Privacy Policy
Effective: 23 May 2026
1. Who we are
ThynkTax is operated by Oris Intelligence Private Limited (CIN U72900KA2024PTC189342), an Indian company with its registered office in Bengaluru, Karnataka. For the purposes of the Digital Personal Data Protection Act 2023 ("DPDP Act"), we act as the Data Fiduciary for personal data you provide directly about yourself, and as a Data Processor for personal data you upload about your clients (where your firm or business is the Data Fiduciary).
2. What we collect - about you
Account data: name, email, mobile, role, firm name, ICAI membership number, GSTIN. Profile and preferences: language, theme, notification settings, white-label branding choices. Authentication artefacts: hashed credentials (never plaintext), MFA secrets, session tokens. Billing: only subscription state via ORIS Billing - we never see your card number.
3. What we collect - uploaded by you
Client identifiers: PAN, GSTIN, business name, addresses, contact persons. Transaction data: invoices, ledgers, payroll, TDS entries, ROC forms, ESI/PF entries. Documents: Form 16, audit reports, bank statements, tax notices. You are the Data Fiduciary for this data; we process it on your instructions.
4. What we collect automatically
Device and browser type, OS, IP address, approximate location (country/state). Pages visited, features used, time spent, errors encountered (telemetry). No keylogging. No screen recording. No third-party advertising trackers without your consent.
5. What we DO NOT collect
Aadhaar numbers in plaintext - where required for ITR e-verification, the number is SHA-256 hashed with an org-specific salt before storage. Plaintext is never persisted. Banking credentials - we use the Account Aggregator framework; your bank password / OTP never reaches our servers. Card numbers - payment processing is PCI-DSS Level 1 via ORIS Billing.
6. How we use your data (purposes)
(a) To provide the Service - run tax compliance workflows, generate returns, file with government portals, send notifications. (b) To improve the Service - anonymous and aggregated usage telemetry. (c) To comply with law - KYC, audit-log retention for tax filing defensibility, sanctions screening. (d) To bill you - via ORIS Billing. (e) To contact you - transactional always; marketing only with explicit opt-in.
7. Legal basis under the DPDP Act
Consent - for marketing, analytics, and any processing beyond the core Service. You can withdraw at /settings/preferences. Legitimate use under Section 7 - for performing the contract and complying with law. Employment - when you use the Service as an employee of a tenant.
8. How we share data
Government portals (GSTN via GSP, Income Tax e-filing via ERI, TRACES, MCA, EPFO, IRP) - only when you explicitly file a return through us. ORIS family services (Identity, Billing, Notifications, Storage, PDF, AI) - same India region, same DPA. Subprocessors - list at /legal/subprocessors, 30-day notice before material change. Statutory authorities - only when compelled by a valid legal order. We do NOT sell personal data.
9. Where your data lives
All personal data is stored in India (ap-south-1, Mumbai). We do not transfer personal data outside India for routine operation. Any cross-border transfer requires your explicit consent and is further subject to any country restrictions notified by the Central Government under Section 16 of the DPDP Act.
10. Retention
Active accounts: while your tenant subscription is active. Filing records: 8 financial years from the filing date - the minimum statutory retention for tax-audit defence. After account closure: personal data deleted within 90 days; filing records retained per the 8-year rule and then deleted. Audit logs: 10 years.
11. Your DPDP rights
Right to access - see what personal data we hold. Right to correction - fix inaccuracies. Right to erasure - delete (subject to the 8-year statutory retention). Right to grievance redressal - via the Data Protection Officer below. Right to nominate - appoint someone to act for you in case of death or incapacity. We respond to all rights requests within 30 days.
12. Security
AES-256 encryption at rest. TLS 1.3 in transit. Aadhaar SHA-256 hashed with org-specific salt. PAN AES-256 encrypted via pgcrypto. Row-level security on every tenant query - zero cross-tenant access. SOC 2 Type II audit in progress (target Q4 FY 2026-27). ISO/IEC 27001 in progress (target H2 FY 2026-27). 24x7 monitoring, structured audit logs, vulnerability disclosure program at /security.
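How the tenant isolation ("row-level security on every tenant query") and the PAN column encryption named above can be expressed in PostgreSQL, as an added illustration that is not ThynkTax's own schema or code. Table, column, role and setting names (client, pan_enc, thynk_app, app.tenant_id, app.pan_key) and the sample values are assumptions made for the example:

```sql
-- Illustration only: not ThynkTax's schema. All names and values below are assumed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE client (
  id        bigserial PRIMARY KEY,
  tenant_id uuid  NOT NULL,
  name      text  NOT NULL,
  pan_enc   bytea NOT NULL            -- PAN, AES-256 encrypted with pgp_sym_encrypt
);

-- Row-level security: every read and write is filtered by the tenant pinned on
-- the session. FORCE makes the policy apply even to the table owner.
ALTER TABLE client ENABLE ROW LEVEL SECURITY;
ALTER TABLE client FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL when no tenant is set, so an unpinned
-- session matches zero rows: the policy fails closed rather than open.
CREATE POLICY tenant_isolation ON client
  USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- The application role may read and write but cannot bypass RLS.
CREATE ROLE thynk_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON client TO thynk_app;
GRANT USAGE ON SEQUENCE client_id_seq TO thynk_app;

-- Per request, the app pins the tenant and supplies the column key for this
-- transaction only (third argument is_local = true, so nothing leaks to the
-- next request on a pooled connection). The key is assumed to come from the
-- app's KMS; it is never stored in the database.
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-4111-8111-111111111111', true);
SELECT set_config('app.pan_key',   'example-key-from-kms-not-a-real-key',   true);

INSERT INTO client (tenant_id, name, pan_enc)
VALUES (current_setting('app.tenant_id')::uuid,
        'Example Traders',                               -- constructed sample row
        pgp_sym_encrypt('ABCDE1234F',                    -- constructed sample PAN
                        current_setting('app.pan_key'),
                        'cipher-algo=aes256'));

-- Decrypts only rows the policy lets this tenant see.
SELECT name,
       pgp_sym_decrypt(pan_enc, current_setting('app.pan_key')) AS pan
FROM   client;
COMMIT;

-- A session pinned to a different tenant sees nothing, and no error is raised:
-- SELECT set_config('app.tenant_id', '22222222-2222-4222-8222-222222222222', true);
-- SELECT count(*) FROM client;   -- 0
```

Two points a practitioner checks when adopting this pattern: a wrong or missing tenant setting silently returns zero rows, so application code should assert on the affected row count of every UPDATE and DELETE instead of assuming success; and the encryption key must be injected per transaction from outside the database (as app.pan_key is here), because a key stored in a table or in postgresql.conf defeats the purpose of encrypting the column.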
13. Cookies and similar technologies
We use cookies for authentication (an HttpOnly session cookie), CSRF protection, theme preference, and - only with your consent - analytics. Manage consent at /cookies at any time. The first-visit banner asks for explicit consent before any analytics cookie is set.
14. Children
ThynkTax is a B2B service intended for businesses and tax practitioners. We do not knowingly collect personal data of children under 18. If discovered, we delete it.
15. Changes
Material changes get 30 days notice via email and an in-app banner. Full change log at /legal/privacy/changes.
16. Grievance Officer / Data Protection Officer
Per Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") and the DPDP Act 2023: Privacy Office, Oris Intelligence Private Limited. Email: dpo@thynktax.com (DPO) / grievance@thynktax.com (grievance). Address: Oris Intelligence Private Limited, Bengaluru, Karnataka, India. If you are not satisfied with our response, you may approach the Data Protection Board of India (constituted under the DPDP Act 2023).