Privacy Policy

Effective Date: December 22, 2025
Version: 1.0

Privacy Policy - NanbanCRM


1. Introduction

Welcome to NanbanCRM ("we," "us," "our"), a product of Digital Prolex. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our SaaS CRM platform designed specifically for Indian Digital Marketing Agencies.

We are committed to protecting your privacy and personal data in compliance with Indian laws:

1.1 Legal Compliance Framework

  • Information Technology Act, 2000 (IT Act, 2000) - Section 43A (Compensation for failure to protect data)
  • IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules, 2011)
  • Digital Personal Data Protection Act, 2023 (DPDP Act) - India's comprehensive data protection legislation
  • Consumer Protection Act, 2019 - Consumer data protection provisions

1.2 Our Commitment

We implement reasonable security practices and procedures as mandated by IT Rules, 2011, including:

  • ISO 27001 aligned security controls
  • Documented information security policies
  • Regular security audits and assessments
  • Incident response and data breach management
  • Privacy by design and by default

1.3 Your Consent

By using NanbanCRM, you consent to the data practices described in this Privacy Policy. This consent is:

  • Freely given: You have a genuine choice
  • Specific: For clearly defined purposes
  • Informed: You understand what you're consenting to
  • Withdrawable: You can withdraw consent at any time

If you do not agree with this policy, please do not use our Service.

1.4 Data Fiduciary Information

Data Fiduciary: Digital Prolex
Registered Address: 465, Pillaiyar Kovil Street, Nandhimangalam, Chengam TK, Tiruvannamalai 606705, Tamil Nadu, India
Contact Email: privacy@nanbancrm.com
Grievance Officer: B. Ganesh
Grievance Email: grievance@nanbancrm.com


2. Information We Collect

2.1 Personal Data You Provide

  • Account Information: Name, email address, phone number, company name
  • Profile Information: Job title, profile photo, preferences, settings
  • Payment Information: Billing address, GST number, payment method details
  • Business Data: Leads, clients, invoices, tasks, and other CRM data you create
  • Communications: Support requests, feedback, and correspondence

2.2 Sensitive Personal Data

As defined under IT Rules, 2011:

  • Financial Information: Processed securely via Razorpay (PCI-DSS compliant)
  • Passwords: Stored using industry-standard hashing algorithms
  • Biometric Data: Not collected

2.3 Automatically Collected Data

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Data: Pages visited, features used, time spent, click patterns
  • Log Data: Access times, error logs, performance metrics
  • Location Data: Approximate location based on IP address (not precise GPS)

2.4 Data from Third Parties

  • Payment Processors: Transaction confirmations from Razorpay
  • Authentication Providers: If you use social login (Google, etc.)
  • Analytics Services: Aggregated usage statistics

3. How We Collect Information

We collect information through the following methods:

3.1 Direct Provision

  • When you register for an account
  • When you create or update your profile
  • When you input business data (leads, clients, invoices)
  • When you contact our support team
  • When you respond to surveys or feedback requests

3.2 Automated Collection

  • Cookies: Essential, functional, analytics, and marketing cookies
  • Server Logs: Automatically recorded by our servers
  • Analytics Tools: Usage patterns and performance metrics
  • Error Tracking: Application errors and debugging information

3.3 Third-Party Sources

  • Payment Processors: Transaction and billing information from Razorpay
  • Authentication Providers: Basic profile information from OAuth providers
  • Business Partners: Only with your explicit consent

3.4 Your Clients' Data

  • Data you input about your clients and leads
  • You are responsible for obtaining necessary consents from your data subjects
  • We process this data on your behalf as a Data Processor

4. How We Use Information

We use your information for the following purposes:

4.1 Service Delivery

  • Provide and maintain NanbanCRM services
  • Process transactions and send related information
  • Manage your account and provide customer support
  • Enable features and functionality you request

4.2 Service Improvement

  • Analyze usage patterns to improve features
  • Develop new products and services
  • Conduct research and analytics
  • Fix bugs and optimize performance

4.3 Communication

  • Send service updates and security alerts (required)
  • Respond to inquiries and support requests
  • Send marketing communications (with your consent)
  • Notify you of policy changes

4.4 Legal & Security

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Detect and prevent fraud or abuse
  • Protect rights, property, and safety

4.5 Personalization

  • Customize your experience based on preferences
  • Provide relevant recommendations
  • Remember your settings and choices

5. Legal Basis for Processing

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), we process your data based on the following lawful grounds:

5.1 Consent

  • You have given explicit consent for specific purposes
  • Consent is freely given, specific, informed, and unambiguous
  • You may withdraw consent at any time

5.2 Contract Performance

  • Processing is necessary to fulfill our contract with you
  • Providing the services you have subscribed to
  • Processing payments and managing your subscription

5.3 Legal Obligation

  • Processing is required by law
  • Compliance with tax laws (GST, income tax)
  • Responding to legal requests from authorities

5.4 Legitimate Interest

  • Processing is necessary for our legitimate business interests
  • Improving our services and user experience
  • Preventing fraud and ensuring security
  • Marketing our services (with appropriate safeguards)

5.5 Vital Interests

  • Processing is necessary to protect vital interests
  • Emergency situations requiring immediate action

Your Right to Withdraw Consent: You may withdraw consent at any time through:

  • Account settings
  • Cookie preferences
  • Contacting privacy@nanbancrm.com

6. Data Sharing & Disclosure

6.1 Service Providers (Data Processors)

We share data with trusted service providers who process data on our behalf:

| Provider | Purpose | Data Shared | Location |
|----------|---------|-------------|----------|
| Supabase | Database & Authentication | All user data | India (Mumbai Region) |
| Razorpay | Payment Processing & Invoicing | Payment details, GST info | India |
| Resend | Transactional Emails | Email addresses, names | Cloud infrastructure |
| Meta Platforms | Ads CRM (Optional) | Only if you connect | User-controlled |

All service providers are contractually bound to:

  • Process data only as instructed by us
  • Implement appropriate security measures
  • Not share data with unauthorized third parties
  • Delete data upon contract termination
  • Comply with applicable Indian data protection laws

6.2 Legal Requirements

We may disclose data when required by:

  • Indian law, court order, or legal process
  • Government or regulatory authorities in India
  • To protect our legal rights and enforce our Terms
  • To prevent fraud or illegal activity

6.3 Business Transfers

In the event of a merger, acquisition, sale of assets, or business reorganization, data may be transferred as part of the transaction, with appropriate safeguards to protect your rights.

6.4 With Your Explicit Consent

We may share data with third parties when you:

  • Explicitly authorize the sharing
  • Use integrations that require data sharing (e.g., Meta Ads API)
  • Opt-in to partner services
  • Connect third-party applications

6.5 We Do NOT:

  • Sell your personal data to third parties
  • Share data for third-party marketing without consent
  • Transfer data outside India without appropriate safeguards
  • Share sensitive personal data without explicit consent

7. Data Storage & Security

7.1 Data Localization & Storage

Primary Data Storage Location: India (Mumbai Region)

Why India-based storage:

  • Faster performance for Indian users
  • Compliance with Indian data protection laws
  • Reduced latency for data access
  • Alignment with data localization requirements

Infrastructure:

  • Database: Supabase (India – Mumbai Region, ISO 27001 certified)
  • Application Hosting: Cloud infrastructure optimized for India
  • Payment Data: Razorpay (India-based, PCI-DSS Level 1 compliant)

Data Transfer: We primarily store and process data within India. Any transfer outside India (if required) will be done with:

  • Appropriate legal safeguards
  • Your explicit consent where required
  • Standard contractual clauses
  • Adequate security measures

7.2 Security Measures (Reasonable Security Practices under IT Rules, 2011)

We implement reasonable security practices and procedures as required by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:

Technical Safeguards:

  • Encryption in transit (TLS 1.3/SSL)
  • Encryption at rest (AES-256)
  • Secure password hashing (bcrypt/Argon2)
  • Two-factor authentication (2FA) available
  • Regular security updates and patches
  • Firewall protection

Access Controls:

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Multi-factor authentication for administrative access
  • Regular access reviews and audits
  • Session management and timeout controls

Monitoring & Detection:

  • 24/7 security monitoring
  • Intrusion detection systems (IDS)
  • Anomaly detection and alerting
  • Comprehensive audit logging
  • Real-time threat intelligence

Organizational Measures:

  • ISO 27001 aligned security policies
  • Documented security procedures and manuals
  • Regular vulnerability assessments
  • Periodic penetration testing
  • Incident response and disaster recovery plans
  • Data breach notification protocols
  • Employee security awareness training
  • Background verification of personnel with data access

7.3 Compliance with IT Act, 2000

We comply with Section 43A of the Information Technology Act, 2000, which requires us to implement and maintain reasonable security practices to protect sensitive personal data.

7.4 Your Responsibility

You are responsible for:

  • Keeping your login credentials confidential
  • Using strong, unique passwords
  • Enabling two-factor authentication
  • Not sharing account access
  • Reporting suspicious activity immediately to support@nanbancrm.com

Important: No system is 100% secure. While we implement robust security measures aligned with industry standards and Indian legal requirements, we cannot guarantee absolute security against all threats.


8. Data Retention

8.1 Retention Periods

| Data Type | Retention Period | Reason |
|-----------|------------------|--------|
| Active Account Data | While account is active | Service delivery |
| Deleted Account Data | 30 days after deletion | Recovery period |
| Backup Data | Up to 90 days | Disaster recovery |
| Invoices & Financial | 8 years | Indian tax law compliance |
| Consent Records | 7 years after consent | Legal compliance |
| Audit Logs | 3 years | Security & compliance |
| Support Tickets | 2 years after resolution | Quality assurance |

8.2 After Retention Period

When the retention period expires:

  • Personal data is permanently deleted
  • Anonymized data may be retained for analytics
  • Aggregated statistics may be kept indefinitely

8.3 Account Deletion

Upon account deletion request:

  • 30-day recovery period (data can be restored)
  • After 30 days, permanent deletion begins
  • Deletion completed within 90 days
  • Some data retained for legal compliance

8.4 Legal Holds

Data may be retained longer if:

  • Required by law or court order
  • Subject to ongoing legal proceedings
  • Needed for dispute resolution
  • Required for regulatory compliance

9. Your Rights (Data Principal Rights under DPDP Act)

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

9.1 Right to Access

  • Request information about what data we hold about you
  • Obtain a copy of your personal data
  • Know how your data is being processed
  • Response Time: Within 30 days

9.2 Right to Correction

  • Request correction of inaccurate data
  • Update incomplete information
  • Modify your data through account settings
  • Response Time: Within 15 days

9.3 Right to Erasure (Right to be Forgotten)

  • Request deletion of your personal data
  • Remove data that is no longer necessary
  • Subject to legal retention requirements
  • Response Time: Within 30 days

9.4 Right to Data Portability

  • Export your data in machine-readable format
  • Available formats: JSON, CSV, ZIP
  • Transfer data to another service provider
  • Response Time: Within 30 days

9.5 Right to Withdraw Consent

  • Withdraw consent for data processing at any time
  • Manage cookie preferences
  • Opt-out of marketing communications
  • Effect: Prospective, does not affect prior processing

9.6 Right to Grievance Redressal

  • Submit complaints about data handling
  • Contact our Grievance Officer
  • Escalate to Data Protection Board of India if unresolved
  • Response Time: Acknowledgment within 24 hours, resolution within 30 days

9.7 Right to Nominate

  • Nominate another person to exercise your rights
  • In case of death or incapacity
  • Nominee can access, correct, or delete data

How to Exercise Your Rights

  1. In-App: Settings → Privacy → Data Requests
  2. Email: privacy@nanbancrm.com
  3. Grievance: grievance@nanbancrm.com

Verification: We may need to verify your identity before processing requests.


10. Cookies & Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us recognize you, remember your preferences, and improve your experience.

10.2 Types of Cookies We Use

Essential Cookies (Always Active - Required)

These cookies are necessary for the Service to function and cannot be disabled:

  • Session Management: Keep you logged in
  • Authentication: Verify your identity
  • Security: Protect against fraud and unauthorized access (CSRF tokens)
  • Cannot be disabled without affecting core functionality

Functional Cookies (Optional)

These enhance your experience but are not essential:

  • Remember your preferences and settings
  • Language and region preferences
  • Dashboard layout and customizations
  • Recently viewed items
  • You can disable these, but some features may not work as expected

Analytics Cookies (Optional, Non-Invasive)

Help us understand how the Service is used:

  • Page views and feature usage
  • Performance metrics and load times
  • Error tracking for bug fixes
  • Aggregate user behavior patterns
  • You can opt-out at any time

Marketing Cookies (Optional)

Used for advertising effectiveness (only if you consent):

  • Ad campaign performance measurement
  • Personalized content recommendations
  • You have full control over these cookies

10.3 Cookie Details

| Cookie Name | Type | Purpose | Duration | Can Disable? |
|-------------|------|---------|----------|--------------|
| sb-auth-token | Essential | Authentication | Session | ❌ No |
| csrf_token | Essential | Security (CSRF protection) | Session | ❌ No |
| preferences | Functional | User settings | 1 year | ✅ Yes |
| analytics_id | Analytics | Anonymous usage tracking | 1 year | ✅ Yes |
| marketing_id | Marketing | Ad tracking | 90 days | ✅ Yes |

10.4 Managing Cookies - You Have Control

Through Our Service (Recommended):

  • Cookie consent banner on first visit
  • Update preferences in account settings
  • Settings → Privacy → Cookie Preferences
  • Granular Control: Choose exactly which types of cookies to allow

Through Your Browser:

  • Block all cookies (may affect functionality)
  • Delete existing cookies
  • Set cookie preferences per site

Browser-Specific Instructions:

  • Chrome: Settings → Privacy → Cookies
  • Firefox: Options → Privacy → Cookies
  • Safari: Preferences → Privacy → Cookies
  • Edge: Settings → Privacy → Cookies

10.5 Do Not Track

We respect "Do Not Track" browser signals when technically feasible. When DNT is enabled, analytics and marketing cookies are automatically disabled.

10.6 Third-Party Cookies

Some third-party services integrated with NanbanCRM may set their own cookies:

  • Razorpay: Payment processing (razorpay.com/privacy)
  • Meta Ads: Optional ads integration (meta.com/privacy)

Important: We do not control third-party cookies. Please review their privacy policies for details.

10.7 Your Rights Regarding Cookies

Under Indian data protection laws, you have the right to:

  • Know what cookies are being used
  • Choose which cookies to accept
  • Withdraw consent at any time
  • Delete cookies from your device

To Exercise Your Rights: Contact privacy@nanbancrm.com


11. Children's Privacy

11.1 Age Requirement

NanbanCRM is NOT intended for users under 18 years of age.

11.2 No Collection from Minors

  • We do not knowingly collect personal data from children
  • We do not target our services to minors
  • Our Terms of Service require users to be 18+

11.3 Parental Rights

If you are a parent or guardian and believe your child has provided us with personal data:

  • Contact us immediately at privacy@nanbancrm.com
  • We will investigate and delete the data
  • No verification of child's identity required from parent

11.4 Discovery of Minor's Data

If we discover we have collected data from a minor:

  • We will delete the data immediately
  • We will terminate the account
  • We will notify the parent/guardian if possible

11.5 DPDP Act Compliance

Under DPDP Act 2023:

  • Verifiable parental consent required for minors
  • Since we don't serve minors, this doesn't apply
  • Any minor's data discovered will be deleted

12. International Data Transfers

12.1 Primary Storage Location

Your data is primarily stored and processed in India.

12.2 When Data May Be Transferred

Data may be transferred outside India when:

  • Using cloud service providers with global infrastructure
  • Accessing our service from outside India
  • Using third-party integrations

12.3 Transfer Safeguards

When transferring data internationally, we ensure:

Legal Mechanisms:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Binding Corporate Rules (BCRs) where relevant

Technical Measures:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Audit logging and monitoring

Contractual Protections:

  • Data Processing Agreements with all processors
  • Confidentiality obligations
  • Security requirements

12.4 DPDP Act Compliance

Under DPDP Act 2023:

  • Transfers allowed to notified countries
  • Transfers to other countries with appropriate safeguards
  • Central Government may restrict transfers to certain countries

12.5 Your Rights

Regardless of where your data is processed:

  • Your rights under DPDP Act remain protected
  • You can exercise all Data Principal rights
  • Our security standards apply globally

13. Policy Changes

13.1 Updates to This Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • New features or services
  • Legal or regulatory requirements
  • Industry best practices

13.2 Notification of Changes

For material changes, we will notify you through:

  • Email: To your registered email address
  • In-App: Notification banner or modal
  • Website: Updated policy with change summary
  • Effective Date: Updated at the top of the policy

13.3 Types of Changes

Minor Changes (No Re-consent Required):

  • Clarifications and formatting
  • Contact information updates
  • Non-material wording changes

Material Changes (Re-consent May Be Required):

  • New categories of data collection
  • New purposes for processing
  • Changes to data sharing practices
  • Changes to your rights

13.4 Your Acceptance

  • Continued use after changes constitutes acceptance
  • Material changes may require explicit re-consent
  • You will be prompted to accept the updated policy
  • Refusal to accept may limit service access

13.5 Previous Versions

  • Previous versions available upon request
  • Email privacy@nanbancrm.com for historical policies
  • We maintain version history for compliance

14. Grievance Officer (Mandatory under IT Rules, 2011)

14.1 Appointment

As required by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer to address your privacy concerns.

Grievance Officer Details:

  • Name: B. Ganesh
  • Email: grievance@nanbancrm.com
  • Address: 465, Pillaiyar Kovil Street, Nandhimangalam, Chengam TK, Tiruvannamalai 606705, Tamil Nadu, India
  • Response Timeline: 7 working days

14.2 Grievance Officer Responsibilities

The Grievance Officer is responsible for:

  • Receiving and acknowledging complaints within 24 hours
  • Investigating data protection complaints
  • Providing resolution within 7 working days
  • Escalating complex matters to senior management
  • Maintaining comprehensive grievance records
  • Ensuring compliance with data protection laws

14.3 How to File a Grievance

Option 1: Email (Recommended)
Send your grievance to: grievance@nanbancrm.com

Option 2: In-App
Navigate to: Settings → Privacy & Security → Submit Grievance

Option 3: Written Communication
Send by post to: 465, Pillaiyar Kovil Street, Nandhimangalam, Chengam TK, Tiruvannamalai 606705, Tamil Nadu, India

What to Include in Your Grievance:

  • Your full name and contact details (email/phone)
  • User ID or registered email (if applicable)
  • Clear description of the privacy issue or concern
  • Relevant dates and specific incidents
  • Supporting documents or screenshots (if any)
  • Desired resolution or action

14.4 Response Timeline (As per IT Rules, 2011)

  • Acknowledgment: Within 24 hours of receipt
  • Initial Response: Within 7 working days
  • Final Resolution: Within 30 days of receipt
  • Updates: We will keep you informed of progress

14.5 Escalation Process

If you are not satisfied with the Grievance Officer's resolution:

Step 1: Request escalation to senior management
Email: legal@nanbancrm.com

Step 2: Contact the Data Protection Board of India
(Once established under DPDP Act, 2023)

Step 3: Legal Remedies
You may seek legal remedies as per:

  • Information Technology Act, 2000
  • Digital Personal Data Protection Act, 2023
  • Consumer Protection Act, 2019
  • Other applicable Indian laws

14.6 Record Keeping

We maintain detailed records of all grievances including:

  • Date and time of receipt
  • Nature of the grievance
  • Investigation steps taken
  • Resolution provided
  • Time taken for resolution
  • Follow-up actions

Note: All grievances are handled with strict confidentiality and in accordance with Indian data protection laws.


15. Contact Information

15.1 Privacy Inquiries

For questions about this Privacy Policy or our data practices:

Privacy Team:

  • Email: privacy@nanbancrm.com
  • Response Time: Within 48 hours

15.2 Data Requests

To exercise your Data Principal rights:

Data Rights:

  • Email: privacy@nanbancrm.com
  • In-App: Settings → Privacy → Data Requests
  • Response Time: Within 30 days

15.3 Grievances

For complaints about data handling:

Grievance Officer:

  • Name: B. Ganesh
  • Email: grievance@nanbancrm.com

15.4 General Support

For general questions about our service:

Support Team:

  • Email: support@nanbancrm.com

15.5 Legal Matters

For legal inquiries:

Legal Team:

  • Email: legal@nanbancrm.com

15.6 Registered Office

Digital Prolex
465, Pillaiyar Kovil Street, Nandhimangalam, Chengam TK, Tiruvannamalai 606705, Tamil Nadu, India


By using NanbanCRM, you acknowledge that you have read, understood, and agree to this Privacy Policy.


Last Updated: December 22, 2025
Version: 1.0

