Privacy Policy
Effective from 28 April 2026 · Last updated 09 May 2026
GST Reco is operated by Manual2AI Technologies Private Limited (“we”, “us”, “the operator”). This policy describes what data we collect when you use gstreco.m2ai.ai and the GST Reco Tally agent, why we collect it, who we share it with, and the choices you have. We have written this in plain English; it is consistent with the Digital Personal Data Protection Act, 2023 (DPDP Act) and is the basis on which we design every feature.
1. The data we collect
Account data — when you sign up, we store your full name, work email, the firm or company name you enter, and a salted bcrypt hash of your password. Optionally, you provide a GSTIN at signup; if you do, we validate the check digit but keep it as written.
Books data from TallyPrime — the agent you install on your Windows machine reads vouchers (purchase invoices, sales invoices, debit/credit notes), masters (vendor list, customer list, ledger details), and metadata (Tally company name, which user is logged in) and pushes them to our server. The data leaves your machine over TLS, signed with an HMAC-SHA256 key that lives in your machine's encrypted secret store; the network path is HTTPS only.
Portal data from the GST Network (GSTN) — when you authorise the GST portal connection, we fetch GSTR-2B, GSTR-2A, GSTR-1, and GSTR-3B for the GSTINs and periods you select. The fetch goes through a licensed GST Suvidha Provider (GSP) under our subscription; we never see or store your GSTN portal password. The portal-issued session token is encrypted at rest with AES-256-GCM, bound to your tenant, and rotated every six hours.
Reconciliation outputs — match results, workbook download records, claim-history records created from filing-workbook downloads, and vendor follow-up notifications. These are derived from your books + portal data and stored against your tenant.
Operational telemetry — server access logs (IP address, request path, response code, user-agent), client-side error events, and feature usage counters. We use these for debugging and capacity planning and retain them for 90 days.
2. Why we collect each category
- Account data — to authenticate you, scope your access to your own tenant, and contact you about your subscription or service issues.
- Books + portal data — to run the reconciliation engine and produce the filing workbook. This is the core service.
- Reconciliation outputs — to give you the workpapers you came to GST Reco for, and to power vendor follow-up.
- Operational telemetry — to keep the service up and to fix bugs.
We do not use your books or portal data for advertising, market research, training third-party models, or anything outside the reconciliation use case you signed up for.
3. How long we keep it
- Books + portal data — retained for the duration of your subscription plus 90 days, so a tenant that comes off-trial can resume without re-syncing. Once those 90 days after cancellation have passed, the data is hard-deleted.
- Account data — until you delete your account or until 24 months after your last login, whichever comes sooner.
- Operational telemetry — 90 days, rotated.
- Backups — encrypted Supabase point-in-time backups for 7 days, then aged out.
4. Who we share it with
We share data only with sub-processors required to run the service. Today these are:
- Supabase (USA / Singapore) — Postgres hosting + auth + object storage. Encryption at rest, TLS in transit, Row-Level Security per tenant.
- Vercel (USA / EU) — application hosting + edge function execution. No persistent customer data.
- Sandbox.co.in (India), via Quicko Infosoft — licensed GSP for portal access. Your GSTN session token passes through their gateway; we have a data processing agreement with them.
- Sentry (USA) — client + server error telemetry. We strip PII before sending; if a stack trace accidentally captures a GSTIN or invoice number we treat that as an incident and remediate.
We never sell your data. We never share it with advertisers, data brokers, or model trainers.
5. How we keep it safe
- TLS 1.2+ on every connection. HSTS preloaded.
- HMAC-SHA256 request signing on the agent → server boundary.
- AES-256-GCM encryption at rest for the agent's pairing secret and the GSP session token. Key derivation via HKDF-SHA256.
- Postgres Row-Level Security on every multi-tenant table. Cross-tenant reads are physically impossible at the database layer.
- Service-role keys live only on our server; the browser client uses a session-scoped JWT.
- Code review on every change; SECURITY DEFINER policy functions are tested via JWT claim impersonation before they are applied.
6. Your rights under DPDP Act 2023
You can ask us to:
- Access the personal data we hold about you.
- Correct data that is wrong or out of date.
- Erase your data and close your account.
- Port your data — we will export your books, reconciliation runs, and workbook history in JSON or .xlsx.
- Withdraw consent for any processing that is based on consent (e.g., marketing emails, optional telemetry).
- Nominate a representative to exercise these rights on your behalf in case of incapacity or death.
- Complain to the Data Protection Board of India if you believe we have violated DPDP.
Reach us at privacy@m2ai.ai. We respond within seven business days.
7. Cookies + local storage
We use first-party cookies for authentication (a Supabase session cookie) and a local-storage flag for theme preference (light / dark). We do not use third-party analytics cookies. We do not use cross-site tracking.
8. Children
GST Reco is a B2B service for registered Indian businesses and their tax advisers. It is not directed at children, and we do not knowingly collect personal data of users under 18.
9. Changes to this policy
When we change this policy materially we will notify you by email at least 14 days before the change takes effect. Minor clarifications are updated in place; the “last updated” date at the top reflects the most recent edit.
10. Contact us
Manual2AI Technologies Private Limited
Privacy queries: privacy@m2ai.ai
General support: support@m2ai.ai