1. Who we are
This Privacy Policy explains how Finasa Lifestyle Private Limited ("North", "we", "us", or "our") — a private limited company incorporated in India and operator of the "North" finance-AI platform available at get-north.in and copilot.get-north.in — collects, uses, discloses, and protects personal information when you use our services (the "Services").
North is an AI co-pilot for Indian SMBs and their Chartered Accountants. We help users connect existing accounting systems (Zoho Books, Tally, Gmail) and run finance workflows via chat, voice, and WhatsApp.
2. Scope and acceptance
This Policy applies to all individuals who access or use the Services, including business owners, finance team members, Chartered Accountants, and any authorised users of an organisation that has subscribed to North. By creating an account or using the Services, you confirm that you have read, understood, and agree to this Policy.
This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act"), Information Technology Rules 2011, and applicable provisions of the EU GDPR for users in the European Economic Area.
3. What data we collect
3.1 Information you provide directly
- Account data: name, email address, phone number, business name, role, password (stored hashed).
- Organisation data: GSTIN, PAN, business address, financial year, language preference.
- Payment information: handled by our payment partner Razorpay. We do not store full card numbers or CVV. We retain only payment status, a tokenised reference, and the last four digits of your card.
- Communications: support tickets, live-chat transcripts, emails you send to us, feedback you provide.
3.2 Information you authorise us to access
- Accounting data: when you connect Zoho Books or Tally via OAuth, we read invoices, bills, contacts, accounts, journal entries, GST records, and similar data on your behalf, and (with your authorisation) write transactions back. Scope is limited to what's necessary to operate the Services.
- Gmail data (optional): if you connect Gmail, we read messages that match invoice / bill keywords or that you forward to a designated inbox label. We do not read general email content outside this scope.
- OAuth tokens: access and refresh tokens for connected services. Stored encrypted at rest (column-level encryption) on our infrastructure.
3.3 Information collected automatically
- Usage data: queries sent, tool calls made, response confidence, error rates. Used to operate the Services and improve quality.
- Device data: IP address, browser type, operating system, referrer URL, timestamps. Used for security, fraud prevention, and rate limiting.
- Cookies and similar technologies: see our Cookie Policy.
4. How we use your data
We process personal data for the following purposes:
- Service delivery — to authenticate users, sync accounting data, generate AI responses, send WhatsApp alerts, and otherwise operate North.
- Billing — to bill you for paid plans, raise GST invoices, and handle refunds.
- Communication — to send transactional emails (e.g., trial-end reminder, billing receipts), respond to support, and notify you of material product changes.
- Improvement — to debug issues, measure feature performance, and improve AI accuracy. We do not use your business financial data to train third-party general-purpose AI models.
- Security and fraud prevention — to detect abuse, enforce rate limits, prevent unauthorised access, and maintain audit logs.
- Legal and compliance — to comply with applicable laws, respond to lawful requests, and enforce our Terms of Service.
5. Legal basis for processing
We process personal data on the following bases:
- Consent — for OAuth connections (Zoho, Gmail), WhatsApp alerts, and marketing communications. You can withdraw consent at any time.
- Contract performance — to provide the Services you've subscribed to.
- Legitimate interests — security, fraud prevention, product analytics, and improving our Services. We balance these against your rights.
- Legal obligation — to comply with tax, accounting, and financial regulations applicable to a Mumbai- / Bengaluru-headquartered company.
6. Sharing and subprocessors
We do not sell personal data. We share data only with the following categories of recipients, and only to the extent necessary:
- Subprocessors — vendors who process data on our behalf under written contracts that bind them to confidentiality and security obligations equivalent to ours. Our current subprocessors:
| Subprocessor | Purpose | Region |
| --- | --- | --- |
| Supabase Inc. | Application database, authentication, file storage | Mumbai, India |
| Anthropic PBC | AI model inference (Claude) | United States |
| Google LLC (Gemini API) | AI model inference (Gemini, default) | Singapore / United States |
| Cloudflare Inc. | CDN, DDoS protection, web hosting | Global edge (incl. India) |
| Razorpay Software Pvt. Ltd. | Payments, subscription billing, GST invoices | Bengaluru, India |
| AiSensy / Meta Platforms Inc. | WhatsApp Business API delivery | India / global |
| Resend / SendGrid | Transactional email delivery | United States / Ireland |
- Your Chartered Accountant or team members — only if you explicitly invite them to your organisation in North.
- Legal and regulatory authorities — when required by valid legal process. We will challenge requests we believe to be unlawful or overbroad and notify you unless legally prohibited.
- Successor entities — in the event of a merger, acquisition, or sale of assets, where the successor is bound by terms at least as protective as this Policy.
7. International data transfers
Your primary application data — including your books, OAuth tokens, and chat history — is stored in Mumbai, India (Supabase ap-south-1 region). However, AI model inference occurs on servers in the United States and Singapore (Anthropic, Google). When we transfer personal data outside India, we rely on:
- Standard contractual clauses or equivalent legal mechanisms with subprocessors;
- Vendor commitments to applicable data protection laws (DPDP Act, GDPR);
- Technical safeguards such as encryption in transit (TLS 1.2+) and at rest.
Inference requests sent to Anthropic and Google contain only the data necessary to answer your query (chat context, relevant accounting summaries) — never your full books, OAuth tokens, or payment details.
8. Data retention
We retain personal data as long as your account is active and for a limited period afterwards as set out below.
- Account and books data: retained for the duration of your subscription. On account closure, deleted within 90 days unless legal hold applies.
- Chat history: retained for the duration of your subscription. You can delete individual chats at any time from the app.
- Billing records: retained for 8 years from the date of the transaction, as required by Indian tax law.
- Audit logs and security events: retained for 12 months for fraud prevention and security investigation.
- OAuth tokens: deleted within 7 days of disconnection.
9. Your rights
Under the DPDP Act, GDPR, and applicable laws, you have the following rights with respect to your personal data:
- Right to access — request a copy of the personal data we hold about you.
- Right to correction — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your personal data, subject to legal-hold exceptions.
- Right to data portability — receive your data in a structured, machine-readable format. North provides full Excel + JSON export from Settings.
- Right to withdraw consent — at any time, where processing is based on consent. Withdrawal does not affect prior lawful processing.
- Right to nominate (DPDP Act § 14) — nominate another individual to exercise your rights in case of incapacity or death.
- Right to grievance redressal — see Contact us. We respond within 7 working days. If unsatisfied, you may approach the Data Protection Board of India.
To exercise any of these rights, email privacy@get-north.in from the address registered to your account. We may ask for additional verification to protect your account.
10. Security
We use industry-standard administrative, technical, and physical safeguards to protect personal data:
- TLS 1.2+ encryption for all data in transit.
- Encryption at rest for OAuth tokens (column-level) and backups.
- Row-level security (RLS) on the application database — every read and write is bound to a specific organisation_id.
- Authentication via Supabase with email + password (and SSO for Enterprise).
- Audit logs of every AI write to connected accounting systems, with one-click undo.
- Periodic security audits and a documented incident response procedure.
Full details: /legal/security.html.
11. Children's data
North is not intended for individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please email privacy@get-north.in and we will delete it.
12. Cookies
We use a minimal set of cookies and similar technologies. See our Cookie Policy for details and opt-out instructions.
13. Changes to this policy
We may update this Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date above. Continued use of the Services after the effective date constitutes acceptance.
Data Controller: Finasa Lifestyle Private Limited.
Grievance Officer / Data Protection Officer: contact via privacy@get-north.in.
For general enquiries: hello@get-north.in.
Postal address available on request from the email above.