Legal · Compliance
Compliant by design
HRAReceipt.in is architected so that document data never leaves your browser.
Below: precise claims for India's DPDP Act 2023 and the EU GDPR, each linked to the technical guarantee that supports it.
— Some things should never leave your browser.
In this section
Last reviewed: May 2026
What our servers receive when you generate a document: nothing.
Document fields (your name, your landlord's PAN, your salary, your GSTIN — every field you type) are processed in your browser via JavaScript and rendered to PDF client-side. The resulting PDF is built on your device and downloaded directly. Our servers never see any of it.

India · Digital Personal Data Protection Act 2023
DPDP Act 2023
India's Digital Personal Data Protection Act 2023 (the "DPDP Act") regulates how Data Fiduciaries process personal data of Data Principals (individuals) in India. The DPDP Rules 2025 are being rolled out in phases; full compliance is required by 13 May 2027.
HRAReceipt.in's architectural posture is compliant by design: the categories of personal data the DPDP Act regulates (name, address, PAN, financial details, employment data) are processed entirely in your browser and never transmitted to our servers. We cannot disclose, sell, lose, or breach data we never receive.
What our servers do store:
- Razorpay payment references (transaction IDs) — required for refund handling and the statutory 7-year record-keeping obligation under the Information Technology Act and CGST Rules. No card data, no UPI ID, no cardholder name (Razorpay tokenises and holds those, not us).
- Hashed corporate access codes — for the optional corporate plan. We store a SHA-256 hash of the code (not the code itself) plus a wallet balance counter. We cannot reverse the hash to recover the code.
- Aggregate operation counters — total documents generated per-day, with no identifier tying a count to an individual user.
DPDP Act §6 Notice (data we don't collect):
The DPDP Act requires a clear notice listing the personal data being collected and the purpose. Because we collect no personal data through document generation, no §6 notice is rendered at the document forms. Razorpay's separate notice applies at the payment step (Razorpay is a separate Data Fiduciary under the DPDP Act).
For the legal text, see the Ministry of Electronics & Information Technology DPDP framework and the Act text via PRS Legislative Research.

European Union · General Data Protection Regulation
GDPR
HRAReceipt.in serves a meaningful NRI audience filing Indian Income Tax Returns from the EU, UK, UAE, Singapore, and the US. Many of those users are EU data subjects. The same browser-only architecture that satisfies the DPDP Act also satisfies GDPR's data-minimisation, purpose-limitation, and storage-limitation principles (Articles 5(1)(b), (c), (e)).
GDPR Article-by-article posture:
- Art. 5(1)(c) — Data minimisation: we process no personal data server-side from the document generators. Razorpay payment references are the minimum necessary to support refunds.
- Art. 6 — Lawful basis: the lawful basis for the small set of server-side data we do hold (Razorpay refs, hashed codes) is contract performance (Art. 6(1)(b)) — needed to deliver the paid PDF.
- Art. 13 — Information to data subjects: see our Privacy Policy.
- Art. 15–22 — Data-subject rights: because we hold no document data, most rights (access, rectification, portability) have nothing to act on. For payment-reference data, request via support@hrareceipt.in — we respond within the 30-day window.
- Art. 28 — Processors: Razorpay (payment processor, EU cross-border via SCC), Vercel (hosting), Cloudflare (CDN). No other sub-processors.
- Art. 32 — Security: TLS in transit, HSTS, hashed corporate codes, no plain-text secrets at rest.
- Art. 33 — Breach notification: we have no document-data breach surface; payment-ref breaches would be reported within 72 hours per the Article.
Disclosure and contact
HRAReceipt.in is operated from India. The claims above describe architectural invariants of the live site as of the last-reviewed date. For DPDP-related requests, GDPR data-subject requests, or audit inquiries, contact support@hrareceipt.in. See also our Privacy Policy.
References
Last reviewed: 21 May 2026