Privacy Policy
How Advisory Monks Consulting collects, uses, stores, and protects personal data, under India's Digital Personal Data Protection Act 2023, the EU GDPR for European residents, and applicable US state privacy laws.
1. Who we are
Advisory Monks Consulting ("we", "our", "us") is the trade name of Advisory Monks Consulting (OPC) Private Limited, an independent advisory firm registered in India and headquartered at C-94B, Sector 19, Noida 201301, Uttar Pradesh. The firm was founded in 2021 with ex-Big 4 leadership. We are the Data Fiduciary (under the DPDP Act 2023) and the Data Controller (under GDPR) for the personal data described below.
2. What we collect
We collect two categories of personal data:
- Marketing-site visitors: first-party server logs (IP address, user agent, page accessed, timestamp), and any information you voluntarily submit through forms (name, email, company, phone number, message, persona, engagement interest).
- Engaged clients: tax-relevant financial information (returns, statements, ledgers), identification documents (PAN, Aadhaar where required, foreign identifiers including SSN / EIN / ITIN where US scope applies, passport copies for NRI / cross-border engagements), banking details for invoicing and payroll where in scope, and operational data necessary to deliver the engaged services.
We do not knowingly collect personal data from minors. We do not collect special-category data unless it is essential to the engagement and you have given explicit written consent.
3. Lawful basis & purpose of processing
We process personal data on the following bases:
- Consent (DPDP Act Section 6, GDPR Article 6(1)(a)): for marketing-site form submissions and analytics.
- Performance of contract (DPDP Act Section 7(a), GDPR Article 6(1)(b)): for client engagement work.
- Legal obligation (GDPR Article 6(1)(c), DPDP Act Section 7(b)): for statutory record-keeping under the Income Tax Act 1961, Companies Act 2013, GST Act, FEMA, and analogous foreign laws.
- Legitimate interest (GDPR Article 6(1)(f)): for site security, fraud prevention, and audit logging.
4. How we protect personal data
- All client documents move through our encrypted client portal with role-based access and full audit trails.
- Files are encrypted at rest using AES-256 and in transit using TLS 1.3.
- Hosting is on audited cloud infrastructure with regional segregation per engagement.
- Access is role-based, MFA-enforced, and logged. We maintain a written information security program reviewed annually.
- We do not commingle client files. Each engagement is logically separated.
- In the event of a personal data breach, we will notify the Data Protection Board of India within seventy-two (72) hours as required under the DPDP Act, and affected individuals without undue delay.
5. Sub-processors & cross-border transfers
To deliver our services we engage a limited number of sub-processors under written agreements that bind them to confidentiality and security standards no lower than our own:
- Cloud infrastructure (audited providers with India region availability)
- Email and communications (Google Workspace / Microsoft 365)
- Payment processing (Razorpay, RBI-authorized Payment Aggregator – Cross-Border, holding PA-CB authorization since 2026)
- Tax-software vendors as required for specific engagements (e.g., for foreign-jurisdiction filings within scope of a Global desk engagement)
Where personal data is transferred outside India, we comply with Section 16 of the DPDP Act (countries listed by the Central Government as permissible) and applicable contractual safeguards (GDPR Standard Contractual Clauses or equivalent for transfers from the EEA).
6. Cookies & analytics
The marketing site uses minimal first-party storage for session and preference handling (locale choice, consent state). With your explicit consent, we use privacy-respecting analytics (Plausible, which does not use cookies and does not collect personal identifiers) to understand site usage in aggregate. We do not run advertising trackers, retargeting pixels, or third-party cookies. You can withdraw consent at any time by clearing this site's local storage or contacting us.
7. Your rights
Subject to applicable law, you have the following rights with respect to your personal data:
- Access: to know what personal data we hold about you.
- Correction: to update inaccurate or incomplete data.
- Erasure: to have your data deleted, subject to overriding legal obligations.
- Portability: to receive your data in a machine-readable format.
- Withdrawal of consent: to revoke consent for processing where consent is the lawful basis.
- Grievance redressal: to register a grievance with our Grievance Officer (see Section 11).
- Nomination (DPDP Act Section 14): to nominate another person to exercise these rights in the event of your death or incapacity.
To exercise any right, email [email protected]. We respond within thirty (30) days. Residents of California, Virginia, Colorado, Connecticut, Utah and other US states with applicable privacy laws have analogous rights and may exercise them through the same channel.
We do not sell personal data.
8. Professional confidentiality
Where engagements involve credentialed professionals on our panel (Chartered Accountants, IBBI Registered Valuers, lawyers), they are individually bound by their respective professional codes of conduct, including confidentiality obligations. We treat client information with the standard required of the profession, in addition to the security controls described above. We do not use client data to train artificial intelligence systems. We do not disclose client identities or engagement details to third parties without express written consent, save where required by law.
9. Data retention
We retain client records for the period required by Indian statute and the analogous foreign law applicable to the engagement, typically a minimum of seven (7) years under the Income Tax Act 1961 and the Companies Act 2013, and longer where ongoing regulatory or contractual obligations require. Marketing-form submissions are retained for two (2) years and then deleted, unless you become a client.
10. Changes to this policy
We update this policy when our practices change or when applicable law evolves. The "Effective" date and version above reflect the current iteration. Material changes are notified to active clients by email and posted at the top of this page for thirty (30) days.
11. Contact & Grievance Officer
Under the DPDP Act 2023, we maintain a designated Grievance Officer to address questions and complaints relating to personal data:
Grievance Officer · Advisory Monks Consulting
Email: [email protected]
Mail: C-94B, Sector 19, Noida 201301, Uttar Pradesh, India
Response within 30 days as required by DPDP Rules 2025.
For general (non-privacy) contact: [email protected].