Privacy Policy

Last updated: March 20, 2026

1. Introduction

CSTrax ("we", "our", or "us") is a product of Wenvia Technologies, headquartered in Hyderabad, Telangana, India. We are committed to protecting the privacy and security of our users' personal and professional data. This Privacy Policy explains how we collect, use, store, share, and safeguard your information when you access or use the CSTrax platform ("the Platform").

By using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree with these practices, please do not use the Platform. This policy applies to all users of the Platform, including Tenant Administrators, Managers, Staff Users, and Clients.

2. Information We Collect

We collect and process the following categories of information:

2.1 Account Information

  • Full name, email address, and phone number provided during registration or invitation
  • Firm name, firm registration details, and professional credentials (e.g., ICSI membership number)
  • Role assignment within the Platform (Administrator, Manager, User, or Client)
  • Profile photograph (if voluntarily uploaded)
  • Password (stored as a one-way cryptographic hash; we never store plaintext passwords)
  • Two-factor authentication (2FA) configuration data, if enabled

2.2 Firm and Client Data

  • Client company details: name, CIN, registered address, director information, and authorized capital
  • Case records: service type, status, assignee, deadlines, SLA data, and case notes
  • Compliance records: regulatory filings, deadlines, penalty calculations, and compliance status
  • MCA filing data: form types, filing dates, acknowledgment numbers, and associated documents
  • Invoice and billing records: line items, amounts, payment status, and GST information
  • Time tracking entries: hours logged, billable classification, and associated case references

2.3 Documents

  • Files uploaded to the Platform including corporate documents, board resolutions, annual returns, financial statements, and correspondence
  • Documents generated within the Platform such as invoices, compliance reports, and draft letters
  • E-signature request metadata: signer identity, signing timestamp, IP address at time of signing, and document hash for integrity verification

2.4 Usage and Technical Data

  • IP addresses, browser type and version, operating system, and device information
  • Pages visited, features used, timestamps of actions, and session duration
  • Error logs and performance metrics for debugging and service improvement
  • Authentication events: login attempts (successful and failed), password reset requests, and session activity

2.5 Communication Data

  • Support tickets and correspondence submitted through the Platform
  • In-app notifications and their read/unread status
  • Email communications related to platform operations (verification, password reset, notifications)

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Delivery

  • Providing, operating, and maintaining the Platform and its features
  • Processing case management workflows, document storage, and compliance tracking
  • Facilitating e-signature workflows and document collaboration
  • Processing subscription payments and generating invoices through Razorpay
  • Managing user accounts, roles, permissions, and firm-level configurations

3.2 Communication

  • Sending transactional emails: account verification, password resets, case status updates, compliance deadline reminders, and e-signature requests
  • Delivering in-app and push notifications for assigned tasks, SLA alerts, and system announcements
  • Responding to support requests and providing customer assistance
  • Sending important service announcements such as scheduled maintenance, security alerts, or Terms updates

3.3 Analytics and Improvement

  • Analyzing usage patterns to improve user experience, identify popular features, and prioritize development
  • Generating aggregated, anonymized statistics for internal reporting (e.g., total cases processed, average response times)
  • Monitoring system performance, identifying bottlenecks, and optimizing infrastructure
  • Conducting A/B testing for feature improvements (using anonymized data only)

3.4 Security and Compliance

  • Detecting, preventing, and responding to security threats, fraud, and unauthorized access
  • Maintaining audit trails for regulatory compliance and dispute resolution
  • Enforcing our Terms of Service and acceptable use policies
  • Complying with applicable legal obligations, court orders, and regulatory requirements

4. Data Storage and Security

4.1 Infrastructure

  • Document Storage: All documents and files are stored on Cloudflare R2 object storage in the Asia-Pacific (APAC) region. Cloudflare R2 provides S3-compatible storage with built-in redundancy and high availability.
  • Database: Structured data (accounts, cases, compliance records, invoices) is stored in PostgreSQL databases with automated daily backups and point-in-time recovery capability.
  • Caching: Temporary session data and frequently accessed records are cached in Redis with appropriate TTL (time-to-live) expiration policies.
  • CDN: Static assets are served through Cloudflare's global content delivery network for performance and DDoS protection.

4.2 Encryption

  • In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and APIs.
  • At Rest: Data stored in our databases and object storage is encrypted at rest using AES-256 encryption. Database backups are also encrypted.
  • Passwords: User passwords are hashed using bcrypt with appropriate salt rounds. We never store or transmit passwords in plaintext.

4.3 Tenant Isolation

CSTrax operates on a multi-tenant architecture with strict logical data isolation. Every database query is scoped by the firm's unique identifier (firmId), enforced at the repository layer of the application. This means:

  • A firm's data (cases, documents, clients, employees, invoices) is never accessible by users of another firm
  • API endpoints enforce firm-level authorization on every request
  • Search results, reports, and analytics are always scoped to the requesting firm
  • Administrative actions by one firm cannot affect another firm's data or configuration
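The repository-layer scoping described above can be illustrated with a small, self-contained example. The code below is an added illustration and is not CSTrax's own code; it assumes a Python service with a SQLite table named cases and hypothetical Session, Case and CaseRepository names. The point it shows is that the firm identifier is taken from the verified session, not from request input, and that every SELECT and UPDATE carries the firm_id predicate, so a record id belonging to another firm simply does not resolve.

```python
"""Repository-layer tenant scoping (constructed illustration, not CSTrax code)."""
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Authenticated context. firm_id comes from the verified token, never from the request body."""
    user_id: str
    firm_id: str


@dataclass(frozen=True)
class Case:
    id: int
    firm_id: str
    title: str


class CaseRepository:
    """Every query carries the firm_id predicate; there is no unscoped accessor to call by mistake."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self._conn = conn

    def get(self, firm_id: str, case_id: int) -> Optional[Case]:
        row = self._conn.execute(
            "SELECT id, firm_id, title FROM cases WHERE id = ? AND firm_id = ?",
            (case_id, firm_id),
        ).fetchone()
        return Case(*row) if row else None

    def list_for_firm(self, firm_id: str) -> list[Case]:
        rows = self._conn.execute(
            "SELECT id, firm_id, title FROM cases WHERE firm_id = ? ORDER BY id",
            (firm_id,),
        ).fetchall()
        return [Case(*r) for r in rows]

    def rename(self, firm_id: str, case_id: int, title: str) -> int:
        # Writes are scoped the same way; rowcount 0 means "not yours" and is
        # indistinguishable from "does not exist" to the caller.
        cur = self._conn.execute(
            "UPDATE cases SET title = ? WHERE id = ? AND firm_id = ?",
            (title, case_id, firm_id),
        )
        self._conn.commit()
        return cur.rowcount


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two firms sharing one table with global primary keys."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cases (id INTEGER PRIMARY KEY, firm_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO cases VALUES (?, ?, ?)",
        [
            (1, "firm-A", "Annual return FY25"),
            (2, "firm-A", "Board resolution"),
            (3, "firm-B", "MCA filing"),
        ],
    )
    conn.commit()
    return conn


def get_case_for_session(repo: CaseRepository, session: Session, case_id: int) -> Optional[Case]:
    """Service-layer entry point: the only firm_id it can pass down is the session's."""
    return repo.get(session.firm_id, case_id)


if __name__ == "__main__":
    repo = CaseRepository(build_sample_db())
    firm_a = Session(user_id="u1", firm_id="firm-A")
    firm_b = Session(user_id="u2", firm_id="firm-B")
    print(get_case_for_session(repo, firm_a, 1))   # Case(id=1, firm_id='firm-A', ...)
    print(get_case_for_session(repo, firm_b, 1))   # None: same id, wrong firm
    print(repo.rename("firm-B", 1, "tampered"))     # 0 rows affected
```

A useful check when reviewing code written in this style is to grep the repository layer for any query on a tenant-owned table that lacks the firm_id predicate; the data model in the example is deliberately arranged so that such a query cannot be expressed through the public methods.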

4.4 Access Controls

  • Role-based access control (RBAC) with four distinct roles: Administrator, Manager, User, and Client
  • JWT-based authentication with HTTP-only secure cookies and automatic token rotation
  • Optional two-factor authentication (TOTP-based) for enhanced account security
  • API rate limiting to prevent abuse and brute-force attacks
  • Comprehensive audit logging of security-relevant events

5. Third-Party Services

We integrate with the following third-party services to provide and enhance the Platform. Each service receives only the minimum data necessary for its function:

  • Cloudflare (CDN, R2 Storage, DDoS Protection): Provides content delivery, object storage for documents, and protection against distributed denial-of-service attacks. Cloudflare processes request metadata (IP addresses, request headers) for security purposes. Cloudflare Privacy Policy.
  • Google OAuth: If you choose to sign in with Google, we receive your name, email address, and profile picture from Google. We do not access your Google Drive, Gmail, or other Google services. Google Privacy Policy.
  • Razorpay (Payment Processing): Processes subscription payments and recurring billing. Razorpay receives billing details necessary for payment processing. We do not store full credit card numbers on our servers. Razorpay Privacy Policy.
  • OnlyOffice (Document Editing): Provides collaborative editing for DOCX, XLSX, and PPTX files. Document content is transmitted to the OnlyOffice server for rendering and editing. We use a self-hosted OnlyOffice instance to maintain data control.
  • SMTP Email Provider: Transactional emails (verification codes, password resets, case notifications, compliance reminders) are delivered through our configured SMTP provider. Recipient email addresses and email content are transmitted to the provider for delivery.
  • Google Gemini (AI Features): If you use AI-assisted draft generation, the document context and your prompt are sent to Google's Gemini API. We do not send personally identifiable information in AI prompts. AI-generated content is not used to train third-party models.

6. Data Sharing

We do not sell, rent, or trade your personal information or firm data to any third party. We share your information only in the following limited circumstances:

  • With Your Consent: When you explicitly authorize us to share specific data with a third party, such as sharing case documents with a client through the Platform's collaboration features.
  • Service Providers: With trusted third-party service providers who assist us in operating the Platform (as listed in Section 5), subject to confidentiality agreements and data processing terms.
  • Legal Requirements: When required by law, regulation, legal process, or governmental request, including compliance with court orders, subpoenas, or requests from regulatory authorities such as the Ministry of Corporate Affairs (MCA) or the Institute of Company Secretaries of India (ICSI).
  • Protection of Rights: When we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a security incident.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such transfer and any changes to this Privacy Policy.

7. Cookie Policy

CSTrax uses a minimal set of cookies, limited to essential functionality. We do not use third-party advertising cookies or invasive tracking technologies.

  • Authentication Cookie (Essential): An HTTP-only, secure cookie containing an encrypted JWT token is used to maintain your authenticated session. This cookie is strictly necessary for the Platform to function and cannot be disabled. It expires when you log out or after a period of inactivity.
  • Refresh Token Cookie (Essential): A separate HTTP-only cookie stores a refresh token used to seamlessly renew your session without requiring re-authentication. This token is rotated on each use for security.
  • Language Preference (Functional): A cookie stores your selected interface language (English, Hindi, or other supported languages) so your preference persists across sessions.
  • Theme Preference (Functional): A cookie or localStorage entry stores your light/dark mode preference.

We do not use cookies for advertising, cross-site tracking, or behavioral profiling. You can manage cookie settings through your browser preferences, but disabling essential cookies will prevent you from using the Platform.

8. Data Retention

We retain your data according to the following schedule:

  • Active Subscription: All data is retained for the duration of your active subscription and is accessible through the Platform.
  • After Cancellation: Upon subscription cancellation or account termination, your data is retained in a read-only state for 90 calendar days. During this period, you may contact us to export your data or reactivate your account.
  • After Retention Period: Following the 90-day retention period, all firm data, documents, user accounts, and associated database records are permanently and irreversibly deleted from our primary systems and backups.
  • Permanent Deletion on Request: You may request immediate permanent deletion of your data at any time by contacting us at privacy@cstrax.com. We will process deletion requests within 30 business days, subject to any legal retention obligations.
  • Audit Logs: Security audit logs (login events, access logs, administrative actions) are retained for 12 months after account termination for security and compliance purposes, after which they are automatically purged.
  • Anonymized Data: Aggregated, anonymized usage statistics that cannot be linked to any individual or firm may be retained indefinitely for analytics and service improvement purposes.

9. Your Rights

We respect your rights regarding your personal data. Depending on your jurisdiction and applicable data protection laws, you have the following rights:

  • Right to Access: You may request a copy of all personal data we hold about you. Tenant Administrators can access and export firm-level data directly through the Platform's export features.
  • Right to Correction: You may request correction of any inaccurate or incomplete personal data. You can update most profile information directly through the Platform's settings.
  • Right to Deletion: You may request deletion of your personal data, subject to legal retention requirements. Upon receiving a valid deletion request, we will delete your data within 30 business days.
  • Right to Data Portability: You may request your data in a structured, commonly used, and machine-readable format (CSV, JSON, PDF). The Platform provides built-in export functionality for cases, clients, invoices, compliance records, and documents.
  • Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to Object: You may object to the processing of your personal data for direct marketing or analytics purposes.
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.

To exercise any of these rights, please contact us at privacy@cstrax.com. We will respond to your request within 30 business days. We may request identity verification before processing your request.

10. Children's Privacy

CSTrax is a professional business application designed for use by Company Secretary firms, their staff, and their corporate clients. The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If we become aware that we have inadvertently collected personal information from a child under 18, we will take immediate steps to delete such information from our records. If you believe that a child under 18 has provided us with personal information, please contact us at privacy@cstrax.com.

11. International Data Transfers

CSTrax primarily stores and processes data within the Asia-Pacific (APAC) region. However, some data processing may occur in other regions in the following circumstances:

  • Cloudflare's global CDN network may cache static assets at edge locations worldwide to optimize performance
  • Google OAuth authentication may involve data processing through Google's global infrastructure
  • AI-powered features (document drafting) may process data through Google Gemini servers located outside India
  • Email delivery may route through our SMTP provider's international infrastructure

Where data is transferred outside India, we ensure that appropriate safeguards are in place, including data processing agreements with our service providers that include standard contractual clauses and data protection commitments consistent with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • Material Changes: We will notify all Tenant Administrators via email at least 15 days before material changes take effect. An in-app notification banner will also be displayed to all users.
  • Non-Material Changes: Minor clarifications or formatting changes may be made without prior notice but will be reflected in the "Last updated" date at the top of this page.
  • Continued Use: Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the changes. If you disagree with any changes, you should discontinue use of the Platform.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Previous versions of this Privacy Policy are available upon request.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels:

Wenvia Technologies
Hyderabad, Telangana, India
CIN: [Company Registration Number]

We aim to respond to all privacy-related inquiries within 5 business days and to process formal data rights requests within 30 business days.