PRIVACY POLICY

WFYI Technology Private Limited

Effective Date: November 28, 2025

Last Updated: November 28, 2025

---

TABLE OF CONTENTS

1. Introduction
2. Information We Collect
3. How We Use Your Information
4. Data Security & ISO 27001 Compliance
5. Sharing Your Information
6. Data Retention
7. Your Privacy Rights
8. Cookies & Tracking
9. Third-Party Services & Integrations
10. Children's Privacy
11. Grievance Redressal
12. Contact Us

---

1. INTRODUCTION

This Privacy Policy ("Policy") governs how WFYI Technology Private Limited ("Company," "we," "us," "our") collects, uses, protects, and processes personal data through our website https://www.fylflix.com ("Platform" or "Services").

The Company is registered under Indian law with:

• Registered Office: UGF-2, Sidharth Apartment, New Ghitorni Lake, Ghitorni, New Delhi, 110030
• Working Address: KH. No. 340, 100 Foota Road, Ghitorni, New Delhi, 110030

This Policy complies with:

• Information Technology Act, 2000 (IT Act)
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• Reserve Bank of India (RBI) guidelines for financial data security
• Securities and Exchange Board of India (SEBI) guidelines for investment-related advice
• Income Tax Department regulations
• ISO 27001 Information Security Management System certification

By accessing or using FylFlix, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

---

2. INFORMATION WE COLLECT

2.1 Information Provided Directly by Users

When you create an account and use our Services, we collect the following personal data with your explicit consent:

Account Information:

• Full Name
• Email Address
• Phone Number
• Date of Birth
• Gender

Financial & Tax Information (with explicit user consent):

• Income details (salary, freelance, business income)
• Investment documents and records
• Pay slips and salary statements
• Rental income documents and agreements
• PAN (Permanent Account Number) and related identity documents
• ITR (Income Tax Return) filings and related documents
• Bank account details (for payment processing via Razorpay)
• Other financial documents necessary for tax planning and ITR filing
• GST records (if applicable)
• Business financial statements (if applicable)

Communication Data:

• Chat messages with Tax Experts and CAs
• Consultation call records and notes
• Email communications
• Support requests and feedback

2.2 Information Collected Automatically

Technical Data:

• IP address
• Device type and operating system
• Browser type and version
• Pages visited and time spent
• Clicks and interactions
• Referral source
• Device identifiers

Analytical Data:

• Google Analytics tracking
• User behavior patterns
• Feature usage analytics
• Error logs

Authentication Data:

• OTP verification records via MSG91
• Login timestamps
• Session information

2.3 Cookies & Tracking Technologies

We use cookies and similar tracking technologies including:

• Session cookies
• Persistent cookies
• Analytics cookies (Google Analytics)
• Marketing cookies for campaigns and offers

Refer to Section 8 for detailed cookie policy.

---

3. HOW WE USE YOUR INFORMATION

3.1 Primary Use Cases

Your information is used for the following lawful purposes:

Service Delivery:

• Creating and maintaining your user account
• Providing tax planning, financial advice, and ITR filing services
• Processing subscription and one-time payments through Razorpay
• Facilitating communication between you and our Tax Experts/CAs
• Generating personalized tax savings predictions and recommendations
• Creating financial dashboards showing your tax data trends over 7 years

Tax Compliance & Professional Services:

• Filing your Income Tax Returns with relevant tax authorities
• Preparing tax optimization strategies
• Providing financial planning guidance
• Generating tax compliance reports
• Meeting our statutory obligations under Income Tax Act, 1961

Communication:

• Sending service-related notifications
• OTP delivery for account verification via MSG91
• Updates about policy changes
• Customer support responses
• Tax filing reminders and deadlines
• Campaign offers and newsletters (with opt-in consent)

Security & Fraud Prevention:

• Verifying user identity and preventing unauthorized access
• Detecting and preventing fraudulent activities
• Protecting against cyber threats
• Maintaining platform security per ISO 27001 standards

Compliance & Legal Obligations:

• Meeting regulatory requirements under IT Act, Income Tax Department, RBI, and SEBI guidelines
• Responding to legal requests and government inquiries
• Maintaining audit trails for tax compliance
• Document authenticity verification

Analytics & Platform Improvement:

• Analyzing user behavior through Google Analytics
• Improving platform usability and features
• Identifying technical issues and optimizing performance
• Understanding user preferences to enhance services

3.2 Legal Basis for Processing

We process your data based on:

• Explicit Consent: You explicitly consent to data collection at registration and upload
• Contract Performance: Processing is necessary to provide our Services
• Legal Obligation: Compliance with Income Tax Act, IT Rules, RBI/SEBI guidelines
• Legitimate Interests: Improving our Services while protecting user privacy
• Public Task: Fulfilling tax compliance requirements

---

4. DATA SECURITY & ISO 27001 COMPLIANCE

4.1 Security Measures

WFYI Technology is ISO 27001 certified, demonstrating our commitment to information security. We implement:

Technical Security:

• End-to-end encryption for sensitive financial data
• Industry-standard SSL/TLS encryption for data transmission
• Secure document upload and storage systems
• Multi-factor authentication (OTP verification via MSG91)
• Regular security audits and penetration testing
• Firewall and intrusion detection systems
• Secure API integrations with Razorpay and other vendors

Operational Security:

• Access controls limiting data to authorized Tax Experts and CAs only
• Role-based access for internal staff
• Data access logs and monitoring
• Employee confidentiality agreements
• Regular security training for staff
• Incident response and breach notification procedures

Administrative Security:

• Secure data centers with physical access controls
• Regular backup and disaster recovery procedures
• Data encryption at rest and in transit
• Compliance with ISO 27001 standards
• Periodic security compliance assessments

4.2 Limitation of Liability

While we maintain robust security measures, no system is completely secure. We are not liable for unauthorized access, data breaches, or losses beyond our reasonable control. Users are responsible for:

• Maintaining confidentiality of login credentials
• Not sharing account access
• Reporting suspicious activities immediately
• Backing up their own copies of documents

---

5. SHARING YOUR INFORMATION

5.1 Authorized Internal Sharing

Your financial and personal data is shared internally only with:

Tax Experts and CAs:

• Licensed Chartered Accountants employed or contracted by WFYI Technology
• Financial advisors providing personalized tax planning
• Professionals directly engaged in your ITR filing and tax consultation
• All subject to confidentiality agreements and professional ethics codes

Internal Teams:

• Customer support staff (for resolving your queries)
• Compliance and legal teams (for regulatory requirements)
• Technical teams (for platform security and maintenance)
• All staff access data on need-to-know basis with proper authorization

5.2 Third-Party Service Integrations

Razorpay (Payment Gateway):

• Your bank account details and payment information are shared with Razorpay for payment processing
• Razorpay is PCI-DSS compliant
• Refer to Razorpay Privacy Policy: https://razorpay.com/privacy/
• We do not store your complete bank account details; Razorpay handles payment data securely

Google Analytics:

• Anonymous aggregated usage data is shared with Google Analytics
• Individual financial data is NOT shared with Google Analytics
• Google Analytics processes data per their Privacy Policy: https://policies.google.com/privacy

Google Cloud & Google Workspace Email Service:

• Email communications are processed through Google Cloud infrastructure
• Email service provider complies with Google's Privacy Policy and data handling standards
• We will transition to Mailchimp in future for additional email functionality

MSG91 (SMS/OTP Service):

• Phone numbers and OTP messages are processed through MSG91
• MSG91 is used for OTP verification and campaign communications
• MSG91 complies with telecom regulations and data privacy standards
• Refer to MSG91 Privacy Policy for details

Future Services:

• Mailchimp (for email campaigns) - privacy policy will apply upon integration
• Pan verification services (future) - separate consent will be obtained
• Any new vendor will comply with our privacy and security standards

5.3 Legal Disclosures

We may disclose your information when legally required:

• Responding to court orders or legal subpoenas
• Complying with Income Tax Department investigations
• Fulfilling RBI or SEBI regulatory requests
• Preventing fraud or illegal activities
• Protecting user safety and platform security
• Complying with other applicable laws

We will notify you of legal requests unless prohibited by law.

5.4 No Commercial Sharing

We DO NOT:

• Sell your personal or financial data to third parties
• Share data with marketing companies or advertisers
• Use your data for purposes unrelated to tax filing and financial planning
• Share data outside the Company except as specified above

---

6. DATA RETENTION

6.1 Retention Schedule

We retain your personal and financial data for 7 years from the date of last service usage or ITR filing, for the following reasons:

Legal Requirements:

• Income Tax Act, 1961 requires maintenance of financial records for 7 assessment years
• RBI guidelines for financial data retention
• IT Rules, 2011 compliance
• Tax audit and dispute resolution purposes

Operational Purposes:

• Providing dashboard access to view your financial history and tax trends
• Generating comparative tax savings reports
• Supporting future tax planning and ITR filings
• Maintaining audit trails and compliance documentation

6.2 Data Deletion After Retention Period

After 7 years:

• All personal data will be securely deleted or anonymized
• Financial documents will be permanently removed from our systems
• Anonymized statistical data may be retained for analytics
• You can request earlier deletion subject to legal compliance requirements

6.3 Right to Backup

You are responsible for maintaining your own backups of documents and data. We recommend regular downloads of your financial records and ITR filings.

---

7. YOUR PRIVACY RIGHTS

7.1 Rights Under Indian Law

Depending on applicable Indian jurisdiction and regulations, you have the following rights:

Right to Access:

• Request access to all personal data we hold about you
• Obtain copies of documents you have uploaded
• Receive information about how your data is processed
• Request in writing to wfyi@wfyi.ai

Right to Rectification (Correction):

• Correct inaccurate or incomplete personal information
• Request updates to your account details
• Ensure financial data accuracy before ITR filing
• Contact support through your account dashboard

Right to Erasure (Right to be Forgotten):

• Request deletion of personal data (subject to legal retention requirements)
• Delete financial documents after 7-year retention period
• Right may be limited by legal obligations and tax compliance requirements

Right to Data Portability:

• Obtain your data in a structured, commonly used format
• Receive your financial records and documents
• Transfer your data to another service provider
• Request by emailing wfyi@wfyi.ai

Right to Restrict Processing:

• Request limitation on how your data is processed
• Limit sharing with Tax Experts (limited by service requirements)
• Restrict analytics and tracking (may affect service quality)
• Applicable within service constraint limitations

Right to Object:

• Object to marketing communications and campaign offers
• Unsubscribe from newsletters using email opt-out links
• Opt-out of Google Analytics tracking (may affect personalization)
• We will continue sending essential service notifications

Right to Withdraw Consent:

• Withdraw consent for data collection (except legal obligations)
• Close your account and request data deletion
• Withdraw consent for future communications
• Note: This does not affect data already processed lawfully

Right to Non-Discrimination:

• We will not discriminate against you for exercising privacy rights
• Service quality will not be affected by privacy choices (except where service requires data)

7.2 Exercising Your Rights

To exercise any privacy right:

1. Submit a written request to wfyi@wfyi.ai
2. Include: Full name, email, phone number, specific request details
3. Provide supporting documents if applicable
4. Include "Privacy Rights Request" in subject line

Our Response:

• We will respond within 30 days of receiving your request
• We may request additional information to verify your identity
• We will inform you if we cannot fulfill your request and provide reasons
• Response will be provided in English or Hindi as requested

Identity Verification:

• We will verify your identity before processing sensitive requests
• Verification may include account details, OTP confirmation, or PAN matching
• This protects your data from unauthorized access

---

8. COOKIES & TRACKING

8.1 Cookie Policy

What are Cookies? Cookies are small text files stored on your device that help us recognize you and remember your preferences.

Types of Cookies We Use:

Session Cookies (Essential):

• Temporary cookies deleted when you close your browser
• Required for platform functionality
• Enable secure login and session management
• Cannot be disabled without affecting service

Persistent Cookies (Functional):

• Remain on your device for extended periods
• Remember your preferences and settings
• Improve user experience
• Can be deleted through browser settings

Analytics Cookies (Google Analytics):

• Track aggregated, anonymized user behavior
• Measure page views, user flows, and feature usage
• Help us improve platform performance
• Do NOT contain sensitive financial information

Marketing Cookies:

• Track campaign effectiveness and offer responses
• Personalize marketing communications
• Used for analytics and optimization
• Can be declined through opt-out mechanisms

8.2 Cookie Consent & Control

Consent:

• You are informed of cookies upon first website visit
• Essential cookies are enabled by default
• You can decline non-essential cookies
• Continuing to use the site implies cookie acceptance

Managing Cookies:

• Adjust cookie preferences through browser settings
• Delete existing cookies anytime through browser
• Disable specific cookie types (except essential)
• Third-party cookies can be blocked in browser settings

Impact of Declining Cookies:

• Declining essential cookies affects platform functionality
• Analytics tracking helps us improve service quality
• Declining marketing cookies stops personalized offers
• You can still use core services

8.3 Third-Party Tracking

Google Analytics:

• Uses cookies to track anonymous usage data
• Does not track personal or financial information
• Governed by Google's Privacy Policy
• You can opt-out using browser plugins

MSG91 Tracking:

• Campaign and OTP delivery tracking
• Used for service improvement and fraud prevention

Razorpay Tracking:

• Payment transaction tracking
• PCI-DSS compliant data handling

---

9. THIRD-PARTY SERVICES & INTEGRATIONS

9.1 Current Integrations

We partner with trusted third-party services for specific functions:

Razorpay (Payment Processing):

• Secure payment gateway for subscriptions and one-time payments
• PCI-DSS Level 1 certified (highest security standard)
• Bank account details processed securely
• We receive confirmation, not account details
• Privacy Policy: https://razorpay.com/privacy/

Google Analytics (Analytics):

• Anonymous usage analytics
• Helps us understand user behavior and improve platform
• Complies with Google Privacy Policy
• Privacy Policy: https://policies.google.com/privacy

Google Cloud & Google Workspace (Email):

• Infrastructure for secure email communication
• Ensures reliable email delivery
• Complies with Google's data handling standards
• Subject to Google's Privacy Policy

MSG91 (SMS/OTP):

• Secure OTP verification for account security
• Campaign communications and offers
• Telecom-compliant SMS delivery
• Complies with telecom regulations

9.2 Future Integrations

Mailchimp (Email Platform):

• Future integration for email campaigns
• Separate privacy consent will be obtained
• Will comply with Mailchimp privacy standards

PAN Verification Services:

• Future integration for PAN authenticity
• Separate consent will be required
• Will verify against official records

9.3 Third-Party Data Handling

• We carefully vet all third parties for security compliance
• All integrations require data protection agreements
• Third parties must meet our ISO 27001 standards
• We are not responsible for third-party privacy practices
• You should review third-party privacy policies

9.4 Links to External Websites

Our Platform may contain links to external websites (Income Tax Department, government sites, etc.). We are not responsible for:

• External website privacy practices
• Data collected by external sites
• Content or policies of linked websites
• You should review external privacy policies separately

---

10. CHILDREN'S PRIVACY

10.1 Age Restriction

In short: We do not knowingly collect data from children under 18 years.

Service Eligibility:

• Our Services are intended for adults 18 years and older
• By using FylFlix, you represent you are at least 18 years old
• Parents/guardians may create accounts for minors with explicit consent (limited functionality)

10.2 If We Learn of Child Data Collection

If we discover that a user under 18 has provided personal information:

• We will immediately deactivate the account
• All personal data will be promptly and securely deleted
• Parents/guardians will be notified
• Incident will be reported as required by law

10.3 Reporting Concerns

If you believe a child has provided personal information to our Platform:

• Email us immediately at wfyi@wfyi.ai
• Include "Child Data Concern" in subject line
• Provide details of the account or incident
• We will investigate and take corrective action

---

11. GRIEVANCE REDRESSAL

11.1 Grievance Redressal Process (Per IT Act)

We have established a formal grievance redressal mechanism compliant with the Information Technology Act, 2000 and IT Rules, 2011.

Raising a Grievance:

1. Step 1 - Initial Contact:

   • Email your grievance to info@wfyi.ai
   • Include: Your name, account email, phone number, detailed description of issue, supporting documents/screenshots
   • Subject line: "Privacy Grievance" or "Data Security Concern"

2. Step 2 - Acknowledgment:

   • We will acknowledge receipt within 24 hours
   • You will receive a grievance reference number for tracking
   • Estimated resolution timeline will be provided

3. Step 3 - Investigation:

   • Our Data Protection and Compliance team will investigate
   • We may request additional information
   • Investigation period: 7-14 days for most grievances

4. Step 4 - Resolution:

   • We will provide written resolution and corrective actions
   • If grievance is upheld, we will implement remedies
   • Resolution will be communicated within 30 days

5. Step 5 - Escalation (if needed):

   • If unsatisfied, you can escalate to our Grievance Redressal Officer
   • Contact: wfyi@wfyi.ai (mark "ESCALATION")
   • We will conduct senior review within 15 days

11.2 Grievance Categories

We handle grievances related to:

• Unauthorized data access or breaches
• Incorrect data collection or usage
• Inadequate security measures
• Refusal to fulfill privacy rights requests
• Non-compliance with privacy policy
• Data sharing without consent
• Cookie and tracking violations
• Retention of data beyond specified periods
• Third-party data handling issues
• Account security and authentication problems

11.3 Escalation & External Redressal

If internal resolution is unsatisfactory:

You may escalate to:

• Cyber Crime Cell: File complaint with local cybercrime authorities
• Income Tax Department: File complaint if tax-related data misuse
• RBI Financial Ombudsman: For financial data disputes (www.rbi.org.in)
• Ministry of Electronics & Information Technology (MeitY): For general IT complaints
• Consumer Protection Authority: For consumer rights violations

11.4 No Retaliation

• We will not retaliate against you for filing a grievance
• Your service quality will not be affected
• Account will not be suspended or terminated due to grievance

---

12. CONTACT US

For any privacy-related questions, concerns, or requests, please contact us:

Email: wfyi@wfyi.ai
Email (Queries): info@wfyi.ai

Registered Office:
UGF-2, Sidharth Apartment, New Ghitorni Lake, Ghitorni, New Delhi, 110030, India

Working Address:
KH. No. 340, 100 Foota Road, Ghitorni, New Delhi, 110030, India

Business Hours: Monday to Friday, 9:00 AM - 6:00 PM IST

Response Time:

• General inquiries: Within 24-48 hours
• Privacy rights requests: Within 30 days
• Urgent issues: Within 24 hours
• Grievances: As per grievance redressal process above

---

FINAL PROVISIONS

Updates to Privacy Policy

We may update this Privacy Policy periodically to reflect changes in:

• Legal requirements
• Security practices
• New features and services
• Technology updates

Notice of Changes:

• Significant changes will be notified via email
• Changes will be posted on our website with updated date
• Continued use of Platform implies acceptance of updated policy

Governing Law

This Privacy Policy is governed by the laws of India, specifically:

• Information Technology Act, 2000
• Information Technology Rules, 2011
• Income Tax Act, 1961
• RBI and SEBI guidelines
• Any other applicable Indian laws

Jurisdiction

Any disputes arising from this Privacy Policy shall be subject to:

• Exclusive jurisdiction of courts in New Delhi
• Applicable law: Laws of India
• Arbitration (if agreed): Per Arbitration and Conciliation Act, 1996

---

Version: 1.0
Last Updated: November 28, 2025
Effective Date: November 28, 2025

By using FylFlix, you acknowledge that you have read, understood, and agree to this Privacy Policy.