Privacy Policy

Last updated: 6 June 2026

This Privacy Policy explains how Sarthak Mishra, a sole proprietor operating the website wekeep.in and the WeKeep platform (the "Service") under the brand "WeKeep" ("WeKeep", "we", "us", or "our"), collects, uses, shares, and protects your information. By using the Service, you agree to the practices described here.

WeKeep is a compliance and accounting platform for Indian businesses, used directly by businesses and by Chartered Accountants and other professionals ("Practitioners") who serve them.

1. Information we collect

Account information — name, email address, phone number, password (stored hashed), and, for Practitioners, firm/practice details.

Business and financial data — accounting records, invoices, transactions, bank statements, ledgers, tax filings, and related documents that you or your Practitioner upload or generate while using the Service.

Identity and KYC identifiers — where you choose to use our verification or filing features, identifiers such as GSTIN, PAN, TAN, Udyam, MCA/CIN, and bank account details. Sensitive identifiers — your PAN and bank account numbers — are encrypted at rest.

Aadhaar — WeKeep does not require your Aadhaar to provide its services, does not perform Aadhaar authentication or e-KYC against UIDAI's systems itself, and never collects Aadhaar biometric information. If you choose to verify a party using Aadhaar, the Aadhaar number is passed only to our licensed verification partner to complete that verification — we do not store the full Aadhaar number. We retain only the last four digits and the verification result, and we display Aadhaar only in masked form (XXXX-XXXX-1234).

Documents — files you upload (e.g. bills, statements, photos), including text extracted from them through optical character recognition (OCR).

Usage and technical data — log data, device and browser information, IP address, and cookies (see Section 9).

The Service is intended for businesses and professionals and is not directed to children under 18. We do not knowingly collect the personal data of children. If you are a parent or guardian and believe a child has provided us personal data, contact our Grievance Officer (Section 10) and we will delete it.

2. How we use your information

We use your information to provide, operate, secure, and improve the Service; to authenticate users and manage access; to process accounting, compliance, and statutory filings you initiate; to verify identifiers you submit; to process payments and manage subscriptions; to send service-related and transactional communications; and to comply with applicable law.

We do not sell your personal information.

3. Our role: Data Fiduciary and Data Processor

WeKeep serves two kinds of users, and our role under the Digital Personal Data Protection Act, 2023 ("DPDP Act") depends on whose data is involved:

  • Your own account. When you create and use a WeKeep account — whether you are a business or a Practitioner signing up directly — WeKeep is the Data Fiduciary for the personal data in your account (your name, contact details, login and usage data, and billing information). We determine the purposes and means of processing it, and we are responsible for it to you and to the Data Protection Board of India.
  • Your clients' data (where you are a Practitioner). When a Practitioner uses WeKeep to maintain the books, filings, and records of their own clients, the Practitioner is the Data Fiduciary for that client data and WeKeep acts only as a Data Processor on the Practitioner's behalf. We process such client data only on the Practitioner's documented instructions and only to deliver the Service. We do not determine the purposes of that data, do not use it for our own purposes, and do not sell it, share it across customers, or use it to build cross-client analytics or to train artificial-intelligence models on an identifiable basis. Requests by a client (a Data Principal) to access, correct, or erase that data, or any grievance about it, should be directed to the Practitioner; we will assist the Practitioner in responding.

If we ever decide to process client data for a new purpose of our own, we will be the Data Fiduciary for that processing and will only do so on a lawful basis under the DPDP Act.

4. How we share your information

We share information only as needed to run the Service, with the following categories of service providers (our "sub-processors") and recipients:

  • Cloud hosting — DigitalOcean (Bangalore, India), where the Service and its database are hosted.
  • Payment processor — Razorpay (India), to process subscription payments. We do not store your card number, CVV, or other payment credentials — these are handled directly by Razorpay.
  • Document and AI processing — AI/OCR providers used to read, classify, and extract information from the documents and bank statements you upload. This processing may take place outside India (including in the United States) — see Section 5.
  • Filing and verification partners — GST Suvidha Providers / TRACES and KYC/verification APIs (India), only to the extent required to complete a filing or verification you have requested.
  • Communication providers — email, WhatsApp, and similar providers for notifications you have enabled; some of these process data outside India (see Section 5).
  • Data-in connectors — where you connect them, services such as Gmail, Google Drive, or Google Sheets, used only to import the documents or data you direct us to.
  • Practitioners and team members — where you are a managed client, your authorized Practitioner can access the data within your engagement; where you are part of a team, access is governed by your role.
  • Legal and regulatory authorities — where required by law or to protect our rights, users, or the public.

We require our sub-processors, by contract, to protect your information, to use it only to provide services to us, and not to use it for their own purposes.

5. Where we store and process your data

We store your personal data primarily on servers located in India — our application and database are hosted in DigitalOcean's Bangalore region — and your PAN and bank-account numbers are encrypted at rest.

Some of our sub-processors — in particular document/AI processing and certain communication providers — are located outside India (including in the United States). Where you use those features, your personal data may be transferred to and processed in those countries. India's DPDP Act permits transfers of personal data to any country or territory unless the Government of India specifically restricts it; no such restriction currently applies to the countries we use. Where data is processed abroad, we require the provider by contract to protect it consistently with the DPDP Act, and we minimise — and, where feasible, mask — sensitive identifiers before processing.

6. Data security

We apply reasonable technical and organizational safeguards, including encryption in transit, encryption at rest for sensitive identifiers (such as PAN and bank-account numbers), access controls, role-based permissions, and audit logging, to protect your information. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.

In the event of a personal data breach that affects you, we will notify the Data Protection Board of India and affected users as required under applicable law, including a plain-language description of the breach and steps you can take to protect yourself.

7. Data retention

We retain your information for as long as your account is active and for the period required to provide the Service and meet legal, tax, and accounting obligations. You may request deletion as described in Section 8. Some records — in particular financial and tax records we are required to keep under the Income-tax Act, GST law, and the Companies Act — may be retained for the periods those laws require, even after you withdraw consent or close your account.

8. Your rights

Subject to applicable law (including the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025), you may:

  • request a summary of the personal data we process about you, and access to it;
  • request correction, completion, updating, or erasure of your personal data;
  • withdraw consent where processing is based on consent (withdrawal does not affect processing already carried out);
  • nominate another individual to exercise your rights on your behalf in the event of your death or incapacity; and
  • have your grievances addressed (Section 10).

To exercise these rights, contact our Grievance Officer (Section 10). We may need to verify your identity before acting on a request, and we will respond within the timelines required by applicable law.

9. Cookies

We use cookies and similar technologies to keep you signed in, remember preferences, and understand how the Service is used. You can control cookies through your browser settings; disabling them may affect functionality.

10. Grievance Officer

In accordance with applicable Indian law, the contact for privacy questions and grievances is:

Sarthak Mishra, Grievance Officer
Sarthak Mishra (sole proprietor, "WeKeep")
Sector 9, CDA, Cuttack – 753014, Odisha, India
Email: [email protected]

We will acknowledge your complaint promptly and aim to resolve it within thirty (30) days, and in any event within ninety (90) days as required under the Digital Personal Data Protection Rules, 2025. If you are not satisfied with the resolution, you may escalate the matter to the Data Protection Board of India.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified through the Service or by email, and the "Last updated" date above will reflect the latest revision.

12. Contact us

Sarthak Mishra (sole proprietor, "WeKeep")
Sector 9, CDA, Cuttack – 753014, Odisha, India
Email: [email protected]