Privacy Policy
This policy describes how Econicial Intelligence collects, uses, stores, and protects your information when you use Shrixa and our related services. We are DPDP Act 2023 compliant by architecture, not just by policy.
Shrixa provides professional-grade TDS intelligence, financial modeling, compliance checklists, and regulatory awareness tools for Chartered Accountants. All outputs are for informational and professional use and do not replace advice from a qualified CA, tax adviser, or lawyer where required by law.
Who We Are
Econicial Intelligence ("we", "us", "our") is a Bengaluru-based technology company and the developer of the Shrixa mobile and web application. Shrixa is published on Google Play under the application ID com.shrixa.android and is available on iOS and web at shrixa.com.
Econicial Intelligence operates from Bengaluru, Karnataka, India. Our parent website is econicial.com. This Privacy Policy applies to all users of Shrixa and our related services.
Information We Collect
We collect the following categories of information:
- Account and profile information: Name, phone number, email address, professional credentials (such as ICAI membership number), and other details you provide at registration or in your profile.
- Authentication data: Credentials and verification data processed through Firebase Authentication (magic link and OTP) to secure your account.
- Financial and tax-related inputs: Data you enter into TDS calculators, income tax workspaces, financial models, or documents you upload for parsing — including salary figures, deduction estimates, capital gains data, business income, PAN-linked payee details, and P&L or cash-flow assumptions. This is sensitive financial information you voluntarily provide.
- Client data (CA users only): If you are a Chartered Accountant using Shrixa to manage your practice, you may input or upload data relating to your clients. See Section 13 on CA Professional Data for your specific obligations.
- Usage and diagnostics: How you interact with the app — screens opened, features used, crash reports, and performance data — where enabled and in line with your device or in-app privacy settings.
- Technical data: IP addresses, device type, operating system, app version, and similar technical identifiers needed for security monitoring, support, and compatibility.
- Biometric authentication: If you use fingerprint or face unlock, processing is performed entirely by your device's secure subsystem. We do not receive or store raw biometric data on our servers.
- Locally stored data: Some preferences and offline data may be cached on your device to improve speed and reduce unnecessary server calls.
How We Use Information
We use the information above solely to:
- Provide, operate, and improve Shrixa — including TDS workspaces, income tax computations, compliance checklists, financial modeling, and document-assisted workflows.
- Authenticate users, protect accounts, detect fraud or abuse, and monitor for unauthorised access.
- Generate AI-assisted features — including compliance risk alerts, TDS anomaly detection, and the Daily Regulatory Pulse — in a secure, isolated processing context.
- Send service-related communications — security alerts, account notices, deadline reminders, and responses to support requests.
- Comply with legal obligations under the Income Tax Act, DPDP Act 2023, and other applicable Indian law.
- Analyse aggregated or de-identified usage patterns to improve reliability and user experience, where permitted.
We do not use your financial inputs, client data, or uploaded documents to train any AI model — ours or anyone else's. AI-assisted features are generated in an isolated processing context. Your client's P&L is not our training set.
AI & Automation
Where Shrixa offers AI-assisted features — including TDS section suggestions, Finance Act citations, anomaly detection, the Daily Regulatory Pulse, and document understanding — we use the Anthropic Claude API (models: claude-sonnet-4-6 for complex reasoning and claude-haiku-4-5 for lightweight tasks).
All AI processing is subject to the following safeguards:
- Processing runs in an isolated, KMS-protected context — your inputs are not shared across user sessions.
- We use prompt caching on the Finance Act and Income Tax Act 2025 context only — never on user-specific data.
- Anthropic's usage policies prohibit training on API inputs. Your data is not used to improve public foundation models.
- Every AI output in Shrixa that references tax law includes a cited section reference. We do not present AI output as definitive legal advice.
Legal Bases
For users in India, we process personal data under the Digital Personal Data Protection (DPDP) Act, 2023 on the following bases: performance of a contract (providing the Services you signed up for), legitimate interests (securing the platform, preventing fraud, improving reliability), consent where required (optional analytics or marketing communications), and legal obligation (compliance with applicable Indian tax and data laws).
For users in the EEA, UK, or similar jurisdictions, we rely on equivalent legal bases under applicable data protection law including GDPR where relevant.
Infrastructure & Third-Party Providers
Shrixa is built on the following infrastructure. All providers are bound by contract to process data only for defined purposes:
Data Residency — India
For users in India, all personal and financial data is processed and stored within India using AWS Mumbai (ap-south-1). We do not use any other AWS region for primary data storage. This is a hard architectural constraint, not a policy preference.
Our compliance program is designed in line with the Digital Personal Data Protection (DPDP) Act, 2023 and related rules, including purpose limitation, data minimisation, access controls, and security safeguards. Compliance is reviewed as regulations and guidance evolve.
AWS ap-south-1 (Mumbai) · AES-256 encryption at rest · TLS in transit · KMS-managed keys · Zero cross-border transfer for Indian user data
How We Share Information
We do not sell your personal information. We share information only as follows:
- Service providers: Infrastructure vendors (listed in Section 6) that help us host, authenticate, and operate Shrixa, bound by contractual obligations.
- CA-to-client mapping: When a CA adds a client in Shrixa, the client receives a consent request and must explicitly approve before any data mapping occurs. Consent is stored and revocable at any time.
- Processing you direct: When you use AI features or document parsing, your inputs are transmitted to the relevant provider solely to deliver that feature.
- Legal and safety: When disclosure is required by law, regulation, court order, or to protect the rights and safety of users or Econicial Intelligence.
- Business transfers: In connection with a merger, acquisition, or sale of assets, subject to appropriate safeguards and notice.
International Transfers
Indian user data is stored exclusively in AWS ap-south-1 (Mumbai) and is not transferred internationally for primary storage. Certain processing — specifically Anthropic Claude API calls and Azure Document Intelligence OCR — may involve transmission to servers outside India. These transmissions are limited to the specific feature invoked, are encrypted in transit via TLS, and are subject to the data processing terms of Anthropic and Microsoft Azure respectively, both of which prohibit training on API inputs.
Retention
We retain your information for as long as your account is active or as necessary to provide the Services, meet legal obligations, resolve disputes, and enforce our agreements. TDS calculations and financial model data may be retained for a minimum of 7 years in line with Indian tax record-keeping obligations.
You may request deletion of your account or specific data at any time via the in-app settings or at econicial.com/account-deletion.html. Deletion is subject to applicable legal retention requirements.
Security
We implement the following technical and organisational measures to protect your information:
- AES-256 encryption at rest for all data stored in RDS PostgreSQL and S3.
- TLS encryption in transit for all data transfers between client and server.
- KMS-managed encryption keys with role-based access controls.
- VPC isolation for backend infrastructure — Lambda functions and RDS are not publicly accessible.
- Firebase Authentication with magic link — no passwords stored on our servers.
- Presigned S3 URLs for all document access — no direct public bucket access.
- IAM enforcement via dedicated Lambda with least-privilege policy.
No method of transmission or storage is 100% secure. We encourage you to use strong authentication and to report any suspected security issues to security@econicial.com.
Your Choices & Rights
Under the DPDP Act 2023 and applicable law, you have the right to:
- Access, correct, or update your personal information via in-app settings.
- Delete your account and associated data — see account deletion page.
- Withdraw consent for optional data processing (analytics, marketing) at any time from Settings.
- Object to or restrict certain processing where permitted by law.
- Receive your data in a portable, machine-readable format where required by law.
- Lodge a complaint with the Data Protection Board of India or applicable supervisory authority.
All optional consent items in Shrixa are unchecked by default in line with DPDP Act 2023 requirements. Account security and OTP communications are mandatory and cannot be disabled as they are required to operate the service.
CA Professional Data & Client Data Fiduciary
This section applies specifically to Chartered Accountants using Shrixa to manage their practice.
When you input or upload data relating to your clients — including PAN numbers, TDS figures, income details, or financial statements — you are acting as the data fiduciary for that data under the DPDP Act 2023. Econicial Intelligence acts as a data processor on your behalf. You are responsible for ensuring you have the lawful basis to process your clients' personal data using Shrixa.
Shrixa's CA-to-client data mapping feature requires explicit consent from the client before any data mapping occurs. This consent is recorded with purpose, data categories, and expiry, and is revocable by the client at any time from their settings. Econicial Intelligence does not share one CA's client data with any other CA or practice.
By using Shrixa to process client data, you represent that you have obtained all necessary consents and authorisations from your clients and that your use complies with your professional obligations under ICAI guidelines and applicable Indian law.
Children
Shrixa is a professional tool for Chartered Accountants and finance professionals. It is not directed at children under 18. We do not knowingly collect personal information from children. If you believe we have done so inadvertently, please contact us at privacy@econicial.com and we will promptly delete the information.
Cookies & Similar Technologies
Our mobile apps (Android and iOS) do not use browser cookies. The Shrixa web app at shrixa.com and our marketing website at econicial.com may use session cookies for authentication and performance. We do not use third-party advertising cookies. Any analytics are aggregated and de-identified.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will post the updated policy with a new "Last updated" date. Where changes are material, we will notify you via in-app notification or email before the changes take effect. Continued use of Shrixa after the effective date constitutes acceptance of the updated policy where permitted by law.
Contact Us
For privacy questions, data access requests, consent withdrawal, or complaints regarding Shrixa or Econicial Intelligence: