1. Who We Are
NRI Tools ("Service") is operated by Dharv Technologies LLP, a limited liability partnership incorporated in India (hereinafter "we", "us", or "our").
We are the data controller for personal data processed through this Service. Questions about your data can be sent to: privacy@nritools.com
Because we actively offer services to individuals in the European Union and European Economic Area, we comply with the EU General Data Protection Regulation (GDPR) (Regulation 2016/679) in addition to applicable Indian data-protection law.
2. What Data We Collect
2.1 Account Data
- Name and email address — provided during sign-up or obtained from Google OAuth.
- Profile photo URL — only if you sign in with Google and Google shares it.
- Password hash — stored using bcrypt if you register with email/password. We never store your plain-text password.
2.2 Profile & Preferences
- Country of residence — the country you select in the Salary Calculator or Settings page (stored as an ISO country code, e.g. "NL").
- Indian city — optionally provided for localised property or banking data.
- Pro subscription status — whether your account is on the free or Pro plan.
2.3 Tool Data (created by you)
- Documents — document type, expiry date, country of issue, and any notes you enter for passport, OCI, visa, or other documents.
- Remittance entries — NRO repatriation records including date, amount, and Form 15CA reference.
- Tax records — Indian and foreign income figures, TDS/TCS details you enter for DTAA calculations.
- Property calculations — property price, loan details, and expected appreciation inputs.
- Rate alerts — your target EUR→INR rate and notification email preference.
- Community posts and comments — content you publicly post in the Community forum.
- Feedback & suggestions — messages you submit via the feedback form, including the category and the page you were on.
2.4 Analytics Data (with your consent)
If you consent to analytics cookies, we collect usage data via Google Analytics 4 and Mixpanel:
- Google Analytics 4 — pages visited, session duration, device and browser type, approximate geographic region (country/city). Google Analytics uses cookies to identify returning visitors. We use GA4 in Consent Mode v2: before you consent, only anonymous, cookieless aggregate signals are sent.
- Mixpanel — product events such as which tools you use (e.g. "Salary Calculator opened"), feature interactions, and conversion steps (e.g. "Rate Alert Created"). This helps us understand which features are most valuable and where to improve the product. Mixpanel stores a user identifier in
localStorage.
Analytics are optional. You can decline at the cookie banner or withdraw consent at any time by clearing your browser storage (localStorage key: nri-cookie-consent).
We do not use advertising trackers, retargeting pixels (no Meta Pixel), or behavioural advertising of any kind.
2.5 Automatically Collected Data
- Session data — encrypted session cookies issued by NextAuth.js to keep you signed in.
- Server logs — Vercel (our hosting provider) records IP addresses, browser type, and request paths for security and uptime monitoring. These logs are retained for 30 days by Vercel and are not linked to your account by us.
3. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases (GDPR Art. 6):
| Purpose | Legal Basis |
|---|---|
| Creating and maintaining your account | Performance of a contract (Art. 6(1)(b)) |
| Providing the tools (document tracker, tax calculator, etc.) | Performance of a contract (Art. 6(1)(b)) |
| Sending document-expiry reminder emails | Performance of a contract (Art. 6(1)(b)) |
| Sending rate-alert notification emails | Performance of a contract (Art. 6(1)(b)) |
| Processing subscription payments | Performance of a contract (Art. 6(1)(b)) |
| Security, fraud prevention, uptime monitoring | Legitimate interests (Art. 6(1)(f)) |
| Analytics (GA4 + Mixpanel) — understanding product usage | Consent (Art. 6(1)(a)) — only after you accept the cookie banner |
| Processing feedback / suggestions | Legitimate interests (Art. 6(1)(f)) — improving the Service |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Data
- To authenticate you and maintain your session.
- To store and display the data you enter in our tools.
- To send transactional emails: document expiry reminders, rate alerts, and payment receipts (via Resend).
- To process subscription payments and issue invoices.
- To respond to your feedback and improve the Service.
- To comply with applicable law, including Indian tax and accounting obligations.
We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal effects.
5. Who We Share Data With
We share data only with sub-processors who help us run the Service:
| Sub-processor | Purpose | Data location |
|---|---|---|
| Neon (neon.tech) | PostgreSQL database hosting | US-East (or EU region if configured) |
| Vercel | Application hosting & serverless functions | US-East (edge caching globally) |
| Resend | Transactional email delivery | US (AWS us-east-1) |
| Google OAuth | Sign-in via Google (only if you choose it) | Google servers globally |
| Google Analytics 4 | Page analytics (consent required) | US (Google LLC) |
| Mixpanel | Product event analytics (consent required) | US (Mixpanel Inc.) |
| Razorpay | Payment processing (Indian users) | India |
| Stripe | Payment processing (international users) | US / EU |
All sub-processors are bound by data processing agreements. We do not share your data with any other third party unless required by law.
6. International Data Transfers
Dharv Technologies LLP is based in India. Our hosting providers (Neon, Vercel, Resend) are based primarily in the United States. Transfers of personal data from the EU/EEA to these processors are carried out under appropriate safeguards — specifically, Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46(2)(c) GDPR), as incorporated in each provider's Data Processing Agreement.
You may request a copy of the relevant SCC documentation by emailing privacy@nritools.com.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account & profile data | Until you delete your account, then 30 days before permanent erasure |
| Tool data (documents, tax records, etc.) | Until you delete the entry or delete your account |
| Community posts & comments | Until deleted by you (or us for policy violations); up to 30 days to propagate deletion |
| Feedback & suggestions | 12 months, then anonymised or deleted |
| Payment records | 7 years (Indian Companies Act / GST compliance) |
| Server access logs (Vercel) | 30 days (retained by Vercel, not us) |
8. Cookies & Local Storage
8.1 Strictly necessary (always set)
- next-auth.session-token — an encrypted session cookie so you stay logged in. Expires after 30 days or when you sign out.
- next-auth.csrf-token — a CSRF protection token. Session-scoped.
- nri-cookie-consent (localStorage) — stores your analytics consent choice ("accepted" or "rejected"). Not a cookie; stored in browser local storage. Not transmitted to our servers.
8.2 Analytics cookies (only with your consent)
- _ga, _ga_*, _gid — set by Google Analytics 4 to distinguish unique visitors and track sessions. Expire after 2 years (_ga) and 24 hours (_gid).
- mp_* — set by Mixpanel in localStorage to identify returning users and track product events. Persists until manually cleared.
Analytics cookies are only set after you click "Accept analytics" on the cookie banner. You may withdraw consent at any time by clearing site data in your browser settings or by clearing the nri-cookie-consent key from localStorage.
Before consent, Google Analytics 4 operates in Consent Mode v2 — it sends anonymous, cookieless aggregate signals to Google (no personal data, no cookies). Mixpanel does not load at all without consent.
We do not use advertising cookies, retargeting pixels, or social media cookies.
9. Your Rights Under GDPR
If you are located in the EU/EEA, you have the following rights under the GDPR. To exercise any of them, email privacy@nritools.com. We will respond within 30 days.
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — ask us to correct inaccurate data.
- Right to erasure (Art. 17) — request deletion of your account and associated data ("right to be forgotten"). Note: payment records are retained for legal compliance.
- Right to restriction of processing (Art. 18) — ask us to suspend processing while a dispute is resolved.
- Right to data portability (Art. 20) — receive your tool data in a structured, machine-readable format (JSON/CSV).
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to lodge a complaint — you may complain to your national supervisory authority (e.g. the Dutch AP, German DSK, or Irish DPC) if you believe we are not complying with GDPR.
10. Security
We implement appropriate technical and organisational measures to protect your data:
- Passwords are hashed with bcrypt (cost factor 12) and never stored in plain text.
- All data in transit is encrypted via TLS (HTTPS).
- Database access is restricted to our application servers via Neon's connection pooling with environment-variable credentials.
- Session tokens are encrypted and stored in httpOnly cookies (not accessible to JavaScript).
- API endpoints require authentication; unauthenticated requests are rejected.
No system is 100% secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33–34).
11. Children's Privacy
NRI Tools is not directed at children under 16 years of age. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, please contact us at privacy@nritools.com and we will delete the account promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, notify you by email. Continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
13. Contact Us
For any privacy-related questions or to exercise your rights, contact us at:
Dharv Technologies LLP
India
Email: privacy@nritools.com
We aim to respond to all requests within 30 days. For complex requests this may be extended by a further two months, in which case we will notify you within the initial 30-day period.