Privacy Policy
The Finance Laboratory (“TFL”) · Operated by Radha Emporium (Sole Proprietorship)
Last updated: 17 May 2026 · DPDP Act 2023 Compliant
1. Introduction
1.1. The Finance Laboratory (“TFL,” “Platform,” “we,” “us,” or “our”), operated by Radha Emporium, a sole proprietorship registered under the laws of India, is committed to protecting the privacy and security of personal data processed through our Platform.
1.2. This Privacy Policy explains how we collect, use, store, share, and protect your personal data and other information when you use the TFL Platform at thefinancelaboratory.com and associated subdomains.
1.3. This Privacy Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and all other applicable Indian data protection and privacy laws.
1.4. By using the Platform, you consent to the collection, processing, and use of your data as described in this Privacy Policy. If you do not agree, please do not use the Platform.
2. Definitions
“Data Principal” means the individual to whom the personal data relates, as defined under the DPDP Act, 2023. In the context of TFL, the Data Principal is the registered Member (Chartered Accountant).
“Data Fiduciary” means the entity that determines the purpose and means of processing personal data. TFL (operated by Radha Emporium) is the Data Fiduciary.
“Personal Data” means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023.
“Processing” includes collection, storage, use, analysis, disclosure, erasure, or any other operation performed on personal data.
“Member” means a registered user of TFL, being a practising Chartered Accountant or a person associated with a CA firm.
“Client Data” means any documents, information, or data relating to the Member's clients (assessees) that are uploaded to the Platform by the Member.
“AI Processing” means the analysis and generation of outputs by artificial intelligence models integrated into the Platform.
3. Data We Collect
3.1. Information You Provide Directly
| Category | Data Points | Purpose |
|---|---|---|
| Account Information | Full name, email, phone, ICAI Membership Number, firm name | Account creation, authentication, professional validation |
| Professional Information | ICAI membership status, Certificate of Practice details, firm registration | Eligibility verification |
| Billing Information | Billing address, GSTIN, state of registration | GST invoice generation, tax compliance |
| Communication Data | Support queries, feedback, feature requests | Customer support, product improvement |
3.2. Information Generated Through Platform Use
| Category | Data Points | Purpose |
|---|---|---|
| Engagement Data | Case metadata (assessee name, AY, section, forum, status) | Core platform functionality |
| Document Data | Uploaded tax notices, orders, supporting documents | AI parsing and processing |
| AI Interaction Data | Strategy sessions, express strategy inputs, drafting preferences | AI-assisted output generation |
| Draft and Output Data | Strategy memos, draft submissions, paperbooks | Core platform functionality |
| Edit Telemetry | Changes made in Word (additions, deletions, citation changes, duration) | Draft quality improvement |
| Usage Analytics | Features used, pages visited, time spent, workflow patterns | Product improvement |
3.3. Information Collected Automatically
| Category | Data Points | Purpose |
|---|---|---|
| Device Information | Browser type, operating system, device type | Compatibility, troubleshooting |
| Log Data | IP address, access timestamps, pages accessed, error logs | Security, debugging, abuse prevention |
| Cookies | Session cookies, authentication tokens | Session management, authentication |
3.4. Client Data (Uploaded by Members)
Members upload documents and information relating to their clients (assessees) for processing by the Platform. This Client Data may include names, addresses, identification details (PAN, GSTIN), financial information, assessment and appellate order details, correspondence with tax authorities, and any other information contained in uploaded documents.
Important: TFL processes Client Data solely on the instructions of and for the purpose of providing services to the Member. The Member is responsible for ensuring they have appropriate authority and consent to upload Client Data as specified in our Terms of Service (Section 5.2).
4. How We Use Your Data
4.1. Lawful Basis for Processing
| Purpose | Lawful Basis |
|---|---|
| Core services (parsing, strategy, drafting) | Consent + performance of contract |
| Account creation and authentication | Performance of contract |
| Subscription billing and GST invoicing | Performance of contract + legal obligation |
| AI processing of documents | Consent + performance of contract |
| Customer support | Consent + legitimate interest |
| Product improvement and analytics | Legitimate interest |
| Security and fraud prevention | Legitimate interest + legal obligation |
4.2. Specific Uses
(a) Core Service Delivery:
- Parsing and extracting data from uploaded tax notices and orders
- Generating litigation strategy recommendations
- Researching and retrieving verified case law citations
- Generating draft submissions with verified citations
- Assembling paperbooks and annexures
- Managing engagement lifecycles and compliance deadlines
- Facilitating document editing via Microsoft Word/OneDrive integration
(b) AI Processing:
- Your uploaded documents and engagement data are processed by AI models (Anthropic's Claude) to generate Platform outputs
- AI processing involves temporary transmission of document content to Anthropic's API for inference
- Anthropic does not retain your data after processing and does not use it for model training
- All AI processing uses deterministic settings (temperature=0) for consistent, reproducible outputs
(c) Billing and Accounting:
- Processing subscription payments via Razorpay
- Generating GST-compliant invoices via Zoho Books
- Maintaining accounting records as required by Indian tax law
(d) Product Improvement:
- Analysing aggregated, anonymised usage patterns to improve Platform features
- Tracking edit telemetry (which citations CAs keep, remove, or add) to improve AI drafting quality over time
- This analysis uses aggregated data and does not identify individual clients or assessees
(e) Communication:
- Sending transactional emails (account confirmation, pipeline completion, deadline reminders)
- Responding to support queries
- Sending product updates and feature announcements (with opt-out option)
5. Data We Do NOT Collect or Use
5.1. We do NOT use your data to train AI models. Your documents, client data, engagement information, and any other data uploaded to TFL are never used to train, fine-tune, or improve any artificial intelligence model — whether our own or any third party's (including Anthropic). This is a non-negotiable commitment.
5.2. We do NOT sell your data. Your personal data and Client Data are never sold, rented, or traded to any third party for marketing, advertising, or any other purpose.
5.3. We do NOT profile you for advertising. TFL does not serve advertisements and does not create advertising profiles based on your data.
5.4. We do NOT share Client Data between Members. Each Member's data is strictly isolated. One Member cannot access another Member's engagements, documents, or outputs.
5.5. We do NOT retain AI processing inputs permanently at our AI provider. Document content sent to Anthropic for AI processing is not permanently stored by Anthropic after the API response is generated.
6. Data Sharing and Disclosure
6.1. We share your data only with the following categories of recipients, and only to the extent necessary:
6.1.1. Service Providers (Data Processors)
| Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| Anthropic (Claude AI) | Document content, engagement context (temporary) | AI processing | API only; no permanent storage |
| Supabase | All platform data | Database, auth, file storage | Mumbai, India |
| Razorpay | Payment info, email, subscription details | Payment processing | India |
| Zoho Books | Name, firm, email, GSTIN, billing address | Invoice generation | India |
| Microsoft (OneDrive) | Draft documents (DOCX files) | Document editing via Word | Per Microsoft's policies |
| Indian Kanoon | Search queries (no client PII) | Case law research | India |
| Vercel | Frontend assets (no user data) | Frontend hosting | Global CDN |
| Railway | Backend code, env vars | Backend hosting | Applicable region |
6.1.3. Legal and Regulatory Disclosure
We may disclose your data if required by a court order, subpoena, or other legal process; applicable law or regulation; a lawful request by a government authority; the need to protect TFL's legal rights, safety, or property; or the need to prevent fraud or security threats.
6.1.4. Business Transfers
In the event of a merger, acquisition, reorganisation, or transfer of business (including the planned migration from Radha Emporium to TFL LLP), your data may be transferred to the successor entity. You will be notified of any such transfer and the successor will be bound by this Privacy Policy or a substantially similar one.
6.2. We do NOT share your data with any party not listed above without your explicit consent.
7. Data Storage and Security
7.1. Data Residency
All primary data storage is in India (AWS ap-south-1, Mumbai region, via Supabase). This includes all database records, uploaded documents, generated outputs, user account information, and vector embeddings.
7.2. Security Measures
(a) Encryption:
- All data in transit encrypted using TLS 1.2 or higher (HTTPS)
- All data at rest encrypted using AES-256 (provided by Supabase/AWS)
- Database connections use encrypted channels
(b) Access Controls:
- Role-based access control (RBAC) at the application level
- Row Level Security (RLS) at the database level — each Member can only access their own data
- Service Role Keys used only for server-side operations; never exposed to clients
- Supabase Auth with JWT-based authentication
(c) Application Security:
- Input sanitisation before AI processing (prompt injection defence)
- Sandboxed AI agent execution — agents cannot receive or execute instructions from uploaded document content
- Rate limiting on API endpoints
- CORS restrictions limiting cross-origin requests
(d) Document Security:
- Finalised documents are hashed using SHA-256 for immutability verification
- Document access restricted to the owning Member's account
- Uploaded documents stored in isolated storage paths per engagement
7.3. Breach Notification
In the event of a personal data breach that is likely to cause harm to Data Principals, TFL will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by the DPDP Act, 2023. TFL will notify affected Members without unreasonable delay. Notification will include the nature of the breach, data affected, measures taken, and recommended actions.
7.4. Security Limitations
While TFL implements commercially reasonable security measures, no system is completely secure. TFL cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials and for any activity that occurs under your account.
8. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Active account + 30 days post-termination | Service provision; data export window |
| Engagement and case data | Active account + 30 days post-termination | Service provision |
| Uploaded documents | Active account + 30 days post-termination | Service provision |
| Billing and invoice records | 8 years from transaction date | Indian tax and GST law obligation |
| Edit telemetry (aggregated) | Indefinite (anonymised) | Product improvement |
| Support communications | 3 years from date of communication | Service quality, dispute resolution |
| Server and error logs | 90 days | Security, debugging |
Deletion After Account Termination: Upon account termination, you have 30 days to request export of Your Content. After 30 days, all Your Content will be permanently deleted. Billing records are retained for 8 years as required by law. Aggregated, anonymised analytics data may be retained indefinitely.
You may request deletion of specific documents or engagements at any time through the Platform interface. Deletion is permanent and cannot be reversed.
9. Your Rights Under the DPDP Act, 2023
As a Data Principal under the DPDP Act, 2023, you have the following rights:
9.1. Right to Access Information
You have the right to obtain a summary of the personal data being processed, the processing activities being carried out, the identities of all third parties with whom your data has been shared, and any other information as may be prescribed under the DPDP Act.
9.2. Right to Correction and Erasure
You have the right to correct inaccurate or misleading personal data, complete incomplete personal data, and request erasure of personal data that is no longer necessary for the purpose for which it was collected. To exercise this right, contact us at guptakaran.1501k@gmail.com. We will act on your request within 30 days.
9.3. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format. TFL provides data export functionality through the Platform. You may also request a full data export by contacting support.
9.4. Right to Grievance Redressal
If you have any grievance regarding the processing of your personal data, you may contact our Grievance Officer (details in Section 14). We will acknowledge your grievance within 48 hours and resolve it within 30 days.
9.5. Right to Nominate
In the event of your death or incapacity, your nominated person shall have the right to exercise your data protection rights on your behalf, to the extent permitted by applicable law.
9.6. Right to Withdraw Consent
You may withdraw your consent to the processing of your personal data at any time by deleting your account or contacting us at guptakaran.1501k@gmail.com. Withdrawal of consent may result in the inability to provide the Platform's services. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
10. Children's Data
10.1. TFL is designed for use by qualified professionals (Chartered Accountants) and is not intended for use by individuals under the age of 18.
10.2. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected personal data from a minor, we will take steps to delete such data promptly.
11. Cookies and Tracking
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential/Session Cookies | Authentication, session management, CSRF protection | Session (deleted on browser close) |
| Authentication Tokens | Maintaining logged-in state | Until logout or token expiry |
Cookies We Do NOT Use: No advertising or tracking cookies. No third-party analytics cookies. No social media tracking pixels. No cross-site tracking.
We use only essential cookies required for the Platform to function. No consent banner is required for essential cookies under Indian law, but we disclose their use here for transparency.
12. Third-Party Links
12.1. The Platform may contain links to third-party websites, particularly Indian Kanoon (indiankanoon.org) for case law verification. These links are provided for your convenience and professional verification.
12.2. TFL is not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any third-party website you visit.
13. Changes to This Privacy Policy
13.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
13.2. Material changes will be communicated to you via email and/or a prominent notice on the Platform at least 15 days before taking effect.
13.3. Your continued use of the Platform after changes take effect constitutes your acceptance of the updated Privacy Policy.
14. Grievance Officer
In accordance with the DPDP Act, 2023 and the Information Technology Act, 2000, the details of the Grievance Officer are:
Name: Karan Gupta
Designation: Proprietor and Grievance Officer
Email: guptakaran.1501k@gmail.com
Phone/WhatsApp: +91 9163045425
The Grievance Officer shall acknowledge your grievance within 48 hours and resolve it within 30 days of receipt.
15. Consent Declaration
By registering for and using TFL, you hereby:
- Consent to the collection, processing, storage, and use of your personal data as described in this Privacy Policy;
- Confirm that you have read and understood the specific categories of data collected (Section 3), purposes of processing (Section 4), and recipients of data (Section 6);
- Confirm that you have the authority to upload Client Data to the Platform and that you have obtained appropriate consent from your clients, or have a lawful basis, to do so;
- Acknowledge that AI processing of your data involves temporary transmission to Anthropic's API as described in Sections 4.2(b) and 6.1.1;
- Understand that you may withdraw your consent at any time as described in Section 9.6, subject to the consequences stated therein.
16. Contact Us
The Finance Laboratory (TFL)
Operated by: Radha Emporium
Email: guptakaran.1501k@gmail.com
WhatsApp: +91 9163045425
Website: thefinancelaboratory.com
This Privacy Policy is effective as of the date stated above and applies to all users of The Finance Laboratory platform.
© 2026 Radha Emporium. All rights reserved.