Who we are
CAHireX is a product of NestedX, a company incorporated in India. When we say "we," "us," or "our" in this policy, we mean NestedX operating the CAHireX platform at cahirex.com.
Grievance Officer & Data Fiduciary contact:
Email: hello@cahirex.com
Address: NestedX, India
We will acknowledge your request within 48 hours and resolve it within 30 days, as required by the Digital Personal Data Protection Act, 2023 (DPDPA).
What data we collect
| Data type | Why we collect it | Legal basis (DPDPA) |
|---|---|---|
| Name, email, phone | Account creation, waitlist, communications | Consent |
| Business name, GSTIN | GST invoice generation, tax filing | Consent + Legitimate use |
| Financial records (invoices, transactions) | Bookkeeping, ITR estimation, GOJO AI insights | Consent |
| Usage analytics (pages viewed, features used) | Product improvement, bug fixes | Legitimate use |
| Device info & IP address | Security, fraud prevention | Legitimate use |
| Cookies & local storage | Session management, preferences | Consent (see Cookies section) |
We do not collect Aadhaar numbers, biometric data, or any data classified as "Sensitive Personal Data" under the DPDPA unless explicitly required for a specific service and consented to separately.
How we use your data
Your data is used to provide and improve CAHireX services — generating invoices, filing returns, powering GOJO AI recommendations, and sending you relevant updates. We will never sell your personal data to third parties. Period.
Third-party processors
We work with a limited set of processors who handle data on our behalf:
- Cloud hosting — servers located in India (Mumbai region) for data residency compliance
- Payment gateway — processes subscription payments; we never store your card details
- Email/SMS service — for transactional and waitlist communications
- Analytics — anonymized, aggregated usage data only
All processors are contractually bound to process data only as we instruct, and to maintain adequate security measures.
Data retention
We retain your personal data for a maximum of 12 months after you stop using the platform or delete your account — whichever comes first. Financial records required for statutory compliance (e.g., GST records) may be retained longer as mandated by Indian tax law.
After the retention period, data is permanently deleted or irreversibly anonymized. You can request earlier deletion at any time — see "Your rights" below.
Cookies & tracking
CAHireX uses cookies to keep you logged in and remember your preferences. Here's what we use:
| Cookie type | Purpose | Duration |
|---|---|---|
| Essential (session) | Authentication, security | Until you log out |
| Preferences | Language, theme, last-used view | 12 months |
| Analytics | Anonymized usage patterns | 12 months |
We do not use advertising cookies or any third-party ad trackers. You can manage cookie preferences from your browser settings. Disabling essential cookies may affect core functionality.
Your rights under DPDPA 2023
As a Data Principal, you have the right to:
- Access — Request a summary of the personal data we hold about you
- Correction — Ask us to update inaccurate or incomplete data
- Erasure — Request deletion of your data (subject to legal retention requirements)
- Withdraw consent — Revoke any consent you've given, at any time, without affecting the lawfulness of prior processing
- Grievance redressal — File a complaint with our Grievance Officer or escalate to the Data Protection Board of India
- Nominate — Nominate another person to exercise your rights in the event of your death or incapacity
To exercise any right, email hello@cahirex.com with the subject line "DPDPA Rights Request." We will verify your identity and respond within 30 days.
Children's data
CAHireX is a business-to-business product not intended for individuals under 18. We do not knowingly collect data from minors. If we discover we've collected data from someone under 18, we will delete it promptly and notify their verifiable guardian, in accordance with the DPDPA provisions on children's data.
Data security
We use industry-standard measures to protect your data: encryption in transit (TLS 1.3), encryption at rest (AES-256), role-based access controls, regular security audits, and breach-notification procedures. In the event of a data breach, we will notify the Data Protection Board of India and affected users without unreasonable delay, as required by the DPDPA.
Cross-border transfers
Your data is primarily stored on servers within India. If any processing requires transfer outside India, it will only be to countries or entities permitted by the Central Government under DPDPA Section 16, and we will ensure equivalent protection measures are in place.
Changes to this policy
When we make material changes, we'll notify you via email or an in-app banner at least 15 days before they take effect. The "Last updated" date at the bottom always reflects the latest version.
Last updated: April 17, 2026