Legal
Privacy Policy
1.Our Commitment
Reakon is committed to protecting the privacy and security of your personal and business data. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and what rights you have — in plain language.
We operate as a Data Fiduciary under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025 (notified 13 November 2025). We are committed to full compliance by the 13 May 2027 regulatory deadline and are implementing all requirements ahead of schedule.
2.What Data We Collect and Why
We collect only what we genuinely need. Nothing more.
A. Account and Identity Data
What: Name, business name, email, WhatsApp number, GSTIN, business address, CA firm name (if applicable).
Why: Create and manage your account, verify identity, communicate service updates, connect to GST portal.
Retention: Duration of account + 3 years after termination, or as required by law.
B. Invoice and Financial Data
What: Purchase bill images/PDFs, extracted invoice fields (vendor name, GSTIN, invoice number, date, amounts, HSN codes, tax rates, place of supply).
Why: Build your purchase register, validate GST compliance, perform ITC reconciliation, surface money owed to you.
Retention: Duration of account + 7 years post-termination (required under CGST Act Section 36).
C. GST Portal Data (via WhiteBooks)
What: GSTR-2A (real-time vendor filing data), GSTR-2B (static ITC statement), GSTIN verification data for your vendors.
Why: Reconcile your purchases against government records, identify your ITC position.
Retention: Duration of account + 7 years (consistent with CGST Act requirements).
D. Usage and Technical Data
What: IP address, device type, browser, access logs, feature usage patterns, error logs.
Why: Maintain security, troubleshoot, improve the platform, detect fraudulent use.
Retention: 12 months from collection.
E. Communications Data
What: Messages sent to and from our WhatsApp number, emails to our support team.
Why: Provide support, maintain conversation history for context, improve product.
Retention: 3 years from collection.
F. Customer Contact Data (Receivables Feature)
What: Names and WhatsApp/phone numbers of your customers provided for payment reminders.
Why: Send payment reminders on your behalf.
Retention: Deleted within 30 days of your request or account termination, whichever is earlier.
3.Legal Basis for Processing
Under the DPDP Act, 2023, we process your data on the following legal bases:
Consent
For all data processing not strictly necessary to deliver core Services — including marketing communications, optional product features, and third-party integrations. You may withdraw consent at any time.
Contractual Necessity
Processing your invoice data, GST data, and account data is strictly necessary to deliver the Services you subscribed to. Without this processing, we cannot provide the Services.
Legitimate Use
For fraud prevention, security monitoring, and legal compliance, we may process certain data under the DPDP Act's legitimate use provisions where explicit consent is not required.
4.How We Use Your Data
We use your data only for:
- Providing core Services: ITC reconciliation, receivables chasing, monthly money summaries, ITC-at-risk alerts.
- Communicating with you about your account, ITC position, deadlines, and important service alerts.
- Improving AI extraction accuracy using anonymised, aggregated, non-identifiable data only — never your identifiable data.
- Detecting and preventing fraud, abuse, and security incidents.
- Complying with legal obligations, including responding to lawful government requests.
- With your explicit additional consent: offering future features such as working-capital financing or credit scoring.
5.WhiteBooks Integration — Data Flows
We use WhiteBooks (operated by BVM IT Consulting Services India Private Limited) as our exclusive GSP for all GST portal connectivity. Here is exactly how data flows:
Outbound (us → WhiteBooks)
Your GSTIN and portal-authorised credentials to authenticate requests. Tax period for which GSTR-2A/2B is requested.
Inbound (WhiteBooks → us)
GSTR-2A, GSTR-2B, and taxpayer details for vendor GSTINs. This data is not used for any other purpose.
6.How We Share Your Data
WhiteBooks / BVM IT Consulting Services India Private Limited
To fetch GSTR-2A, GSTR-2B, and taxpayer data from GSTN on your behalf. They are our licensed data processor for GST connectivity.
Twilio / Meta (WhatsApp)
Message content and phone numbers exchanged via our WhatsApp Business interface. We limit what we share to what is operationally necessary for message delivery.
Cloud Infrastructure
We host on [AWS Mumbai / GCP Mumbai Region]. All data is stored on servers physically in India.
AI Processing (Anthropic)
Invoice images/PDFs are sent to the Anthropic Claude API for field extraction. We do not send your GSTIN, business name, or personally identifying information in AI requests. Anthropic does not use your data to train their models.
Legal Requirements
We may disclose your data if required by a valid court order, applicable law, or a direction from a competent government authority. We will notify you to the extent the law allows.
7.Data Storage and Security
Storage Location
Technical Security Measures
- Encryption in transit: TLS 1.3 for all data transmissions.
- Encryption at rest: AES-256 for all stored invoice and financial data.
- Role-based access controls with minimum necessary access principle.
- Two-factor authentication required for all internal system access.
- Regular security audits and annual penetration testing by an independent firm.
- Data minimisation: we process only what is strictly necessary.
Breach Notification
8.GST Data — Special Confidentiality
GST data carries specific legal confidentiality protections under the CGST Act, 2017. We:
- Access GSTR data exclusively to reconcile your input register and identify your ITC position — never for any other purpose.
- Do not share GSTR data with any financial institution, lender, credit bureau, or insurer without your explicit consent.
- Do not share GSTR data with your vendors, customers, or any other business entity.
- Do not use GSTR data for automated credit-scoring without a separate, explicit consent flow.
9.Your Rights Under the DPDP Act, 2023
To exercise any of these rights, email krishna@reakon.in with subject "Data Rights Request" and your registered GSTIN or email address.
10.Contact and Grievance Officer
| Privacy queries | krishna@reakon.in |
| Grievance Officer | Krishna Bhatnagar |
| Grievance email | krishna@reakon.in |
| Phone | +91 98102 22569 |
| Address | [REAKON ADDRESS], Gurgaon, Haryana |
| Hours | Monday–Friday, 10:00 AM – 6:00 PM IST |
| Response SLA | 15 business days |