Privacy Notice

01SCOPE AND DEFINITIONS

This Privacy Notice describes how Levich Solutions Pvt. Ltd. (“Levich”, “we”, “us”) collects, uses, shares, and protects personal data when you use ZlyntOffice (the “Service”) — our practice management platform for Indian chartered accountants and finance professionals — and the marketing websites at zlyntoffice.com and levich.co.

In this Notice, “Customer” means the firm or organisation that subscribes to the Service. “Customer Content” means the client records, documents, tasks, and other data a Customer uploads to or generates within the Service. For Customer Content, the Customer is the Data Fiduciary and Levich acts as a Data Processor.

02INFORMATION WE COLLECT

Account information

When you create an account we collect your name, work email address, organisation name, role, and (if you opt in) a profile photo. We collect phone numbers only when you provide them — for example to receive OTPs or transactional alerts.

Customer Content

The Service stores the practice-management data your firm chooses to upload — client records, PAN/GSTIN where applicable, ITR/GST filing checklists, tasks, DSC metadata, invoices, and any documents attached to requests. We do not access Customer Content to read it, except as needed to operate, secure, support, or improve the Service, or when required by law.

Usage and technical data

We collect logs of feature usage, IP addresses, device and browser information, referrer URLs, and timestamps. We use a small set of analytics events to understand how features are used so we can prioritise improvements.

Cookies and similar technologies

We use strictly-necessary cookies to keep you signed in and to remember your preferences, and analytics cookies (where consented) to measure aggregate usage. We do not run third-party advertising trackers on the Service.

Information from third parties

If you sign in using Google or another identity provider, we receive the information that provider shares per the permissions you grant — typically your name and email address.

03HOW WE USE INFORMATION

We use the information described above to:

• Provide, operate, and maintain the Service for your firm.
• Authenticate users, send OTPs, and protect accounts from unauthorised access.
• Send transactional messages (billing, alerts, security notifications).
• Provide customer support, including diagnosing and resolving issues you raise with us.
• Improve the Service — measure feature usage in aggregate, debug errors, and prioritise roadmap work.
• Detect and prevent fraud, abuse, security incidents, and violations of our Terms.
• Comply with applicable legal and regulatory obligations, including responding to lawful requests from Indian authorities.

We do not sell personal data, and we do not use Customer Content to train general-purpose AI models.

04LEGAL BASIS

Where the DPDP Act 2023 applies, we process personal data on the following bases:

• Performance of contract with the Customer (your firm) — to provide the Service you have subscribed to.
• Consent — for analytics cookies, optional marketing communications, and any feature you must explicitly opt into.
• Legitimate use under DPDP §7 — for example, complying with a judgment, decree, or order; for medical emergencies; or for employment relationships, where applicable.
• Compliance with law — to meet our statutory and regulatory obligations under Indian law.

05SHARING AND DISCLOSURE

Sub-processors

We use a small set of trusted infrastructure providers to operate the Service. Current sub-processors include:

• DigitalOcean — primary hosting and managed database, region BLR1 (Bengaluru).
• Email and OTP delivery — transactional email and SMS providers used to deliver authentication codes and account notifications.
• Payments — payment-gateway providers used to bill subscriptions (we do not store full card numbers; the gateway is PCI-DSS compliant).

We maintain a current sub-processor list and will provide it on request to Customers with an active subscription.

Disclosures required by law

We will disclose information when compelled by valid legal process or where we believe in good faith that disclosure is necessary to comply with Indian law, protect the rights or safety of users, or address fraud or security issues.

No sale of personal data

We do not sell personal data and we do not share it for cross-context advertising.

06DATA STORAGE AND SECURITY

The Service is hosted on DigitalOcean in the Bengaluru region (BLR1). Personal data stays within India by default. We implement administrative, technical, and physical safeguards designed to protect personal data:

• TLS 1.2+ for all data in transit.
• Encryption at rest for primary databases and document storage.
• Role-based access control inside Levich, with least-privilege defaults and audit logs of administrative access.
• Multi-factor authentication for Levich engineering and support accounts.
• Regular dependency scanning and security review of code changes before they ship to production.

No system is impenetrable. If you believe a security issue affects the Service, please report it to contact@levich.co; we follow a coordinated-disclosure process and aim to acknowledge reports within one business day.

07DATA RETENTION

We retain personal data only as long as we need it to provide the Service or to meet a legal obligation.

• Active accounts: Customer Content is retained for as long as the Customer's subscription is active.
• Cancelled subscriptions: Customer Content is retained for a grace period of 30 days after cancellation so the Customer can export. After the grace period it is purged from production systems.
• Backups: Encrypted backups are rotated on a rolling 35-day schedule and overwritten by normal operation.
• Audit and billing records: Retained for as long as required by Indian tax, accounting, and other applicable statutes.

08YOUR RIGHTS

Subject to the DPDP Act 2023, you have the right to:

• Access a summary of the personal data we process about you.
• Correction of inaccurate or incomplete personal data.
• Erasure of personal data we no longer need to keep — subject to our legal-retention obligations.
• Withdraw consent you have previously given, with effect for the future.
• Grievance redressal — escalate to our Grievance Officer (details below) if you are not satisfied with our response.

For Customer Content, please raise rights requests with your firm (the Customer); we will support them in responding within the timelines the DPDP Act requires.

09INTERNATIONAL TRANSFERS

Personal data is stored in India. If we ever need to transfer personal data outside India — for example, to a sub-processor whose service is not available in the Bengaluru region (BLR1) — we will do so only to jurisdictions permitted under the DPDP Act and only under appropriate contractual safeguards. We will update this Notice and our sub-processor list before any such change takes effect.

10CHILDREN'S DATA

The Service is intended for use by professionals and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child's personal data has reached us, contact contact@levich.co and we will delete it.

11CHANGES TO THIS NOTICE

We will update this Notice from time to time as the Service evolves or the law changes. We will update the “Last updated” date at the top of this page; material changes will be communicated to active Customers by email at least 15 days before they take effect.

12CONTACT US

For privacy questions, security reports, or to exercise any of the rights described above, write to us at contact@levich.co.

• Email: contact@levich.co
• Website: https://levich.co
• Grievance Officer (per DPDP §8(10) and IT Rules):
  Levich Solutions Pvt. Ltd.
  Block 2, Ardente Office One, Hoodi Circle, Whitefield,
  Bengaluru, Karnataka 560048, India
  contact@levich.co

We aim to acknowledge requests within 72 hours and to substantively respond within the timelines required by the DPDP Act.