Version 2.0 • Last updated April 2026 • Effective immediately
1. Who We Are
MaxLeaf ("Company", "we", "us") operates the MyTaxLocker application and website at mytaxlocker.maxleaf.in.
Under the Digital Personal Data Protection Act (DPDPA) 2023, MaxLeaf is the Data Fiduciary responsible for securing all personal data collected through the MyTaxLocker app, including PAN, Aadhaar, Form 16, and bank account information.
2. What We Collect
| Category | Data Points | Purpose |
|---|---|---|
| Identity | PAN, Aadhaar, name, DOB, mobile, email | ITR form fields |
| Financial | Salary (Form 16), deductions, investments, bank account, IFSC | Tax computation |
| Documents | Form 16 PDF, rent receipts, investment proofs | Filing evidence |
| Device | Device type, OS version | Crash reporting only |
We do NOT collect: passwords, biometric templates, payment card details, location data, contacts, or call logs.
3. How We Use It
- Generate ITR-1 / ITR-4 JSON files for Income Tax filing
- Store tax documents in your encrypted personal vault
- Auto-fill forms across assessment years
- Generate PDFs (Form 12BB, rent receipts, tax computation sheet)
- Tax planning suggestions (regime comparison, deduction optimization)
We will NEVER sell, rent, or share your personal data with third parties for marketing.
4. How We Protect It
| Layer | Technology |
|---|---|
| Encryption at rest | AES-256 field-level encryption for PAN, Aadhaar, bank accounts |
| Encryption in transit | TLS 1.2+ with certificate pinning |
| Access control | Per-user data isolation via AWS IAM + Cognito |
| Authentication | Email + password with biometric (Face ID / fingerprint) option |
| Key management | Per-user encryption key stored in device secure enclave |
| Audit trail | PII access logged with timestamps for DPDPA compliance |
| Data residency | AWS Mumbai (ap-south-1), fully within India |
5. Data Sharing
With Chartered Accountants (CAs)
If you opt for CA-assisted filing, your filing data is shared with an assigned CA. This requires your explicit consent, is limited to one assessment year, and can be revoked by cancelling the request. The CA acts as a Data Processor under DPDPA.
With Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, storage, authentication | All data (encrypted) |
| Sentry | Crash reporting | Error messages, stack traces (no PII) |
| Expo | App build & updates | App binary only (no user data) |
We do NOT share data with advertisers, data brokers, or social media platforms.
6. Data Retention
- Tax filings & documents: 8 years (aligned with Income Tax Act record-keeping requirements)
- Consent records: Retained permanently for DPDPA audit trail
- Audit logs: 500 most recent entries (rolling)
- Account deletion: All data purged within 24 hours of request
7. Your Rights
Under DPDPA 2023, you have the right to:
| Right | How to Exercise |
|---|---|
| Access | View all your data in-app (Tax Profile, Vault, Filing History) |
| Correction | Edit any field in your Tax Profile at any time |
| Erasure | "Delete Account" in app → purges DynamoDB, S3, and Cognito |
| Portability | "Export Data" in app → JSON download of all your data |
| Withdraw Consent | Delete account (app cannot function without processing tax data) |
8. Aadhaar Handling
Aadhaar is collected solely for ITR JSON generation (mandated by the Income Tax Department). It is encrypted at rest, masked in the UI (last 4 digits only), never shared with third parties, and deleted when you delete your account. We do not authenticate using Aadhaar or access UIDAI services.
9. Children's Privacy
MyTaxLocker is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we learn that we have collected data from a child, we will delete it promptly.
10. Cookies & Tracking
The MyTaxLocker mobile app does not use cookies. The website (mytaxlocker.maxleaf.in) uses no third-party trackers, analytics scripts, or advertising pixels. We collect zero browsing data from the website.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification and updated on this page. Continued use of the App after changes constitutes acceptance.
12. Contact & Grievance Officer
Email: support@maxleaf.in
Website: maxleaf.in
Response time: Within 72 hours
Social: @MaxLeafIndia on Instagram, X, Facebook
GitHub: github.com/MaxLeafIndia
You may also contact the Data Protection Board of India if your grievance is not resolved satisfactorily.