Legal
Privacy Policy
Last updated April 2026 · Mavis Communication Services Pvt. Ltd.
Information We Collect
Account information
- Name, email address, and phone number provided during registration
- Authentication data (password hash, Google OAuth tokens) — we never store plaintext passwords
Business information
- Entity name, GSTIN, state, entity type, turnover bracket, and compliance registrations (PF, ESI, TDS, TCS, Professional Tax)
- Filing records — compliance deadlines, filing status, ARN/acknowledgment numbers, and filing dates
- Documents uploaded to the document portal by CAs or their clients
- Fee schedules, invoice records, and payment information (visible only to the CA, not staff unless explicitly permitted)
- Notification preferences — reminder channel (email, WhatsApp, or both) and preferred intervals
AIntern (AI Assistant)
- Messages you send to AIntern are transmitted to Anthropic's Claude API to generate responses
- Relevant account context (entity names, deadline data) may be included to provide accurate answers
- Conversation history is stored for 24 hours per session, then automatically deleted
- Common question-answer pairs may be cached (without user-specific data) to improve response times
- Anthropic does not use your data to train models when accessed via their API
Automatically collected
- Browser type, device information, and IP address when you visit CAtrak
- Pages visited and session duration for performance monitoring
- Functional cookies for authentication and preferences — no advertising or behavioural tracking cookies
How We Use Your Information
- Generate compliance calendars and calculate filing deadlines
- Send deadline reminders via email and WhatsApp
- Operate the client document portal and invoice management
- Power AIntern responses with relevant account context
- Process subscription payments via Razorpay
- Send transactional emails (filing confirmations, document requests, invoice follow-ups)
- Improve platform performance and fix bugs
- Comply with applicable Indian laws and regulatory requirements
We do not sell, rent, or trade your personal information to third parties.
Data Sharing & Processors
We share data with the following processors, strictly for the purposes described:
- Supabase: Database, authentication & file storage (AWS)
- Meta Platforms: WhatsApp Business API message delivery
- Resend: Email delivery for reminders & notifications
- Razorpay: Payment processing (we never store card details)
- Anthropic: AI processing for AIntern assistant
- Inngest: Background job processing for scheduled reminders
- Vercel: Application hosting & edge network
Legal & regulatory authorities — where required by law, court order, or to comply with GST and other statutory obligations
No third-party advertising — we do not share data with advertisers or data brokers
WhatsApp Business Messaging
- We use the official WhatsApp Business API (Meta Cloud API) to send compliance deadline reminders
- Your phone number is shared with Meta Platforms, Inc. for message delivery
- We send only pre-approved template messages — deadline reminders, filing confirmations, document requests, and invoice follow-ups
- We do not read or access your personal WhatsApp conversations
- Message delivery status (sent, delivered, read) may be received from Meta's API
- You can opt out at any time by changing notification preferences in Settings
Data Retention
- Account and compliance data is retained for as long as your account is active
- AIntern conversation history is automatically deleted after 24 hours
- Upon account deletion, all data is permanently removed within 30 days
- Financial records (invoices, payment history) may be retained for seven years as required under Indian law
- Anonymised, aggregated analytics (not traceable to individuals) may be retained indefinitely
Security
- All data is transmitted over HTTPS (TLS encryption)
- Database secured with row-level security policies (Supabase/PostgreSQL)
- Webhook signatures validated via HMAC (Razorpay, WhatsApp)
- CSRF protection via Origin-based validation in middleware
- Rate limiting on all public API endpoints
- No plaintext password storage — bcrypt hashing via Supabase Auth
- Regular dependency audits and security patching
While we take every reasonable precaution, no method of transmission over the internet is entirely secure.
Your Rights & Data Deletion
You may request access to, correction of, or deletion of your personal information at any time.
- Export all your data in JSON format from Settings
- Delete individual entities and their associated data from within the application
- Delete your entire account from Settings, or email hi@krama.ai with the subject “Data Deletion Request”
- Deletion requests are processed within 30 days with written confirmation
- Certain records may be retained where required by Indian law (Companies Act, GST statutory retention)
CAtrak complies with the Digital Personal Data Protection Act, 2023 (DPDP Act).
Cookies & Local Storage
CAtrak uses only functional cookies and browser storage required for operation:
- Authentication: Session cookie for login state. Cleared on logout.
- Theme preference: Stored in local storage. Light/dark/system.
- Cookie consent: Stored in local storage to remember your choice.
- PWA state: Service worker cache for offline access (optional).
No advertising, behavioural tracking, or third-party cookies are used.
Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email or in-app notification. Continued use of CAtrak after changes constitutes acceptance of the updated policy.
Contact
Mavis Communication Services Pvt. Ltd.
Email: hi@krama.ai
Phone: +91 9289707838
CIN: U74999HR2017PTC067915 · GST: 06AAKCM8679A1Z7