Privacy Policy

Last updated: May 5, 2026

1. Introduction

Welcome to Nijam (nijam.co) - a multi-entity invoicing, compliance, and financial operations platform. We serve businesses in both India and the United States, providing GST-compliant invoicing, sales tax automation, AI-powered receipt scanning, and more.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our platform, website, and related services (collectively, the “Services”). By accessing or using Nijam, you acknowledge that you have read and understood this policy.

2. Information We Collect

Account Data

When you register for Nijam, we collect your full name, email address, phone number, business name, business registration details (GSTIN, EIN, state registration numbers), and billing address. For identity verification purposes, we may also collect Aadhaar-based eSign consent tokens (India) or EIN verification data (USA).

Invoicing & Financial Data

This includes invoices you create and receive, line items, tax calculations (GST/sales tax), HSN/SAC codes, payment records, client and vendor information, bank account details for reconciliation, receipts uploaded for AI scanning, and any documents attached to transactions.

Usage Data

We automatically collect information about how you interact with the Services, including pages visited, features used, actions taken, timestamps, referral sources, and search queries within the platform.

Device & Technical Data

We collect your IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences. This data helps us maintain security, optimize performance, and troubleshoot issues.

3. How We Use Your Information

  • a. Service Delivery: To create and manage your account, generate invoices, process payments, calculate taxes, produce compliance reports, and deliver the core functionality of the platform.
  • b. Tax & Regulatory Compliance: To compute GST (CGST, SGST, IGST), US sales tax at the state/county/city level, generate GSTR-1 reports, track economic nexus thresholds, and flag 1099-NEC obligations.
  • c. Security & Fraud Prevention: To detect unauthorized access, monitor for suspicious activity, enforce role-based access controls, and maintain immutable audit trails for all financial transactions.
  • d. Communications: To send transactional emails (invoice delivery, payment confirmations, filing reminders), security alerts, and service announcements. We do not send unsolicited marketing emails.
  • e. AI-Powered Features: To process receipts and documents through our Nijam AI for line-item extraction, tax ID validation, HSN code suggestion, and ITC/deduction classification.
  • f. Platform Improvement: To analyze usage patterns (in aggregate), diagnose technical issues, improve accuracy of tax calculations, and develop new features.

4. Data Storage & Security

We take the security of your financial data seriously. Our infrastructure implements the following safeguards:

  • Encryption at Rest & in Transit: All data is encrypted using AES-256 at rest and TLS 1.2+ for all data in transit.
  • Database: Your data is stored in Supabase-managed PostgreSQL databases with automated backups, point-in-time recovery, and disaster recovery capabilities.
  • Tenant Isolation: Each organization’s data is logically isolated using row-level security (RLS) policies. No organization can access another’s data, even within shared infrastructure.
  • Access Controls: Role-based access control (RBAC) ensures that users only see data appropriate to their role (CEO, CFO, Accountant, CA). Sensitive PII is masked for junior roles.
  • Audit Trails: Every financial record change is logged with immutable audit trails, including who made the change, when, and what was modified.

5. Data Sharing & Third Parties

We do not sell your personal information. We share data only with the following categories of service providers, strictly to operate the platform:

  • Payment Processors: Razorpay (India) and Stripe (USA) process payment transactions on your behalf. They receive only the data necessary to complete the transaction.
  • Email Delivery: Resend handles transactional email delivery (invoices, payment confirmations, alerts). They process recipient email addresses and email content.
  • AI Processing: Receipt images and documents uploaded for AI scanning are processed by our AI models for data extraction. This data is not used to train third-party models and is not retained beyond the processing session.
  • Infrastructure: Supabase (database hosting), Vercel (application hosting), and related cloud providers process data as part of service delivery.
  • Legal Requirements: We may disclose information if required by law, regulation, legal process, or enforceable governmental request.

6. India-Specific Rights (DPDPA 2023)

If you are a user based in India, the Digital Personal Data Protection Act, 2023 (DPDPA) grants you the following rights as a Data Principal:

  • Right to Access: You may request confirmation of whether we process your personal data and obtain a summary of the data and processing activities.
  • Right to Correction & Erasure: You may request correction of inaccurate data or erasure of data that is no longer necessary for the purpose it was collected.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Right to Grievance Redressal: You may raise grievances with our designated Grievance Officer (see Contact Information below) or escalate to the Data Protection Board of India.
  • Consent Management: We obtain clear, informed consent before collecting personal data. Consent requests are presented in plain language and are specific to the purpose of processing.
  • Data Localization: Financial data of Indian entities is stored on servers within India or in jurisdictions that provide adequate levels of data protection, in compliance with applicable regulations.

Grievance Officer

For DPDPA-related queries and grievances, contact our Grievance Officer at support@nijam.co. We will acknowledge your request within 48 hours and resolve it within 30 days.

7. USA-Specific Rights (CCPA & State Privacy Laws)

If you are a resident of the United States, applicable state privacy laws - including the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), and Colorado Privacy Act (CPA) - may provide you with the following rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the purposes of processing, and the categories of third parties with whom we share data.
  • Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions (e.g., data required for legal compliance or completing a transaction).
  • Right to Opt-Out of Sale: We do not sell personal information. If this ever changes, we will provide a clear opt-out mechanism.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. You will receive equal service and pricing regardless of whether you exercise these rights.
  • Right to Correct: You may request correction of inaccurate personal information that we maintain about you.

California Residents: Under the CCPA/CPRA, you may also designate an authorized agent to make requests on your behalf. We may require verification of your identity and the agent’s authority before processing such requests.

Virginia & Colorado Residents: You may also appeal a denial of your privacy request by contacting us at support@nijam.co.

8. Cookies & Tracking

  • Session Cookies: We use strictly necessary session cookies to maintain your authentication state and preferences while you use the platform. These cookies expire when you close your browser or after a defined session timeout.
  • No Third-Party Trackers: We do not use third-party advertising trackers, social media pixels, or analytics cookies that track you across other websites.
  • Cloudflare Turnstile: We use Cloudflare Turnstile on certain forms (registration, login) to prevent automated abuse. Turnstile is a privacy-preserving CAPTCHA alternative that does not track users across websites. It is subject to Cloudflare’s Privacy Policy.

9. Children’s Privacy

Nijam is a business-to-business financial platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 13 (as defined by COPPA) or minors under 18. If we become aware that we have inadvertently collected data from a minor, we will promptly delete it. If you believe a minor has provided us with personal information, please contact us at support@nijam.co.

10. Data Retention

We retain your data for as long as your account is active and as necessary to fulfill the purposes outlined in this policy. Specific retention periods include:

  • Financial Records: Invoices, tax filings, and transaction records are retained for a minimum of 8 years from the date of creation, in compliance with Indian (Income Tax Act, GST Act) and US (IRS) record-keeping requirements.
  • Account Data: Retained for the duration of your active account plus 30 days after account closure to allow for reactivation.
  • Usage & Device Data: Retained for up to 24 months for analytics and security purposes, then anonymized or deleted.
  • AI-Processed Documents: Uploaded receipts and scanned documents are retained only as long as needed to deliver extraction results and are purged from processing pipelines within 30 days.

Upon account deletion request, we will remove or anonymize your personal data within 30 days, except where retention is required by law. You may request data export before deletion.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the address associated with your account) and by posting a prominent notice on the platform at least 15 days before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was most recently revised.

12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at:

Nijam

Email: support@nijam.co

Website: nijam.co

We aim to respond to all privacy-related inquiries within 48 hours and resolve requests within 30 days.

13. Google User Data & Gmail Integration

Scope of Access

When you choose to connect your Gmail account to Nijam, we request access to the gmail.readonly scope. This allows Nijam to read (but not send, modify, or delete) emails in your Gmail inbox. We access only emails that appear to contain invoices, bills, receipts, or payment-related communications, identified by subject line patterns and sender characteristics.

How We Use Gmail Data

Gmail data accessed through this integration is used exclusively to:

  • Detect incoming invoices, bills, and receipts and surface them in your Nijam Finance Inbox
  • Extract invoice metadata (vendor name, amount, due date, invoice number) to pre-populate payable records
  • Match incoming payments against outstanding invoices in your Nijam account

We do not use Gmail data for any other purpose.

Limited Use Policy Compliance

Our use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We do not use Gmail data to serve advertisements
  • We do not use Gmail data for profiling or behavioural targeting
  • We do not sell, transfer, or share Gmail data with third parties except as required to operate the Gmail integration feature (described in this section)
  • We do not allow humans to read your Gmail data unless you have explicitly given us permission, it is necessary for security purposes, or we are required to do so by law

Data Storage

We do not store raw email content (email body text) on our servers. We store only structured metadata extracted from emails, specifically: sender name, sender email address, email subject, detected invoice amount, detected due date, and detected invoice or reference number. This extracted metadata is stored as part of your Nijam account data and is subject to the same security and retention policies described in this Privacy Policy.

AI Processing of Gmail Data

Extracted email metadata (not raw email body text) may be processed by AI models to improve invoice detection accuracy and automate data entry. This processing is performed under data processing agreements that prohibit the use of your data for AI model training. Raw email body content is processed transiently in memory and is never stored or transmitted to AI providers.

Data Retention

Extracted invoice metadata from Gmail is retained as part of your Nijam account for as long as your account is active. If you disconnect your Gmail account from Nijam, we will stop accessing new emails immediately. Previously extracted metadata remains in your account unless you delete it.

Revoking Access

You may disconnect your Gmail account from Nijam at any time from Settings → Integrations → Gmail. You may also revoke Nijam’s access directly from your Google Account permissions page at https://myaccount.google.com/permissions. Revoking access immediately stops all Gmail data access.

Contact

For questions about our use of Gmail data, contact us at support@nijam.co.

© 2026 Nijam. All rights reserved.