Privacy Policy.
How we collect, use, and protect information about visitors to this website and the people we work with. Written in plain English, not in lawyer.
Who we are
This policy applies to [XYNNLIT LEGAL ENTITY NAME] ("Xynnlit", "we", "us"), operating the website at xynnlit.com and providing offshore bookkeeping and accounting services to CPA firms, accounting practices, and businesses primarily based in the United States and Canada.
Our registered office is at [REGISTERED ADDRESS, AHMEDABAD, INDIA]. We're an India-incorporated entity that serves clients globally. If you're contacting us about a specific concern, the fastest route is privacy@xynnlit.com.
What we collect
We collect information in three buckets. Knowing which bucket your data falls into helps you understand what we do with it.
1. Information you give us directly
- Your name, work email, firm name, role, and phone number when you fill out a contact form, book a Calendly call, or email us.
- Anything you tell us during a call, on chat, or in writing — about your firm, your clients, or what you're looking for.
- Documents you send us as part of a pilot or active engagement (more on this below in Client and end-client data).
2. Information collected automatically when you visit the site
- Standard log data: IP address, browser type, device, operating system, the pages you visit, referring URL, and timestamps.
- Cookies and similar tech — see Cookies and tracking.
- If we run analytics (Google Analytics or similar), aggregated traffic data about how visitors use the site.
3. Information from third parties
- Public business data (LinkedIn, firm websites) when we research a prospect before a call.
- Information from referrers — if someone introduces you to us, they may share your name and context.
- Calendly, our email provider, and similar tools pass along basic data when you book a call or open an email from us.
How we use it
We use the information above for the following reasons, and only these reasons:
- To respond to you. If you fill out the contact form or book a call, we use your details to reply, schedule, and follow up.
- To deliver our services. If you become a client, we use the information you and your end-clients share to do the actual bookkeeping work.
- To run our business. Billing, accounting on our side, internal reporting, hiring decisions about who staffs your account.
- To improve the site. Understanding which pages get read, where people drop off, what to write next.
- To stay legal. Responding to lawful requests, tax authorities, audits, and so on.
We don't sell your data. We don't share your data with advertisers. We don't use it to train AI models. We don't do behavioural ad targeting. None of that is our business model.
Client and end-client data
This is the section that actually matters for the CPA firms and accounting practices that hire us.
When you engage Xynnlit, we access financial records, login credentials, employee data, vendor details, and other materials belonging to your end-clients. Legally, you are the data controller (or business, depending on jurisdiction) for that information, and Xynnlit is the data processor (or service provider). We act on your written instructions and on the scope agreed in our engagement letter.
Specifically:
- We sign a mutual NDA with every client firm before any access is granted.
- Every Xynnlit team member who touches your work has signed an individual confidentiality agreement that survives termination of their employment.
- Credentials flow through your password vault (Keeper, 1Password, LastPass, or equivalent). Nothing sensitive ever travels through email or chat.
- Two-factor authentication is mandatory on every client login.
- Access is granted on a need-to-know basis to the smallest team that can do the work.
- For U.S. financial information, we follow safeguards consistent with the kind of obligations CPA firms have under the Gramm-Leach-Bliley Act and AICPA Code of Professional Conduct §1.700, even though those rules technically apply to you, not to us.
If you require a formal Data Processing Agreement or Business Associate Agreement, ask. We sign them.
Who we share with
We share information only with the parties below, and only as needed:
- Service providers we depend on to run the business — cloud hosting, email, calendar, payment processors, accounting tools. Each is contractually bound to confidentiality and to use the data only to provide their service to us.
- Professional advisors — our lawyers, accountants, and auditors, when needed.
- Authorities — when we're legally required to disclose information, for example in response to a valid court order or tax inquiry. We'll push back on overreach and notify you wherever the law allows us to.
- A successor — if Xynnlit is ever acquired or merged, your data may transfer to the new entity, which would be bound by this policy or a stricter equivalent.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
Cookies and tracking
This site uses a small number of cookies and similar technologies. Here's the honest breakdown:
- Strictly necessary cookies that keep the site functional. These can't be turned off without breaking things.
- Analytics cookies (if active) that tell us in aggregate which pages people read. We may use Google Analytics or a privacy-friendlier alternative. No personally identifying data is sent.
- No advertising or behavioural-targeting cookies. We don't run ads.
You can block or delete cookies in your browser settings. If you're in a jurisdiction that requires a cookie banner (EU, UK, parts of the U.S.), one will appear on your first visit and you can opt out of non-essential cookies there.
Cross-border transfers
Xynnlit operates from India. When you send us information from the United States, Canada, the EU, the UK, or anywhere else, that data is transferred to and processed in India.
For EU/UK personal data, we rely on Standard Contractual Clauses (SCCs) and supplementary measures where required. For U.S. data, our contracts and security practices are designed to meet the obligations our CPA-firm clients face under their own state and federal rules.
How long we keep data
We keep information only for as long as we need it, then we delete or anonymise it.
- Prospect data (from contact forms and calls that didn't become engagements): up to 24 months from last contact, unless you ask us to delete sooner.
- Active client data: for the duration of the engagement plus the period needed for our records, your records, and applicable tax/audit/legal retention rules — typically 7 years.
- End-client financial records we process on your behalf: per your instructions and per the engagement letter. By default, we return or destroy them within a defined window after engagement end.
- Website logs: 12 months unless needed longer for security investigation.
Security
The short version is in our public Security page. The shorter version: encrypted transit (TLS 1.2+), encrypted storage, mandatory 2FA, password-vault-only credential handling, restricted device access, NDAs at every layer, documented workpapers for every adjustment.
No system is perfectly secure. If a breach affecting your information ever occurs, we'll notify you without undue delay and well within the deadlines required by applicable law (typically 72 hours under EU GDPR-style regimes; sooner where contractually agreed).
Your rights
Depending on where you live, you have some or all of these rights:
- Access — ask what we hold about you.
- Correction — fix what's wrong.
- Deletion — ask us to delete it (subject to legal/contractual retention).
- Restriction or objection — limit how we use it.
- Portability — get a copy in a usable format.
- Withdraw consent — where our basis for processing was your consent.
- Complain — to a supervisory authority (your local data protection regulator).
To exercise any of these, email privacy@xynnlit.com. We'll respond within 30 days, sooner where required.
If the data we hold about you is end-client data we process on behalf of a CPA firm, please contact that firm directly — they're the controller, and we have to route your request through them.
California, EU, and UK notes
California (CCPA / CPRA)
We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act. California residents have the right to know, delete, correct, and limit use of sensitive personal information. We do not use sensitive personal information for purposes outside those permitted by §7027(m) of the CCPA regulations.
EU / UK (GDPR / UK GDPR)
Our lawful bases for processing are: performance of a contract (when you engage our services), legitimate interests (running and improving our business in ways that don't override your rights), consent (where you've given it, e.g. for non-essential cookies), and legal obligation (tax, audit, fraud prevention).
Where required, our EU/UK representative can be reached at [EU/UK REPRESENTATIVE NAME & CONTACT — fill in only if applicable].
India (DPDP Act, 2023)
Our Grievance Officer under the Digital Personal Data Protection Act, 2023 is:
- [GRIEVANCE OFFICER NAME]
- Email: grievance@xynnlit.com
- Address: [REGISTERED ADDRESS, AHMEDABAD]
Children
This is a B2B website and service. We don't knowingly collect data from anyone under 18. If we discover we have, we'll delete it.
Changes to this policy
We'll update this policy from time to time. When we do, we'll change the "Last updated" date at the top and, for material changes, notify active clients directly.