Legal · Version 2.0
Privacy Policy
Last updated: 28/06/2026
Introduction & scope
Nirrathna Technologies Private Limited (“Nirrathna”, “the Company”, “we”, “us”, or “our”) owns and operates the LaziLeo platform (“LaziLeo” or the “Service”). We respect your privacy and are committed to protecting your personal data in accordance with the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), the Information Technology Act, 2000, and the rules made under them.
This Privacy Policy explains what personal data we collect when you use the Service (available at lazileo.com and related domains and sub-domains), why we collect it, how we use, share, store, and protect it, and the rights and choices available to you. Please read it together with our Terms of Use.
By creating an account or using the Service, you confirm that you have read and understood this Policy and that you consent to the processing of your personal data as described here. If you do not agree, please do not use the Service.
Who we are (Data Fiduciary)
For personal data that relates to you as a User of the Service, the Data Fiduciary is:
Nirrathna Technologies Private Limited
A company incorporated under the Companies Act, 2013.
CIN: U72900KA2022PTC165288
Registered office: 1st Floor, 114/1, Unnathi, 5th Cross Road, Krishnarajapuram, Bengaluru, Bengaluru Urban, Karnataka – 560036, India.
Privacy contact: privacy@lazileo.com
Grievance Officer: see the Grievance Officer section below.
Key definitions
- “Personal Data” means any data about an individual who is identifiable by or in relation to such data.
- “Data Principal” means the individual to whom the Personal Data relates (for example, you).
- “Data Fiduciary” means the person who determines the purpose and means of processing Personal Data.
- “Data Processor” means a person who processes Personal Data on behalf of a Data Fiduciary.
- “Processing” means any operation performed on Personal Data, such as collection, storage, use, sharing, or erasure.
- “Board” means the Data Protection Board of India established under the DPDP Act.
Our roles: Fiduciary & Processor
- For your account data (your identity, contact, firm, billing, and usage data), we are the Data Fiduciary and we process it as described in this Policy.
- For client data you upload (data about your clients and the entities whose financials or filings you prepare), you are ordinarily the Data Fiduciary and we act as your Data Processor, processing that data only on your documented instructions and to provide the Service. See Client data you upload.
Personal Data we collect
Depending on how you use the Service, we may collect the following categories of Personal Data:
- Identity & contact data: full name, designation (CA / CS / CMA / Advocate / other), email address, and mobile number.
- Address data: address lines, city, state, PIN code, and country.
- Account & authentication data: a securely hashed password (we never see your plaintext password), Google sign-in identifiers if you use Google login, account creation date, consent timestamp, and consent version.
- Firm & team data: firm name, firm registration number, office address, team membership, roles, and invitations (entered by you or your firm administrator).
- Billing data: where paid plans apply, billing details and transaction records (card and bank details are handled by our payment processors, not stored by us).
- Client-company / entity data you upload: entity names, identifiers (such as CIN or PAN), financial year, directors / partners / proprietor details, auditor details, Trial Balance ledgers, mappings, journal entries, generated statements, notes, and disclosures.
- Usage & device data: pages viewed, actions taken, timestamps, approximate location derived from IP address, browser and device type, and similar diagnostic data collected through logs and cookies.
- Communications: the content of support requests, emails, and other messages you send us.
We do not intentionally collect special categories of sensitive data through the Service, and you should not upload such data unless it is necessary for the statutory output you are preparing.
How we collect it
- Directly from you when you sign up, complete your profile, upload data, configure settings, subscribe, or contact us.
- Automatically through cookies, server logs, and similar technologies when you use the Service.
- From third parties such as Google (if you choose Google sign-in), your firm administrator (if you are invited to a Firm Workspace), and our payment processors (transaction confirmations).
Purposes of processing
We process Personal Data only for specified, lawful purposes, and we apply the principle of purpose limitation — data collected for one purpose is not reused for an unrelated purpose without a fresh legal basis. Our purposes include:
- Providing the Service: creating and authenticating your Account, enabling statement preparation, generation, and export, and supporting Firm Workspaces.
- Personalisation: greeting you by name and designation, remembering recent workspaces and preferences, and syncing your work across browser tabs and devices.
- Communications: sending email verification, password resets, invitations, billing notices, security alerts, service announcements, and support responses.
- Billing: processing subscriptions and payments and maintaining transaction records, where paid plans apply.
- Security & fraud prevention: detecting and preventing unauthorised access, abuse, and security incidents, and maintaining audit logs.
- Service improvement: using aggregated and de-identified analytics to understand usage, fix bugs, and improve features. Aggregated data cannot be used to identify you.
- Legal compliance: complying with applicable law and responding to lawful requests from courts, regulators, or government authorities.
Legal basis
We rely on the following legal bases under the DPDP Act:
- Consent (Section 6): your free, specific, informed, unconditional, and unambiguous consent, given through the explicit consent checkbox at signup, for the purposes notified to you. You may withdraw consent at any time (see Consent & withdrawal).
- Certain legitimate uses (Section 7): where applicable, processing for specified purposes permitted by law, such as where you voluntarily provide data for a purpose, for compliance with a legal obligation, or to respond to specified situations recognised under the Act.
Sub-processors
We engage the following categories of sub-processors to provide the Service. Each is bound by contractual obligations of confidentiality and security:
| Sub-processor | Purpose | Indicative location |
|---|---|---|
| Supabase | Database (PostgreSQL) & authentication | Cloud (may include regions outside India) |
| Vercel | Web application hosting (Next.js) | Cloud (may include regions outside India) |
| Render | Application/compute hosting (Python service) | Cloud (may include regions outside India) |
| Email delivery provider | Transactional email (verification, reset, invitations) | Cloud (may include regions outside India) |
We keep our list of sub-processors under review and will update this Policy when there are material changes. For the current list at any time, contact privacy@lazileo.com.
Cross-border transfers
Some of our sub-processors operate data centres outside India. Where Personal Data is transferred outside India, we do so in a manner consistent with the DPDP Act, transferring only to countries or territories not restricted by the Central Government, and we apply contractual and technical safeguards intended to ensure a comparable level of protection. If you have specific data-localisation requirements, contact our Grievance Officer and we will try to accommodate them, subject to technical feasibility.
Data retention
We retain Personal Data only for as long as necessary for the purposes for which it was collected, or as required by law:
- Account data: retained while your Account is active and for a limited period (up to 6 months) after deletion to meet security, audit, tax, and legal obligations, after which it is deleted or anonymised.
- Client-company / entity data: retained while your Account is active; you can delete individual companies or entities within the Service at any time.
- Records required by law: where retention is required under the Companies Act, 2013, the Income-tax Act, 1961, or other statutes, relevant records and audit trails may be retained for the applicable statutory period.
- Billing records: retained for the period required under applicable tax and accounting laws.
- System & security logs: retained for up to 180 days for security, diagnostics, and abuse prevention.
Security safeguards
We implement reasonable technical, organisational, and physical safeguards designed to protect Personal Data against unauthorised access, disclosure, alteration, and loss, including:
- encryption of data in transit using TLS;
- passwords stored only as salted hashes — never in plaintext;
- row-level security in the database so that you can access only your own data and the data shared within your Firm Workspace;
- restricted, need-to-know access to production systems by named personnel;
- key-based access to source control and no plaintext credentials in code;
- audit logging of sensitive operations; and
- regular dependency updates and vulnerability monitoring.
No method of transmission or storage is perfectly secure; while we strive to protect your data, we cannot guarantee absolute security.
Data breach notification
In the event of a personal data breach, we will take prompt remedial action and will notify the affected Data Principals and the Data Protection Board of India in the manner and within the timelines required by the DPDP Act and the rules made under it.
Your rights (Data Principal)
Subject to the DPDP Act, you have the following rights in respect of your Personal Data:
- Right to access (Section 11): obtain a summary of the Personal Data we process about you, the processing activities, and the identities of other Data Fiduciaries / Processors with whom it has been shared.
- Right to correction & erasure (Section 12): correct inaccurate or misleading data, complete incomplete data, update it, and request erasure of data no longer necessary for the purpose for which it was processed (unless retention is required by law).
- Right of grievance redressal (Section 13): have your grievances addressed by our Grievance Officer.
- Right to nominate (Section 14): nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to withdraw consent: withdraw your consent at any time, as easily as it was given.
How to exercise your rights
You can update much of your information directly within the Service (in your profile and settings). To exercise any of the rights above, email privacy@lazileo.com from the email address associated with your Account, describing your request. We may need to verify your identity before acting. We will respond within the timelines required by law, and ordinarily within 30 days.
Consent & withdrawal
Where we rely on your consent, you may withdraw it at any time by writing to privacy@lazileo.com or by deleting your Account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. After you withdraw consent, we will stop the relevant processing within a reasonable time, unless another legal basis requires or permits us to continue. Withdrawing consent necessary to provide the Service may mean we can no longer provide it to you.
Children's data
The Service is intended for professionals and business users aged 18 and above. We do not knowingly collect or process the Personal Data of children (individuals under 18) or of persons with lawful guardians without appropriate consent as required by the DPDP Act. If you believe a child has provided us Personal Data, please contact us and we will take steps to delete it.
Your duties as a Data Principal
Under Section 15 of the DPDP Act, you agree that you will:
- comply with applicable law while exercising your rights;
- not impersonate another person or suppress material information when providing your Personal Data;
- not register a false or frivolous grievance or complaint; and
- provide only verifiably authentic information when exercising your right to correction or erasure.
Client data you upload
When you upload data about your clients or other third parties, you are ordinarily the Data Fiduciary for that data and we act as your Data Processor. You represent and warrant that you have a valid legal basis (including any required consents and engagement authority) to provide that data to us and to have it processed through the Service. We will process such data only to provide the Service to you and on your instructions, will maintain appropriate safeguards, and will assist you, to the extent reasonable, in meeting your own obligations as a Data Fiduciary, including responding to data-principal requests and deletion. You are responsible for informing your clients about how their data is processed.
Automated decision-making
The Service automates calculations and the generation of draft statements based on the inputs you provide, but it does not make legal or significant decisions about you through solely automated means. All statutory outputs are drafts that require your professional review and sign-off, as described in our Terms of Use.
Third-party links
The Service may contain links to third-party websites or services that we do not control. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party services you use.
Grievance Officer & the Board
If you have any concern or complaint about how we handle your Personal Data, please contact our Grievance Officer:
Grievance Officer: Sudheer Lokanadham, Nirrathna Technologies Private Limited
Email: grievance@lazileo.com
Response time: we aim to acknowledge within 48 hours and resolve within 30 days of receipt.
If your grievance is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India established under the DPDP Act.
Changes to this Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email to your registered address or by an in-app notice, ordinarily at least seven (7) days before the changes take effect. The version number and “Last updated” date above always reflect the current version. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
Governing law
This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023, and the Information Technology Act, 2000. Subject to the dispute-resolution provisions of our Terms of Use, the courts at Bengaluru, Karnataka, India will have exclusive jurisdiction over any matter arising out of or relating to this Policy.
Contact us
Nirrathna Technologies Private Limited
Privacy queries: privacy@lazileo.com
Grievances: grievance@lazileo.com
Product support: support@lazileo.com
This Privacy Policy is provided for general information and does not constitute legal advice. If you require advice on how the DPDP Act applies to your specific circumstances, please consult a qualified Indian lawyer.