Privacy Policy

Effective date: 1 June 2025  ·  Last updated: 10 June 2026

1. Data Fiduciary

itrfa.in is operated as a personal tool for Indian residents to generate Schedule FA disclosures for their ITR-2/ITR-3. Contact for privacy matters: laybacklabs@gmail.com (Grievance Officer).

2. Personal Data Collected

When you upload CSV files, we process:

• Stock holdings — acquisition dates, quantities, cost basis per lot
• Transaction history — RSU vests, ESPP purchases, dividends, sale proceeds, dates and amounts
• Account / participant number (if entered on review screen)
• Email address (if entered for file delivery)

We do not collect your name, PAN, Aadhaar, or any government identifier. We use Google Analytics for anonymous usage statistics (see Sections 9–10); we do not use your data for advertising and we do not set advertising cookies.

3. Purpose of Processing

Sole purpose: compute Schedule FA (Table A2, A3, F) values from your Fidelity CSV exports and generate an ITR-ready JSON + Excel file for your personal use. Data is not shared with third parties, analysed in aggregate, or used for any other purpose.

4. Legal Basis (DPDPA Section 4)

Processing is based on your explicit consent given on the upload page before any data is processed. You may withdraw consent at any time by requesting deletion of your data (see Section 7).

5. Storage Location & Cross-Border Transfers

All data is stored exclusively in Google Cloud Platform, asia-south1 region (Mumbai, India):

• Uploaded CSV contents: Google Cloud Storage bucket (asia-south1)
• Metadata and parsed data: Google Cloud Firestore (asia-south1)
• Generated JSON/Excel outputs: Google Cloud Storage bucket (asia-south1)

Your uploaded financial data and generated files never leave India (Mumbai region). The only exception is anonymous, aggregated usage analytics collected via Google Analytics (see Section 9), which Google may process on its global infrastructure — this contains no uploaded financial data, name, or government identifier.

6. Data Retention

All uploaded data and generated outputs are automatically deleted after 30 days from the date of upload via:

• Google Cloud Storage object lifecycle rules (30-day age-based deletion)
• Firestore document TTL policy on the expire_at field

You are responsible for downloading your generated files before the 30-day window expires. We do not keep backups beyond this window.

7. Your Rights (DPDPA Chapter III)

• Right to access — your data is accessible via the review and result pages for your session
• Right to correction — re-upload corrected CSVs at any time
• Right to erasure — email laybacklabs@gmail.com with your upload URL and we will delete all associated data within 72 hours (usually done same day)
• Right to withdraw consent — stop using the service; your data auto-deletes in 30 days, or request immediate deletion as above
• Right to grievance redressal — contact the Grievance Officer at laybacklabs@gmail.com; we will respond within 48 hours

8. Security Measures

• All data in transit: TLS 1.2+ (HTTPS enforced)
• All data at rest: AES-256 encryption (Google Cloud default)
• Access: no human operator has routine access to uploaded files
• Uploaded files stored under UUID-named paths — not guessable
• No secrets, tokens, or PII are logged

9. Third-Party Services

• Google Cloud Platform (GCP) — storage and compute infrastructure, India region
• Google Analytics 4 — anonymous usage analytics (page views, button clicks); sets first-party analytics cookies; no uploaded financial data, name, or government identifier is sent
• Razorpay — payment processing (for paid downloads); Razorpay's own privacy policy applies to payment data
• Resend — transactional email delivery (download links); only your email address and file links are shared
• yfinance / Yahoo Finance API — historical stock prices (no personal data sent)

SBI TTBR exchange rates are fetched from public sources (SBI, FBIL, RBI). No personal data is transmitted in these requests.

10. Cookies & Tracking

We use Google Analytics 4 for anonymous usage statistics (page views and button clicks). GA4 sets first-party analytics cookies and an anonymised client identifier. We do not use advertising cookies, Meta Pixel, or remarketing, and analytics is never linked to your uploaded financial data. You can block analytics with any cookie/script blocker without affecting the tool.

11. Changes to This Policy

Material changes will be posted on this page with an updated date. Continued use after the update date constitutes acceptance.

Back to home