Privacy Policy

This Privacy Policy explains how Arthaprapti Fintech Solutions Pvt. Ltd.("Company," "we," "us," or "our"), a company incorporated under the laws of India with its registered office in Ranchi, Jharkhand (DPIIT Recognition No. DIPP250684), collects, uses, stores, and protects your information when you use the Naksha (नक्शा) platform ("Service").

Naksha is a privacy-first family financial address book that stores only the metadata of your financial instruments — such as institution names, branch locations, instrument types, and nominee details. We never store account numbers, passwords, PINs, card numbers, UPI IDs, PAN, Aadhaar, or any sensitive credentials.

By creating an account or using any part of the Service, you consent to the collection and use of your information as described in this policy, in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act").

1. Information We Collect

Personal Information

When you register for Naksha, we collect:

• Full name
• Phone number (used as your primary identifier)
• City of residence
• Preferred language
• Email address (optional, for notifications)

Financial Metadata

Within your Digital Tijori, you may record metadata about your financial instruments. This includes:

• Institution names (e.g., "State Bank of India")
• Branch locations (e.g., "Main Road, Ranchi")
• Instrument types (e.g., "Savings Account," "Term Insurance")
• Nominee names and relationships
• Locker information (branch, location — never locker numbers or keys)
• Policy or scheme names (never policy numbers)

Important: We store only the what and where — never the how to access. Your nominees receive a map to your financial life, not the keys to it.

Digital Tijori Data

If you use the Digital Tijori vault, you may store names and descriptions of digital assets, applications, and subscriptions. We store only identifiers and descriptions — never login credentials, passwords, or access tokens.

Communication Data

• Life Signal responses: Your replies to periodic WhatsApp check-in messages (e.g., confirming you are well)
• Support messages: Any communication you send to our support team

Technical Information

We automatically collect:

• IP address (at the time of registration and login)
• User agent string (browser and device information)
• Device type and operating system
• Consent timestamps (exact date and time you agreed to terms)
• Login timestamps and session identifiers

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery: To create and maintain your Naksha account, store your financial metadata securely, and calculate your Readiness Score
• Life Signal operation: To send periodic WhatsApp check-in messages and process your responses through our 9-step escalation protocol
• Nominee release: To securely deliver your financial metadata to designated nominees upon completion of the Life Signal protocol (Step 9 is never automated and always requires manual verification by our operations team)
• Readiness Score calculation: To compute how comprehensively you have recorded your financial metadata and configured nominee access
• Notifications: To send subscription reminders, plan renewal notices, and important service updates via WhatsApp, SMS, or email
• Compliance: To comply with applicable Indian laws, regulatory requirements, and to respond to lawful requests from authorities
• Security: To detect and prevent fraud, unauthorised access, and abuse of the Service

3. What We Never Collect

Naksha is architecturally designed to never collect or store sensitive financial credentials. Our Sensitive Data Guard actively blocks the following from being entered or stored:

• Bank account numbers
• Credit or debit card numbers
• UPI IDs or UPI PINs
• Aadhaar numbers
• PAN (Permanent Account Number)
• Passwords, PINs, or OTPs
• Account balances
• Transaction history
• Biometric data

If any of the above is accidentally entered, our Sensitive Data Guard will detect and block it before it reaches our servers. This is a technical safeguard, not just a policy.

4. Encryption & Security

Your data is protected by multiple layers of encryption and security controls:

Encryption at Rest

• AES-256-GCM encryption: All financial metadata stored in your Digital Tijori is encrypted using the AES-256-GCM authenticated encryption algorithm — the same standard used by governments and financial institutions worldwide
• AWS KMS envelope encryption: Encryption keys are managed through AWS Key Management Service using envelope encryption. A master key in KMS encrypts per-record data encryption keys (DEKs), ensuring that even if database storage is compromised, data remains unreadable without access to KMS
• Fresh IV per operation: A unique Initialisation Vector (IV) is generated for every encryption operation, preventing pattern analysis across encrypted records
• member_id as AAD:The member's unique identifier is used as Additional Authenticated Data (AAD) in the GCM construction, cryptographically binding each encrypted record to its owner and preventing record-swapping attacks

Nominee Data Protection

• All nominee personally identifiable information (PII) is encrypted using the same AES-256-GCM scheme
• SHA-256 hashes of nominee phone numbers are maintained for efficient lookups without exposing the underlying data

Encryption in Transit

• All data transmitted between your device and our servers uses TLS 1.2 or higher
• API endpoints enforce HTTPS exclusively

Access Controls

• Role-based access control (RBAC) across all system components
• JWT-based authentication with short-lived tokens
• All administrative actions are logged in an append-only audit log that cannot be modified or deleted

5. Data Storage & Residency

• Indian data residency: All your data is stored exclusively on servers located in India. We do not transfer, replicate, or back up your data to servers outside India under any circumstances
• Primary database: PostgreSQL, hosted on Indian infrastructure, with encrypted storage volumes
• Cache layer: Redis (via Upstash), used solely for session management and temporary operational caching — no financial metadata is stored in cache
• No cross-border transfer: Your data never leaves Indian jurisdiction. All third-party services we use either operate within India or process only transactional data (such as payment confirmations) that does not include your financial metadata

6. Third-Party Services

We use the following third-party services to operate Naksha. Each receives only the minimum data necessary for its function:

• AiSensy (WhatsApp Business API): Receives your phone number and template message content to deliver Life Signal check-ins, notifications, and service alerts via WhatsApp
• MSG91 (SMS gateway): Receives your phone number and OTP or notification text to deliver SMS messages for authentication and alerts
• Exotel (IVR / voice calls): Receives your phone number to make automated and operator-assisted voice calls as part of the Life Signal escalation protocol
• Razorpay (payments): Processes subscription payments for Naksha plans (Raah ₹1,499/yr, Saath ₹2,999/yr, Virasat ₹4,999/yr). We store only the Razorpay payment_id and payment status in our database — we neverstore card numbers, CVV, or banking credentials. All payment processing occurs entirely on Razorpay's PCI DSS-compliant infrastructure
• Resend (email): Receives your email address (if provided) and email content to deliver service notifications, plan renewal reminders, and important updates
• Upstash Redis (cache): Stores temporary session tokens and operational cache data. No financial metadata or personal information is stored in Redis

None of these services receive your financial metadata, Digital Tijori contents, or nominee details.

7. DPDP Act 2023 Compliance

Naksha is designed from the ground up to comply with India's Digital Personal Data Protection Act, 2023. Our compliance measures include:

Consent

• Explicit, informed consent is captured at the time of registration before any personal data is collected
• Each consent record includes the exact timestamp, IP address, and user agent string of the device used to provide consent
• Consent records are stored in our append-only audit log and cannot be retroactively modified

Right to Access

• You may request a complete copy of all personal data we hold about you at any time by contacting us at info@arthaprapti.com
• We will respond to access requests within 72 hours

Right to Erasure

• You may request deletion of your account and all associated personal data
• Erasure requests follow a 30-day process: your request is logged, verified, confirmed by an administrator, and then all personal data is permanently deleted from our primary database
• Certain data may be retained beyond erasure where required by law (see Data Retention section)

Consent Withdrawal

• You may withdraw your consent for data processing at any time by contacting us or through your account settings
• Withdrawal of consent will result in the inability to use the Service, as the Service cannot function without processing your personal data

Data Protection Officer

• We will appoint a Data Protection Officer (DPO) upon request or as required under the DPDP Act
• All data protection inquiries may be directed to info@arthaprapti.com

8. Your Rights

Under the DPDP Act 2023 and our commitment to transparency, you have the following rights:

• Access your data: Request a complete summary of all personal data and financial metadata we hold about you
• Request correction: Ask us to correct any inaccurate or incomplete personal data
• Request erasure: Ask us to permanently delete your account and all associated data, subject to our 30-day verification process and legal retention requirements
• Withdraw consent: Revoke your consent for data processing at any time (note: this will terminate your access to the Service)
• Data portability: Request an export of your data in a structured, commonly used, machine-readable format
• Complain to the Data Protection Board of India: If you believe your data rights have been violated, you may file a complaint with the Data Protection Board of India as established under the DPDP Act

To exercise any of these rights, contact us at info@arthaprapti.com or call +91 74796 55531.

9. Data Retention

• Active accounts: All personal data and financial metadata is retained for the full duration of your active subscription
• Inactive accounts: Upon account closure or subscription expiry, your data is retained for 7 years as required by applicable Indian financial regulations, after which it is permanently deleted
• Audit logs: All entries in our audit_logs table are permanent and append-only. Audit records are never updated or deleted, ensuring a complete and tamper-proof trail of all system actions
• Payment records:Razorpay payment identifiers and statuses are retained in accordance with Razorpay's policies and Reserve Bank of India (RBI) requirements

10. Cookies & Tracking

• We use essential cookies only — strictly necessary for maintaining your authenticated session and basic site functionality
• We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts
• We do not serve advertisements or share your browsing data with advertisers
• We do not use fingerprinting, cross-site tracking, or any behavioural profiling techniques
• Our privacy-respecting approach means you will never see targeted ads based on your use of Naksha

11. Children's Privacy

• Users under the age of 18 years may not create a Naksha account independently and require verifiable guardian consent
• Under the Virasat plan(₹4,999/yr family plan), parents or guardians may create and manage children's profiles as part of the family unit. All children's data is managed entirely by the parent or guardian account holder
• We do not knowingly collect personal data from children without guardian consent. If we become aware that we have collected data from a child without appropriate consent, we will delete such data promptly

12. Changes to This Policy

• We will notify you of any material changes to this Privacy Policy at least 30 days in advance via email (if provided) and WhatsApp notification
• The updated policy will be posted on this page with a revised "Last updated" date
• Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy
• If you disagree with any changes, you may exercise your right to erasure and close your account before the changes take effect

13. Contact for Data Requests

For any questions, concerns, or requests related to your personal data or this Privacy Policy, please contact us:

• Email: info@arthaprapti.com
• Phone: +91 74796 55531
• Address: Arthaprapti Fintech Solutions Pvt. Ltd., Ranchi, Jharkhand, India

We endeavour to respond to all data-related requests within 72 hours of receipt.