Legal
Privacy policy.
This policy explains how Premlata Purohit and Associates collects, uses and protects personal data submitted through this website, in accordance with the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025.
Version 1.2 · Last updated 8 May 2026
Premlata Purohit and Associates (the firm, we, us) is the Data Fiduciary in respect of personal data collected through this website. The firm is constituted as a sole proprietorship; the proprietor is the data fiduciary for the purposes of the DPDP Act, 2023. This policy explains what we collect, why, for how long, and the rights available to you under Indian law including the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 read with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
1. Identity of the Data Fiduciary
Premlata Purohit and Associates, with office at F 204, Meenakshi Chambers, Near Kasturi Estate, Opposite Asian Motors, Bhayandar East, Maharashtra 401105. Email contact@purohitca.com. ICAI Firm Registration Number 135584W. The proprietor is CA Premlata Purohit, FCA, CS.
2. Data we collect, why, and for how long
| Data | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Name, email, phone, message via contact form | Respond to your enquiry | Consent | 36 months from last interaction |
| Email and optional WhatsApp for compliance reminders | Send statutory due-date reminders | Consent | Until withdrawal |
| Email, name, interests for newsletter | Send the firm’s newsletter | Consent | Until withdrawal |
| IP address, user agent, page path (server logs) | Security and abuse detection | Legitimate use | 13 months |
| Cookie identifiers | Analytics and preferences (only after consent) | Consent | 14 months |
| Audit log entries (admin actions) | Security and accountability | Legal obligation | 7 years |
3. Recipients and processors
The firm uses the following processors to operate the website. Each is bound by contract.
- Hostinger (hosting and primary SMTP for transactional email).
- Resend (alternate transactional email transport, used only as a fallback): may store data in the United States.
- Cloudflare (CDN, WAF, Turnstile): processes traffic at global edges.
- Database (Supabase) hosted in Asia Pacific (Mumbai).
- Google Analytics 4 (only when analytics cookies are accepted).
4. Cross-border transfer
Some processors store data outside India. We rely on contractual safeguards. From 13 May 2027, the Government may notify restricted destination countries; the firm will reassess transfers if and when such notifications take effect.
5. Your rights as a Data Principal
- Right to access information about processing of your personal data.
- Right to correction, completion, updating and erasure.
- Right of grievance redressal (within 90 days).
- Right to nominate (in case of death or incapacity).
- Right to withdraw consent. Withdrawal is as easy as giving consent.
Use the dedicated data rights portal to submit a request. Identity is verified by an email verification link.
6. Grievance Officer
CA Premlata Purohit, Proprietor and Grievance Officer. Email capremlata.purohit@gmail.com. We respond within 90 days.
7. Children
The site is not directed at children under 18. Personal data of a person known to be a child is deleted on notice. From 13 May 2027 verifiable parental consent provisions apply; the firm will implement them when in force.
8. Cookies
Strictly necessary cookies are always on. Functional, analytics and marketing cookies are off by default and are loaded only after you accept them. Manage your choices any time from the Cookie preferences link in the footer.
9. Sensitive personal data
The firm does not solicit sensitive personal data through this website. If you share such information in a message, we treat it with the same confidentiality as our client matters.
10. Security
The firm implements technical and organisational safeguards including TLS in transit, encryption at rest where supported, role based access control, audit logging, two factor authentication for administrators and rate limiting of public endpoints. No system is perfectly secure; we update controls as the threat landscape evolves.
11. Breach notification
On a personal data breach, we will notify the Data Protection Board of India and affected Data Principals without undue delay, in line with the DPDP Act and the DPDP Rules, 2025.
12. Changes to this policy
We will revise this policy from time to time. The effective version with date is shown at the top.