat landscape evolves.

9. Grievance Officer

Name: [To be designated by the firm]
Designation: [e.g., Partner / Designated Partner]
Address: D-168, Sneh Villa, Azad Nagar, Bhilwara, Rajasthan — 311001
Email: office@kakhaniandassociates.com
Phone: +91 94612 41882

We endeavour to acknowledge grievances within seven (7) working days and to resolve them within thirty (30) days.

10. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be highlighted on the site for a reasonable period after the change.