Privacy Policy

Effective Date: 26 April 2026
Last Updated: 26 April 2026

---

1. About This Policy

This Privacy Policy explains how Vijay R Singh & Co., Chartered Accountants (“we”, “us”, “our”, “the Firm”) collects, uses, stores, and protects your personal data when you visit our website at https://cavijaysingh.com or engage us for professional services. This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and applicable rules thereunder.

By using our website or engaging us for services, you acknowledge that you have read and understood this Policy.

2. Who We Are (Data Fiduciary Identity)

Firm Name	Vijay R Singh & Co., Chartered Accountants
Type	Sole Proprietorship Firm of Chartered Accountants
Proprietor	CA Vijay R Singh, FCA
ICAI Membership No.	153926
Firm Registration No. (FRN)	136869W
Office Address	Office No. 4, D Wing, Vishal CHSL, Sir Mathuradas Vasanji Road, Near Vishal Hall, Azad Nagar, Andheri East, Mumbai, Maharashtra 400069
Phone	+91 98607 23959
Email	info@cavijaysingh.com
Website	https://cavijaysingh.com

For the purposes of the DPDP Act, the Firm is a Data Fiduciary with respect to personal data we process.

3. Personal Data We Collect

We collect personal data only to the extent necessary for the purposes set out in Section 4. The categories of data we collect depend on how you interact with us:

3.1 Website Visitor Data

When you visit our website, we may collect:

• Name, email address, phone number (only when you fill in contact forms, request a quote, or download resources)
• Browser type, operating system, IP address, device identifiers
• Pages visited, time spent on pages, referring URL (via Google Analytics — see Section 7)
• Communication preferences (if you subscribe to updates)

3.2 Client Engagement Data

When you engage us for professional services, in addition to the above we collect data necessary for service delivery, which may include:

• Permanent Account Number (PAN), Aadhaar number, Director Identification Number (DIN)
• GST Identification Number (GSTIN), Tax Deduction Account Number (TAN), Importer Exporter Code (IEC)
• Bank account details, financial statements, investment records, salary details
• Property documents, sale deeds, registration documents
• Know-Your-Customer (KYC) documents required under the Prevention of Money-Laundering Act, 2002 (“PMLA”)
• Engagement letter, signed scope of work, and related communications

3.3 Statutory Submission Data

For specific engagements, we may additionally collect data necessary to fulfil statutory obligations on your behalf, including:

• Family member details (for ITR filings, Form 16, HUF returns)
• Passport details and foreign-source income (for NRI engagements)
• Spouse details (for joint returns)
• Director, partner, or beneficial owner details (for corporate and LLP engagements)
• Foreign remittance details and FEMA-regulated transaction information

We do not collect data we do not need. Where statute permits, we limit collection to the minimum necessary.

4. Purposes of Processing

We process your personal data for the following purposes:

1. Service delivery — to perform the professional services agreed under our engagement letter (audit, assurance, taxation, GST, ROC compliance, FEMA advisory, virtual CFO, NRI advisory, and related services).
2. Statutory filings on your behalf — to file returns, forms, certifications, and disclosures with the Income-tax Department, Goods and Services Tax authorities, Ministry of Corporate Affairs, Reserve Bank of India, FEMA authorities, ICAI, and other regulators as applicable to your engagement.
3. Communication — to communicate with you regarding engagement updates, regulatory changes affecting you, deadlines, queries, and grievances.
4. Compliance with law — to meet our obligations under the Chartered Accountants Act, 1949; the Income-tax Act, 1961 / Income-tax Act, 2025 (with effect from 1 April 2026); the Companies Act, 2013; the Limited Liability Partnership Act, 2008; the Goods and Services Tax laws; the Foreign Exchange Management Act, 1999; the Prevention of Money-Laundering Act, 2002; the ICAI Code of Ethics; and other applicable laws.
5. Website operation and analytics — to operate our website, understand visitor behaviour in aggregate, and improve our content (see Section 7).
6. Marketing communications — only with your explicit consent, to send newsletters, regulatory updates, and information about our services. You may withdraw consent at any time.
7. Legal defence and audit retention — to retain records for the periods required by law and to defend any legal, regulatory, or disciplinary proceedings.

We do not use your personal data for purposes incompatible with the above without your fresh consent.

5. Legal Basis for Processing

Under the DPDP Act, we process your personal data on the following legal bases:

Type of Data	Legal Basis
Client engagement data	Your consent (via signed engagement letter) and Legitimate Use under Section 7(b) of the DPDP Act (compliance with applicable law)
Statutory submission data	Legitimate Use under Section 7(b) — performance of legal obligations on your behalf
KYC and PMLA records	Legitimate Use under Section 7(b) — statutory mandate under PMLA
Marketing communications	Your explicit, opt-in consent — withdrawable at any time
Website analytics cookies (see Section 7)	Currently processed under Legitimate Use; consent-based mechanism is being implemented (see Section 7)

6. Sharing of Personal Data

We do not sell your personal data. We share it only as follows:

1. With government authorities — as required by law (Income-tax Department, GSTN, MCA, RBI, FEMA, ICAI, courts and tribunals).
2. With banks, financial institutions, and counterparties — only to the extent necessary for service delivery and only with your knowledge.
3. With service providers (Data Processors) — including:
   • Cloud storage and email providers (Zoho, Google Workspace) — for routine business operations
   • Calendly Inc. — for appointment scheduling, when you book a meeting via our website
   • Practice management software providers (Zoho Practice) — for engagement and workflow management
   • Communication platforms (AiSensy, Brevo) — for client communication where consented
   All Data Processors are bound by contractual obligations to protect your data in accordance with the DPDP Act and applicable law.
4. In a business transition — if the Firm is succeeded, merged, or its practice transferred (subject to ICAI rules and applicable law), your data may transition to the successor practice with you given notice.
5. In response to legal process — in response to subpoenas, court orders, statutory summons, regulatory inquiries, or to defend legal claims.

We do not share your data with third parties for their independent marketing purposes.

7. Cookies and Website Analytics

Our website uses cookies and similar technologies to operate the site and understand how it is used.

7.1 Types of Cookies

• Strictly necessary cookies — required for site functionality, including session and security cookies set by WordPress.
• Analytics cookies — set by Google Analytics 4 (deployed via Site Kit by Google) to help us understand aggregate visitor behaviour. Measurement ID: GT-WP5S5WV6.
• Third-party cookies — set by Calendly Inc. when you click to book a meeting and are taken to their domain.

7.2 Status of Consent Mechanism

We are currently in the process of implementing a cookie consent banner to enable explicit, granular consent for non-essential cookies, as contemplated under Section 6 of the DPDP Act. Until this banner is live, we recommend visitors who do not wish to be subject to analytics tracking to:

• Use browser-level “Do Not Track” settings, or
• Install Google Analytics opt-out browser add-on (https://tools.google.com/dlpage/gaoptout), or
• Use private/incognito browsing mode.

We expect to deploy the consent banner within 60 days of the effective date of this Policy. This Policy will be updated when the banner goes live.

7.3 Calendly

When you click any “Book Free Call”, “Appointment”, or “Get Quote” button on our website, you are redirected to Calendly’s domain (calendly.com). Calendly’s privacy practices are governed by their own privacy policy, available at https://calendly.com/legal/privacy-notice. We receive only the appointment confirmation and your contact details from Calendly.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, plus statutory retention periods.

Type of Data	Retention Period
Client engagement records, working papers, audit files	8 years from end of engagement (matching Section 128 of the Companies Act, 2013, Section 44AA of the Income-tax Act, and ICAI guidance)
Tax returns, statutory filings, supporting documents	8 years or longer where required by specific statute
KYC and PMLA records	As required under PMLA (currently 5 years from end of relationship)
Website analytics data	24 months from collection
Marketing communication preferences	Until you withdraw consent or 24 months of inactivity, whichever is earlier
Records subject to litigation, investigation, or disciplinary inquiry	Until conclusion of proceedings plus applicable limitation period

After the retention period ends, we securely delete or anonymise your personal data within 90 days, except where longer retention is required by law.

9. Cross-Border Transfer of Data

Some of our service providers (including cloud storage, email, and software platforms) may store data on servers located outside India. Cross-border transfers comply with Section 16 of the DPDP Act and any restrictions notified by the Ministry of Electronics and Information Technology (MeitY). We do not transfer personal data to any country or territory restricted by MeitY notification.

10. Your Rights as a Data Principal

Under the DPDP Act, you have the following rights with respect to your personal data:

10.1 Right to Access (Section 11)

You may request a summary of the personal data we hold about you, the purposes for which it is being processed, and the identities of any Data Processors with whom it has been shared.

10.2 Right to Correction and Erasure (Section 12)

You may request correction of inaccurate or incomplete data, or erasure of data that is no longer necessary for the purpose for which it was collected, subject to our statutory retention obligations.

10.3 Right to Grievance Redressal (Section 13)

You may register a grievance with our Grievance Officer (Section 12 below). We will respond within the timelines prescribed under the DPDP Act and rules. If unsatisfied, you may approach the Data Protection Board of India.

10.4 Right to Nominate (Section 14)

You may nominate a person to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, write to info@cavijaysingh.com with the subject line “DPDP Data Principal Request” and a copy of identity verification.

11. Withdrawal of Consent

Where processing is based on your consent, you may withdraw consent at any time by writing to info@cavijaysingh.com. Withdrawal of consent will not affect the lawfulness of processing prior to withdrawal, nor will it affect processing required for legal obligations or statutory retention.

Withdrawal of consent for processing essential to an active engagement may impact our ability to deliver services; we will discuss alternatives with you on a case-by-case basis.

12. Grievance Officer

If you have any concerns regarding our processing of your personal data, please contact our Grievance Officer:

Name	CA Vijay R Singh, Proprietor
Email	info@cavijaysingh.com
Phone	+91 98607 23959
Address	Office No. 4, D Wing, Vishal CHSL, Sir Mathuradas Vasanji Road, Near Vishal Hall, Azad Nagar, Andheri East, Mumbai 400069
Response Timeline	Within 7 working days of receipt; final resolution within 30 days

If you are not satisfied with our response, you may approach the Data Protection Board of India under Section 27 of the DPDP Act.

13. Children’s Personal Data

Our services are intended for adults (18 years and above), professional firms, companies, and other adult entities. We do not knowingly collect personal data of children (persons under 18) without verifiable parental consent in compliance with Section 9 of the DPDP Act. If we become aware that we have inadvertently collected such data, we will delete it promptly.

14. Data Security

We implement reasonable technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include:

• Encrypted storage of sensitive client data
• Access controls limiting data access to authorised personnel
• Regular security updates to our website infrastructure
• Confidentiality obligations on all employees and Data Processors
• Adherence to ICAI’s Standards on Auditing and Code of Ethics

In the event of a personal data breach that is likely to result in significant harm, we will notify the Data Protection Board of India and affected Data Principals as required under the DPDP Act.

15. Changes to This Policy

We may update this Policy from time to time to reflect changes in law, our services, or our processing practices. The “Last Updated” date at the top of this page indicates when changes were made. Material changes will be notified to active clients by email and will be prominently displayed on our website for at least 30 days.

16. Governing Law

This Policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts of Mumbai, Maharashtra, India.

---

Contact Us

For any questions regarding this Privacy Policy or our data practices:

Vijay R Singh & Co., Chartered Accountants
Office No. 4, D Wing, Vishal CHSL,
Sir Mathuradas Vasanji Road, Near Vishal Hall,
Azad Nagar, Andheri East,
Mumbai, Maharashtra 400069

📧 info@cavijaysingh.com
📞 +91 98607 23959
🌐 https://cavijaysingh.com

This policy is effective from 26 April 2026.

Effective Date: 26 April 2026
Last Updated: 26 April 2026

---

1. About This Policy

This Privacy Policy explains how Vijay R Singh & Co., Chartered Accountants (“we”, “us”, “our”, “the Firm”) collects, uses, stores, and protects your personal data when you visit our website at https://cavijaysingh.com or engage us for professional services. This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and applicable rules thereunder.

By using our website or engaging us for services, you acknowledge that you have read and understood this Policy.

2. Who We Are (Data Fiduciary Identity)

Firm Name	Vijay R Singh & Co., Chartered Accountants
Type	Sole Proprietorship Firm of Chartered Accountants
Proprietor	CA Vijay R Singh, FCA
ICAI Membership No.	153926
Firm Registration No. (FRN)	136869W
Office Address	Office No. 4, D Wing, Vishal CHSL, Sir Mathuradas Vasanji Road, Near Vishal Hall, Azad Nagar, Andheri East, Mumbai, Maharashtra 400069
Phone	+91 98607 23959
Email	info@cavijaysingh.com
Website	https://cavijaysingh.com

For the purposes of the DPDP Act, the Firm is a Data Fiduciary with respect to personal data we process.

3. Personal Data We Collect

We collect personal data only to the extent necessary for the purposes set out in Section 4. The categories of data we collect depend on how you interact with us:

3.1 Website Visitor Data

When you visit our website, we may collect:

• Name, email address, phone number (only when you fill in contact forms, request a quote, or download resources)
• Browser type, operating system, IP address, device identifiers
• Pages visited, time spent on pages, referring URL (via Google Analytics — see Section 7)
• Communication preferences (if you subscribe to updates)

3.2 Client Engagement Data

When you engage us for professional services, in addition to the above we collect data necessary for service delivery, which may include:

• Permanent Account Number (PAN), Aadhaar number, Director Identification Number (DIN)
• GST Identification Number (GSTIN), Tax Deduction Account Number (TAN), Importer Exporter Code (IEC)
• Bank account details, financial statements, investment records, salary details
• Property documents, sale deeds, registration documents
• Know-Your-Customer (KYC) documents required under the Prevention of Money-Laundering Act, 2002 (“PMLA”)
• Engagement letter, signed scope of work, and related communications

3.3 Statutory Submission Data

For specific engagements, we may additionally collect data necessary to fulfil statutory obligations on your behalf, including:

• Family member details (for ITR filings, Form 16, HUF returns)
• Passport details and foreign-source income (for NRI engagements)
• Spouse details (for joint returns)
• Director, partner, or beneficial owner details (for corporate and LLP engagements)
• Foreign remittance details and FEMA-regulated transaction information

We do not collect data we do not need. Where statute permits, we limit collection to the minimum necessary.

4. Purposes of Processing

We process your personal data for the following purposes:

1. Service delivery — to perform the professional services agreed under our engagement letter (audit, assurance, taxation, GST, ROC compliance, FEMA advisory, virtual CFO, NRI advisory, and related services).
2. Statutory filings on your behalf — to file returns, forms, certifications, and disclosures with the Income-tax Department, Goods and Services Tax authorities, Ministry of Corporate Affairs, Reserve Bank of India, FEMA authorities, ICAI, and other regulators as applicable to your engagement.
3. Communication — to communicate with you regarding engagement updates, regulatory changes affecting you, deadlines, queries, and grievances.
4. Compliance with law — to meet our obligations under the Chartered Accountants Act, 1949; the Income-tax Act, 1961 / Income-tax Act, 2025 (with effect from 1 April 2026); the Companies Act, 2013; the Limited Liability Partnership Act, 2008; the Goods and Services Tax laws; the Foreign Exchange Management Act, 1999; the Prevention of Money-Laundering Act, 2002; the ICAI Code of Ethics; and other applicable laws.
5. Website operation and analytics — to operate our website, understand visitor behaviour in aggregate, and improve our content (see Section 7).
6. Marketing communications — only with your explicit consent, to send newsletters, regulatory updates, and information about our services. You may withdraw consent at any time.
7. Legal defence and audit retention — to retain records for the periods required by law and to defend any legal, regulatory, or disciplinary proceedings.

We do not use your personal data for purposes incompatible with the above without your fresh consent.

5. Legal Basis for Processing

Under the DPDP Act, we process your personal data on the following legal bases:

Type of Data	Legal Basis
Client engagement data	Your consent (via signed engagement letter) and Legitimate Use under Section 7(b) of the DPDP Act (compliance with applicable law)
Statutory submission data	Legitimate Use under Section 7(b) — performance of legal obligations on your behalf
KYC and PMLA records	Legitimate Use under Section 7(b) — statutory mandate under PMLA
Marketing communications	Your explicit, opt-in consent — withdrawable at any time
Website analytics cookies (see Section 7)	Currently processed under Legitimate Use; consent-based mechanism is being implemented (see Section 7)

6. Sharing of Personal Data

We do not sell your personal data. We share it only as follows:

1. With government authorities — as required by law (Income-tax Department, GSTN, MCA, RBI, FEMA, ICAI, courts and tribunals).
2. With banks, financial institutions, and counterparties — only to the extent necessary for service delivery and only with your knowledge.
3. With service providers (Data Processors) — including:
   • Cloud storage and email providers (Zoho, Google Workspace) — for routine business operations
   • Calendly Inc. — for appointment scheduling, when you book a meeting via our website
   • Practice management software providers (Zoho Practice) — for engagement and workflow management
   • Communication platforms (AiSensy, Brevo) — for client communication where consented
   All Data Processors are bound by contractual obligations to protect your data in accordance with the DPDP Act and applicable law.
4. In a business transition — if the Firm is succeeded, merged, or its practice transferred (subject to ICAI rules and applicable law), your data may transition to the successor practice with you given notice.
5. In response to legal process — in response to subpoenas, court orders, statutory summons, regulatory inquiries, or to defend legal claims.

We do not share your data with third parties for their independent marketing purposes.

7. Cookies and Website Analytics

Our website uses cookies and similar technologies to operate the site and understand how it is used.

7.1 Types of Cookies

• Strictly necessary cookies — required for site functionality, including session and security cookies set by WordPress.
• Analytics cookies — set by Google Analytics 4 (deployed via Site Kit by Google) to help us understand aggregate visitor behaviour. Measurement ID: GT-WP5S5WV6.
• Third-party cookies — set by Calendly Inc. when you click to book a meeting and are taken to their domain.

7.2 Status of Consent Mechanism

We are currently in the process of implementing a cookie consent banner to enable explicit, granular consent for non-essential cookies, as contemplated under Section 6 of the DPDP Act. Until this banner is live, we recommend visitors who do not wish to be subject to analytics tracking to:

• Use browser-level “Do Not Track” settings, or
• Install Google Analytics opt-out browser add-on (https://tools.google.com/dlpage/gaoptout), or
• Use private/incognito browsing mode.

We expect to deploy the consent banner within 60 days of the effective date of this Policy. This Policy will be updated when the banner goes live.

7.3 Calendly

When you click any “Book Free Call”, “Appointment”, or “Get Quote” button on our website, you are redirected to Calendly’s domain (calendly.com). Calendly’s privacy practices are governed by their own privacy policy, available at https://calendly.com/legal/privacy-notice. We receive only the appointment confirmation and your contact details from Calendly.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, plus statutory retention periods.

Type of Data	Retention Period
Client engagement records, working papers, audit files	8 years from end of engagement (matching Section 128 of the Companies Act, 2013, Section 44AA of the Income-tax Act, and ICAI guidance)
Tax returns, statutory filings, supporting documents	8 years or longer where required by specific statute
KYC and PMLA records	As required under PMLA (currently 5 years from end of relationship)
Website analytics data	24 months from collection
Marketing communication preferences	Until you withdraw consent or 24 months of inactivity, whichever is earlier
Records subject to litigation, investigation, or disciplinary inquiry	Until conclusion of proceedings plus applicable limitation period

After the retention period ends, we securely delete or anonymise your personal data within 90 days, except where longer retention is required by law.

9. Cross-Border Transfer of Data

Some of our service providers (including cloud storage, email, and software platforms) may store data on servers located outside India. Cross-border transfers comply with Section 16 of the DPDP Act and any restrictions notified by the Ministry of Electronics and Information Technology (MeitY). We do not transfer personal data to any country or territory restricted by MeitY notification.

10. Your Rights as a Data Principal

Under the DPDP Act, you have the following rights with respect to your personal data:

10.1 Right to Access (Section 11)

You may request a summary of the personal data we hold about you, the purposes for which it is being processed, and the identities of any Data Processors with whom it has been shared.

10.2 Right to Correction and Erasure (Section 12)

You may request correction of inaccurate or incomplete data, or erasure of data that is no longer necessary for the purpose for which it was collected, subject to our statutory retention obligations.

10.3 Right to Grievance Redressal (Section 13)

You may register a grievance with our Grievance Officer (Section 12 below). We will respond within the timelines prescribed under the DPDP Act and rules. If unsatisfied, you may approach the Data Protection Board of India.

10.4 Right to Nominate (Section 14)

You may nominate a person to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, write to info@cavijaysingh.com with the subject line “DPDP Data Principal Request” and a copy of identity verification.

11. Withdrawal of Consent

Where processing is based on your consent, you may withdraw consent at any time by writing to info@cavijaysingh.com. Withdrawal of consent will not affect the lawfulness of processing prior to withdrawal, nor will it affect processing required for legal obligations or statutory retention.

Withdrawal of consent for processing essential to an active engagement may impact our ability to deliver services; we will discuss alternatives with you on a case-by-case basis.

12. Grievance Officer

If you have any concerns regarding our processing of your personal data, please contact our Grievance Officer:

Name	CA Vijay R Singh, Proprietor
Email	info@cavijaysingh.com
Phone	+91 98607 23959
Address	Office No. 4, D Wing, Vishal CHSL, Sir Mathuradas Vasanji Road, Near Vishal Hall, Azad Nagar, Andheri East, Mumbai 400069
Response Timeline	Within 7 working days of receipt; final resolution within 30 days

If you are not satisfied with our response, you may approach the Data Protection Board of India under Section 27 of the DPDP Act.

13. Children’s Personal Data

Our services are intended for adults (18 years and above), professional firms, companies, and other adult entities. We do not knowingly collect personal data of children (persons under 18) without verifiable parental consent in compliance with Section 9 of the DPDP Act. If we become aware that we have inadvertently collected such data, we will delete it promptly.

14. Data Security

We implement reasonable technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include:

• Encrypted storage of sensitive client data
• Access controls limiting data access to authorised personnel
• Regular security updates to our website infrastructure
• Confidentiality obligations on all employees and Data Processors
• Adherence to ICAI’s Standards on Auditing and Code of Ethics

In the event of a personal data breach that is likely to result in significant harm, we will notify the Data Protection Board of India and affected Data Principals as required under the DPDP Act.

15. Changes to This Policy

We may update this Policy from time to time to reflect changes in law, our services, or our processing practices. The “Last Updated” date at the top of this page indicates when changes were made. Material changes will be notified to active clients by email and will be prominently displayed on our website for at least 30 days.

16. Governing Law

This Policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts of Mumbai, Maharashtra, India.

---

Contact Us

For any questions regarding this Privacy Policy or our data practices:

Vijay R Singh & Co., Chartered Accountants
Office No. 4, D Wing, Vishal CHSL,
Sir Mathuradas Vasanji Road, Near Vishal Hall,
Azad Nagar, Andheri East,
Mumbai, Maharashtra 400069

📧 info@cavijaysingh.com
📞 +91 98607 23959
🌐 https://cavijaysingh.com

This policy is effective from 26 April 2026.