AutoFS
HomeFeaturesPricingSecuritySupport
Start free
HomeFeaturesPricingSecuritySupportStart free
Legal

Privacy Policy

How AutoFS handles personal data, what we retain, who we rely on, and how to make a privacy request.

Last updated 2026-07-16 · Version 1.2

Who we are

AutoFS ("we", "us") provides cloud-hosted software for Chartered Accountants in India to prepare financial statements of eligible Non-Corporate Entities. For account, billing, security, and direct service-relationship data, we determine the relevant processing purposes and act as the Data Fiduciary. For client financial data uploaded or pulled by a CA firm, that firm normally determines the purpose and means of processing and we act as its Data Processor on documented instructions, except where law requires us to process data for an independent purpose.

What we collect

  • Firm-user data — email, full name, role, MFA secret (encrypted), session metadata.
  • Client data uploaded by the firm — entity profile (PAN, GSTIN, address), trial balances, working papers, generated financial statements, UDIN records.
  • Operational metadata — audit events, error traces, request logs.

Why we collect it

Solely to provide the service the Data Fiduciary has subscribed to. We do not sell or rent personal data to any party. We do not use customer data to train AI models.

Sub-processors

We rely on the following sub-processors. The full, continuously-updated list lives at /subprocessors.

  • Google Cloud Platform — compute, database, object storage (asia-south1).
  • Stripe — payments + tax-invoice processing.
  • Resend — transactional email.
  • Sentry — error tracking.
  • Firebase Cloud Messaging — Android push notifications.

Cross-border transfer

Primary data residency is India (asia-south1). Some sub-processors (Stripe, Resend, Sentry, FCM) operate outside India; processing under those services may transfer data to the United States or European Union. We have signed the standard processing agreements offered by each vendor.

Retention

Audit engagement documentation and related audit trails are retained for at least seven years from the auditor's report under ICAI SA 230. Customers remain responsible for identifying and observing every entity- and engagement-specific record retention duty. Account metadata is retained for 30 days after subscription termination and then permanently deleted unless an applicable record-retention duty or legal hold applies.

Privacy requests and DPDP rights

We make the channels below available now. Rights and obligations under the DPDP Act and Rules apply according to their notified, phased commencement schedule.

  • Access — request a copy of personal data we hold about you via privacy@autofs.in.
  • Correction — request correction of inaccurate or outdated data.
  • Erasure — request deletion, subject to the applicable record-retention requirements above.
  • Withdrawal of consent — at any time, via the same email.
  • Grievance — first raise with our privacy grievance contact below. We aim to respond within 30 days. Where an applicable law provides a further complaint route, we will explain it in our response.

Privacy grievance contact

Privacy grievance contact, AutoFS
Email: grievance@autofs.in

Chrome extension and Tally data

The AutoFS Tally Connector communicates only with TallyPrime's HTTP interface on the user's own computer. It stores the AutoFS pairing token and selected Tally port in Chrome local storage so the user does not need to reconnect on every visit. The extension does not read browsing history or unrelated website content.

  • Company, ledger-master and Trial Balance data is retrieved only after the user starts a pull from AutoFS.
  • Retrieved data is returned only to the user's authenticated AutoFS workspace and stored there to provide financial-statement preparation features.
  • AutoFS does not sell this data, use it for advertising, or use it to train AI models.
  • AutoFS personnel do not read customer financial data except with specific support consent, when necessary for security, or when required by law.
  • Disconnecting the extension removes its locally stored pairing token. Workspace data remains subject to the retention and deletion terms below.

The connector's use and transfer of information received from Chrome APIs complies with the Chrome Web Store User Data Policy, including its Limited Use requirements. Data is used and transferred only as necessary to provide the connector's user-facing purpose.

Security

We follow industry best practices for secure software engineering, including TLS 1.2+ in transit, AES-256-GCM at rest for sensitive fields, MFA enforcement at the firm level, and audit-log hash-chaining for tamper-evidence. Our security disclosure policy lives at /security.

Notifications

Cyber-security incidents that fall within the CERT-In Directions of 28 April 2022 are reported to CERT-In within 6 hours. When the relevant DPDP breach-notification provisions apply, affected Data Principals will be notified without delay; the Data Protection Board will receive the initial intimation without delay and detailed information within the prescribed 72-hour period or any extension allowed by the Board.

Changes to this policy

Material changes are notified by email and by an in-app banner. Continued use after a 30-day notice constitutes acceptance. This is Version 1.2; earlier versions are available on request at legal@autofs.in.

AutoFSFinancial Statements

From Tally or Trial Balance to review-ready financial statements.

Made in India • autofs.in

Product

HomeFeaturesPricingSecuritySupport

Resources

DocumentationHelp centreRoadmapChangelog

Company

AboutContactBook a demo

Legal

TermsPrivacyRefundDPA

© 2026 AutoFS. All rights reserved.

Built for Indian finance teams