← Worknite

PRIVACY POLICY

Worknite — AI-Powered Tax Management Platform

Effective Date: 01 January 2026
Last Updated: 16 June 2026
Version: 2.0 (Comprehensive)


1. WHO WE ARE & JURISDICTION

Worknite is an AI-powered tax management and compliance platform for Indian taxation professionals and taxpayers, accessible at worknite.in. We are operated as an Indian entity and governed by Indian law.

This Privacy Policy explains how we collect, use, store, protect, and share your information when you use our platform — whether as:

  • Assessing Officers (AO) — government tax officers managing assessment proceedings
  • Chartered Accountants (CA) — tax professionals managing client portfolios
  • Taxpayers (PT) — individual or business taxpayers managing their own tax matters

This policy applies to all data you provide directly, data we collect through your use of the platform, and data we process on your behalf.


2. INFORMATION WE COLLECT

2.1 Account & Registration Information

  • Name, email address, phone number — required for account creation
  • Professional details — PAN (Permanent Account Number), CA membership number / government ID (for AO verification), designation, organization name
  • Profile data — photo (optional), department/firm details, geographic location
  • Authentication data — passwords, multi-factor authentication tokens (stored securely, never in plaintext)

2.2 Document & Case Data

  • Tax documents — Income Tax Returns (ITRs), Assessment Orders, Show Cause Notices, Replies, computation sheets, bank statements, GST returns, ledger copies
  • Unstructured files — PDFs, Word documents, Excel sheets, images of handwritten documents, scanned letters
  • Case metadata — case numbers, assessment year, taxpayer details, document upload timestamps, file sizes
  • Case notes — AI-generated summaries and analysis of uploaded documents (stored in encrypted form, containing only extracted keywords and findings, not full document copies)

2.3 Usage & Platform Data

  • Session data — login/logout times, pages visited, features used (build-memory, chat, draft generation, search)
  • Interaction data — chat messages, questions asked, drafts created, time spent per feature
  • Device & browser data — device type, OS, browser version, IP address, screen resolution
  • Performance data — page load times, error logs, API response times

2.4 Payment & Billing Information

  • Billing details — name, email, billing address, subscription tier selected
  • Payment data — transaction amount, date, reference ID (we do NOT store full card numbers, CVV, or full banking details; Razorpay processes and secures these)
  • Usage logs for billing — token consumption, feature usage, credits used/remaining

2.5 Communications

  • Support tickets — emails, chat messages sent to support team
  • Feedback & surveys — responses to feature feedback, user satisfaction surveys
  • Notifications — email/SMS delivery logs

2.6 AI Processing Logs

  • Model call records — timestamps, input token count, output token count, model used (Claude, GPT), feature triggering the call (build-memory, chat, draft), latency
  • Error logs — failed API calls, parsing errors, clarification needed from user
  • Cost logs — tokens consumed, USD cost, INR equivalent (for billing calculation)

3. HOW WE USE YOUR INFORMATION

We use your information for the following purposes:

3.1 Core Service Delivery

  • Generate AI-assisted outputs — case notes, draft notices (142(1), 133(6), SCN), chat responses, document summaries
  • Analyze and extract information — OCR for scanned documents, text extraction, contradiction detection, cross-document analysis
  • Maintain case continuity — storing case memory so your understanding persists across sessions
  • Process your requests — uploading documents, asking questions, generating drafts

3.2 Platform Improvement & Support

  • Respond to support queries — troubleshooting, feature requests, account issues
  • Improve platform features — aggregate usage analytics, identify bugs, optimize performance
  • Provide technical support — error investigation, system maintenance
  • Communicate updates — new features, platform changes, policy updates

3.3 Billing & Subscription Management

  • Process payments — charge subscription fees, manage refunds
  • Track usage for billing — token consumption, credit deduction, tier-appropriate limits
  • Generate invoices & receipts — transactional records for accounting
  • Manage subscription lifecycle — renewals, downgrades, cancellations

3.4 Legal & Compliance

  • Comply with Indian law — Income Tax Act 1961, Digital Personal Data Protection Act 2023 (DPDP Act), Bharatiya Nyaya Sanhita 2023
  • Respond to legal requests — government authorities, tax department, law enforcement (with proper warrant/legal process)
  • Audit & compliance records — maintain transaction logs for potential disputes, regulatory inquiries
  • Fraud & abuse prevention — detect misuse, unauthorized access, policy violations

3.5 Legitimate Business Interests

  • Platform analytics — understand user behavior (anonymized), feature adoption, churn analysis
  • Security monitoring — detect unusual account activity, prevent unauthorized access
  • System health — monitor infrastructure, prevent service disruptions

4. AI PROCESSING & YOUR DATA — CRITICAL INFORMATION

4.1 No Training on Your Data

Your documents, case notes, and messages are NEVER used to train or improve Claude, GPT, or any AI model — by Worknite or by our AI providers.

  • When you upload a document or ask a question, the input is sent to Anthropic (Claude) or OpenAI servers only to generate an output for your session
  • Once the output is generated and delivered to you, the input is not retained by these providers for training purposes
  • This commitment is enforced through Data Processing Agreements (DPA) with Anthropic and OpenAI, which contractually prohibit training use

4.2 AI Providers & Data Processing

We use the following AI models:

ProviderServiceModelsData RetentionLocation
AnthropicLarge Language ModelClaude Sonnet 4.6, Claude Haiku 4.5Session-only (not retained for training)USA
OpenAILarge Language Model (optional)GPT-4, GPT-4 TurboSession-only (per OpenAI's Data Privacy & Security FAQ)USA

4.3 What Information Goes to AI Providers

  • For case notes: your existing case note + new documents you upload
  • For chat: your question + context (case memory, document excerpts)
  • For drafts: case facts, relevant excerpts from documents, query about what draft to generate
  • For document extraction: the document itself (PDF, Excel, image, etc.)

4.4 What Information Does NOT Go to AI Providers

  • Your account credentials — passwords, OTP, API keys
  • Payment information — card numbers, banking details
  • Full document originals — only relevant excerpts for specific queries
  • Other users' data — your account is isolated; you cannot access others' documents

4.5 AI Output Ownership

All content generated by Claude, GPT, or other AI models is your intellectual property.

  • You own the generated case notes, draft notices, summaries, and analyses
  • You may use these outputs freely — file them with tax authorities, share them with clients, publish them
  • Worknite has no claim to this content

5. DATA STORAGE & SECURITY

5.1 Infrastructure & Hosting

  • Primary Database: Supabase (PostgreSQL), hosted in Singapore
  • Web Hosting: Vercel (Next.js deployment), hosted in USA (East, iad1)
  • File Storage: Encrypted cloud storage (encrypted at rest)
  • Backups: Automated daily backups, stored in Singapore (same region as primary database)

5.2 Encryption & Access Controls

  • Encryption at Rest: All data stored on disk is encrypted using AES-256
  • Encryption in Transit: All communication between your browser, our servers, and third-party APIs uses TLS 1.2 or higher (HTTPS)
  • API-level Encryption: Sensitive fields (documents, case notes) are encrypted at the application level before storage
  • Access Controls: Database access is restricted to authorized personnel via VPN; all access is logged and monitored
  • API Keys: API keys (Anthropic, OpenAI) are stored in encrypted environment variables, never committed to version control

5.3 Security Practices

  • Regular security reviews — code audits, dependency scans, penetration testing (planned)
  • Principle of least privilege — staff access only what they need to do their job
  • Audit logging — all data access is logged with user ID, timestamp, action
  • Incident response plan — procedures for detecting and responding to breaches
  • Vulnerability management — monitor for security advisories, patch promptly

5.4 Data Integrity

  • Database constraints — foreign keys, unique constraints to prevent data corruption
  • Transaction logging — all writes are logged and can be audited
  • Backup testing — periodic restore tests to ensure backups are usable
  • Version control — code changes are tracked; rollback possible if needed

6. DATA SHARING & SUB-PROCESSORS

6.1 Who We Share Your Data With

We share your data only in the following situations:

AI Processing (Required for Service)

ServicePurposeData SharedRetentionAgreement
Anthropic (Claude)Case analysis, chat, draft generationUploaded documents, case contextSession-only; not trained onDPA
OpenAI (if selected)Alternative AI modelUploaded documents, case contextSession-only; not trained onDPA

Infrastructure & Operations

ServicePurposeData SharedRetentionAgreement
SupabaseDatabase hostingAll structured data (encrypted)Until deletedService Agreement
VercelWeb hosting & deploymentSession data, request logs90 days (per Vercel policy)Service Agreement

Payments & Billing

ServicePurposeData SharedRetentionAgreement
RazorpayPayment processingName, email, transaction amountPer Razorpay's policy (typically 7 years for tax compliance)DPA

Support & Analytics

ServicePurposeData SharedRetentionAgreement
Email serviceSupport replies, notificationsSupport tickets, user emailPer email provider's policyService Agreement

6.2 Who We Do NOT Share Your Data With

  • Other users — your case data is isolated; other users cannot see it
  • Advertisers or marketing partners — we do not sell or share data for marketing
  • Data brokers — we do not sell your personal data to third parties
  • Social media platforms — we do not share data with Facebook, Google, etc. (unless you explicitly authorize)

6.3 Legal & Government Requests

We may share your data with government or legal authorities only in the following cases:

  • With a valid warrant — issued by a competent court under Indian law (Income Tax Department, Enforcement Directorate, Police, etc.)
  • To comply with legal process — summons, notice, court order
  • In an emergency — to prevent imminent harm, loss of life, or national security threat
  • With user consent — if you explicitly authorize us to share data with a specific party

Procedure:

  1. We receive a legal request (warrant, summons, notice)
  2. We verify the authenticity of the request with issuing authority
  3. We notify the user (if legally permitted) that their data has been requested
  4. We provide only the minimum data necessary to comply
  5. We document the request for our records

We do not comply with requests that:

  • Lack proper legal authority
  • Are overly broad or fishing expeditions
  • Violate DPDP Act protections

7. INTERNATIONAL DATA TRANSFER

7.1 Cross-Border Data Flow

Your data is transferred to the following countries as part of normal service delivery:

DestinationServiceLegal BasisSafeguard
USAAnthropic (Claude API), OpenAI (API), Vercel (hosting)User consent (Terms of Service) + DPDP adequacy assessmentData Processing Agreements with safeguards
SingaporeSupabase (database hosting, backups)User consent (Terms of Service)Encryption at rest, access controls
IndiaRazorpay (payment processing)User consent (Terms of Service)Domestic service, RBI-regulated

7.2 Adequacy & Safeguards

Under DPDP Act 2023, India has not yet declared any country as "adequate" for data transfers. However:

  • Transfers are based on your explicit consent (by using the platform)
  • We use contractual safeguards (Data Processing Agreements, Standard Contractual Clauses)
  • Sensitive data is encrypted before transfer, so cross-border data is in ciphertext
  • You may request local-only storage (though this may limit some features); contact support@worknite.in

8. DATA RETENTION & DELETION

8.1 Data Retention by Type

Data TypeRetention PeriodReason
Case documentsUntil case deletion + 30 days (archive recovery window)Allow recovery of accidentally deleted cases
Case note (memory)Until case deletion + 30 daysSame as above
Chat historyUntil case deletion + 30 daysSame as above
ai_usage_logs1 yearBilling accuracy, dispute resolution, system performance analysis
Account metadataUntil account deletionAccount management, compliance
Backup data30 days after deletionDisaster recovery, compliance
Email communications1 yearSupport ticket closure, reference
Error logs / debug data90 daysSystem improvement, troubleshooting

8.2 User-Initiated Deletion

You can delete your data in two ways:

Case Deletion (Single Case)

  • What deletes: all documents, case note, chat history, timeline, issues, findings — everything associated with that case
  • What persists: aggregate usage logs (ai_usage_logs) for 1 year (for billing/audit)
  • Recovery window: 30 days (contact support@worknite.in to recover; after 30 days, permanent)
  • Effect on generated content: any drafts you've downloaded are yours to keep; we delete our copies

Account Deletion (Full Account)

  • What deletes: all cases, documents, notes, chat history, account profile, payment history (except invoices)
  • What persists:
    • Invoices (for 7 years, per Indian tax law)
    • Anonymized usage logs (ai_usage_logs without user ID, for 1 year)
    • Server logs and backups (30-day window, then purged)
  • Recovery window: 30 days (contact support@worknite.in; after 30 days, permanent deletion initiated)
  • Time to complete: 5-7 business days

8.3 Automatic Deletion

  • Inactive accounts: accounts inactive for 5+ years may be flagged for deletion (we'll email you first)
  • Trial accounts: free trial data deleted 90 days after trial end (if not converted to paid)

8.4 Legal Hold

If you're involved in a legal dispute or tax audit, your data may be held beyond the normal retention periods per government request.


9. YOUR RIGHTS UNDER DPDP ACT 2023

9.1 Right to Access

You have the right to know what personal data we hold and how we use it.

  • How to exercise: Email support@worknite.in with "Data Access Request" in the subject
  • What you'll get: A copy of all personal data we hold about you (documents, messages, metadata, AI logs)
  • Timeline: Within 30 days
  • Cost: Free (except for large data exports, which may incur a nominal fee)

9.2 Right to Correction

If any of your personal data is inaccurate or incomplete, you can request correction.

  • How to exercise: Email support@worknite.in with "Data Correction Request" + details
  • Examples: Wrong phone number, incorrect PAN, misspelled name
  • Timeline: Within 30 days
  • Cost: Free

9.3 Right to Erasure ("Right to Be Forgotten")

You can request deletion of your personal data in certain circumstances:

  • Grounds: data no longer needed for original purpose, consent withdrawn, data processed unlawfully, legal obligation to delete
  • How to exercise: Email support@worknite.in with "Data Erasure Request"
  • Exceptions: We may retain data if required by law (e.g., invoices for 7 years under tax law)
  • Timeline: Within 30 days
  • Cost: Free

9.4 Right to Data Portability

You can request your data in a structured, portable format (CSV, JSON).

  • How to exercise: Email support@worknite.in with "Data Portability Request"
  • Format: JSON or CSV (we'll provide what's technically feasible)
  • Timeline: Within 30 days
  • Cost: Free
  • Limitations: Some derived data (e.g., AI-generated case notes) may not be easily portable

9.5 Right to Withdraw Consent

You can withdraw consent for data processing at any time.

  • Effect: Worknite will stop processing your data (but may not be able to delete already-processed data)
  • How to exercise: Email support@worknite.in with "Withdraw Consent" + specify which processing activities
  • Timeline: Processed within 30 days
  • Service impact: Withdrawing consent for AI processing will disable case analysis, chat, drafts

9.6 Right to Lodge a Complaint

If you believe we've violated your DPDP Act rights, you can file a complaint with the Data Protection Board of India (after exhausting internal remedies with us first).

  • Our internal grievance process: Email support@worknite.in with "DPDP Complaint"; we'll respond within 30 days
  • DPB Complaint: If unsatisfied, file with DPB (mechanism TBD by Government of India; process will be published on official portal)

9.7 Right to Nominate a Representative

You can nominate another person to exercise your DPDP rights on your behalf.

  • How: Email support@worknite.in with "Nominate Representative" + nominated person's name, email, relationship
  • Verification: We'll verify the nomination before allowing the representative to make requests

10. COOKIES & TRACKING

10.1 Essential Cookies

We use the following essential cookies required for platform functionality:

CookiePurposeLifetimeType
session_idMaintain your login sessionSession (until logout)Essential
csrf_tokenPrevent cross-site request forgery attacksSessionEssential
theme_preferenceRemember your dark/light mode choice1 yearEssential
language_preferenceRemember your language setting1 yearEssential

10.2 Analytics Cookies (Optional)

We may use analytics cookies to understand usage patterns:

  • Tool: Plausible Analytics (privacy-focused, no third-party tracking)
  • Data collected: page views, features used, rough geographic location (country/city level, not IP-based)
  • Retention: 90 days
  • User control: You can disable analytics in your account settings

10.3 Third-Party Cookies

We do NOT use cookies from advertisers, social media platforms, or data brokers.

10.4 Opt-Out

You can disable non-essential cookies through your browser settings (Settings → Privacy → Cookies). However, this may affect platform functionality.


11. CHILDREN & MINORS

Worknite is not intended for children under 18 years old. We do not knowingly collect data from minors.

If you believe we have collected data from a minor, please notify us immediately at support@worknite.in, and we will delete the data promptly.

Parents or guardians may request deletion of their child's account and data under this section.


12. SENSITIVE PERSONAL DATA

Under DPDP Act 2023, the following are classified as "sensitive personal data":

  • Government ID numbers (PAN, Aadhaar, passport)
  • Financial information (bank account details, credit card numbers, transaction history)
  • Health data (medical records, if uploaded as part of case documents)
  • Biometric data (fingerprints, face recognition)

Our handling of sensitive data:

  • Stored with enhanced encryption (AES-256)
  • Access restricted to authorized personnel only
  • Never shared with third parties except as required by law
  • Retained only as long as necessary for the stated purpose
  • User can request erasure at any time (except where legally required to retain)

13. CALIFORNIA & GDPR COMPLIANCE NOTE

If you are a resident of California, you have rights under the California Consumer Privacy Act (CCPA). If you are in the European Union, GDPR may apply. However, Worknite is primarily designed for Indian taxation professionals and Indian law compliance.

For California residents: You have rights to know, delete, and opt-out; these are largely covered by our DPDP Act compliance above.

For EU residents: GDPR may override some of this policy. We recommend consulting with a data protection officer.

Please contact support@worknite.in for jurisdiction-specific inquiries.


14. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect:

  • Changes in applicable law
  • Changes to our data practices
  • New features or services
  • Feedback from users or regulators

Notification of Changes

  • Material changes (that affect your rights) will be communicated via email to your registered account email
  • Minor changes (clarifications, formatting) will be published here without notice
  • Continued use of Worknite after updates constitutes your acceptance of the updated policy

History of updates:

  • 01 January 2026: Version 1.0 (launch)
  • 16 June 2026: Version 2.0 (comprehensive update — added international data transfer, sub-processor list, detailed retention, DPDP rights)

15. CONTACT & GRIEVANCE REDRESSAL

15.1 General Inquiries

Email: support@worknite.in
Phone: [TBD — add your support number]
Address: [TBD — add your registered office address]
Hours: Monday–Friday, 10 AM–6 PM IST

15.2 Privacy-Specific Inquiries

Email: privacy@worknite.in (or support@worknite.in with "PRIVACY" in subject)
DPDP Complaints: support@worknite.in with "DPDP Complaint" in subject
Data Access/Erasure Requests: support@worknite.in with "Data Access Request" / "Data Erasure Request" in subject

15.3 Grievance Redressal Process

  1. Submit complaint via email with detailed description
  2. Acknowledgment within 2 business days
  3. Investigation within 15 days
  4. Response with resolution or explanation within 30 days
  5. Appeal: If unsatisfied, escalate to Data Protection Board of India (process TBD by government)

15.4 Data Protection Officer (DPO)

[TBD — nominate a DPO once you scale to 100+ employees]
Role: Oversee DPDP Act compliance, address user grievances, monitor data practices


16. DEFINITIONS

  • Personal Data: Any information relating to a natural person (name, email, PAN, etc.)
  • Sensitive Personal Data: Government IDs, financial data, health data, biometric data
  • Processing: Any operation on data (collection, storage, use, deletion, etc.)
  • Data Principal: You (the user whose data is being processed)
  • Data Fiduciary: Worknite (the entity deciding how data is processed)
  • Data Processor: Third parties processing data on our behalf (Anthropic, Supabase, Vercel)
  • Consent: Your voluntary, specific, informed agreement to process data in a particular way
  • Data Breach: Unauthorized access, loss, or destruction of personal data

17. ACKNOWLEDGMENT

By using Worknite, you acknowledge that:

  • You have read and understood this Privacy Policy
  • You consent to the collection and use of your information as described
  • You are aware of international data transfers and AI processing
  • You understand your rights under DPDP Act 2023
  • You accept this Privacy Policy and agree to be bound by it

If you do not agree with any part of this policy, do not use Worknite.


18. ADDITIONAL RESOURCES


End of Privacy Policy

Document Version: 2.0
Last Updated: 16 June 2026
Next Review: 16 June 2027 (or upon material legal change)

For any questions or concerns, contact support@worknite.in.