Privacy Policy — MyTaxLocker by MaxLeaf

Version 2.2 • Last updated June 2026 • Effective immediately

Disclaimer — Not Affiliated with Government. MyTaxLocker is an independent software product built by MaxLeaf. We are NOT affiliated with, endorsed by, or acting on behalf of the Income Tax Department of India, the Central Board of Direct Taxes (CBDT), the Ministry of Finance, the Government of India, or any other government entity. MyTaxLocker is a self-help tool that prepares an ITR JSON file from inputs you provide. The final filing must be submitted by you (or your authorised Chartered Accountant) directly to the official Income Tax e-Filing Portal at incometax.gov.in. We do not file returns with the government on your behalf.

Official sources for government information referenced in this app:

Income Tax e-Filing Portal (Government of India): https://www.incometax.gov.in
Central Board of Direct Taxes (CBDT): https://incometaxindia.gov.in
Digital Personal Data Protection Act, 2023 (MeitY): https://www.meity.gov.in/data-protection-framework

In plain language: MaxLeaf is the company that runs MyTaxLocker. We collect your tax data only to help you file ITR. Your data is encrypted, stored in India, and never sold. You can delete everything anytime — see Section 7: Account Deletion for the steps.

1. Who We Are

MaxLeaf ("Company", "we", "us") operates the MyTaxLocker application and website at mytaxlocker.maxleaf.in.

Under the Digital Personal Data Protection Act (DPDPA) 2023, MaxLeaf is the Data Fiduciary responsible for securing all personal data collected through the MyTaxLocker app, including PAN, Aadhaar, Form 16, and bank account information.

2. What We Collect

Category	Data Points	Purpose
Identity	PAN, Aadhaar, name, DOB, mobile, email	ITR form fields
Financial	Salary (Form 16), deductions, investments, bank account, IFSC	Tax computation
Documents	Form 16 PDF, rent receipts, investment proofs	Filing evidence
Device	Device type, OS version	Crash reporting only

Sign in with Google: If you sign in with Google, we receive your Google account email (and name) to create and identify your account. We do not access any other Google data.

We do NOT collect: passwords, biometric templates, payment card details, location data, contacts, or call logs.

3. How We Use It

Generate ITR-1 / ITR-4 JSON files for Income Tax filing
Store tax documents in your encrypted personal vault
Auto-fill forms across assessment years
Generate PDFs (Form 12BB, rent receipts, tax computation sheet)
Tax planning suggestions (regime comparison, deduction optimization)

We will NEVER sell, rent, or share your personal data with third parties for marketing.

4. How We Protect It

Layer	Technology
Encryption at rest	AES-256 field-level encryption for PAN, Aadhaar, bank accounts
Encryption in transit	TLS 1.2+ with certificate pinning
Access control	Per-user data isolation via AWS IAM + Cognito
Authentication	Email + password or Sign in with Google, with biometric (Face ID / fingerprint) option
Key management	Per-user encryption key stored in device secure enclave
Audit trail	PII access logged with timestamps for DPDPA compliance
Data residency	AWS Mumbai (ap-south-1), fully within India

5. Data Sharing

With Chartered Accountants (CAs)

If you opt for CA-assisted filing, your filing data is shared with an assigned CA. This requires your explicit consent, is limited to one assessment year, and can be revoked by cancelling the request. The CA acts as a Data Processor under DPDPA.

With Service Providers

Provider	Purpose	Data Shared
Amazon Web Services (AWS)	Hosting, storage, authentication	All data (encrypted)
Sentry	Crash reporting	Error messages, stack traces (no PII)
Expo	App build & updates	App binary only (no user data)

We do NOT share data with advertisers, data brokers, or social media platforms.

6. Data Retention

Tax filings & documents: 8 years (aligned with Income Tax Act record-keeping requirements)
Consent records: Retained permanently for DPDPA audit trail
Audit logs: 500 most recent entries (rolling)
Account deletion: See Section 7. All data purged within 30 days of request (typically 24 hours).

7. Account Deletion

Two ways to delete your MyTaxLocker account and all associated data:

Inside the app — Profile → Account → Delete account. Permanent and immediate.
Without the app (uninstalled, lost device, etc.) — email support@maxleaf.in with the subject "Account deletion request" and the email address you used to register. We will permanently delete your account within 30 days of receipt, in line with India's DPDPA.

What gets deleted

Permanently and irrecoverably erased on deletion:

All identity fields: PAN, Aadhaar, name, father's name, date of birth, mobile number, email, address.
All uploaded documents: Form 16 PDFs, salary slips, investment proofs, rent receipts, supporting documents.
All tax filing data: drafts, computed tax liabilities, generated ITR-1 / ITR-4 JSONs, regime selections.
Bank account details (account numbers, IFSC).
All encryption keys held on-device and in our key vault — making the encrypted blobs in DynamoDB and S3 cryptographically unrecoverable.
Cognito user record (you can no longer sign in with that email).

What is retained — and for how long

Data	Retention	Reason
Crash logs (PII-scrubbed)	Up to 90 days	Service-quality analytics; no personally-identifying fields.
Audit logs of administrative actions	Up to 180 days	DPDPA compliance; logged events do not include the deleted user's PII.
Aggregated, anonymous usage statistics	Indefinite	Cannot be linked back to an individual after deletion.

If your DPDPA grievance about deletion is not resolved within 30 days, you may escalate to the Data Protection Board of India.

8. Your Rights

Under DPDPA 2023, you have the right to:

Right	How to Exercise
Access	View all your data in-app (Tax Profile, Vault, Filing History)
Correction	Edit any field in your Tax Profile at any time
Erasure	"Delete Account" in app → purges DynamoDB, S3, and Cognito
Portability	"Export Data" in app → JSON download of all your data
Withdraw Consent	Delete account (app cannot function without processing tax data)

9. Aadhaar Handling

Aadhaar is collected solely for ITR JSON generation (mandated by the Income Tax Department). It is encrypted at rest, masked in the UI (last 4 digits only), never shared with third parties, and deleted when you delete your account. We do not authenticate using Aadhaar or access UIDAI services.

10. Children's Privacy

MyTaxLocker is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we learn that we have collected data from a child, we will delete it promptly.

11. Cookies & Tracking

The MyTaxLocker mobile app does not use cookies. The website (mytaxlocker.maxleaf.in) uses no third-party trackers, analytics scripts, or advertising pixels. We collect zero browsing data from the website.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification and updated on this page. Continued use of the App after changes constitutes acceptance.

13. Contact & Grievance Officer

Company: MaxLeaf
Email: support@maxleaf.in
Website: maxleaf.in
Response time: Within 72 hours

Social: @MaxLeafIndia on Instagram, X, Facebook
GitHub: github.com/MaxLeafIndia

You may also contact the Data Protection Board of India if your grievance is not resolved satisfactorily.