Privacy Policy

Last updated: April 5, 2026

1. Our Privacy Commitment

At Qosh, privacy is not a compliance checkbox — it is a foundational principle. We handle your financial and business data with the same care and discretion you would expect from a trusted partner. Our commitments to you are simple:

  • We collect only what we need to deliver and improve the Service.
  • We do not sell your data — ever.
  • Your data is yours. We process it to serve you, not to monetize it.
  • We give you meaningful control over your data, including the right to access, correct, and request deletion.
  • We are transparent about what we collect, why we collect it, and who we share it with.
  • We use industry-standard security practices to protect your data from unauthorized access.

This Privacy Policy explains in detail how we collect, use, store, and protect your personal and business data when you use the Qosh platform. Please read it carefully.

2. Overview

This Privacy Policy describes how Qosh AI Solutions LLP collects, uses, stores, and protects your personal and business data when you interact with Qosh — including through our marketing website at qosh.ai, our web application at app.qosh.ai, our desktop runtime, APIs, WhatsApp integrations, and related services (collectively, the "Service"). This includes any information you share directly on our website, such as when signing up for early access, creating an account, requesting a demo, or filling out any other form or inquiry.

This policy applies to all users of the Service — including individuals, business owners, chartered accountants, and team members of organizations that subscribe to Qosh. By using the Service, you agree to the collection and use of information in accordance with this policy.

If you have questions, concerns, or requests relating to your data, you may contact us at privacy@qosh.ai at any time.

3. Who We Are

Qosh AI Solutions LLP ("Qosh", "we", "us", or "our") is a limited liability partnership registered under the laws of India, with its registered office in Mumbai, Maharashtra. We operate the Qosh platform — an AI-powered accounting and finance automation service accessible via app.qosh.ai and our desktop runtime application.

For questions regarding this Privacy Policy or your personal data, contact us at privacy@qosh.ai.

4. Scope

This Privacy Policy applies to all personal data we collect, process, and store when you use the Qosh platform, including our web application, desktop runtime, APIs, WhatsApp integrations, and related services. By accessing or using our services, you acknowledge that you have read, understood, and agree to this Privacy Policy.

5. Notice to Users of Our Customers and End Users

Qosh is a business-to-business (B2B) platform. Our direct customers are typically businesses, chartered accountant firms, and finance teams ("Customers") who use Qosh to manage accounting and financial workflows for themselves or on behalf of their own clients ("End Users").

If you are an End User of a Qosh Customer — for example, an SME whose CA firm uses Qosh to process your financial documents — your data is processed by Qosh on behalf of that Customer. In this context, Qosh acts as a data processor and the Customer acts as the data controller responsible for your personal data.

We process your data only under the instructions of the Customer and for the purpose of delivering the Service to them. We do not independently use End User data for our own marketing or commercial purposes.

If you have questions or requests relating to your personal data — such as accessing, correcting, or deleting your information — you should contact the Customer (i.e., the CA firm or business) who manages your account with Qosh. If you are unable to reach them or believe your data is being processed unlawfully, you may contact us at privacy@qosh.ai and we will assist to the extent we are able.

Qosh is not responsible for the privacy practices of its Customers in their dealings with End Users. Customers are independently responsible for obtaining any necessary consents from their clients and for complying with applicable data protection laws in respect of End User data.

6. Data We Collect

6.1 Account Information

When you create an account, we collect your full name, email address, phone number (optional), company name, designation, and authentication credentials (securely hashed).

6.2 Financial and Business Data

To provide our services, we process financial and accounting data you submit or sync, including: ledger and master data from Tally ERP or other accounting systems; vouchers, invoices, purchase orders, and bank statements; GST registration numbers (GSTN), PAN, bank account details (account numbers, IFSC codes); transaction records, tax computations, and compliance-related data.

6.3 Documents

We process documents you upload or send via WhatsApp, including PDFs, images, and spreadsheets. Document metadata (file name, type, size, upload source, timestamps) is stored alongside the documents.

6.4 WhatsApp Data

If you use our WhatsApp integration, we collect sender phone numbers, message identifiers, timestamps, and documents shared via WhatsApp. This data is processed in accordance with Meta's WhatsApp Business API terms.

6.5 Usage and Technical Data

We automatically collect login timestamps, session data, IP addresses, browser type, device information, and platform usage patterns to maintain and improve our services.

6.6 Team and Organization Data

For multi-user accounts, we store team member information, roles (Owner, Admin, Accountant, Operator, Viewer), permissions, and tenant relationships between CA firms and their SME clients.

7. How We Use Your Data

We process your data for the following purposes:

  • Providing, operating, and maintaining the Qosh platform and its features
  • Processing and classifying financial documents using AI/ML models
  • Syncing data with your accounting software (e.g., Tally ERP)
  • Facilitating document collection via WhatsApp and email
  • User authentication, authorization, and account management
  • Communicating with you about your account, service updates, and support
  • Ensuring security, preventing fraud, and complying with legal obligations
  • Generating anonymized analytics and insights to improve our services
  • Improving our services, including platform features, AI accuracy, and user experience, using aggregated and anonymized usage data

8. Legal Basis for Processing

We process your personal data only where we have a valid legal basis to do so. Depending on the nature of the processing, the applicable legal bases under Indian law (including the Digital Personal Data Protection Act, 2023, the IT Act, 2000, and the SPDI Rules, 2011) and, where applicable, equivalent international standards, are as follows:

  • Contractual necessity: Processing that is necessary to provide the Service you have subscribed to — including account management, document processing, AI automation, and software integrations.
  • Consent: Where you have provided explicit consent — for example, by signing up on our website, agreeing to our Terms of Use, or opting in to receive communications from us. You may withdraw consent at any time by contacting us at privacy@qosh.ai, though withdrawal does not affect the lawfulness of prior processing.
  • Legitimate interests: Where processing is necessary for our legitimate business interests — such as improving the Service, ensuring security, preventing fraud, and conducting internal analytics — provided these interests are not overridden by your privacy rights.
  • Legal obligation: Where processing is required to comply with applicable laws, regulations, court orders, or government directives.
  • Vital interests: In rare circumstances, where processing is necessary to protect your vital interests or those of another person.

Where Qosh processes data as a data processor on behalf of a Customer (see Section 5), the Customer is the data controller and is responsible for establishing the legal basis for that processing.

9. AI and Machine Learning

Qosh uses artificial intelligence and machine learning to process, classify, and extract information from your documents. To deliver these capabilities, we work with a select group of third-party and/or self-hosted open-source AI infrastructure providers. We do not publicly disclose the specific providers we use, as this is part of our proprietary technology stack. These providers are bound by strict data processing agreements and are permitted to use your data only to fulfil the specific task requested — not for their own model training or any other purpose.

Qosh does not use your identifiable business data to train any AI model. We select third-party AI providers based on their published data handling commitments and, where available, enter into data processing agreements that restrict the use of your data for training purposes. However, the data practices of third-party providers are ultimately governed by their own terms and policies, which may change over time. We encourage you to review the applicable policies of any AI service providers whose outputs you rely upon. Only anonymized and aggregated data, stripped of all personally identifiable information, may be used by Qosh to improve our own AI accuracy and service quality.

AI-generated outputs are provided for informational and assistive purposes only. You are responsible for reviewing and verifying all AI outputs before relying on them for financial, accounting, tax, or compliance decisions.

10. Data Storage and Residency

Qosh is built on a data-minimization philosophy. We collect and retain only what is necessary to deliver, operate, and improve the Service. Depending on the deployment mode you choose, documents submitted for processing may be stored to support features such as audit trails, document retrieval, and historical records — but only within your account environment and accessible only to you and the team members you authorize.

You choose how your data is stored through two modes:

  • Local data mode: Your business data and ledger records remain on your own device and local environment at all times. Nothing is synced to our servers unless you initiate it. This is the recommended mode for users with strict data residency requirements.
  • Cloud mode: Your business data is stored in encrypted, access-controlled cloud infrastructure. Data is stored in a manner that is logically isolated per organization and is not accessible to other users or third parties.

Regardless of the mode selected, a minimal set of metadata (such as authentication tokens, session data, and operational logs) is maintained in our infrastructure solely to ensure the Service functions correctly. We may also retain data temporarily as cache, for error recovery, or where reasonably required for service continuity — but only for as long as necessary for those purposes.

11. Data Sharing and Third Parties

We share your data only to the extent necessary to operate the Service. The categories of third parties we work with are:

  • Cloud infrastructure providers: Amazon Web Services (AWS) for storage, compute, and database (PostgreSQL).
  • AI/ML infrastructure providers: AI services used solely for document processing and classification tasks, including Qwen (self-hosted open-source model) and select third-party providers we do not disclose for competitive reasons. These providers do not receive your data for any purpose other than completing the specific task requested.
  • Communication platforms: Meta (WhatsApp Business API) for document collection; Amazon SES for transactional email delivery.
  • Workflow and pipeline services: Kestra, used internally for orchestrating automated accounting workflows.
  • Legal and regulatory authorities: When required by law, court order, or government directive.

We do not sell, rent, or trade your personal data. All third-party service providers are contractually required to process your data only under our instructions and to maintain security standards consistent with industry best practices.

12. Data Security

We implement reasonable security practices and procedures consistent with industry standards, including: encryption of data in transit (HTTPS/TLS) and at rest; secure hashing of passwords; Fernet-based encryption for sensitive document passwords; role-based access controls and tenant-level data isolation; token-based authentication with short-lived session tokens; WireGuard encrypted tunnels for local data mode; and regular security monitoring and access logging.

While we take reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.

13. Data Retention

Our default is to retain as little data as possible for as short a time as possible. Financial documents and business data are processed to complete the requested task and are not held in persistent storage beyond what the Service requires to function (for example, to display past entries, maintain audit trails, or allow you to retrieve processed records within the platform).

We may retain certain data for longer periods where it is necessary to: provide ongoing service functionality; comply with legal or regulatory obligations; resolve disputes or enforce our agreements; or improve the reliability and accuracy of our services. In such cases, retention is limited to the minimum necessary for that purpose.

Upon account termination or a verified deletion request, we will delete or anonymize your personal data within 90 days. Anonymized data that cannot be linked back to you may be retained and used without restriction.

14. Your Rights

Subject to applicable law, including the Information Technology Act, 2000, the SPDI Rules, 2011, and the Digital Personal Data Protection Act, 2023 (as and when effective), you have the right to:

  • Access information about the personal data we hold about you
  • Request correction of inaccurate or incomplete personal data
  • Request erasure of your personal data (subject to legal retention requirements)
  • Withdraw your consent to data processing at any time
  • Nominate a representative to exercise your rights in case of death or incapacity
  • Lodge a grievance with our Grievance Officer or the Data Protection Board of India

To exercise any of these rights, contact us at privacy@qosh.ai. We will respond within a reasonable timeframe, not exceeding 30 days.

15. Cookies and Tracking

We use essential cookies and similar technologies to maintain your session, authenticate your identity, and ensure platform functionality. We may use analytics tools to understand usage patterns and improve our services. You may control cookie preferences through your browser settings.

16. Google reCAPTCHA

We use Google reCAPTCHA on our website and platform to protect against spam, bots, and fraudulent submissions. reCAPTCHA is a service provided by Google LLC and works by collecting hardware and software information, such as device and application data, and sending these data to Google for analysis.

The use of reCAPTCHA is subject to Google's Privacy Policy and Terms of Service. By using our Service, you acknowledge that Google may collect and process information about your interaction with reCAPTCHA challenges, which may include your IP address and behavioral signals, solely for the purpose of determining whether you are a human user. This information is processed by Google in accordance with its own privacy practices.

Qosh does not have access to, nor does it store, the raw data collected by reCAPTCHA beyond what is returned as a verification result (pass or fail). We use this result solely to protect our platform from automated abuse.

17. Children's Data

Qosh is a business-to-business service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will promptly delete such data.

18. Cross-Border Data Transfers

Your data may be transferred to and processed in countries outside India where our service providers operate (including the United States). We ensure that such transfers are conducted in compliance with applicable Indian data protection laws and that appropriate safeguards are in place to protect your data.

19. Grievance Officer

In accordance with the Information Technology Act, 2000 and applicable rules, our Grievance Officer can be contacted at:

Grievance Officer
Qosh AI Solutions LLP
Mumbai, Maharashtra, India
Email: grievance@qosh.ai

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of our services after such changes constitutes your acceptance of the revised policy.

21. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this policy shall be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra.