This Privacy Policy explains how Quillix ("Quillix", "we", "us", or "our") collects, uses, stores, shares, and protects personal data of users of the Quillix software platform (the "Platform"), accessible at [quillix.co / final domain] and through any associated mobile or web applications.
Quillix is operated by [LEGAL ENTITY NAME], with its principal place of business at [REGISTERED ADDRESS, Chennai, Tamil Nadu, India].
We are committed to processing personal data lawfully, transparently, and in accordance with:
For the purposes of the DPDP Act, Quillix acts as a Data Fiduciary in relation to data for which we determine the purpose and means of processing (such as account information of audit firm staff and authentication data), and as a Data Processor in relation to data that audit firms enter into the Platform on behalf of their clients (such as customer records, invoices, and sales transactions).
This Policy should be read together with our Terms of Service.
We collect only the data we need to operate the Platform.
When an Audit Firm signs up for or uses Quillix, we collect:
In the course of using Quillix's bookkeeping and GST features, Audit Firms or their authorised users enter:
For data covered by Section 3.2, the Audit Firm acts as the Data Fiduciary and Quillix acts as the Data Processor. The Audit Firm is responsible for obtaining all necessary consents from the Data Principals concerned.
When you use the Platform, certain data is collected automatically:
We do not collect biometric data, location data beyond IP-derived approximate geography, advertising identifiers, or behavioural data for advertising or profiling purposes.
To remove any ambiguity, Quillix does not:
Under the DPDP Act, we process personal data on the lawful basis of consent or legitimate use as expressly recognised by the Act. The table below sets out each purpose, the data involved, and the legal basis.
| # | Purpose | Categories of Data | Legal Basis |
|---|---|---|---|
| 1 | Create and manage your user account, authenticate you, and provide access to the Platform | Identity, contact, authentication credentials | Consent (provided at signup); Performance of contract |
| 2 | Provide the bookkeeping, invoicing, GSTR-1 generation, and Tally export features | Data entered under Section 3.2 | Performance of contract; Processing on behalf of Audit Firm |
| 3 | Process subscription payments, issue invoices, and manage billing | Identity, contact, billing data | Performance of contract; Compliance with tax laws |
| 4 | Communicate with you about service updates, security alerts, deadlines, and important changes | Identity, contact data | Legitimate use; Performance of contract |
| 5 | Detect, prevent, and respond to fraud, security incidents, and abuse | Technical, usage, authentication metadata | Legitimate use; Compliance with applicable law |
| 6 | Maintain audit logs and meet record-keeping obligations under tax and IT laws | All data necessary | Compliance with applicable law (incl. Section 36 of the CGST Act, 2017) |
| 7 | Respond to your grievances, support requests, and enquiries | Identity, contact, communication content | Performance of contract |
| 8 | Comply with court orders, lawful directions of regulators, or other legal obligations | Any data legally required | Compliance with applicable law |
| 9 | Send marketing communications about new features (only with separate, withdrawable consent) | Identity, contact data | Consent (separate from signup, opt-in) |
We will not process your personal data for any purpose materially different from those above without giving you advance notice and, where required, obtaining your fresh consent.
Quillix shares personal data only with the limited categories of recipients described below. We do not sell, rent, or trade personal data.
| Service Provider | Function | Location of Data |
|---|---|---|
| Google LLC / Google Cloud (Firebase Authentication, Cloud Firestore, Firebase Hosting) | User authentication, encrypted database storage, web hosting | Mumbai, India (asia-south1 region) |
| Razorpay Software Private Limited | Payment processing for subscriptions | India |
| [Email service — e.g. Resend / SendGrid] | Transactional email (verification, password reset, notifications) | [Region] |
| [Customer support platform, if any] | Helpdesk and ticket management | [Region] |
We require all sub-processors to commit, by contract, to: process personal data only on our documented instructions; implement reasonable security safeguards; notify us promptly of any data breach; delete or return personal data on termination; and be subject to confidentiality obligations.
We will update this list whenever we add or change a material sub-processor. Material changes will be notified by email to the Audit Firm's primary contact at least 15 days before they take effect.
Personal data entered into the Platform is, by design, accessible to authorised users of the same Audit Firm, in accordance with the role-based access controls configured by that firm (Auditor, Store Admin, Store User). Tenant isolation rules ensure that data of one Audit Firm is never accessible to users of another Audit Firm.
We may disclose personal data if required to do so by a court order, summons, or directive issued by a regulator (including the Data Protection Board of India, the GST authorities, the Income Tax Department, MeitY, or law-enforcement agencies); or by Indian or foreign law where we are reasonably satisfied of the lawful basis. Where legally permitted, we will notify the affected Audit Firm before making such a disclosure.
If Quillix is involved in a merger, acquisition, sale of assets, financing, or insolvency, personal data may be transferred to the successor or acquiring entity. In such an event we will notify Audit Firms by email at least 30 days in advance, ensure the successor is bound by privacy obligations no less protective than this Policy, and provide Audit Firms the option to terminate and request export/deletion of their data before the transfer takes effect.
The DPDP Act permits transfer of personal data to jurisdictions other than those notified by the Central Government as restricted. As of the Effective Date, the Central Government has not notified any restricted jurisdictions.
Quillix's primary data storage is in Mumbai, India (Google Cloud's asia-south1 region). Some sub-processors (for example, certain transactional email services) may process data outside India. Where such transfers occur, the recipient is contractually bound to safeguards equivalent to those required under Indian law, transfers are limited to data necessary to perform the relevant function, and transfers comply with the DPDP Act and any government notifications in force.
We retain personal data only for as long as necessary to fulfil the purposes set out in Section 4, or as required by applicable law.
| Category of Data | Retention Period |
|---|---|
| Account, login, and identity data | For the duration of the active subscription, plus 30 days after termination (during which export is available), then deleted. |
| Sales transactions, invoices, customer/stock/ledger masters, and GSTR-1 data | For the duration of the subscription. After termination: retained for 8 years per Section 36 of the CGST Act, 2017, which requires every registered person to maintain books for 72 months from the due date of the relevant annual return. |
| Backups containing any of the above | Overwritten on a rolling basis, with no backup retained longer than 90 days beyond the underlying record's retention period. |
| Audit logs (security events, access logs) | 2 years from the date of the event, per Rule 6 of the DPDP Rules 2025. |
| Marketing consent records and withdrawal records | 3 years from the date of withdrawal or last interaction. |
| Support communications | 3 years from the date of the communication. |
| Data required to defend legal claims | Until the relevant limitation period under Indian law expires. |
When an Audit Firm terminates its subscription, within 30 days of termination the Audit Firm may export all data via the Platform's export functions (CSV, XML, JSON, Tally CSV/XML, GSTR-1 JSON). After 30 days, we will permanently delete all personal data except records we are legally required to retain (such as those required by the CGST Act). Deletion from primary storage occurs within 30 days; deletion from backups occurs within a further 90 days.
Upon a valid Data Principal request for erasure (Section 8.3), we will act within 7 days of receipt, subject to legal retention obligations.
Under the DPDP Act, you have the following rights in relation to your personal data:
You have the right to obtain a summary of the personal data being processed about you and the processing activities undertaken, along with the identities of any other Data Fiduciaries with whom your personal data has been shared.
You have the right to correct inaccurate or misleading personal data, complete incomplete personal data, and update outdated personal data.
You have the right to request the deletion of your personal data, except where we are legally required to retain it (for example, under the CGST Act or other tax laws).
You have the right to a readily available means of grievance redressal, with a response from us. If you are dissatisfied with our response, you may approach the Data Protection Board of India.
You have the right to nominate any other individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
Where processing is based on your consent, you have the right to withdraw that consent at any time, with effect for the future. Withdrawal will not affect the lawfulness of processing that occurred before the withdrawal.
To exercise any of these rights, contact our Grievance Officer using the details in Section 13. We will respond within a reasonable period and in any case within 30 days (or 7 days for erasure requests); verify your identity before processing the request; and provide our response free of charge for the first request in any 12-month period.
If your data was provided to us by an Audit Firm in the course of processing on its behalf (Section 3.2), we may direct you to that Audit Firm in the first instance, as it is the Data Fiduciary for that data.
We implement reasonable security safeguards designed to protect personal data from unauthorised access, alteration, disclosure, or destruction. These safeguards include the measures listed in Rule 6 of the DPDP Rules 2025 to the extent applicable to our scale of processing.
No system is perfectly secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for keeping your login credentials confidential and for promptly notifying us of any suspected unauthorised access.
If a personal data breach affecting your data occurs, we will:
We treat this obligation seriously and do not condition notification on the severity of the breach.
The Platform uses cookies and similar technologies (such as localStorage and IndexedDB) for the following purposes:
We do not use third-party advertising cookies, behavioural tracking pixels, or analytics that share data with advertising networks. We may, in future, use a privacy-respecting first-party analytics tool to understand product usage in aggregate; if and when we do, this Policy will be updated.
You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent the Platform from working.
The Platform is intended for use by Audit Firms and their authorised employees, who must be of legal age to enter into a contract under Indian law (18 years).
We do not knowingly collect personal data of any individual under the age of 18. Under the DPDP Act, processing of personal data of children (defined as individuals under 18) requires verifiable parental consent, and certain types of processing (including tracking, behavioural monitoring, and targeted advertising directed at children) are prohibited.
If we become aware that we have inadvertently collected personal data of a child without the required parental consent, we will delete it promptly. If you believe such data has been collected, please contact our Grievance Officer.
In accordance with the DPDP Act, the Information Technology Rules, and the SPDI Rules, 2011, we have appointed a Grievance Officer / Data Protection Officer to address your data-protection concerns.
Name: [TO BE FILLED]
Designation: [Founder / Data Protection Officer]
Email: support@quillix.co
Postal address: [REGISTERED ADDRESS, Chennai, Tamil Nadu, India]
Response time: We will acknowledge your request within 3 working days and respond substantively within 30 days (or 7 days for erasure requests).
If you remain dissatisfied with our response, you may file a complaint with the Data Protection Board of India, the contact details for which are published on the official portal of the Ministry of Electronics and Information Technology.
For general queries that are not data-protection related, please write to support@quillix.co.
We may update this Privacy Policy from time to time to reflect changes in our products, features, or sub-processors; applicable law (including notifications and rules issued under the DPDP Act); or industry practice.
When we make material changes we will update the "Last Updated" date at the top of this Policy, notify Audit Firms by email at least 15 days before the change takes effect, and where required by law obtain fresh consent. You should review this Policy periodically. Continued use of the Platform after a change takes effect constitutes acceptance of the revised Policy, except where fresh consent is required.
This Privacy Policy is governed by the laws of India. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in Chennai, Tamil Nadu.
If you have questions about this Privacy Policy or our data-handling practices, please contact:
Quillix
[Legal entity name]
[Registered address, Chennai, Tamil Nadu, India]
Privacy queries: support@quillix.co
General support: support@quillix.co
This Privacy Policy was last reviewed on [DATE]. This document is provided in English. A version in Tamil or Hindi is available on request, in compliance with the language requirements of the DPDP Act.