Privacy Policy
Last updated: April 20, 2026
This Privacy Policy explains how Arthaprapti Fintech Solutions Pvt. Ltd. ("Company," "we," "us," or "our") collects, uses, stores, protects, shares, retains, and exports personal data when you use Naksha (नक्शा), our privacy-first family financial address book and related public, customer, agent, aggregator, support, and admin services.
We are a DPIIT-recognised startup (Recognition No. DIPP250684) incorporated in India, with registered office at Ranchi, Jharkhand, India. This policy applies to the active public website at arthaprapti.com and the connected Naksha portal and API surfaces that support customers and distribution partners. naksha.arthaprapti.com is not an active public domain for this policy.
Policy version 1.1 is effective from April 20, 2026. The authorised privacy contact is Chanchal Kumari Jha. Privacy queries should be sent to legal@arthaprapti.com and grievances should be sent to grievance@arthaprapti.com.
1. Scope
This is a single platform privacy policy covering customer, partner, public website, support, and operational data. Separate agreements or notices may add role-specific obligations, but they do not reduce the protections described here.
| Who | How this policy applies |
|---|---|
| Customers and family members | Direct subscribers, invited partners or spouses, household members, gift or launch recipients, referral recipients, and child profiles created by a parent or guardian under Virasat. |
| Distribution partners | Agents, aggregators, zone or district partners, partner applicants, and partner support users who use Naksha for enrollment, referral, training, commission, KYC, or payout workflows. |
| Public visitors and leads | Visitors to arthaprapti.com, launch waitlist members, contact-form users, partner applicants, media or support correspondents, and anyone who interacts with public Naksha surfaces. |
| Operations users | Admin and support users who handle onboarding, billing, Life Signal operations, grievances, erasure, data export, partner review, and audit workflows. |
2. How We Collect Information
We collect information directly from you, through product workflows you initiate, from authorised referral or partner workflows, and from service providers that help us complete transactions or communications.
| Source | Examples |
|---|---|
| Direct entry | Information you provide during signup, login, profile updates, onboarding, financial address book setup, Digital Tijori setup, Life Signal configuration, support, and account settings. |
| Referral, invite, and assisted flows | Information resolved from customer invite, gift, agent referral, launch, waitlist, and household invite links. Assisted enrollment is limited to onboarding support and does not give agents ongoing customer vault access. |
| Partner onboarding and activity | Information submitted by agents or aggregators during profile setup, KYC, payout setup, training, referrals, commission tracking, network management, and support. |
| Payments and provider callbacks | Payment order, subscription, payment status, webhook identifiers, notification status, message delivery metadata, and limited callback payloads from payment and communication providers. |
| Browser, device, and security events | IP address, user agent, session state, authentication cookies, local or session storage values needed for theme, language, PWA prompts, signup context, invite context, launch waitlist state, and aggregator drafts. |
3. Information We Collect
Customer, household, and family data
Customer data includes account information, family continuity records, financial address book metadata, Digital Tijori metadata, personal letters, Life Signal state, subscriptions, payment status, support history, and communication logs.
| Data category | Data collected |
|---|---|
| Identity, account, and profile | Name, mobile number, optional email, date of birth, address line 1, address line 2, city, state, pincode, language preference, plan, household role, onboarding state, account status, password hash, consent records, IP address, user agent, login and session timestamps. |
| Financial address book | Category, subtype, institution, branch, contact number, access-method label, status, maturity date, ownership scope, child linkage, nominee linkage or name, sutradhaar or family contact, and notes. We store the location map, not account credentials. |
| Digital Tijori and letters | App name, app type, mobile-only flag, notes, ownership scope, and the personal and family letters you choose to write inside Naksha. All letters are encrypted at rest and released only to your designated nominees. |
| Family continuity | Emergency contacts, witnesses, margdarshaks, nominees, spouse or household invites, family-back-home contacts, priority call contacts, child names, child dates of birth, relationships, and guardian instructions. |
| Life Signal and release | Life Signal cadence, check-in state, missed counts, next due time, reminder logs, witness or emergency-contact notifications, operations cases, contact attempts, release decisions, and admin release metadata. |
| Scoring, subscriptions, and payments | Readiness score inputs and results, plan and subscription status, Razorpay order, payment, subscription, and plan identifiers, payment status, renewal and verification events, invoices, and external payment-event records. |
| Support and communication | Support ticket subjects, messages, attachments, notification delivery events, WhatsApp, SMS, email, or IVR dispatch metadata, and replies needed to resolve the issue. |
Distribution-partner data
Agent, aggregator, and partner records are separate from customer financial address book data. Partner KYC and payout workflows collect additional information that would be blocked in customer vault fields.
| Partner category | Data collected |
|---|---|
| Agents | Name, mobile, email, city, state, display or referral code, agent type, password hash, status, KYC status, PAN reference, PAN image metadata or object-storage path, payout bank details, IFSC, UPI ID, bank acknowledgements, training access, referral counts, subscriber counts, commission and payout records, support tickets, and login timestamps. |
| Aggregators and network partners | Name, organisation name, contact person details, mobile, email, city, state, tier, status, KYC status, PAN or GST identifiers, PAN image metadata or object-storage path, payout bank details, IFSC, UPI ID, active agent count, network volume, override commission, payout history, support tickets, and login timestamps. |
| Partner applicants | Full name, mobile, email, occupation, expected monthly users, application message, contact consent, privacy consent, IP address, user agent, submission time, and review status. |
4. What We Do Not Collect In Customer Vaults
Naksha is designed as a financial address book for customers. In customer financial address book, Digital Tijori, letter, and onboarding fields, our Sensitive Data Guard blocks or warns against sensitive values that would turn a map into an access key.
- Bank account numbers, credit or debit card numbers, CVV, and card PINs.
- UPI IDs, UPI PINs, net-banking credentials, passwords, OTPs, or access tokens.
- Aadhaar numbers, raw PAN, biometric data, credit scores, balances, transaction history, full statements, or financial-account credentials.
- Customer vault fields should contain institution names, branches, categories, contacts, status notes, maturity reminders, nominees, and family guidance, not credentials.
This customer-vault promise is intentionally scoped. For agent and aggregator KYC, tax, and payout workflows, Naksha may collect PAN, GST, PAN image metadata or files, bank account details, IFSC, and UPI payout IDs where operationally or legally required. Those routes are separate from customer financial address book storage and are subject to role-based access control, audit, masking, and review.
5. How We Use Information
We process personal data only for lawful, product, contractual, security, legal, or consent-backed purposes connected to Naksha.
| Purpose | Use |
|---|---|
| Service delivery and contract performance | Create accounts, run onboarding, maintain customer profiles, store customer financial address book data, operate household plans, provide support, and make customer settings available. |
| Life Signal and family-release workflow | Send check-ins and reminders, process missed check-ins, contact witnesses or emergency contacts, open operations cases, and perform manual release verification where the product rules require it. |
| Readiness scoring and product feedback | Calculate completion scores, surface missing setup items, and improve product reliability without using customer vault contents for advertising. |
| Payments, invoices, commissions, TDS, and GST | Create payment orders, verify subscription payments, maintain invoices and payment records, calculate agent or aggregator commissions, process payout records, and support tax compliance. |
| Communications and support | Send OTPs, service updates, renewal reminders, Life Signal messages, support replies, admin messages, and grievance responses through approved communication channels. |
| Security, fraud prevention, and audit | Authenticate users, protect sessions, prevent abuse, block sensitive customer vault data, audit privileged actions, investigate incidents, and preserve evidence needed for compliance. |
| Legal, regulatory, and grievance handling | Respond to valid legal requests, enforce terms, handle complaints, process erasure or data export requests, investigate agent misconduct, and defend or resolve disputes. |
6. Data Sharing And Processors
We do not sell, rent, or trade personal data. We share only the minimum information required for service delivery, legal compliance, security, support, payment, messaging, tax, and grievance purposes.
| Recipient | Data shared |
|---|---|
| Razorpay | Payment order, subscription, payment, invoice, and status data needed to process and verify customer subscriptions. Naksha does not store card numbers, CVV, or net-banking credentials. |
| AiSensy / WhatsApp, MSG91 SMS and email where enabled, and Exotel IVR | Deliverable phone numbers, email addresses where provided, template variables, message content, delivery status, and call or notification metadata needed for OTPs, reminders, Life Signal, support, and partner communications. |
| AWS KMS and infrastructure processors | Key-management operations in ap-south-1, PostgreSQL records, Redis operational cache, MinIO or object-storage files, deployment infrastructure, backups, logs, and monitoring needed to run the platform. |
| Authorised agents and aggregators | Limited enrollment, referral, network, and commission data. Agents and aggregators are not given unrestricted access to customer vault contents after enrollment. |
| Family, nominees, witnesses, and emergency contacts | Only the alert, verification, contact, or release information required by your Life Signal and household settings. Financial address book contents are not sent through WhatsApp, SMS, or IVR providers as plaintext. |
| Tax authorities, regulators, law enforcement, and dispute forums | Minimum legally required records, such as commission, payout, TDS, GST, payment, audit, grievance, or account records, when disclosure is required by law or necessary to defend legal rights. |
Communication providers must receive usable delivery identifiers, such as phone numbers or email addresses, to deliver messages. We therefore do not claim that such delivery data is shared only in encrypted form. We do not send customer vault contents through WhatsApp, SMS, IVR, or email as plaintext messages.
7. Security And Encryption
- Customer vault fields, nominee or family contact details, personal letters, instruments, and Digital Tijori content use AES-256-GCM encryption where the current data model supports encrypted storage.
- Every subscriber has a data encryption key protected through AWS KMS envelope encryption in
ap-south-1, with per-operation IVs and authenticated encryption context. - Passwords are stored as hashes, not plaintext. Session and role access are controlled separately for customer, agent, aggregator, and admin portals.
- Some operational metadata, such as status values, timestamps, object storage paths, audit references, payment identifiers, and provider delivery statuses, may be stored as structured records so the platform can function and be audited.
- Privileged admin, partner, release, export, erasure, and support actions are logged for audit and misuse investigation.
8. Storage, Residency, And Infrastructure
Naksha is operated for Indian families and is configured around India-first infrastructure. Core application records are stored in PostgreSQL, operational cache and session state use Redis, attachments and uploaded files may use MinIO or object storage, and key-management operations use AWS KMS in ap-south-1.
Third-party processors may process limited delivery, payment, support, tax, and operational metadata according to their own infrastructure and contracts. If a future provider or feature changes the transfer model, we will update this policy and any required notices before relying on that processing.
9. Life Signal Privacy
- Life Signal stores check-in cadence, reminders, missed counts, state, next due time, and operations history needed to run the workflow.
- Reminders and alerts may be sent to you, witnesses, emergency contacts, or nominated family contacts according to your plan and configuration.
- Alerts ask contacts to check on the account holder or help verify the situation. They do not include customer vault contents.
- Step 9 final release is a manual operations process. It is not an automatic unlock, and release requires separate verification and access controls.
- You remain responsible for keeping contact details, nominee choices, household settings, and Life Signal configuration accurate.
10. Children And Guardian Consent
Users under 18 may not independently create a Naksha account. Under Virasat and related family features, a parent or lawful guardian may create child profiles, child investment linkages, birthday letters, and guardian briefings. The parent or guardian is treated as the Data Principal's representative for the child where applicable.
We do not use child profile data for targeted advertising, behavioural profiling, or unrelated tracking. Any child-account transfer, independent account invitation, or age-18 transition will be described only when the product supports that process.
11. Cookies And Browser Storage
Our public website and portals use cookies and browser storage for authentication, security, product continuity, preferences, and temporary workflow state. We do not currently use advertising or third-party analytics trackers.
| Storage type | Use |
|---|---|
| Essential cookies | HttpOnly authentication cookies and session cookies used to keep customer, agent, aggregator, and admin users signed in securely. |
| Local and session storage | Theme, language, PWA prompt state, launch waitlist joined state, signup, invite, referral or gift context, aggregator onboarding drafts, transient UI state, and legacy login context where still present. |
| No advertising trackers | We do not currently use Google Analytics, Facebook Pixel, PostHog, Mixpanel, Plausible, Clarity, third-party advertising cookies, fingerprinting, or behavioural ad profiling. |
12. Your Rights And How To Exercise Them
Naksha is a Data Fiduciary for the personal data it determines how and why to process. Depending on your role and the applicable law, you may request access, correction, export, erasure, consent withdrawal, grievance redressal, and representative nomination handling.
| Right | How to exercise it |
|---|---|
| Access and export | Customers can request a data export from account settings where supported, or by emailing the privacy contact. Admin-mediated exports are available for compliance operations. |
| Correction | You can update supported profile, family, contact, financial-address-book, Digital Tijori, and partner profile fields in the relevant portal, or request correction through support. |
| Erasure | Customers can submit an erasure request in settings. The request is reviewed and processed through the existing admin erasure workflow, with compliance traces retained where law, audit, tax, security, or dispute handling requires it. |
| Consent withdrawal | Where the portal does not yet provide a safe self-service consequence for withdrawal, email legal@arthaprapti.com or raise a privacy support ticket. We will explain the service impact before closing or erasing any account. |
| Grievance and Board complaint | You can contact the grievance officer at grievance@arthaprapti.com. If you are not satisfied with the resolution, you may use remedies available under the DPDP Act and applicable rules. |
| Representative nomination | Self-service DPDP representative nomination is not yet a live account setting. Until it is implemented, submit representative instructions to the privacy contact for manual verification and handling. |
Customer data exports may include decrypted sensitive family-continuity details. Download and store any export securely, and avoid sending it over unsecured channels.
13. Retention And Erasure
Retention depends on data type, account state, legal obligations, product operation, tax requirements, audit needs, and dispute handling. We have not added automated destructive retention purges as part of this policy update.
| Data type | Retention approach |
|---|---|
| Active customer account and vault data | Retained while your account or subscription is active and while needed to provide the service, resolve support issues, or meet legal obligations. |
| Erasure and closure requests | Customer erasure requests follow a manual verification and completion workflow with a 30-day target. The current workflow anonymizes or deletes customer-owned records where supported and retains necessary compliance traces. |
| Payment, invoice, payout, TDS, and GST records | Retained for tax, accounting, audit, and dispute requirements, commonly up to seven years where applicable law requires or supports that period. |
| Life Signal, security, access, and communication logs | Retained only as long as needed for service reliability, dispute handling, audit, incident investigation, and compliance. Automated destructive retention purges are not enabled without a reviewed rollout plan. |
| Partner and grievance records | Retained for the duration of the partner relationship or grievance process and for a reasonable post-relationship period needed for compliance, commissions, misconduct investigations, and disputes. |
14. Agent-Assisted Enrollment
Authorised agents or partners may help explain Naksha, share referral or invite links, assist a family during onboarding where the product flow permits it, and track limited referral or enrollment status. They must use company-approved materials and obtain customer consent before assisting.
- Agents and aggregators do not own customer accounts or customer data.
- Agents and aggregators do not receive unrestricted ongoing access to customer financial address book or Digital Tijori contents.
- Network partners may view limited customer enrollment, referral, progress, renewal, and commission data needed for their role.
- Suspected agent misconduct, cash collection, misrepresentation, or unauthorised account access should be reported to grievance@arthaprapti.com.
15. Grievance Redressal
For privacy complaints, agent misconduct, platform issues, billing or payout disputes, account access issues, correction requests, or content concerns, contact:
- Grievance officer / authorised privacy contact: Chanchal Kumari Jha
- Email: grievance@arthaprapti.com
- Postal location: Ranchi, Jharkhand, India
- Acknowledgement target: within 48 hours of receipt.
- Resolution target: within 30 days of acknowledgement, unless the matter requires more time due to legal, provider, security, or evidence dependencies.
16. Policy Updates
We may update this Privacy Policy as the product, law, providers, or operations change. For material changes that affect how we process your personal data, we aim to give registered users at least 30 days' notice by email, WhatsApp, in-app notification, platform notice, or partner communication channels, unless an immediate update is required for law, security, fraud prevention, or service continuity.
17. Contact
- Company: Arthaprapti Fintech Solutions Pvt. Ltd.
- DPIIT Recognition: DIPP250684
- Privacy and legal email: legal@arthaprapti.com
- Grievance email: grievance@arthaprapti.com
- General support: support@arthaprapti.com
- Phone: +91 74796 55531
- Registered office: Ranchi, Jharkhand, India