Privacy Policy

Effective Date: 1 April 2026
Last Updated: 25 April 2026

1. Introduction

KSMG & CO ("KSMG & CO," "the Firm," "we," "us," or "our") is a chartered accountancy firm registered with the Institute of Chartered Accountants of India (ICAI), operating from the National Capital Region of India. We respect your privacy and are committed to protecting the personal data you share with us.

This Privacy Policy ("Policy") explains how we collect, use, store, disclose, and protect your personal data when you:

  • Visit or interact with our website at https://www.ksmg.co (the "Website");
  • Use our Client Portal to upload or receive documents;
  • Use our Compliance Calendar to track regulatory deadlines;
  • Subscribe to our newsletters or other communications;
  • Apply for career opportunities through our Website;
  • Engage us for professional services including accounting, auditing, taxation, and advisory services;
  • Make payments through our online payment facility;
  • Visit our offices or attend events organised by us; or
  • Otherwise interact with us through channels where this Policy is posted (collectively, the "Services").

This Policy is published in compliance with the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules"), the Digital Personal Data Protection Act, 2023 ("DPDP Act"), and other applicable laws in India. As the rules under the DPDP Act are notified and come into effect, we will update this Policy to reflect any additional requirements.

Where we process personal data on behalf of our clients in the course of providing professional services, the client's instructions and the terms of our engagement letter shall govern such processing. In such cases, our clients' own privacy policies may apply in addition to this Policy.

Please read this Policy carefully. By using our Website or Services, you acknowledge that you have read and understood this Policy. If you do not agree with the practices described herein, please refrain from using the Website or Services.


2. Definitions

For the purposes of this Policy:

  • "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023, and includes personal information and sensitive personal data or information as defined under the IT Act and IT Rules.
  • "Sensitive Personal Data or Information" ("SPDI") means personal information relating to passwords, financial information, health conditions, biometric information, and such other categories as specified under Rule 3 of the IT Rules, 2011.
  • "Data Principal" means the individual to whom the personal data relates, as defined under the DPDP Act, 2023 (referred to as "you" or "your" in this Policy).
  • "Data Fiduciary" means any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data, as defined under the DPDP Act, 2023. For the purposes of this Policy, KSMG & CO is the Data Fiduciary.
  • "Processing" includes collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction of personal data.
  • "Data Processor" means any person who processes personal data on behalf of a Data Fiduciary.

3. Information We Collect

We collect personal data that you provide directly to us, information collected automatically through your use of our Website and digital platforms, and information received from other sources. The categories of personal data we may collect depend on the nature of your interaction with us.

3.1 Information You Provide Directly

When you interact with us — whether as a client, prospective client, job applicant, newsletter subscriber, or general visitor — you may provide us with the following categories of personal data:

Identifiers and Contact Information: Your name, email address, postal address, telephone number, professional title, and organisational affiliation. This information may be provided when you contact us through the Website, subscribe to newsletters, register for events, use our Client Portal, or engage us for professional services.

Government-Issued Identification: Permanent Account Number (PAN), Aadhaar number (where legally required and with appropriate consent), passport number, voter identity number, driving licence number, or other government-issued identification. Such information is collected primarily for client onboarding, know-your-client (KYC) verification, tax compliance, and regulatory due diligence as mandated under applicable laws.

Financial Information: Bank account details, financial statements, tax returns and related filings, investment records, invoicing information, payroll data, and other financial records. This information is collected in the course of providing our professional services, processing payments, and fulfilling our engagement obligations.

Professional and Business Information: Details relating to your business, industry, type of engagement, corporate documents such as partnership deeds, memoranda and articles of association, board resolutions, employee and contractor information, and other business records necessary for the provision of our Services.

Account and Portal Information: Username, password, and other credentials you create when registering for our Client Portal. This also includes documents you upload to or receive through the Portal, and your usage of the Compliance Calendar.

Career Application Information: If you apply for a position at KSMG & CO through our careers section, we may collect your curriculum vitae (CV), educational qualifications, employment history, professional certifications, references, and any other information you choose to include in your application.

Communication Records: The content of emails, messages, enquiries submitted through our contact forms, and other correspondence you send to us.

Newsletter and Subscription Information: Your email address and communication preferences when you subscribe to our newsletters or elect to receive updates from us.

Payment Information: When you use our online payment facility, our third-party payment gateway partner may collect payment card details, bank account information, Unified Payments Interface (UPI) identifiers, and transaction records. We do not directly store your full payment card numbers on our servers; these are processed securely by our payment gateway partner in compliance with applicable Payment Card Industry Data Security Standards (PCI DSS) and Reserve Bank of India (RBI) guidelines.

Event and Seminar Information: Your name, contact details, and other registration information when you attend events, seminars, or webinars organised by us, including photographs or recordings taken at such events (with appropriate notice and consent).

Other Information: Any other personal data you voluntarily provide to us in the course of your interaction with the Firm.

3.2 Information Collected Automatically

When you visit our Website or use our digital platforms, certain information is collected automatically through cookies, server logs, and similar technologies:

Device and Technical Data: Information about the device you use to access our Website, including your Internet Protocol (IP) address, browser type and version, operating system, device type, screen resolution, language preferences, and unique device identifiers.

Usage and Log Data: Information about your interaction with our Website, including the pages you visit, the time and date of your visits, the duration of your visit, the referring website or source, search queries entered on our Website, links clicked, and other diagnostic and usage data recorded in server log files.

Location Data: Approximate geographic location derived from your IP address (city or region level). We do not collect precise geolocation data through the Website.

Cookies and Similar Technologies: We use cookies, web beacons, pixels, and similar technologies to enhance your experience, analyse Website usage, and improve our Services. Please refer to the "Cookies and Similar Technologies" section below for detailed information.

3.3 Information from Other Sources

We may receive personal data about you from the following sources:

  • Our Clients: In the course of providing professional services, our clients may share personal data relating to their employees, directors, partners, vendors, or other associated individuals.
  • Professional Advisers and Third Parties: We may receive information from your legal, financial, or other professional advisers, or from regulatory authorities, as necessary for the performance of our Services.
  • Publicly Available Sources: We may collect information from publicly available records, government databases, professional registries, and other open sources for the purposes of client verification, due diligence, and regulatory compliance.
  • Referrals: Information provided to us by individuals or entities who refer you to our Firm.

4. How We Use Your Information

We use the personal data we collect for the following purposes, as permitted or required by applicable law:

Provision of Professional Services: To provide accounting, auditing, taxation, advisory, and other professional services as engaged by our clients, including the preparation of financial statements, tax returns, compliance filings, and other deliverables.

Client Relationship Management: To administer and manage our relationship with clients, including processing invoices, maintaining client records, facilitating communication, managing the Client Portal, and addressing enquiries.

Client Portal and Compliance Calendar: To enable you to securely upload and receive documents through our Client Portal, and to provide access to our Compliance Calendar for tracking regulatory deadlines and filing obligations.

Payment Processing: To process payments made through our online payment facility in collaboration with our third-party payment gateway partner, including the verification and reconciliation of transactions.

Communications and Newsletters: To send you newsletters, thought leadership content, regulatory updates, event invitations, and other informational communications that you have opted to receive. You may unsubscribe from such communications at any time.

Career Applications: To evaluate your application for employment, communicate with you regarding your application, and, if applicable, to consider you for future opportunities at the Firm.

Website Improvement and Analytics: To analyse how our Website is used, to improve its content, functionality, and user experience, and to develop new features and services.

Security and Fraud Prevention: To maintain the security and integrity of our Website, systems, and data; to detect and prevent fraudulent, malicious, or unauthorised activity; and to protect the rights and interests of the Firm, our clients, and other stakeholders.

Legal and Regulatory Compliance: To comply with applicable laws, regulations, and professional standards, including ICAI regulations, tax laws, anti-money laundering requirements, KYC obligations, and any orders or requests from courts, tribunals, or regulatory authorities.

Contractual Performance: To perform our obligations and enforce our rights under any agreements, engagement letters, or contracts to which we are a party.

Dispute Resolution: To establish, exercise, or defend legal claims, and to resolve disputes.


5. Legal Basis for Processing

We process your personal data on one or more of the following legal bases, as applicable under the DPDP Act, 2023, the IT Act, 2000, and the IT Rules, 2011:

Consent: Where we rely on your consent to process your personal data, we will provide you with a clear and specific notice (in English or any language specified in the Eighth Schedule to the Constitution of India) describing the personal data to be collected and the purpose of processing, before or at the time of seeking your consent. You have the right to withdraw your consent at any time, as described in Section 11 of this Policy.

Legitimate Uses: We may process your personal data without consent where such processing is for a "legitimate use" as defined under Section 7 of the DPDP Act, 2023. Legitimate uses include processing that is necessary for: the performance of any function under law; compliance with any order or judgement of a court or tribunal; responding to a medical emergency; taking measures to ensure safety during a disaster or breakdown of public order; and employment-related purposes as specified by law.

Contractual Necessity: Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract, including processing pursuant to our engagement letters.

Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject, including obligations under tax laws, anti-money laundering regulations, and professional standards issued by ICAI.


6. Disclosure of Your Information

We do not sell your personal data. We may disclose your personal data to the following categories of recipients, in each case only to the extent necessary for the stated purpose:

Service Providers and Processors: We engage trusted third-party service providers who perform functions on our behalf, such as cloud hosting and data storage providers, payment gateway operators, email and communication service providers, analytics providers, and information technology support providers. These service providers are contractually bound to process your personal data only in accordance with our instructions and applicable data protection laws, and to implement appropriate security measures.

Professional Advisers and Collaborators: We may share your information with other professionals, consultants, or experts engaged to assist in the provision of our Services, including legal advisers, fellow chartered accountants (where required for collaborative engagements), and other professional partners.

Regulatory and Government Authorities: We may disclose your personal data to regulatory bodies, tax authorities, courts, tribunals, law enforcement agencies, and other government authorities where required by law, regulation, or professional obligation, or in response to a valid legal process such as a court order, summons, or notice.

Within the Firm: Your personal data may be shared among the partners, employees, and authorised personnel of KSMG & CO on a need-to-know basis for the purposes described in this Policy.

Business Transitions: In the event of a merger, amalgamation, restructuring, acquisition, or transfer of all or a portion of the Firm's practice, your personal data may be transferred to the successor entity, subject to appropriate confidentiality and data protection obligations.

With Your Consent: We may disclose your personal data to other parties where you have provided your prior consent for such disclosure.

To Protect Rights and Interests: We may disclose personal data where we believe, in good faith, that such disclosure is necessary to protect the rights, property, or safety of the Firm, our clients, or others; to enforce our terms and conditions; to investigate potential violations; or to respond to an emergency.


7. Cookies and Similar Technologies

Our Website uses cookies and similar technologies to enhance your browsing experience, analyse usage patterns, and improve our Services.

7.1 What Are Cookies?

Cookies are small text files placed on your device by a website when you visit it. They enable the website to recognise your device and remember certain information about your visit, such as your preferences and actions.

7.2 Types of Cookies We Use

Strictly Necessary Cookies: These cookies are essential for the functioning of our Website. They enable core features such as page navigation, access to secure areas (including the Client Portal), and session management. The Website cannot function properly without these cookies, and they cannot be disabled.

Analytics and Performance Cookies: These cookies collect aggregated, anonymised information about how visitors use our Website — such as which pages are visited most frequently, how long visitors spend on each page, and whether any error messages are encountered. This data helps us understand usage patterns and improve the performance and content of our Website. We may use third-party analytics services for this purpose.

Functionality and Preference Cookies: These cookies allow our Website to remember choices you have made (such as language preferences or region settings) and provide enhanced, personalised features.

Marketing and Advertising Cookies: We do not currently use marketing or advertising cookies on our Website. Should this change in the future, we will update this Policy and obtain your consent where required.

7.3 Managing Cookies

When you first visit our Website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. You may change your cookie preferences at any time through the cookie settings option available on our Website.

You may also configure your web browser to block or delete cookies. Please note that disabling certain cookies may affect the functionality and performance of our Website, and some features — including the Client Portal — may not operate as intended.

7.4 Third-Party Analytics

We may use third-party analytics tools to collect and analyse information about how our Website is used. These tools may use cookies and similar technologies to gather data such as pages visited, session duration, and user interactions. The data collected is aggregated and anonymised where possible. These third-party providers process data in accordance with their own privacy policies, and we encourage you to review them.


8. Data Security

We take the protection of your personal data seriously and have implemented reasonable security practices and procedures, as required under Section 43A of the IT Act and Rule 8 of the IT Rules, to safeguard your personal data against unauthorised access, alteration, disclosure, or destruction.

Our security measures include:

  • Technical Safeguards: Encryption of data in transit (using SSL/TLS protocols), secure access controls, firewalls, and intrusion detection systems.
  • Organisational Safeguards: Access restrictions on a need-to-know basis, confidentiality obligations for all personnel, regular security awareness training, and documented information security policies and procedures.
  • Physical Safeguards: Controlled access to our office premises and physical records.
  • Payment Security: Online payments are processed through our third-party payment gateway partner, which complies with PCI DSS standards and RBI guidelines. We do not store full payment card numbers on our systems.

Notwithstanding these measures, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially reasonable means to protect your personal data, we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately using the details provided at the end of this Policy.


9. Data Breach Notification

In the event of a personal data breach that compromises the confidentiality, integrity, or availability of your personal data, we will:

  • Notify the Data Protection Board of India (once constituted and operational under the DPDP Act, 2023) in such form and manner as may be prescribed under the Act and its rules;
  • Notify each affected Data Principal of such breach, in such form and manner as may be prescribed, providing details of the nature of the breach and the personal data affected;
  • Report the breach to the Indian Computer Emergency Response Team (CERT-In) in accordance with the directions issued under the IT Act, 2000, where applicable; and
  • Take all reasonable steps to mitigate the effects of the breach and prevent further unauthorised access.

Until such time as the specific rules under the DPDP Act prescribing the form and manner of breach notification are notified, we will follow the applicable provisions under the IT Act and any directions issued by CERT-In, and will endeavour to inform affected individuals without unreasonable delay.


10. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements. The specific retention period depends on the nature of the data and the purpose of its collection:

  • Client Engagement Records: Retained for a minimum period as prescribed under applicable laws, professional standards issued by ICAI, and the Firm's document retention policies. This typically includes a period of at least eight years from the completion of the engagement, or longer where required by specific regulations.
  • Tax and Financial Records: Retained in accordance with the applicable provisions of the Income Tax Act, 1961; the Goods and Services Tax Act, 2017; the Companies Act, 2013; and other relevant statutes.
  • Career Application Data: If your application is not successful, your CV and related information will be retained for a reasonable period (typically up to twelve months) to consider you for future opportunities, unless you request earlier deletion.
  • Newsletter Subscriptions: Your email address and preferences are retained until you unsubscribe.
  • Website Usage Data: Log data and analytics information are retained in aggregated or anonymised form for a reasonable period for analytical purposes.
  • Payment Records: Transaction records are retained in compliance with RBI regulations, the Payment and Settlement Systems Act, 2007, and applicable tax laws.

When personal data is no longer required for any purpose, we will securely delete or anonymise it in accordance with our data retention and disposal policies.


11. Your Rights as a Data Principal

Under the DPDP Act, 2023, and the IT Rules, 2011, you may have certain rights with respect to your personal data. Subject to applicable legal exceptions and limitations, these rights include:

Right to Access Information: You have the right to obtain confirmation from us as to whether your personal data is being processed, and to access a summary of such personal data along with information about the processing activities.

Right to Correction and Erasure: You have the right to request the correction of inaccurate or misleading personal data, the completion of incomplete personal data, and the erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to applicable legal retention requirements.

Right to Grievance Redressal: You have the right to have your grievances addressed in a timely manner. Please contact our Grievance Officer (details below) to raise any concerns regarding the processing of your personal data.

Right to Nominate: Under the DPDP Act, you have the right to nominate an individual who may exercise your rights in the event of your death or incapacity.

Right to Withdraw Consent: Where we process your personal data based on your consent, you have the right to withdraw such consent at any time by contacting us using the details provided in Section 16 of this Policy. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal. Please note that withdrawal of consent may affect our ability to provide certain Services to you.

11.1 Duties of Data Principals

Under Section 15 of the DPDP Act, 2023, Data Principals also have certain duties, including:

  • Complying with all applicable laws while exercising rights under the DPDP Act;
  • Not filing false or frivolous complaints or grievances with the Data Fiduciary or the Data Protection Board;
  • Not furnishing false or misleading personal data or suppressing material information when providing personal data for any document, unique identifier, proof of identity, or proof of address; and
  • Providing only verifiable and authentic information when exercising the right to correction or erasure.

11.2 Exercising Your Rights

To exercise any of the above rights, please contact our Grievance Officer using the details provided in Section 16. We may request reasonable verification of your identity before processing your request. We will endeavour to respond to your request within a reasonable time and in any event within the timeframes prescribed by applicable law.

If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India, as established under the DPDP Act, 2023.


12. Children's Privacy

Our Website and Services are not directed at or intended for use by individuals below the age of 18 years. We do not knowingly collect personal data from children.

In the event that we need to process personal data of a child (as defined under Section 9 of the DPDP Act, 2023), we will do so only with the verifiable consent of the child's parent or lawful guardian, and in compliance with the provisions of the DPDP Act and its rules.

We will not undertake processing of a child's personal data that is likely to cause any detrimental effect on the well-being of the child, and we will not engage in tracking, behavioural monitoring, or targeted advertising directed at children.

If we become aware that personal data of a child has been collected without verifiable consent from a parent or lawful guardian, we will take reasonable steps to delete such data promptly.

If you believe that we may have inadvertently collected personal data from a child, please contact us immediately using the details provided in Section 16.


13. Cross-Border Data Transfers

KSMG & CO primarily stores and processes personal data within India. However, in certain circumstances, your personal data may be transferred to, stored in, or processed in jurisdictions outside India — for example, where our service providers (such as cloud hosting or analytics providers) maintain servers or operations in other countries.

Any such transfer will be carried out in compliance with applicable provisions of the DPDP Act, 2023 (including any restrictions notified by the Central Government regarding transfer of personal data to specific jurisdictions), and the IT Rules, 2011, and only to jurisdictions or entities that provide an adequate level of protection for personal data, or where appropriate contractual safeguards have been implemented. We will ensure that all cross-border transfers of personal data are subject to appropriate data protection agreements and security measures.


14. Third-Party Links

Our Website may contain links to websites, platforms, or services operated by third parties. These links are provided for your convenience and informational purposes only. We do not control the content, privacy practices, or security measures of any third-party website. The inclusion of a link on our Website does not imply any endorsement, association, or recommendation by KSMG & CO.

We encourage you to review the privacy policy of every third-party website you visit before providing any personal data. We accept no responsibility or liability for the privacy practices or content of any third-party website.


15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make changes, we will revise the "Last Updated" date at the top of this Policy and post the updated version on our Website.

If we make material changes that significantly affect how we process your personal data, we will endeavour to notify you through a prominent notice on our Website or, where practicable, by email. We encourage you to review this Policy periodically to stay informed about how we protect your personal data.

Your continued use of our Website or Services after the posting of any revised Policy constitutes your acknowledgement of the changes and your agreement to be bound by the updated Policy.


16. Contact Us and Grievance Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

KSMG & CO

91Springboard, D-107, Sector 2
Noida, Uttar Pradesh 201301, India

Email: contact@ksmg.co

Telephone: +91 99993 54616

Grievance Officer

In accordance with Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the provisions of the Digital Personal Data Protection Act, 2023, we have designated the following Grievance Officer:

Name: Ms Nisha Garg
Designation: Partner
Email: info@ksmg.co
Telephone: +91 99993 54616
Address: 91Springboard, D-107, Sector 2, Noida, Uttar Pradesh 201301, India

The Grievance Officer shall address your grievance within a reasonable time, and in any event within thirty (30) days of receipt of the grievance, or within such other timeframe as may be prescribed under applicable law.

If you are not satisfied with the resolution provided by our Grievance Officer, you may escalate the matter to the Data Protection Board of India as established under the DPDP Act, 2023, or approach the appropriate authorities under the IT Act, 2000.