Privacy Policy

1. Introduction & Scope

1.1. This Privacy Policy ("Policy") is published in compliance with Section 43A of the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 ("DPDP Act").

1.2. This Policy applies to all users ("You," "Your," "User") who access or use the website www.blackpapers.in ("Platform"), mobile applications, and all services offered by BlackPapers, a brand operated by Tributaries Unicorn LLP (LLP Identification Number: To be updated), having its registered office in Delhi, India ("We," "Us," "Our," "Company").

1.3. By accessing or using the Platform, you expressly consent to the collection, use, storage, disclosure, and processing of your information (including personal data) in accordance with this Policy. If you do not agree with any provision herein, you must immediately cease use of the Platform.

1.4. This Policy must be read in conjunction with our Terms of Use and Refund Policy.

2. Definitions

For the purposes of this Policy:

• "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDP Act, 2023.
• "Sensitive Personal Data or Information" (SPDI) includes financial information (bank account details, credit/debit card data), passwords, biometric data, health data, sexual orientation, and any data as specified under Rule 3 of the IT (SPDI) Rules, 2011.
• "Data Fiduciary" means BlackPapers / Tributaries Unicorn LLP, which determines the purpose and means of processing personal data.
• "Data Principal" means the individual (You) to whom the personal data relates.
• "Data Processor" means any person or entity that processes personal data on behalf of the Data Fiduciary, including third-party service providers.
• "Processing" includes collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction of data.
• "Cookies" means small text files placed on your device by the Platform to store browsing preferences and session data.

3. Information We Collect

3.1. Information You Provide Directly

When you register, place an order, or interact with our team, we collect:

• Identity Data: Full legal name, date of birth, gender, father's/spouse's name, nationality, photographs, and signatures.
• Contact Data: Email address, phone number(s), residential address, and registered office address.
• Government Identifiers: PAN (Permanent Account Number), Aadhaar Number (where legally mandated for government filings), DIN (Director Identification Number), DPIN, GSTIN, TAN, CIN, and LLPIN.
• Financial Data: Bank account details, cancelled cheque images, income tax returns, balance sheets, profit & loss accounts, and other financial statements required for statutory compliance.
• Business Data: Memorandum of Association (MOA), Articles of Association (AOA), partnership deeds, board resolutions, share certificates, cap tables, and other corporate documents.
• Communication Data: Emails, chat transcripts, call recordings (with prior notice), feedback, and any other correspondence exchanged between You and BlackPapers.

3.2. Information Collected Automatically

When you browse our Platform, we automatically collect:

• Device Information: Device type, operating system, unique device identifiers, and mobile network information.
• Log Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, access dates and times, and referring URLs.
• Usage Data: Pages visited, time spent on pages, click-through rates, search queries, and navigation paths.
• Location Data: Approximate geographic location derived from IP address.

3.3. Information from Third Parties

• Payment Processors: Transaction status and payment confirmations from Razorpay or other gateway partners.
• Government Portals: Data fetched from MCA, GSTN, Income Tax e-Filing portals, and DPIIT Startup India portal on your behalf with your consent.
• Professional Partners: Reports, certificates, and filings prepared by our network of Chartered Accountants, Company Secretaries, and Advocates.

4. Purpose of Data Collection

We process your personal data strictly for the following lawful purposes:

• 4.1. Service Delivery: To execute the compliance, registration, taxation, and legal services you have engaged us for, including filing documents with MCA, Income Tax Department, GST Network, Trademark Registry, and other statutory authorities.
• 4.2. Account Management: To create and manage your user account, verify your identity, and enable secure login.
• 4.3. Payment Processing: To process payments, issue invoices, manage subscriptions, and handle refunds through our payment gateway partners.
• 4.4. Communication: To send transactional updates (order confirmations, filing status, compliance deadlines), respond to inquiries, and provide customer support.
• 4.5. Marketing (with Consent): To send promotional materials, newsletters, blog updates, and service offers. You may opt out at any time by clicking "Unsubscribe" in any email or emailing us at connect@blackpapers.in.
• 4.6. Legal Compliance: To comply with applicable laws, regulations, legal proceedings, or enforceable governmental requests, including KYC/AML obligations.
• 4.7. Analytics & Improvement: To analyse usage patterns, improve Platform functionality, personalise user experience, and develop new features.
• 4.8. Dispute Resolution: To resolve disputes, enforce our agreements, and protect the rights and safety of BlackPapers and its users.

5. Lawful Basis for Processing

Under the DPDP Act, 2023, we process your data based on the following grounds:

• 5.1. Consent: Where you have provided explicit consent for the processing of your personal data (e.g., marketing emails, cookie preferences).
• 5.2. Contractual Necessity: Where processing is necessary for the performance of a contract to which you are a party (e.g., service agreements).
• 5.3. Legal Obligation: Where processing is necessary for compliance with a legal obligation (e.g., filing returns, maintaining records under the Companies Act, 2013).
• 5.4. Legitimate Uses: As specified under Section 7 of the DPDP Act, including processing necessary for the State, compliance with judgments, and medical emergencies.

6. Cookies & Tracking Technologies

6.1. Our Platform uses cookies and similar tracking technologies (web beacons, pixels, local storage) to enhance your browsing experience.

6.2. Types of Cookies Used:

• Strictly Necessary Cookies: Essential for the Platform to function (session management, authentication). These cannot be disabled.
• Analytics Cookies: Collect anonymous data about how visitors use the Platform (powered by Vercel Analytics). Helps us understand traffic patterns.
• Functional Cookies: Remember your preferences (language, region, theme).
• Marketing Cookies: Track your activity across websites to deliver targeted advertisements. These are only enabled with your explicit consent.

6.3. You can manage cookie preferences through your browser settings. Disabling certain cookies may affect Platform functionality.

7. Data Sharing & Third-Party Disclosure

7.1. We do not sell, rent, or trade your personal data to any third party for their independent marketing purposes.

7.2. We may share your data with the following categories of recipients, strictly on a need-to-know basis:

• Professional Service Providers: Chartered Accountants (CAs), Company Secretaries (CS), Advocates, Tax Consultants, and Registered Valuers who execute services on your behalf.
• Payment Processors: Razorpay, banks, and financial institutions for processing payments. We do not store your credit/debit card numbers on our servers.
• Government Authorities: MCA, Income Tax Department, GST Network, DPIIT, RBI, SEBI, Trademark Registry, and any other regulatory body where filing is required as part of our service.
• Technology Partners: Cloud hosting providers, email service providers, and analytics platforms that process data on our behalf under strict data processing agreements.
• Legal Requirements: When required by law, court order, subpoena, or government investigation.

7.3. All third-party processors are contractually bound to maintain the confidentiality and security of your data and are prohibited from using it for any purpose other than the service for which they are engaged.

8. Data Retention

• 8.1. We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.
• 8.2. Financial records and compliance documents are retained for a minimum period of 8 (eight) years from the date of the relevant transaction, in accordance with the Income Tax Act, 1961 (Section 44AA) and the Companies Act, 2013.
• 8.3. Communication records (emails, chat logs) are retained for 3 (three) years from the date of the last interaction.
• 8.4. Upon expiry of the retention period, or upon a valid erasure request (where no legal obligation overrides), data is securely deleted or anonymised.

9. Data Security Measures

We implement comprehensive technical and organizational measures to protect your data:

• 9.1. Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.2/1.3 (HTTPS). Sensitive documents at rest are encrypted using AES-256 encryption.
• 9.2. Access Controls: Role-based access control (RBAC) ensures that only authorised personnel can access your data, strictly on a need-to-know basis.
• 9.3. Authentication: Multi-factor authentication is available for user accounts. Passwords are stored using industry-standard bcrypt hashing algorithms and are never stored in plaintext.
• 9.4. Infrastructure: Our Platform is hosted on enterprise-grade cloud infrastructure with firewalls, intrusion detection systems, and regular security patches.
• 9.5. Incident Response: We maintain a data breach response plan. In the event of a breach, affected users and the Data Protection Board of India will be notified within 72 hours, as required under the DPDP Act.
• 9.6. Employee Training: All employees and contractors with access to personal data undergo regular training on data privacy and security best practices.

10. Your Rights as a Data Principal

Under the DPDP Act, 2023, you have the following rights:

• 10.1. Right to Access: You have the right to obtain a summary of your personal data being processed and the processing activities undertaken.
• 10.2. Right to Correction: You have the right to request correction of inaccurate or misleading personal data, and completion of incomplete data.
• 10.3. Right to Erasure: You have the right to request erasure of your personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
• 10.4. Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.
• 10.5. Right to Grievance Redressal: You have the right to file a complaint with our Grievance Officer (details in Clause 13) and, if unresolved, with the Data Protection Board of India.
• 10.6. Right to Nominate: You have the right to nominate another individual to exercise your rights in case of your death or incapacity, as provided under Section 14 of the DPDP Act.

To exercise any of these rights, please email us at connect@blackpapers.in with the subject line "Data Principal Rights Request." We will respond within 30 days.

11. Cross-Border Data Transfers

11.1. Your personal data is primarily stored and processed within the territory of India.

11.2. In limited circumstances, data may be transferred to servers located outside India (e.g., cloud hosting providers with global infrastructure). Such transfers are only made to countries or entities that the Central Government has not restricted under Section 16(1) of the DPDP Act, 2023.

11.3. We ensure that any cross-border transfer is subject to appropriate contractual safeguards, including Standard Contractual Clauses (SCCs) or equivalent data protection agreements.

12. Children's Privacy

12.1. Our Platform and services are not directed at individuals below the age of 18 years. We do not knowingly collect personal data from minors.

12.2. If we become aware that we have inadvertently collected personal data from a child without verifiable parental consent, we will take immediate steps to delete such data.

12.3. In accordance with Section 9 of the DPDP Act, processing of a child's personal data shall only be done with verifiable consent from the parent or lawful guardian.

13. Grievance Officer

In accordance with the IT Act, 2000 and DPDP Act, 2023, the details of our Grievance Officer are:

14. Changes to This Policy

14.1. We reserve the right to update or modify this Privacy Policy at any time. Any changes will be posted on this page with an updated "Last Revised" date.

14.2. Material changes (such as changes in the types of data collected or new third-party sharing) will be communicated to registered users via email at least 15 days prior to the change taking effect.

14.3. Continued use of the Platform after any modifications constitutes your acceptance of the revised Policy.

15. Governing Law & Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in New Delhi, India.