Y M Shah & Co

Legal & Compliance

Privacy Policy

How Y M Shah & Co. collects, uses, protects, and handles your personal information in accordance with Indian and international privacy law.

Effective Date: 1 January 2020
Version: 3.0
Governed By: IT Act 2000 · PDPB · GDPR

1. Introduction

Y M Shah & Co., Chartered Accountants ("the Firm", "we", "us", or "our") is committed to protecting the privacy and confidentiality of all individuals who interact with our website, engage our professional services, or otherwise share personal information with us. This Privacy Policy ("Policy") sets out in detail the types of personal data we collect, the purposes for which we use it, the legal bases on which we rely, how long we retain it, who we may share it with, and the rights you hold as a data subject.

This Policy applies to all personal information processed by Y M Shah & Co. in connection with: (a) use of our website at www.ymshah.com and any related subdomains; (b) the provision of chartered accountancy, tax advisory, audit, company formation, GST compliance, litigation support, and related professional services; and (c) any other interaction you may have with the Firm through any channel, including telephone, email, physical correspondence, or in-person meetings.

Our commitment: We do not sell, rent, or trade your personal information to any third party for their own marketing purposes. Your data is processed solely for the purposes described in this Policy and for the performance of professional services you have engaged us to provide.

  • 🔒 Encrypted & Secure: All data transmitted via SSL/TLS. Stored on secured, access-controlled servers.
  • 🚫 Never Sold: We never sell, rent, or trade personal data with third parties for marketing.
  • ⚖️ Fully Compliant: IT Act 2000, PDPB, and GDPR compliance for Indian and international clients.

By using our website or engaging our services, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, you should discontinue use of our website and services and notify us so we can address your concerns.

2. Who We Are — Data Controller

For the purposes of applicable data protection legislation, the data controller responsible for your personal information is:

Firm Name: Y M Shah & Co., Chartered Accountants

ICAI Membership: Registered with the Institute of Chartered Accountants of India (ICAI)

Registered Office: Vadodara, Gujarat, India

Website: www.ymshah.com

Email: haard@ymshah.com

Phone: +91 90332 31693

As a firm of Chartered Accountants regulated by the ICAI, we are also subject to professional confidentiality obligations under the Chartered Accountants Act, 1949 and the Code of Ethics issued by ICAI, which impose duties of confidentiality that are in addition to and consistent with our obligations under data protection law.

3. Information We Collect

4. How We Collect Your Information

We collect personal information through the following channels:

4.1 Directly From You

  • Client Engagement: When you instruct us to provide professional services, by completing our client intake forms, signing our engagement letter, or providing us with documents
  • Website Contact Forms: When you submit an enquiry, schedule a consultation, or use any interactive feature on our website
  • Email and Telephone: When you contact us by email (haard@ymshah.com) or phone (+91 90332 31693)
  • In-Person Meetings: When you visit our office or attend meetings arranged by us
  • WhatsApp and Messaging: When you contact us through WhatsApp or other messaging platforms
  • Internship / Career Applications: When you apply for a position or internship at the Firm

4.2 Automatically From Your Device

  • Through cookies, pixel tags, and similar tracking technologies when you browse our website
  • Via server logs maintained by our web hosting provider
  • Through Google Analytics (see Section 8)

4.3 From Third Parties and Public Sources

  • Government portals: MCA21, GSTN, Income Tax Department, TRACES, DGFT
  • CIBIL, credit bureaus, and financial institutions (with your consent)
  • Other professional advisors working on the same engagement (solicitors, valuers, bankers)
  • Publicly available records such as the ROC, MCA website, GSTN portal, and court records
  • Referrals from existing clients or associate professionals

5. Legal Basis for Processing

We rely on the following legal bases to process your personal information:

| Legal Basis | When We Rely on It | Examples |
|---|---|---|
| Contract Performance | Processing is necessary to perform the professional services contract you have entered into with us | Preparing your tax return, filing GST refunds, conducting audit work |
| Legal Obligation | Processing is required to comply with a legal or regulatory obligation | KYC / AML verification, mandatory reporting under PMLA, retention of audit files as required by ICAI |
| Legitimate Interests | Processing is necessary for our legitimate interests, provided these are not overridden by your rights | Website security, fraud prevention, business development, service improvement, responding to general enquiries |
| Consent | You have given clear, specific, and informed consent | Sending marketing or newsletter emails; processing sensitive data; use of non-essential cookies |
| Vital Interests | Processing is necessary to protect life | Emergency situations only |
| Public Task | Processing is necessary in the exercise of an official function | Regulatory compliance functions |

ℹ️ Where we rely on legitimate interests, we carry out a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request a copy of our legitimate interests assessment at any time by contacting us.

6. How We Use Your Information

We use personal information for the following purposes, always ensuring that there is a valid legal basis for each use:

6.1 Professional Service Delivery

  • Providing chartered accountancy, tax advisory, audit & assurance, GST compliance, company formation, NRI advisory, and litigation support services
  • Preparing and filing tax returns, GST returns, ROC filings, and other statutory documents
  • Representing you before tax authorities, appellate tribunals, and regulatory bodies
  • Conducting due diligence, valuations, and business advisory work
  • Corresponding with the Income Tax Department, GSTN, MCA, RBI, and other regulators on your behalf

6.2 Client Relationship Management

  • Managing your client file, maintaining records of advice given and documents received
  • Sending you compliance reminders, deadline alerts, and updates on tax law changes
  • Processing payments and managing billing and invoicing
  • Conducting client satisfaction surveys (participation is voluntary)

6.3 Legal, Regulatory & Risk Management

  • Verifying your identity for KYC (Know Your Client) and Anti-Money Laundering (AML) purposes under the PMLA, 2002
  • Maintaining mandatory records as required by ICAI standards, the Companies Act, IT Act, and other applicable laws
  • Detecting and preventing fraud, financial crime, and misuse of our services
  • Managing and defending legal claims involving the Firm

6.4 Website & Technology Operations

  • Operating, maintaining, and improving the security and performance of our website
  • Analysing website usage patterns to improve user experience
  • Managing IT systems, backups, and disaster recovery
  • Communicating with you regarding your website enquiry or contact form submission

6.5 Marketing Communications (with Consent)

  • Sending newsletters, tax updates, budget analyses, and educational content — only where you have opted in
  • Informing you about new services, webinars, or workshops you may be interested in
  • You may withdraw consent and unsubscribe at any time using the link in any marketing email or by contacting us directly

7. Information Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share information only in the following circumstances:

7.1 Government Authorities & Regulators

We share your information with government bodies as required or authorised by law, including: Income Tax Department (Portal, CPC, faceless assessment), GST Network (GSTN), Ministry of Corporate Affairs (MCA21), SEBI, RBI (FEMA compliance), EPFO/ESIC, and other competent authorities. This is done only to the extent necessary to fulfil our professional mandate.

7.2 Professional Co-Advisors

In certain complex engagements, we may involve barristers, solicitors, financial institutions, valuers, notaries, or international CA firms. All such parties are bound by professional confidentiality obligations and, where applicable, data processing agreements.

7.3 Service Providers (Data Processors)

| Category | Purpose | Safeguards |
|---|---|---|
| Cloud Storage & IT Infrastructure | Secure document storage and email services | DPA in place; data may be stored in India or EU-adequacy countries |
| Accounting Software | Tally, Zoho Books, QuickBooks (as applicable) | Standard contractual terms; data residency in India |
| Web Hosting & Analytics | Website operations and usage analytics | Google Analytics with IP anonymisation; hosting in India |
| Communication Tools | Email, WhatsApp Business, video conferencing | End-to-end encryption where available |
| Tax Software | Income Tax, GST return preparation utilities | Licensed software; data retained within India |

7.4 Legal Obligation or Vital Interests

We may disclose your personal information if required to do so by law, court order, or other legal process, or if we believe in good faith that such disclosure is necessary to: (i) comply with applicable law; (ii) protect the rights, property, or safety of the Firm, our clients, or the public; or (iii) prevent or detect a crime.

7.5 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of the Firm's practice or a substantial portion thereof, your personal data may be transferred as part of that transaction. We will notify affected clients as required by applicable law and ensure appropriate data protection obligations are maintained.

8. Cookies & Tracking Technologies

Our website uses cookies and similar technologies to enhance your experience and collect analytical data. Below is a detailed description of the cookies we use:

| Cookie Type | Name / Provider | Purpose | Duration | Can Opt Out? |
|---|---|---|---|---|
| Strictly Necessary | WordPress Session, PHPSESSID | Enable core website functionality, login sessions, contact form security | Session | No — essential for operation |
| Performance / Analytics | Google Analytics (_ga, _gid, _gat) | Anonymised user behaviour analysis — pages visited, session duration, bounce rate. IP anonymisation is enabled. | 2 years (_ga); 24 hours (_gid) | Yes — via cookie banner or Google opt-out browser plugin |
| Functional | Language, Preferences | Remembers your display preferences (e.g., font size) | 1 year | Yes |
| Marketing / Remarketing | Google Ads (where active) | Deliver relevant advertisements on partner networks | 90 days | Yes — via cookie banner |

8.1 Managing Your Cookie Preferences

You can manage or disable cookies at any time by: (a) using the cookie consent banner when you first visit our site; (b) adjusting your browser settings to block or delete cookies; or (c) using the Google Analytics opt-out browser add-on available at tools.google.com/dlpage/gaoptout.

Please note that disabling certain cookies may impair the functionality of our website and prevent you from accessing some of its features.

9. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal, regulatory, and professional obligations.

| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Client tax files, returns, and correspondence | 8 years from the end of the relevant assessment year | Income Tax Act, 1961; ICAI guidelines |
| Audit working papers and related documents | 10 years from the date of the auditor's report | Companies Act, 2013; ICAI SA 230 |
| GST records and refund documentation | 6 years from the due date of the annual return | CGST Act, 2017 — Section 36 |
| Company formation documents | Duration of company existence + 8 years post-dissolution | Companies Act, 2013 |
| KYC / AML records | 5 years from the end of the business relationship | Prevention of Money Laundering Act, 2002 |
| Engagement letters and professional correspondence | 7 years from conclusion of engagement | Limitation Act, 1963; ICAI guidelines |
| Website enquiry / contact form data | 2 years from submission (or until matter is resolved) | Legitimate interests |
| Marketing consent records | Until consent is withdrawn + 1 year for compliance records | IT Act 2000; PDPB |
| Website analytics data (Google Analytics) | 26 months (Google's standard setting) | Legitimate interests (anonymised) |

ℹ️ After the applicable retention period expires, we securely delete or anonymise your personal data in a manner that makes re-identification impossible. Physical documents are shredded; digital files are permanently deleted from all systems and backups.

10. Data Security

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, accidental loss, alteration, disclosure, or destruction. Our security framework includes:

10.1 Technical Measures

  • Encryption in Transit: All data transmitted between your browser and our website is encrypted using TLS 1.2 / 1.3 (HTTPS)
  • Encryption at Rest: Sensitive client documents stored electronically are encrypted using AES-256 or equivalent
  • Access Controls: Role-based access controls (RBAC) ensure staff access only the data necessary for their functions
  • Multi-Factor Authentication: All staff accounts on client data systems are protected with MFA
  • Firewalls and Intrusion Detection: Network-level security systems monitor and block unauthorised access attempts
  • Regular Security Patching: Operating systems, software, and plugins are kept up to date

10.2 Organisational Measures

  • All staff and article clerks handling client data are trained on data protection and confidentiality obligations as part of their induction
  • Physical files containing personal data are stored in locked cabinets with restricted access
  • Clean desk policy is maintained for all staff handling client documents
  • Data breach response procedures are in place; in the event of a breach affecting your rights, we will notify you and the appropriate authority as required by law
  • Engagement letters include specific confidentiality clauses binding all parties

⚠️ Limitation: Whilst we use best-practice security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security. If you have reason to believe your interaction with us is no longer secure, please contact us immediately at haard@ymshah.com.

11. Your Rights as a Data Subject

Depending on your location and the applicable law, you may hold some or all of the following rights in relation to your personal data. We will respond to all valid requests within 30 days of receipt (extendable by a further two months in complex cases, with notice).

📋 Right to Access

Request a copy of the personal data we hold about you and information on how we use it (Subject Access Request / DSAR).

✏️ Right to Rectification

Request correction of inaccurate or incomplete personal data we hold about you.

🗑️ Right to Erasure

Request deletion of your personal data where there is no compelling reason for us to continue processing it (subject to our legal retention obligations).

⏸️ Right to Restriction

Request that we restrict the processing of your data in certain circumstances, e.g. while an accuracy dispute is resolved.

📦 Right to Portability

Receive a copy of data you provided to us in a structured, machine-readable format (applies to automated processing based on consent or contract).

🚫 Right to Object

Object to processing based on legitimate interests or for direct marketing purposes. We will stop unless we demonstrate compelling legitimate grounds.

🤖 Automated Decisions

Not to be subject to solely automated decisions that produce significant legal effects, including profiling (we do not currently conduct automated decision-making).

↩️ Withdraw Consent

Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.

11.1 How to Exercise Your Rights

To exercise any of the above rights, please submit a written request to us at: haard@ymshah.com with the subject line "Data Subject Request — [Your Name]". We may need to verify your identity before processing your request. There is no fee for exercising your rights, except in cases of manifestly unfounded or excessive requests.

11.2 Right to Lodge a Complaint

If you are dissatisfied with how we handle your personal data or with our response to a rights request, you have the right to lodge a complaint with the competent data protection authority:

  • India: The Data Protection Board of India (once operational under the DPDP Act, 2023); currently, complaints may be filed with the Ministry of Electronics & Information Technology (MeitY)
  • European Union / EEA: Your local data protection supervisory authority (e.g., CNIL in France, BfDI in Germany)
  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk

12. International Data Transfers

Our primary operations are based in India and we endeavour to store and process data within India wherever possible. However, certain service providers (such as cloud platforms or communication tools) may process data in other jurisdictions.

Where personal data of EEA or UK residents is transferred outside those regions, we ensure appropriate safeguards are in place, which may include:

  • Transfers to countries with an adequacy decision under GDPR (e.g., transfers back to India are treated under applicable GDPR adequacy rules)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreements (IDTAs) for UK-based clients
  • Binding Corporate Rules, where applicable

You may request a copy of the safeguards we rely on for international transfers by contacting us at haard@ymshah.com.

13. Children's Privacy

Our website and professional services are not directed at children under the age of 18. We do not knowingly collect personal information from minors. If you are a parent or guardian and become aware that your child has provided us with personal information without your consent, please contact us immediately and we will take steps to delete such information from our records.

In circumstances where we are required to process information relating to a minor (e.g., for inclusion in a family tax return, trust deed, or succession planning matter), we will do so only with the explicit consent of a parent or legal guardian and only to the extent necessary to fulfil the professional mandate.

14. Third-Party Links & Integrations

Our website may contain links to third-party websites including government portals (Income Tax e-Filing, GSTN, MCA21, ICAI), professional bodies, payment gateways, and resource platforms. These links are provided for your convenience only.

We have no control over the content, privacy practices, or security of third-party websites, and this Policy does not apply to those sites. We strongly encourage you to read the privacy policy of any website you visit via a link from our site before providing any personal information to that site.

Third-party integrations currently used on this website include Google Analytics, Google Fonts, and WhatsApp Business API. Each of these providers has its own privacy policy governing their data practices.

15. India-Specific: DPDP Act, 2023 & IT Act, 2000

For users based in India, the following provisions apply in addition to and consistent with the general terms of this Policy:

15.1 Digital Personal Data Protection Act, 2023 (DPDP Act)

Y M Shah & Co. acts as a "Data Fiduciary" under the DPDP Act, 2023, and is committed to full compliance with its provisions as they come into force. As a Data Principal (individual), you have the rights described in Section 11 above, as applicable under the DPDP Act.

  • We collect and process personal data only for specified, clear, and lawful purposes
  • We do not process personal data beyond what is necessary for the stated purpose
  • We maintain the accuracy of personal data and delete it when the purpose is fulfilled
  • In the event of a personal data breach affecting your rights, we will notify you and the Data Protection Board within the prescribed timeframe
  • Our Grievance Officer for the purposes of the DPDP Act is contactable at: haard@ymshah.com

15.2 Information Technology Act, 2000 & IT (Amendment) Act, 2008

We comply with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"). The categories of sensitive personal data as defined under SPDI Rules are handled with heightened security and are not disclosed to third parties without your consent except as required by law or for the performance of our professional services.

15.3 PMLA & RBI KYC Norms

As a designated professional under the Prevention of Money Laundering Act, 2002 (PMLA), we are required to conduct client due diligence (CDD / KYC) for certain categories of transactions. Information collected for KYC purposes is retained as required by the PMLA and ICAI's Anti-Money Laundering Guidelines and may be shared with the Financial Intelligence Unit — India (FIU-IND) in the event of a suspicious transaction report (STR) being filed.

16. GDPR — European Economic Area & United Kingdom

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) or the UK GDPR (as applicable) applies to our processing of your personal data.

16.1 Data Protection Representative

As we do not have an establishment in the EEA or UK but do provide services to individuals located there (primarily NRI advisory and international business formation services), we may be required to appoint an EU / UK representative. Where required, details of our representative will be published in this section and communicated to affected individuals.

16.2 Legal Bases (GDPR Article 6)

Our legal bases for processing data of EEA/UK residents are as set out in Section 5 of this Policy, with reference to the specific articles of GDPR Article 6 (and Article 9 for special category data, where applicable).

16.3 Supervisory Authority

EEA residents may complain to their local supervisory authority. UK residents may complain to the Information Commissioner's Office (ICO) at ico.org.uk.

17. Changes to This Privacy Policy

We review and update this Privacy Policy periodically to reflect changes in our practices, services, applicable law, or regulatory guidance. When we make material changes, we will:

  • Update the "Last Reviewed" date at the top of this Policy
  • Post a prominent notice on our website homepage for at least 30 days
  • Send an email notification to active clients where we hold your email address and the change materially affects how we use your data
  • Where required by law, seek fresh consent before implementing the change

Your continued use of our website or services after the effective date of any changes constitutes your acceptance of the updated Policy. We encourage you to periodically review this page for the latest information on our privacy practices.

Previous versions of this Policy are available on request by contacting us at haard@ymshah.com.

18. Contact Us & Grievance Redressal

For any questions, concerns, complaints, or requests relating to this Privacy Policy or our data processing practices, please contact our designated Privacy Contact / Grievance Officer:

Privacy & Grievance Contact

🏢 Organisation: Y M Shah & Co., Chartered Accountants

📍 Office: Vadodara, Gujarat, India

⏱️ Response Time: Within 30 days of receipt

🕐 Working Hours: Mon–Sat, 10:00 AM – 6:00 PM IST

⚖️ ICAI Disclaimer: The Institute of Chartered Accountants of India does not permit advertisement or solicitation by Chartered Accountants in any form or manner. By accessing this website, you acknowledge that you are seeking information relating to Y M Shah & Co. on your own accord and that there has been no form of solicitation, advertisement, or inducement by Y M Shah & Co. or its partners or employees. All content is for informational purposes only and does not constitute professional advice.