In a world driven by apps, SaaS tools, and streaming platforms, GST compliance is no longer limited to Indian startups. Global platforms selling digital services to users in India must now follow OIDAR rules, collect GST correctly, and at the same time comply with strict digital privacy laws. At Ebizfiling, we often see founders struggle with a common concern: how much user data is necessary for tax compliance without creating issues with regulators or user trust. This article explains how global platforms can strike the right balance.
Under Indian GST, OIDAR means online information and database access or retrieval services that are delivered over the internet, with minimal human intervention, directly to the recipient. Typical examples are SaaS subscriptions, cloud storage, digital courses, e-books, streaming and paid software downloads.
For a foreign platform that serves individual users or unregistered entities in India, the key points are:
If you provide OIDAR services to users located in India who are not GST registered, you must obtain a special GST registration in India and charge IGST, commonly at 18 percent.
There is no turnover threshold for foreign OIDAR suppliers. Even a small volume of B2C sales can trigger registration.
From 1 October 2023, the definition of “non taxable online recipient” was widened to cover almost any unregistered recipient in India, which pulled more foreign platforms into the OIDAR net.
For global platforms, the biggest challenge is simple: the data you must collect for GST compliance is the same data that privacy laws want you to protect and minimize. To charge GST correctly under OIDAR rules, a platform needs certain user information, such as the customer’s country, billing details and transaction history. These details help determine whether GST applies, what rate to charge and how to support your returns during an audit. Sometimes, platforms also use IP addresses or the payment instrument's country to validate user location, much like EU VAT rules that expect at least two consistent pieces of evidence.
But this information also contains personal data, which triggers privacy obligations in India, the EU, and the US. This is where the balance becomes important.
Most global platforms operate under three major privacy frameworks:
India’s DPDP Act 2023, which allows processing of personal data when required by law. Since GST obligations fall into this category, platforms are permitted to store and use billing and transaction data for tax purposes. The DPDP Act still expects minimization, purpose limitation and deletion once the tax retention period is over.
EU GDPR, which gives a lawful basis for processing when it is necessary to comply with a legal obligation, including VAT rules. GDPR even states that the user’s right to erasure does not apply when invoices or tax records must be kept for statutory periods, often up to 10 years in the EU.
California CCPA and similar US laws, which allow users to request deletion of personal data but make clear that businesses may refuse deletion for information required to comply with tax or audit laws.
Across all these frameworks, one principle stays consistent: you can collect and retain personal data when GST compliance requires it, but only for that purpose. You cannot over-collect, store it longer than needed, or use it for unrelated profiling or marketing unless you have a separate legal basis.
This intersection is exactly where many global platforms struggle. At Ebizfiling, we help clients create a structure where tax data is collected in a minimal, transparent and lawful way, while privacy expectations remain fully respected.
| Region | Digital Tax Rule | Record Retention | Privacy View |
| --- | --- | --- | --- |
| India | GST on OIDAR to unregistered users; foreign suppliers must register and charge IGST. | 6–8 years | DPDP Act allows retention when required by law. |
| EU | VAT on digital services based on customer location, including non-EU suppliers. | Around 10 years | GDPR permits retention under legal obligation with minimization and security. |
| US (California) | State sales tax on digital services based on economic nexus rules. | 4–7 years | CCPA allows retention for legal obligation despite deletion requests. |
From our experience at Ebizfiling, global clients can reduce risk by using some simple but strict habits:
Collect only required data: Capture just the fields needed for GST, EU VAT or US sales tax and avoid gathering anything extra.
Rely on legal obligation: Use the “legal obligation” basis to store tax records and explain this clearly in your privacy notice.
Keep tax data separate: Store OIDAR GST information in a restricted archive, away from marketing or analytics systems.
Set strict retention limits: Follow the longest tax retention rule and delete or anonymize data automatically once it expires.
Respond clearly to deletion requests: Remove what you can, but keep invoices and tax records you are legally required to retain.
Strengthen security: Use encryption, limited access, and regular checks to protect data you must store for longer periods.
At Ebizfiling, we work as a compliance partner for foreign digital businesses entering India. Our approach is simple and practical:
We understand your platform model, revenue flows, and where your users are based.
We map your supplies to OIDAR or other GST categories and confirm if and when GST compliance in India is mandatory.
We obtain your non-resident GST registration and help you set up a clean tax invoice format for Indian customers.
We coordinate with your tech team on what data needs to be captured in your checkout or billing system, so tax and privacy needs are balanced.
We handle monthly or quarterly OIDAR GST returns, review reconciliations and flag any risk areas before a notice arrives.
This way, you focus on product and growth, while we quietly hold the compliance layer together in the background.
For global platforms, GST compliance for OIDAR services is non-negotiable, but it does not have to clash with digital privacy laws. When you collect only the data you need, store it securely, and use it only for tax and clearly explained purposes, regulators on both sides are more comfortable, and users are more likely to trust you. Ebizfiling helps you design that balance so your cross-border growth is supported by solid, future-ready compliance.
Not every platform needs registration. However, if you supply OIDAR services to unregistered users in India, GST registration is usually required even without a physical presence or any turnover threshold.
Most platforms rely on indicators such as billing address, phone country code, IP address, and payment country. If two consistent signals point to India, the transaction should be treated as taxable in India.
Users can request deletion, but privacy laws in India, the EU, and California allow businesses to retain personal data needed to meet legal obligations, including tax record keeping, even after a deletion request.
Collecting more data than reasonably required for GST compliance may violate data minimization and purpose limitation principles, leading to regulatory scrutiny, fines, and reputational damage.
Retention periods vary by country, but many tax laws expect records to be kept for 6 to 10 years. A practical approach is to follow the strictest applicable rule across major markets.
In most legal frameworks, consent is not required. Processing data to meet a legal obligation is a separate lawful basis, but users must still be clearly informed about such processing.
No, unless there is a proper legal basis. Data collected for GST compliance cannot be reused for marketing or profiling without consent or another valid justification under privacy laws.
The EU also taxes digital services based on customer location and requires non-EU suppliers to charge VAT, similar to India’s approach for foreign OIDAR suppliers.
Apart from GST compliance, platforms must issue clear notices, respect user rights, secure personal data, and comply with cross-border data transfer rules, requiring coordination between tax, legal, and IT teams.
Ebizfiling reviews your business model, confirms OIDAR applicability, manages GST registration, and supports invoicing, returns, and data flows to align GST compliance with privacy requirements.