Effective date: 27 June 2026
Privacy Policy
This policy explains what personal and financial data Milaan collects, why we collect it, how we protect it, and what rights you have under the Digital Personal Data Protection Act 2023 (DPDP Act) and other applicable Indian law.
1. Who We Are
Milaan is a SaaS platform built for Chartered Accountants (CAs) and tax professionals in India. It assists in reconciling Tally exports, GST returns, and bank statements for client engagements. Milaan is operated by its founders based in India.
For any privacy-related queries, contact us at privacy@milaan.in.
2. Data We Collect
Account data
When you sign up, we collect your email address and a hashed password. We do not collect your name, phone number, or payment details at registration.
Client data you upload
As part of using the reconciliation service, you may upload files containing:
- Client firm name, GSTIN, and PAN numbers
- Bank statements (PDF, Excel, CSV, or photo/screenshot)
- Tally export files (sales and purchase registers)
- GST return data (GSTR-1, GSTR-3B, GSTR-2A)
This data belongs to your clients. You are the Data Fiduciary for that data; Milaan acts as a Data Processor on your behalf.
Usage data
We log events such as document uploads, reconciliation runs, and exports. We do not use third-party analytics trackers.
3. How We Use Your Data
- To provide the reconciliation and extraction service you signed up for.
- To send transactional emails (OTP verification, password reset). We send no marketing email.
- To maintain an audit log of data-access events for compliance under the DPDP Act 2023.
- To detect and prevent abuse or unauthorised access to the platform.
We do not sell your data, share it with advertisers, or use it to train AI models.
4. Third-Party Processing — Google Gemini API
By using Milaan's bank-statement extraction feature, you explicitly consent to the following disclosure:
Bank statement files (PDFs, images, and screenshots) you upload are transmitted to Google's Gemini API (currently gemini-2.5-flash or gemini-2.5-pro) for AI-based data extraction. This processing is performed by Google LLC under their API Terms of Service and a zero-data-retention Data Processing Agreement — Google does not store, retain, or use your uploaded documents to train its AI models.
Tally exports and GST files that are already structured (clean CSV or Excel) are processed locally on our servers and are not sent to the Gemini API.
We do not send PAN numbers, GSTIN numbers, or client names inside the prompt text to the Gemini API — only the raw document content is transmitted for extraction. However, if such identifiers appear inside the document itself (e.g. printed on a bank statement), they may be included in the transmission.
You must inform your clients that their bank statements may be processed by a third-party AI service. Milaan's consent flow surfaces this disclosure before the first upload.
5. Data Storage and Security
- Database: All structured data (client records, extracted transactions, consent logs) is stored in Supabase Postgres, hosted on AWS infrastructure with encryption at rest.
- File storage: Uploaded raw files are stored in a private Supabase Storage bucket. Files are never publicly accessible by URL.
- Row-level isolation: Database-level Row Level Security (RLS) policies ensure one CA user can never read another CA's client data, even if there is an application bug.
- Transit: All data in transit is encrypted using TLS 1.2 or higher.
- Server: The application backend runs on a dedicated VPS with access restricted by SSH key. No raw uploaded file is written to unencrypted disk.
6. Data Retention and Deletion
Raw uploaded files are deleted from storage automatically after 30 days following a confirmed reconciliation, or upon your explicit deletion request — whichever comes first.
Extracted structured data (the transaction rows derived from your files) is retained until you delete the client or request erasure. This is your work product — we retain it so you can re-open a reconciliation without re-uploading.
Account data is retained for the life of your account. On account deletion, all your clients, documents, transactions, and consent records are permanently deleted within 30 days.
7. Your Rights Under the DPDP Act 2023
As a Data Principal, you have the following rights:
- Right to access: Request a summary of personal data we hold about you.
- Right to correction: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of your account and all associated data. We provide a live Delete endpoint — this is not a request form, it is executed immediately and cascades across all your data.
- Right to withdraw consent: You may withdraw consent for AI processing at any time by discontinuing the bank-statement upload feature. Existing extracted data is unaffected.
- Right to grievance redressal: If you believe your data rights have been violated, you may contact us at privacy@milaan.in. You also have the right to file a complaint with the Data Protection Board of India once it is constituted.
To exercise any of these rights, email us at privacy@milaan.in from the address registered with your account. We will respond within 72 hours.
8. Consent
Before you upload any document for a client for the first time, Milaan records an explicit consent event timestamped against your account. A pre-ticked checkbox does not constitute consent — you must actively check the box. This consent covers:
- Storing and processing the uploaded financial documents.
- Transmitting bank statements to the Google Gemini API for extraction under a zero-data-retention agreement.
Consent is recorded in an append-only audit log that cannot be modified.
9. Cookies
Milaan uses one session cookie (set by Supabase Auth) to keep you logged in. We set no advertising cookies, no analytics cookies, and no third-party tracking pixels.
10. Changes to This Policy
We will notify you by email at least 14 days before any material change to this policy. The effective date at the top of this page will be updated. Continued use after the effective date constitutes acceptance of the updated policy.
11. Governing Law
This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act 2023, the Information Technology Act 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
Questions? Email privacy@milaan.in