Privacy Policy
Last updated: 12 May 2026
Taficon (“we”, “our”, “us”) operates taficon.app — a tax and financial intelligence platform for Indian taxpayers. This Privacy Policy explains what information we collect, how we use it, and the choices you have. By using Taficon you agree to this policy.
1. Information We Collect
1.1 Information you provide directly
- Account details: name, email address, and optionally a phone number when you sign up via Google or email.
- Financial data: income figures, deductions, and investment details you enter into our calculators and planner tools. This data is stored locally in your browser and, if you are signed in, synced to your account.
- Bank statements: PDF or CSV files you upload for analysis. These are processed to extract transaction data and are not shared with third parties.
- Gmail data (optional, opt-in): if you connect your Google account for the Gmail bank-statement auto-import feature, we receive a read-only OAuth token (gmail.readonly scope) limited to finding bank-statement PDF attachments. See Section 5 — Google API User Data for full details on what we read, what we store, and how to revoke access.
- Contact form submissions: name, email, phone number, and message when you reach out via our contact form.
- Consultation requests: details you submit when booking a CA consultation.
1.2 Information collected automatically
- Usage data: pages visited, features used, calculator interactions, and time spent — collected via Google Analytics 4 (GA4).
- Device and browser information: IP address, browser type, operating system, and referral URL — collected by GA4 and Microsoft Clarity.
- Cookies and local storage: we use cookies for authentication sessions and localStorage to persist your calculator inputs between visits.
2. How We Use Your Information
- Provide, operate, and improve the Taficon platform and its features.
- Authenticate your account and keep your saved data secure.
- Process bank statements and generate financial insights for you.
- Send transactional emails (e.g., calculation summaries, consultation confirmations).
- Respond to your support requests and contact form submissions.
- Analyse aggregate usage patterns to improve our products (no individual profiling).
- Comply with applicable Indian laws and regulations.
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
3. Cookies
We use the following types of cookies:
- Strictly necessary cookies: Firebase Authentication session cookies required for you to stay logged in.
- Analytics cookies: Google Analytics 4 cookies (GA4) that help us understand how visitors use the site. Data is anonymised where possible.
- Behaviour analytics: Microsoft Clarity session recordings and heatmaps to understand UI usability. No personally identifiable data is captured.
You can disable cookies in your browser settings. Disabling strictly necessary cookies will prevent you from logging in.
4. Third-Party Services
We use the following third-party services that may process your data:
| Service | Purpose | Data Shared |
|---|---|---|
| Firebase (Google) | Authentication & database | Email, account data |
| Convex | Backend data storage | Saved calculations, transactions |
| Razorpay | Payment processing | Name, email, amount |
| Google Analytics 4 | Usage analytics | Anonymised usage events |
| Microsoft Clarity | UX analytics | Session recordings (no PII) |
| Web3Forms | Contact form submission | Name, email, message |
| Resend | Transactional email | Email address |
Each third-party service has its own privacy policy. We encourage you to review them. Razorpay is PCI-DSS compliant — we never store your card details.
5. Google API User Data (Gmail Integration)
If you choose to connect your Google account to enable Taficon's Gmail bank-statement auto-import feature, the following disclosures apply specifically to data received from Google APIs.
5.1 Scope requested
- https://www.googleapis.com/auth/gmail.readonly — read-only access to your Gmail messages and their attachments.
- openid and email — basic profile identifiers used only for sign-in and to associate the Gmail connection with your Taficon account.
We do not request scopes that allow sending, modifying, deleting, or organising your email. We do not access Google Drive, Calendar, Contacts, Photos, or any other Google service.
5.2 What we read and what we ignore
- We search Gmail for emails matching specific bank-statement subject patterns (e.g., “bank statement”, “account statement”, “e-statement”) and known Indian bank sender domains.
- We download only the PDF attachments from those matching emails for parsing.
- We do not read or store the body content of emails.
- We do not read non-statement emails such as personal correspondence, newsletters, or promotional messages.
- For protected PDFs, we may extract a password format hint from the email body text (e.g., “your password is the first four letters of your name”). The hint is shown to you in a prompt and is not stored.
5.3 What we store
- The OAuth refresh token issued by Google, encrypted at rest on our backend. This is what allows our 12-hourly background sync to fetch new statements without re-prompting you. Deleted within 24 hours of you disconnecting.
- Parsed transaction rows extracted from your bank-statement PDFs (date, description, amount, type).
- Statement metadata: detected bank, statement period, last 4 digits of account number.
- Optional per-bank passwords that you explicitly choose to save on your profile for re-use across imports.
We do not store the original PDF file or the raw email contents beyond what is necessary to complete a single sync operation.
5.4 Limited Use disclosure
Taficon's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, Taficon affirms that:
- We use Google user data only to provide and improve the user-facing features that you authorised (i.e., auto-importing your own bank statements).
- We do not transfer Google user data to third parties except as necessary to provide and improve those features, to comply with applicable law, or as part of a merger, acquisition, or asset sale (with prior notice to users).
- We do not use Google user data for serving advertisements, including re-targeted, personalised, or interest-based advertising.
- We do not allow humans to read Google user data, except (a) with your affirmative agreement for specific messages, (b) to investigate abuse or security concerns, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised in a way that cannot be re-identified.
5.5 Sharing with our PDF parser
PDF attachments downloaded from Gmail are sent to our own bank-statement parser service (hosted on Google Cloud Run, project tax-finance-consultant) for transaction extraction. The parser is operated by Taficon — not a third-party vendor. PDFs are processed in memory and discarded after parsing; only the extracted structured transaction data is persisted to your Taficon account.
5.6 Revoking access
You can revoke Taficon's access at any time:
- Within Taficon: visit your profile and click Disconnect Gmail.
- Within Google: visit myaccount.google.com/permissions, find “Taficon”, and click Remove Access.
After revocation, the stored OAuth refresh token is deleted within 24 hours. Already-parsed transaction data remains in your Taficon account until you delete it from Upload History or close your account.
6. Data Retention
- Account data: retained as long as your account is active. Deleted within 30 days of account deletion.
- Bank statements: uploaded files are processed and the raw file is not permanently stored. Extracted transaction data is kept until you delete it.
- Analytics data: GA4 retains event data for 14 months by default.
- Contact form submissions: retained for up to 12 months for support follow-up purposes.
7. Your Rights
As a user, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and associated data.
- Withdraw consent for analytics cookies at any time via browser settings.
- Lodge a complaint with a relevant data protection authority.
To exercise these rights, email us at privacy@taficon.app. We will respond within 30 days.
8. Security
We implement industry-standard security measures including HTTPS encryption, Firebase security rules for database access control, and regular security reviews. No method of transmission over the internet is 100% secure — we cannot guarantee absolute security, but we work hard to protect your data.
9. Children's Privacy
Taficon is intended for adults aged 18 and above. We do not knowingly collect data from children under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Governing Law
This Privacy Policy is governed by the laws of India, including the Information Technology Act 2000, the Information Technology (Amendment) Act 2008, and applicable rules thereunder. Any disputes shall be subject to the jurisdiction of courts in India.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the “Last updated” date at the top of this page and, where appropriate, by email. Your continued use of Taficon after changes constitutes acceptance of the revised policy.
12. Contact Us
For any privacy-related questions or requests:
- Email: privacy@taficon.app
- Contact form: taficon.app/contact