Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 16 May 2026

1. Who We Are

NRI Tools ("Service") is operated by Dharv Technologies LLP, a limited liability partnership incorporated in India (hereinafter "we", "us", or "our").

We are the data controller for personal data processed through this Service. Questions about your data can be sent to: privacy@nritools.com

Because we actively offer services to individuals in the European Union and European Economic Area, we comply with the EU General Data Protection Regulation (GDPR) (Regulation 2016/679) in addition to applicable Indian data-protection law.

2. What Data We Collect

2.1 Account Data

  • Name and email address — provided during sign-up or obtained from Google OAuth.
  • Profile photo URL — only if you sign in with Google and Google shares it.
  • Password hash — stored using bcrypt if you register with email/password. We never store your plain-text password.

2.2 Profile & Preferences

  • Country of residence — the country you select in Settings (stored as an ISO country code, e.g. "AE").
  • Indian city — optionally provided for localised property, banking, or embassy data.
  • NRI since year — optionally provided to personalise tool recommendations.
  • Subscription plan — whether your account is on Free, Lite, or Pro plan.
  • Saved gross salary and currency — stored when you use the Salary Calculator and choose to save results.

2.3 Tool Data (created by you)

  • Documents — document type, expiry date, country of issue, document number, and notes for passport, OCI, visa, PAN, or other documents.
  • Document vault files — encrypted file references for documents you upload.
  • Remittance / NRO repatriation records — date, amount, currency pair, Form 15CA reference, and purpose code.
  • Tax records — Indian and foreign income figures, TDS/TCS details, and DTAA calculation inputs.
  • Property records — property name, location, purchase price, loan details, tenant information, EMI schedules, and tax due dates.
  • Wealth and investment records — mutual fund holdings, fixed deposits, equity positions, and investment goals.
  • Insurance policies — policy name, provider, premium, and renewal dates.
  • Indian phone numbers — phone number, provider, and recharge schedule.
  • Residency tracker entries — India visit dates for the 182-day NRI rule calculation.
  • Return planner data — target return date and destination.
  • Pre-departure checklist progress — which checklist items you have marked complete.
  • Budget planner data — monthly income and expense categories.
  • Bank locker records — bank name, branch, locker number, rent due dates.
  • Rate alerts — your target exchange rate, currency pair, and notification preferences.
  • Family profiles — names, relationships, and document details for family members you add.
  • Community posts and comments — content you publicly post in the Community forum.
  • Feedback & suggestions — messages you submit via the feedback form.

2.4 Analytics Data (with your consent)

If you consent to analytics cookies, we collect usage data via Google Analytics 4 and Microsoft Clarity:

  • Google Analytics 4 — pages visited, session duration, device and browser type, approximate geographic region. We use GA4 in Consent Mode v2: before you consent, only anonymous cookieless aggregate signals are sent.
  • Microsoft Clarity — anonymised session recordings and heatmaps to understand usability issues. No keystroke logging on sensitive fields.

Analytics are optional. You can decline at the cookie banner or withdraw consent by clearing the nri-cookie-consent key from your browser localStorage.

We do not use advertising trackers, Meta Pixel, or behavioural advertising of any kind.

2.5 Automatically Collected Data

  • Session data — encrypted session cookies issued by NextAuth.js to keep you signed in.
  • Server logs — Vercel records IP addresses, browser type, and request paths for security and uptime monitoring. Retained for 30 days by Vercel and not linked to your account by us.
  • Geolocation (IP-derived) — approximate country derived from your IP address to personalise pricing and tool content. We do not store your precise location.

3. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases (GDPR Art. 6):

PurposeLegal Basis
Creating and maintaining your accountPerformance of a contract (Art. 6(1)(b))
Providing tools (document tracker, tax calculator, remittance, property, wealth, etc.)Performance of a contract (Art. 6(1)(b))
Sending all transactional emails (reminders, alerts, onboarding)Performance of a contract (Art. 6(1)(b))
Processing subscription payments (Free, Lite, Pro)Performance of a contract (Art. 6(1)(b))
Security, fraud prevention, uptime monitoringLegitimate interests (Art. 6(1)(f))
Analytics (GA4 + Clarity)Consent (Art. 6(1)(a)) — only after you accept the cookie banner
Processing feedback / suggestionsLegitimate interests (Art. 6(1)(f))
Compliance with legal obligationsLegal obligation (Art. 6(1)(c))

4. How We Use Your Data

  • To authenticate you and maintain your session.
  • To store and display the data you enter across all tools.
  • To send transactional emails: document expiry reminders, rate alerts, property EMI reminders, onboarding emails, and payment receipts (via ZeptoMail by Zoho).
  • To process subscription payments and issue GST-compliant invoices.
  • To personalise tool content based on your country and profile.
  • To respond to your feedback and improve the Service.
  • To comply with applicable law, including Indian tax and accounting obligations.

We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal effects.

5. Who We Share Data With

We prefer not to share your data. NRI Tools is not an advertising business. We do not sell your personal data, share it with data brokers, or use it for targeted advertising. Sharing is limited to service providers that are technically necessary to run the Service, each receiving only the minimum data required for their specific function:

  • Cloud infrastructure — Vercel (application hosting) and Neon (database hosting) store and serve the app and your account data.
  • Transactional email — ZeptoMail by Zoho delivers your reminders, alerts, and account emails. They receive your email address, name, and the content of each email we send you.
  • Authentication — Google OAuth receives your name, email, and profile photo only if you choose to sign in with Google. If you use email/password, Google receives nothing.
  • Payment processing — Razorpay processes subscription payments. They receive your name, email, and payment details.
  • File storage — Backblaze B2 stores encrypted files you upload to your Document Vault. File content is encrypted before it leaves your browser.
  • Analytics (consent-only) — Google Analytics 4 and Microsoft Clarity receive anonymised usage data only after you accept the cookie banner. If you decline or withdraw consent, neither service receives any data from you.

We will not share your data with any other third party unless compelled by a valid legal order from a competent authority. If that happens and we are legally permitted to notify you, we will do so.

6. International Data Transfers

Dharv Technologies LLP is based in India. Our hosting providers (Neon, Vercel) are based primarily in the United States. Transfers of personal data from the EU/EEA are carried out under Standard Contractual Clauses (SCCs) (Art. 46(2)(c) GDPR), as incorporated in each provider's Data Processing Agreement.

You may request a copy of the relevant SCC documentation by emailing privacy@nritools.com.

7. Data Retention

Data typeRetention period
Account & profile dataUntil you delete your account, then 30 days before permanent erasure
Tool data (documents, property, wealth, reminders, etc.)Until you delete the entry or delete your account
Document vault filesDeleted immediately on account deletion
Community posts & commentsUntil deleted by you (or us for policy violations)
Feedback & suggestions12 months, then anonymised or deleted
Payment records7 years (Indian Companies Act / GST compliance)
Server access logs (Vercel)30 days (retained by Vercel)

8. Cookies & Local Storage

8.1 Strictly necessary (always set)

  • next-auth.session-token — encrypted session cookie. Expires after 30 days or sign-out.
  • next-auth.csrf-token — CSRF protection token. Session-scoped.
  • nri-cookie-consent (localStorage) — stores your analytics consent choice. Not transmitted to our servers.

8.2 Analytics cookies (only with your consent)

  • _ga, _ga_*, _gid — Google Analytics 4. Expire after 2 years (_ga) and 24 hours (_gid).
  • _clck, _clsk — Microsoft Clarity session identifiers. Expire after 1 year and 1 day respectively.

We do not use advertising cookies, retargeting pixels, or social media cookies.

9. Your Rights Under GDPR

If you are in the EU/EEA, email privacy@nritools.com to exercise any of the following rights. We respond within 30 days.

  • Right of access (Art. 15) — request a copy of the personal data we hold.
  • Right to rectification (Art. 16) — ask us to correct inaccurate data.
  • Right to erasure (Art. 17) — request deletion of your account and data. Payment records are retained for legal compliance.
  • Right to restriction of processing (Art. 18) — suspend processing while a dispute is resolved.
  • Right to data portability (Art. 20) — receive your tool data in a machine-readable format (JSON/CSV).
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to lodge a complaint — with your national supervisory authority (e.g. Dutch AP, German DSK, Irish DPC).

10. Security

  • Passwords hashed with bcrypt (cost factor 12) — never stored in plain text.
  • All data in transit encrypted via TLS (HTTPS). HSTS enforced.
  • Database access restricted to application servers via Neon connection pooling with environment-variable credentials.
  • Session tokens encrypted and stored in httpOnly cookies.
  • Document vault files encrypted at rest and accessed via signed URLs with short expiry.
  • API endpoints require authentication; unauthenticated requests are rejected.

In the event of a data breach likely to risk your rights, we will notify affected users and the relevant supervisory authority within 72 hours (GDPR Art. 33–34).

11. Children's Privacy

NRI Tools is not directed at children under 16. If you believe a child has created an account, email privacy@nritools.com and we will delete it promptly.

12. Changes to This Policy

When we make material changes, we will update the "Last updated" date above and, where required, notify you by email. Continued use of the Service after changes constitutes acceptance of the revised policy.

13. Contact Us

Dharv Technologies LLP
G-1, Flat No. 87, Vidhansabha Nagar, Mansarovar
Jaipur, Rajasthan — 302020, India
Privacy: privacy@nritools.com
Support: support@nritools.com

Privacy Policy — NRI Tools - NRI Tools