The professional double-entry accounting operating system engineered specifically for Indian CA firms, clients, and vendors.

Made with absolute precision in India

Product Modules

Company

Legal & Security

Double-entry tenant isolation runs on every SQL query.

© 2026 Cyntrova. All rights reserved. Ledger audit version 1.0.8.

··
Privacy and Data Governance

Privacy Policy

This policy explains what personal data Cyntrova processes, why it is used, how CA-managed financial workspaces affect responsibility, and how individuals can exercise applicable privacy rights.

Effective: 20 June 2026Last updated: 20 June 2026cyntrova@gmail.com

At a glance

Customer financial data remains controlled by the relevant CA firm or business workspace.

AI-assisted features may read scoped documents, but do not independently approve accounting entries.

Cyntrova uses tenant scope, role-based access, audit logs, and other safeguards for financial workflows.

Privacy and grievance requests can be sent to cyntrova@gmail.com.

This document describes Cyntrova's current service position. Signed order forms, pilot agreements, and data-processing addenda may add more specific commitments. Applicable law controls where it requires a different result.

1. Scope and operator

This Privacy Policy applies to Cyntrova websites, applications, CA firm workspaces, invited business portals, vendor upload links, APIs, support channels, pilot programs, and related services that link to this policy (collectively, the Service).

The Service operates under the Cyntrova name. In this policy, Cyntrova, we, us, and our refer to the operator identified in the applicable order form, pilot agreement, or account documentation.

This policy applies to digital personal data processed through the Service. It does not replace privacy notices that a CA firm, business, bank, Account Aggregator, payment provider, or another third party must provide for its own processing.

This policy is intended to operate alongside applicable Indian law, including relevant provisions of the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 as those provisions come into force, together with other information-technology, financial-sector, tax, and professional requirements that apply to a particular workflow.

2. Our role and the CA firm's role

Cyntrova's privacy role depends on the processing context. For account registration, platform security, service administration, billing, support, and product communications, Cyntrova generally determines why and how relevant personal data is processed.

For invoices, books, bank transaction records, GST records, client requests, vendor information, and reports uploaded to or created inside a CA-managed client workspace, the CA firm or relevant business generally decides what information is processed and for what professional purpose. Cyntrova processes that information to provide the Service under the customer's instructions and applicable agreement.

CA firms and businesses are responsible for ensuring that they have authority to upload, use, disclose, and instruct Cyntrova to process personal data concerning their clients, employees, customers, vendors, and other individuals. They are also responsible for their own professional, statutory, notice, consent, and record-retention obligations.

If your data appears in a workspace controlled by a CA firm or business, contact that organization first. Cyntrova will support verified requests as required by the applicable relationship and law.

3. Personal data we may collect

The data processed depends on the features used, the user's role, and the information supplied by the relevant firm or business.

  • Identity and account data, such as name, business email, phone number, role, organization, account identifiers, authentication events, and access status.
  • Firm and workspace data, such as firm name, client name, business profile, GSTIN, PAN or tax identifiers where required, fiscal-year settings, team assignments, and permissions.
  • Financial workflow data, such as invoices, credit or debit notes, journal entries, ledgers, bank transactions, reconciliation records, payments, receivables, payables, GST records, supporting documents, and published reports.
  • Customer and vendor data contained in accounting records, including names, contact details, tax identifiers, addresses, invoice details, bank references, and payment information.
  • Consent and integration data, including bank-consent status, consent artefact metadata, integration tokens, connection status, and transaction-fetch events. Cyntrova does not need your internet-banking password to provide an Account Aggregator-based flow.
  • Device, network, and usage data, such as IP address, browser and device information, session activity, audit events, pages or features used, error logs, and security signals.
  • Communications, support requests, product feedback, account requests, demo requests, and information you provide when contacting us.
  • Billing and subscription records. Payment card or bank-payment credentials may be collected directly by an authorized payment processor rather than stored by Cyntrova.

4. Sources of data

We may receive personal data directly from you; from a CA firm, business administrator, client, vendor, or authorized team member; from documents uploaded to the Service; from configured integrations; and from service providers acting for us.

Where bank transaction access is enabled, data may be received through an Account Aggregator or another authorized integration only after the required consent or authorization flow. Vendor upload links may collect information submitted by a vendor for the specific client workspace identified by the link.

5. Why we process data

We process personal data only for identified service, security, support, compliance, and business-administration purposes. Depending on the context and applicable law, processing may be based on consent, steps requested by you, performance of a service agreement, certain legitimate uses recognized by law, compliance with legal obligations, or another lawful ground.

  • Create and administer accounts, firms, client workspaces, roles, permissions, and access controls.
  • Receive, organize, extract, validate, review, post, reconcile, report, export, and audit accounting information as instructed by authorized users.
  • Operate client and vendor portals, requests, notifications, support, and collaboration workflows.
  • Provide bank-consent, transaction-fetch, reconciliation, GST, reporting, and related integrations selected by the customer.
  • Detect unauthorized access, fraud, abuse, duplicate actions, service failures, and security incidents.
  • Maintain auditability, data integrity, backups, business continuity, and enforceable service records.
  • Measure service performance, diagnose errors, improve usability, and understand feature adoption using appropriately scoped analytics.
  • Respond to support, privacy, legal, regulatory, and law-enforcement requests where valid and applicable.
  • Send service notices and, where permitted, product or pilot communications. You may opt out of non-essential marketing messages.

6. AI-assisted and automated features

Cyntrova may use optical character recognition, machine learning, and AI services to extract invoice fields, normalize document content, suggest classifications or matches, explain exceptions, and draft report narratives or communications.

Only the data reasonably needed for the selected feature should be sent to the configured provider. AI output is treated as assistance, not accounting truth. Deterministic services calculate balances, GST values, report figures, and posting entries. Authorized human review remains required wherever the product presents an approval control.

AI-generated summaries may describe precomputed report figures, trends, and risks. They must not invent, alter, or become the source of financial numbers. Users remain responsible for reviewing AI output before relying on or sharing it.

7. When data may be shared

We do not sell personal data as a business model. We may disclose data only as needed for the Service, the customer's instructions, a transaction, security, or applicable law.

  • Authorized users of the same firm or client workspace, according to role, client assignment, and publication settings.
  • Invited business users or scoped vendor-link users, limited to the information and actions made available to them.
  • Cloud hosting, database, storage, authentication, email, support, analytics, OCR, AI, monitoring, and payment providers acting under appropriate service arrangements.
  • Account Aggregators, financial-information providers or users, banks, GST-related providers, and other integrations selected or authorized by the customer.
  • Professional advisers, auditors, insurers, investors, or transaction counterparties subject to confidentiality and need-to-know restrictions.
  • Government, regulatory, judicial, or law-enforcement authorities when disclosure is legally required or reasonably necessary to protect rights, users, or the Service.
  • A successor or participant in a merger, financing, reorganization, acquisition, insolvency, or transfer of all or part of the business, subject to applicable safeguards.

8. Bank data and Account Aggregator flows

Where available, Cyntrova may support consent-based receipt of financial information through Account Aggregator rails or another authorized provider. The consent interface or consent artefact should describe the data requested, purpose, frequency, duration, and participating entities.

Users should review the Account Aggregator's own privacy notice and consent terms. Revoking or expiring consent may stop future data fetches but does not automatically erase transaction data already lawfully received and retained for accounting, audit, dispute, security, or legal purposes.

Cyntrova is not a bank and does not independently provide regulated Account Aggregator services unless expressly identified in the applicable integration documentation.

9. Cookies, browser storage, and analytics

The Service may use cookies, local storage, and similar technologies for authentication, session continuity, security, preferences, theme settings, diagnostics, and analytics. Some of these technologies are necessary for the Service to function.

Analytics technologies may record feature usage, page events, device information, and approximate network information. Where consent is required, non-essential analytics should be enabled only after the relevant choice. Browser settings can block or delete cookies, but disabling essential storage may prevent sign-in or other features from working.

10. Security safeguards

Cyntrova uses administrative, technical, and organizational measures designed for a multi-tenant financial application. Measures may include encrypted transport, access controls, role and client assignment checks, tenant-scoped queries, audit logging, monitoring, backups, secure development practices, and incident-response procedures.

No online service can guarantee absolute security. Customers must protect credentials, restrict user access, review role assignments, use supported devices and networks, and notify us promptly of suspected misuse or compromise.

11. Retention, deletion, and account closure

We retain data for as long as reasonably necessary to provide the Service, maintain accounting and audit continuity, comply with customer instructions and legal obligations, resolve disputes, enforce agreements, prevent fraud, and maintain security records.

Retention periods vary by data type, workspace configuration, contract, statutory recordkeeping duties, and the customer's instructions. Financial records may need to be retained longer than ordinary account or analytics data. Deletion may be delayed where retention is required by law, a legal hold, an unresolved dispute, security requirements, or backup rotation.

After termination, export and deletion arrangements are governed by the applicable service agreement or order form. De-identified or aggregated information that cannot reasonably identify an individual may be retained for analytics, security, and service improvement.

12. Processing and transfers outside India

Some service providers may process or store data in jurisdictions outside India. Where this occurs, we use contractual, access, security, and vendor-management measures appropriate to the service and comply with restrictions or governmental requirements applicable to cross-border transfers at the relevant time.

A customer with specific localization or residency requirements must raise them before onboarding so they can be addressed in the applicable agreement and architecture.

13. Privacy rights and choices

Subject to identity verification, workspace control, applicable exemptions, and provisions of law that are in force, an individual may request information about personal data being processed, correction or completion of inaccurate data, erasure where retention is no longer required, withdrawal of consent, grievance redressal, or nomination of another individual where legally available.

Withdrawal of consent does not affect processing already completed lawfully and may prevent us from continuing features that require the withdrawn data. We may ask for account, workspace, or transaction details necessary to locate the relevant data and protect it from unauthorized disclosure.

Send requests to cyntrova@gmail.com. If the request concerns a CA-managed workspace, we may refer it to or coordinate with the controlling CA firm or business. We will respond within the period required by applicable law or contract.

14. Children's data

Cyntrova is a professional accounting service and is not intended for individuals under 18 to create or operate accounts independently. We do not knowingly seek children's personal data for marketing or profiling.

If a financial or employment record lawfully contains data relating to a child, the uploading customer is responsible for ensuring authority, necessity, and appropriate safeguards. Contact us if you believe a child has created an account or data has been submitted without proper authority.

15. Personal data incidents

If we become aware of a personal data breach affecting the Service, we will investigate, contain, preserve relevant evidence, and take remediation steps. We will notify affected customers, individuals, and authorities when and within the timeframe required by applicable law or contract.

Customers must promptly report suspected unauthorized access, misdirected uploads, exposed portal links, compromised credentials, or other incidents to cyntrova@gmail.com.

16. Third-party services and links

The Service may link to or integrate with third-party services. Their privacy practices and terms govern processing they independently control. Cyntrova is not responsible for a third party's independent practices, and users should review the relevant notices before authorizing an integration.

17. Changes to this policy

We may update this policy to reflect changes in the Service, vendors, security practices, or law. The updated version will show a revised date. Where a change materially affects how personal data is used, we will provide additional notice or seek consent when required.

18. Contact and grievance redressal

Privacy and Grievance Contact: Cyntrova

Email: cyntrova@gmail.com

Include your name, organization or workspace, relationship to the data, the right or concern involved, and enough detail to verify and investigate the request. Do not email passwords, full bank credentials, or unnecessary financial documents.

Additional legal-entity and postal details, where applicable, will be stated in the relevant order form, invoice, pilot agreement, or account documentation.

Questions or requests

Contact Cyntrova

Email Cyntrova