Privacy Policy
Effective Date: 16 October 2025
FastGST.in ("we", "our", "us") provides GST compliance tools and APIs (including the Tax Lookup API). We respect your privacy and are committed to protecting the personal and business information we collect. This Privacy Policy explains what information we collect, how we use it, how it is stored and secured, and your rights.
1. Scope
This Privacy Policy applies to information collected through FastGST.in websites, developer console, API services (including Tax Lookup API), support channels, and other services we provide.
2. Information We Collect
a. Account & Profile Information
When you register for an account or subscribe to a product, we may collect:
- Name and business/organization name
- Email address and contact details
- Billing and payment information (processed by our payment processor)
- Account credentials (passwords as described below)
b. API Usage & Technical Data
To provide and operate the Tax Lookup API and other services we collect:
- API requests and responses (endpoint, parameters, timestamps)
- Request metadata (IP address, user agent, HTTP headers)
- Performance and usage metrics
c. Location & Timezone (IP-derived)
We infer geographic location and timezone from IP addresses to support:
- Localization and timezone-aware responses
- Fraud detection, rate limiting, and abuse prevention
- Analytics and product improvement
d. Cookies and Tracking
We use cookies and similar technologies on our website to manage sessions, provide site functionality, and analyze usage. You can control cookies via your browser settings.
e. Logs and Reports
We store logs and generate operational and aggregated reports for monitoring, troubleshooting, usage analytics, and product improvement. Reports may include aggregated or pseudonymized usage statistics; we do not intentionally include unnecessary personal identifiers in aggregated reports.
3. How We Use Your Information
We use collected data to:
- Provide, operate, and maintain our platform and APIs
- Authenticate and secure accounts (including password verification)
- Monitor and improve product performance and reliability
- Detect and prevent fraud, abuse, or security incidents
- Provide customer support and respond to inquiries
- Generate reports and analytics (aggregated / pseudonymized where possible)
- Communicate product updates, security notices, or required legal notices (you can opt out of marketing messages)
4. Passwords & Authentication
Account passwords are stored securely using industry-standard hashing algorithms. We use strong password hashing practices (for example, bcrypt or Argon2) combined with appropriate salts and configuration to protect credentials. Plain-text passwords are never stored.
If you use third-party authentication (OAuth, SSO), the authentication provider's terms and policies apply.
5. Hosting, Storage & Third-Party Processors
Cloud Provider
We use Microsoft Azure to host our services and process data. Our primary storage and compute for customer data is located in the Central India (Pune/Chennai) region of Azure, unless otherwise disclosed.
Third-Party Services
We use trusted third-party services for analytics, email delivery, payments, monitoring, backups, and other operational needs. These subprocessors receive only the data necessary to perform their functions and are contractually bound to protect it.
6. Data Retention
We retain personal and account information for as long as your account is active or as necessary to provide services, comply with legal obligations, resolve disputes, and enforce our agreements.
Typical retention periods (configurable by policy and legal needs):
- Account information and billing records: retained for the duration of the account and up to 7 years after account closure for legal and tax purposes.
- API request logs and metadata: retained for 12 months for monitoring, debugging, and abuse prevention (may be retained longer in aggregated/anonymized form).
- Backups: retained per our backup schedule (typically up to 90 days) and protected as described in the Security section.
If you request deletion of your account, we will remove or anonymize your personal data from regular systems within a reasonable period, except where retention is required for legal or legitimate business purposes.
7. Data Security
We implement reasonable technical and organizational measures to protect data, including:
- Encryption in transit using TLS for all web and API traffic
- Encryption at rest for stored data (Azure-managed encryption)
- Role-based access controls and least-privilege access for internal systems
- Secure password hashing for credentials
- Regular security reviews, monitoring, and logging
- Periodic vulnerability scanning and patch management
While we take strong precautions, no system is entirely risk-free. If we become aware of a security breach affecting personal data, we will investigate promptly and notify affected users and authorities as required by applicable law (we aim to notify affected users and regulators without undue delay and, where applicable, within 72 hours of becoming aware of a qualifying breach).
8. Cross-Border Transfers
Data processed by FastGST.in is stored in Azure's Central India region. If at any time data is transferred outside of this region (for example, to a global Azure service or a third-party processor), we will ensure appropriate contractual and technical protections are in place to safeguard the data consistent with applicable laws.
9. Sharing and Disclosure
We will not sell or rent your personal data. We may share data in limited circumstances:
- With our subprocessors and service providers (hosting, email, analytics, payments) who perform services on our behalf
- To comply with legal obligations, court orders, or law enforcement requests
- To protect the rights, property, or safety of our users or the public
- In connection with a sale, merger, or reorganization (we will require a successor to adhere to this Privacy Policy)
10. Reporting & Use of Aggregated Data
We generate operational and product reports derived from usage data. Where possible, reports are aggregated and pseudonymized to prevent identification of individual users. We may use aggregated insights internally and productively to improve services, and to provide anonymized benchmarking to customers where agreed.
11. Your Rights & Controls
Depending on your jurisdiction, you may have the right to:
- Access, correct, or update your personal data
- Request deletion of your personal data (subject to retention obligations)
- Object to or restrict processing
- Withdraw consent to marketing communications
- Request a copy of your data in a portable format
To exercise your rights, please contact us at the address below. We will verify requests and respond in accordance with applicable law.
Account controls:
- You can update your account profile and settings in the developer console.
- To delete your account, follow the account deletion process in the console or contact support.
Cookies & tracking:
You can disable non-essential cookies via your browser settings. Disabling some cookies may limit functionality.
12. Children
Our services are intended for businesses and developers. We do not knowingly collect personal data from children under 18. If we learn we have collected such data, we will delete it promptly.
13. Changes to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy with a new Effective Date and notify account holders by email or an in-product message when appropriate. Continued use of our services after updates constitutes acceptance of the revised policy.