Data Handling Policy

Effective Date: 1 June 2026
Last Updated: 1 June 2026

This Data Handling Policy describes the specific practices Byalance follows when collecting, processing, storing, and disposing of client financial and business data. It is intended to give clients full clarity and confidence in how their sensitive information is managed.

1. Scope

This policy applies to all data shared with Byalance by clients in connection with:

  • Accounting and bookkeeping services
  • GST filing and compliance
  • TDS returns and management
  • Payroll processing
  • ITR filing and tax advisory

It covers data shared via WhatsApp, email, physical documents, or any other channel.

2. Data Collection Standards

2.1 Minimum Necessary Data

We collect only the data required to perform the specific service you have engaged us for. We do not request documents or information beyond what is operationally necessary.

2.2 How You Share Data with Us

Clients typically share data through:

  • WhatsApp Business — invoices, bank statements, vouchers in image or PDF format
  • Email — documents, reports, and authorisation letters
  • Shared cloud folders — for bulk document uploads (Google Drive or similar, as agreed)

We do not ask clients to share government portal passwords unless absolutely necessary for filing, and in such cases, we strongly recommend changing the password immediately after the filing is complete.

3. Data Storage

3.1 Where Data is Stored

All client files are stored on Google Workspace (Google Drive), which provides:

  • AES-256 encryption at rest
  • TLS encryption in transit
  • Access logs and audit trails

No client data is stored on personal devices or local hard drives without encryption.

3.2 Access Controls

  • Each client's folder is accessible only to the team member(s) assigned to that client
  • Access is revoked immediately upon disengagement or staff change
  • File sharing links are set to "restricted" — no public access

3.3 Physical Documents

Physical documents received from clients (if any) are scanned and digitised within 2 business days, stored securely, and returned or destroyed as per client instructions.

4. Data Processing Standards

4.1 Who Processes Your Data

Your data is handled by:

  • Byalance's core accounting team members, directly responsible for your account
  • Contract accountants, where applicable — bound by the same NDA and confidentiality obligations

No client data is shared with third parties for outsourcing without explicit client consent.

4.2 Government Portal Access

When filing on your behalf on the GST Portal, Income Tax Portal, TRACES, MCA, or EPFO/ESIC:

  • We access portals using credentials authorised by you
  • We complete only the specific filing tasks you have engaged us for
  • Session is closed immediately after task completion
  • Credentials are not stored in our systems

4.3 Accuracy and Review

All entries, reconciliations, and filings are reviewed before submission. Clients are sent a confirmation or summary for approval before any return is filed on their behalf.

5. Non-Disclosure and Confidentiality

Before any data exchange begins:

  • A Non-Disclosure Agreement (NDA) is signed between Byalance and the client
  • The NDA covers all financial, operational, and personal data shared during the engagement
  • All team members handling client data are bound by confidentiality clauses in their employment or contractor agreements

6. Data Retention and Disposal

Data TypeRetention PeriodBasis
GST-related records8 years from filing dateGST Act, 2017
Income tax records8 years from assessment yearIncome Tax Act, 1961
TDS records7 yearsTDS rules under IT Act
Payroll records8 yearsLabour law and IT Act
Employee PAN / AadhaarDuration of engagement + 3 yearsStatutory requirement
Website inquiry data2 years from last contactInternal policy

After the applicable retention period:

  • Digital files are permanently deleted from all storage locations
  • Physical documents are shredded
  • Clients can request a certificate of destruction upon request

7. Data Breach Response

In the event of an actual or suspected data breach:

  1. We will contain and assess the breach within 24 hours of discovery
  2. Affected clients will be notified within 72 hours, as required under the DPDP Act, 2023
  3. We will report to the Data Protection Board of India if required by law
  4. A written incident report will be provided to affected clients on request

8. Client Rights Over Their Data

You may, at any time:

  • Request a copy of all data we hold related to your business
  • Request correction of any inaccurate data
  • Withdraw consent and request deletion, subject to statutory retention requirements
  • Request transfer of your data to another service provider
  • Raise a grievance if you believe this policy has been violated

All requests must be sent to info@byalance.in with your registered business name. We will acknowledge within 3 business days and resolve within 15 business days.

9. Compliance Framework

Byalance's data handling practices are aligned with:

  • Information Technology Act, 2000 and IT (Amendment) Act, 2008
  • Digital Personal Data Protection Act, 2023 (DPDP Act)
  • IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
  • Applicable provisions of the GST Act, 2017 and Income Tax Act, 1961 regarding record retention

10. Contact for Data Matters

Data Handling Queries:
Email: info@byalance.in
Phone: +91 74062 96116
Address: 4th Phase, JP Nagar, Bengaluru, Karnataka

This policy is reviewed annually and updated as required. Last reviewed: June 2026.