Plain English summary: FinLytTech connects to your accounting software (Zoho Books or Tally Prime) to generate financial reports. We store your account credentials securely but do not store your financial data — it is fetched live each time you request a report and never saved to our servers.
FinLytTech ("FinLytTech", "we", "us", "our") is an AI-powered financial intelligence platform for Indian startups and small and medium enterprises. We are based in India and operate under the laws of India.
Data Fiduciary: ACETRILLYTICS TECH LLP
Contact: Contact Us | finlyt.net

| Category | What exactly | When collected | Stored? |
|---|---|---|---|
| Account data | Name, company name, email address, password (hashed) | On signup | Yes — encrypted |
| Business identifiers | Entity type and PAN (mandatory). GSTIN, CIN or LLPIN (conditional on entity type) | On signup | Yes — encrypted |
| Network metadata | IP address of every signup and sign-in | On signup and every login | Yes — server logs |
| Authentication tokens | Zoho Books OAuth access and refresh tokens | When you connect Zoho Books | Yes — encrypted |
| Financial data | P&L, Balance Sheet, Cash Flow, Chart of Accounts from your Zoho Books or Tally | When you generate a report | Snapshots only — see Section 4 |
| Usage data | Pages visited, features used, error logs | During product use | Yes — anonymised |
| Payment data | Subscription status, payment confirmation (not card details) | On payment | Yes — via Razorpay |

Why we collect business identifiers: Indian government IDs (PAN, GSTIN, CIN, LLPIN) are the only reliable way to ensure one account per legal entity — company names collide and email addresses don't. We use PAN as the unique key to prevent duplicate signups, and we use GSTIN to issue GST-compliant tax invoices on your subscription as required by Indian tax law. We never share these with third parties or use them for any purpose other than identity and billing.
Why we collect IP addresses: Logged for security (account-takeover detection), abuse prevention, and statutory record-keeping under Section 67C of the Information Technology Act, 2000. IP logs are retained for 12 months and then deleted.
We do not collect: Aadhaar, bank account details, biometrics, or any data beyond what is listed above.
We do not use your data for advertising, sell it to third parties, or use your financial data to train AI models.
This is the most important section for business users. Your company's financial data — P&L, Balance Sheet, Cash Flow, ledger entries — is never stored on FinLytTech's servers.
When you request a report, FinLytTech:
For Tally XML uploads: the uploaded XML file is processed and immediately deleted from our servers. It is not retained.
The AI narrative is generated by Anthropic's Claude API. Financial data is sent to Anthropic's API for this purpose under their data processing agreement. Anthropic does not use your data to train models (see their privacy policy at anthropic.com).
The following AI-powered features process data via Anthropic's Claude API: AI narrative generation, AI risk insights on ageing analysis, AI-drafted debtor and creditor follow-up emails, scenario analysis runs, and loan-readiness CMA generation.
What is sent to Anthropic:
What is NOT sent to Anthropic:
Consent and control. Every AI generation is triggered by you (or your invited team member) — there is no automatic background AI processing. The system displays a one-time per-session confirmation ("This will use 1 credit. Continue?") before each generation, which you may opt to skip for the rest of the session. There is no automatic regeneration: existing AI output is refreshed only when you click Regenerate or load new books / press F5.
Retention by Anthropic. Per Anthropic's API terms (anthropic.com/legal), inputs and outputs are retained only for abuse-monitoring purposes for up to 30 days and are not used to train models. FinLytTech itself retains the generated AI output text inside your account so you can view it without re-spending a credit; you may delete it from inside the dashboard at any time.
Right to opt out of AI. You may operate the platform without using any AI-credit-consuming feature. All deterministic functions (statements, ratios, ageing totals, exports, predictive alerts) work without any AI processing.

| Data | Service | Location | Security standard |
|---|---|---|---|
| Account data + OAuth tokens | Supabase | US (AWS us-east-1) | SOC 2 Type II, encrypted at rest (AES-256) |
| API processing | Render | Singapore (Southeast Asia) | TLS in transit, isolated containers |
| Frontend | Vercel | Global CDN | TLS, no personal data stored |
| AI narrative generation | Anthropic API | US | Enterprise data processing agreement |
| Payments | Razorpay | India | PCI-DSS compliant |

Data residency note: Account data is currently stored in US-based Supabase servers. The Digital Personal Data Protection Act 2023 (DPDP Act) has data localisation provisions that are not yet fully notified. We will migrate to India-region storage as and when required by law or when a Supabase India region becomes available.
We do not share your personal data with any other third parties. We do not use Google Analytics or any advertising trackers.
Under the Digital Personal Data Protection Act 2023, you have the following rights as a Data Principal:
To exercise any of these rights, send us a Data Rights Request via Contact Us. We will respond within 30 days.
Account deletion: To delete your FinLytTech account and all associated data, submit a Contact Us request. We will delete your account within 7 business days. This will revoke your Zoho Books connection and delete all stored tokens.

| Data type | Retention period | Reason |
|---|---|---|
| Account data (name, email, company) | Duration of account + 90 days after deletion | Account management |
| Zoho OAuth tokens | Until revoked or account deleted | Service continuity |
| Financial data (P&L, BS, CF) | Not stored — processed in memory only | Privacy by design |
| Payment records | 7 years | GST and accounting compliance under Indian law |
| Usage logs | 90 days | Security and debugging |

To operate the FinLytTech platform reliably and to diagnose issues you may encounter, we automatically record a limited set of service-operation events when you use the platform. We rely on legitimate interest as our legal basis under the Digital Personal Data Protection Act, 2023.
What we record:
What we deliberately do NOT record:
Each record contains: the event name, a sanitised metadata payload, your account identifier, your IP address, and your browser identifier. The payload is automatically scrubbed of any pattern that resembles a JWT token, API key, PAN, GSTIN, or Aadhaar number, and any string longer than 500 characters is truncated.
Retention: These records are stored for 90 days and then automatically purged.
How we use these records:
We do not use these records for marketing, profiling, ad targeting, or any purpose other than the ones listed above. We do not share these records with third parties.
Your rights specific to this section:
These rights are in addition to the data subject rights set out in Section 7 above.
When you open a support ticket from inside the dashboard (the green "?" button at the bottom-right of every page), we process and store the information needed to track, resolve, and follow up on your request. Our legal basis is contractual necessity under the Digital Personal Data Protection Act, 2023 — the support relationship is part of the service you've signed up for.
What we collect when you open a ticket:
What we deliberately do NOT collect on a ticket:
How we use ticket data:
Internal notes: Our support team may add internal notes against your ticket that you do not see (for example, technical investigation notes). These never leave the ticket record and are visible only to FinLytTech operators.
Email notifications: When you open a ticket, when our team replies, and when you reply back, we may send email notifications using the Zoho Mail service to your account email address. You can stop receiving these by closing the ticket (the "Resolved" state stops further notifications).
Retention:
We do not share ticket data with third parties, and we do not use the contents of your tickets for marketing, profiling, or model training of any kind.
Your rights specific to support tickets:
In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware of it, as required under the DPDP Act 2023.
FinLytTech is a B2B financial intelligence platform intended for use by businesses and professionals. We do not knowingly collect data from anyone under the age of 18. If you believe a minor has created an account, please contact us and we will delete it immediately.
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and notify registered users by email if changes are material. Continued use of FinLytTech after changes take effect constitutes acceptance of the updated policy.
For any privacy-related questions, data rights requests, or grievances:
FinLytTech — Data Fiduciary
Contact: Open the Contact Us form on finlyt.net
Website: finlyt.net
Response time: Within 30 days of receiving your request
This Privacy Policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of courts in India.