Privacy Policy

RocPrompt Technologies Pvt. Ltd. (“RocPrompt”, “we”, “us”, or “our”) operates the RocPrompt MCA Compliance Platform (the “Service”), available at rocprompt.in and its sub-domains.

We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, why we collect it, how we use it, and what rights you have in relation to it. It applies to all users of the Service — including CA and CS firm owners (“Tenants”), their employees (“Users”), and their clients (“Clients”).

By accessing or using our Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree with any part of this Policy, please do not use the Service.

The data controller responsible for your personal data is:

3.1 Information You Provide Directly

• Account registration: Firm name, owner name, email address, phone number, and password when you sign up for a RocPrompt account.
• Firm profile: PAN, GSTIN, registered address, city, state, and firm type (CA / CS / Enterprise).
• Client records: Company or LLP names, CIN, LLPIN, PAN, GSTIN, registered office address, director/partner details (names, DIN, PAN, contact information), and financial year data entered by your firm.
• Employee accounts: Names and email addresses of team members (associates, senior associates) you add to your firm account.
• Service requests: Details of compliance jobs raised, including service type, assigned employees, documents uploaded, and status notes.
• Communications: Email and WhatsApp messages sent through the platform between your firm and your clients.
• SMTP / email configuration: If you configure your own SMTP server for client communications, we store your SMTP host, port, username, and an encrypted password. We never use these credentials for any purpose other than sending emails on your behalf.
• Payment information: We do not store credit/debit card numbers. Payment processing is handled by our payment gateway partner and is subject to their privacy policy.

3.2 Information Collected Automatically

• Log data: IP address, browser type, operating system, pages visited, time and date of access, and time spent on pages.
• Device information: Device type, screen resolution, and browser version.
• Cookies and similar technologies: We use session cookies for authentication. We do not use tracking or advertising cookies. See Section 9 for details.
• Usage data: Features accessed, actions taken, and errors encountered — used to improve the Service.

3.3 Information from Third Parties

• MCA / GSTN data: We display publicly available data from the Ministry of Corporate Affairs (MCA21) portal. We do not independently collect this data — it is fetched from official government sources.
• WhatsApp Business API: If you enable WhatsApp messaging, Meta (WhatsApp) may provide delivery and read receipts for messages sent. No message content is stored by Meta on our behalf beyond what WhatsApp’s own policies govern.

We use the information we collect for the following purposes:

We do not sell your personal information to third parties. We do not use your data for advertising purposes.

We do not sell, trade, or rent your personal data. We share data only in these limited circumstances:

• Service Providers (Sub-processors): We use trusted third-party vendors to operate the Service. Each is bound by data processing agreements and may only process data on our instructions:
  • Amazon Web Services (AWS), AP-SOUTH-1 (Mumbai): Cloud hosting, database, file storage, and email delivery (SES). AWS Privacy Policy
  • Meta / WhatsApp Business API: WhatsApp message delivery (only if enabled by your firm). WhatsApp Privacy Policy
  • Razorpay: Payment processing. Razorpay Privacy Policy
• Within your firm account: Firm owners (Tenant Owners) can see all data within their account. Employees (Users) see data as per their role permissions. Clients see only their own data via the client portal.
• Legal requirements: We may disclose your information if required to do so by law, court order, or governmental authority, or to protect the rights, property, or safety of RocPrompt, our users, or others.
• Business transfer: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.

All data is stored on servers located in India (AWS AP-SOUTH-1, Mumbai). We do not transfer your personal data outside of India except where required by the sub-processors listed above (e.g., WhatsApp message routing), in which case appropriate safeguards apply.

We implement the following security measures:

• All data transmitted between your browser and our servers is encrypted using TLS 1.2+.
• Passwords are hashed using bcrypt with salt rounds. We never store plaintext passwords.
• JWT tokens are used for session management with configurable expiry.
• Tenant SMTP passwords are stored encrypted at rest.
• Database access is restricted to application servers via VPC security groups.
• File uploads are stored in private S3 buckets with signed URL access only.
• Regular security patches are applied to all infrastructure components.
• Access to production systems is restricted to authorised RocPrompt personnel only.

While we implement industry-standard security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.

We retain your data for as long as your account is active or as needed to provide you the Service:

• Active account dataRetained for the lifetime of your subscription.
• After account closureData is retained for 90 days to allow for account recovery. After 90 days, it is permanently deleted from our systems.
• Communication logsEmail and WhatsApp message logs are retained for 3 years for compliance and audit purposes.
• Billing recordsRetained for 7 years as required under the Income Tax Act, 1961 and Companies Act, 2013.
• Server logsAutomatically deleted after 30 days.

You may request early deletion of your data at any time (see Section 10 — Your Rights), subject to our legal retention obligations.

When you (a CA/CS firm) use RocPrompt, you enter personal data about your clients — company directors, partners, contact details, and financial information. In this context:

• You are the data controller for your clients' personal data.
• RocPrompt acts as a data processor — we process this data only as directed by you and only to provide the Service.
• You are responsible for ensuring you have the appropriate legal basis (e.g., consent, legitimate interest, or contractual necessity) to enter and process your clients' personal data on our platform.
• You must inform your clients about how their data is processed, in line with applicable Indian data protection laws.

The client portal allows your clients to view their own service requests, compliance status, and uploaded documents. Clients cannot access other clients’ data.

We use minimal cookies strictly necessary to operate the Service:

We do not use advertising cookies, cross-site tracking cookies, or analytics cookies that identify individual users. We do not use Google Analytics, Facebook Pixel, or similar third-party tracking scripts.

Under applicable Indian data protection law and best practices, you have the following rights regarding your personal data:

To exercise any of these rights, please email us at privacy@rocprompt.in. We will respond within 30 days. We may need to verify your identity before processing requests.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us at privacy@rocprompt.in and we will delete it promptly.

Our Service may contain links to third-party websites (such as MCA21, GSTN, RBI portals). We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Post the updated Policy on this page with a new “Last Updated” date.
• Send an email notification to the registered email of all Tenant Owner accounts.
• Display an in-app banner for 30 days after the change.

Continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy.

In accordance with the Information Technology Act, 2000 and the rules made thereunder, the name and contact details of the Grievance Officer are provided below:

If you have any questions, concerns, or requests about this Privacy Policy or our data practices, please contact us: