Legal

Privacy Policy

Last updated: 26 March 2026 Effective date: 26 March 2026
Your privacy matters to us. This policy explains what personal data Nastrum Books collects, why we collect it, how we use it, who we share it with, and what rights you have. We keep it plain and specific — no vague legalese.

1. Who We Are

Nastrum Books is a cloud-based accounting platform developed and operated by Nastrum AI ("we", "us", "our").

For the purposes of data protection law, Nastrum AI is the data controller of personal data collected when you use the Nastrum Books website (nastrumbooks.com) and application (app.nastrumbooks.com).

When you use Nastrum Books to process data about your customers, employees, or vendors, you are the data controller for that data and we act as your data processor. Our obligations as a data processor are covered in Section 5 and our Data Processing Agreement (available on request).

Contact: hello@nastrumbooks.com

2. What Data We Collect

We collect personal data in the following categories. We collect only what is necessary.

2.1 Account & Identity Data

  • Your name and email address (collected at registration).
  • Your password — stored as a one-way hash. We never store your password in plain text and cannot read it.
  • Profile photo (optional, if you choose to upload one).

2.2 Business & Financial Data

  • Company name, address, tax registration numbers (VAT/GST/TRN), and business details you enter.
  • Financial records you create: invoices, bills, expenses, transactions, customers, vendors, items, and reports.
  • Bank account names and balances you enter manually (we do not connect to or access your actual bank accounts).
  • File attachments you upload: receipt images, invoice PDFs, documents — stored on Cloudflare R2.

This business and financial data belongs to you. We do not read, analyse, or use it for any purpose other than providing the service to you.

2.3 Billing Data

  • Your billing address and chosen payment method details are collected at checkout.
  • Payment card processing is handled entirely by our payment provider. We do not store card numbers, CVV codes, or bank account credentials on our systems.
  • We retain a record of your subscription plan, billing history, and payment status.

2.4 Usage & Technical Data

  • Pages and features you access within the application.
  • Your IP address, browser type, operating system, and device type.
  • Error logs and crash reports used to diagnose and fix technical issues.
  • Timestamps of login and key actions (for security and audit purposes).

Usage data is used to improve the product and ensure security. It is not used for advertising profiling and is not sold or shared with third parties for commercial purposes.

2.5 Communications Data

  • Emails you send to our support address and our responses.
  • Feedback or feature requests you submit.

2.6 Data About Your Customers & Third Parties

When you use Nastrum Books to manage invoices, bills, or expenses, you may enter personal data about your customers, vendors, or employees (such as their names, email addresses, and addresses). You are the data controller for this data. We process it only on your instructions as part of providing the service.

You are responsible for ensuring you have a lawful basis to process this third-party data and that doing so complies with applicable data protection laws in your jurisdiction.

3. Legal Basis for Processing

We only process your personal data where we have a lawful basis to do so. The basis depends on the type of data and the purpose:

3.1 Contract Performance

Processing your account data, business data, and billing data is necessary to provide the Nastrum Books service under our Terms of Service. This is our primary legal basis.

3.2 Legitimate Interests

We process usage and technical data on the basis of our legitimate interest in operating a secure, functional, and improving product. We also process communications data to respond to your enquiries and provide support.

3.3 Legal Obligation

We may process and retain certain data where required by applicable law, including financial record-keeping regulations, tax laws, and regulatory requirements in the jurisdictions where we operate.

3.4 Consent

Where we send marketing or product update emails, we do so on the basis of your consent. You can withdraw this consent at any time by clicking "Unsubscribe" in any marketing email or by emailing hello@nastrumbooks.com. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

4. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the service — creating and maintaining your account, processing your financial records, generating reports, and enabling all platform features.
  • Billing & payments — processing your subscription payments, issuing receipts, managing upgrades and downgrades, and handling refunds.
  • Transactional communications — sending password reset emails, billing confirmations, storage usage alerts, plan change notifications, and other service-critical messages. These cannot be opted out of while you have an active account.
  • Product communications — sending product updates, new feature announcements, and occasional tips. You can opt out at any time.
  • Security & fraud prevention — detecting and preventing unauthorised access, abuse, and fraudulent activity on the platform.
  • Product improvement — using aggregated, anonymised usage data to understand how features are used and where we can improve. Individual financial data is never used for this purpose.
  • Customer support — responding to your support requests, troubleshooting issues, and resolving disputes.
  • Legal compliance — meeting our obligations under applicable laws and responding to lawful requests from authorities.

We will never sell, rent, trade, or share your personal data or your business financial data with third parties for their own marketing or commercial purposes. We will never use your financial records to train machine learning models or for any purpose outside of operating Nastrum Books for you.

5. Who We Share Data With

We share personal data only with the sub-processors necessary to operate Nastrum Books. We do not sell data. Current sub-processors:

Sub-processor Purpose Data location
Supabase Database hosting & authentication AWS (US East)
Cloudflare Website hosting (Pages), file storage (R2), CDN, DDoS protection Global CDN; R2 storage region configured per account
Brevo Transactional email delivery (password resets, billing, alerts) EU (France)
Payment processor Subscription billing & payment processing Varies by processor

Each sub-processor is bound by a data processing agreement and is required to implement appropriate technical and organisational security measures.

We may also disclose data where required by law, court order, or lawful request from a government authority. We will notify you of such requests where we are legally permitted to do so.

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity. We will give you at least 30 days' notice before such a transfer and you will have the right to delete your account and data before the transfer takes place.

6. International Data Transfers

Nastrum Books serves users globally. Your data may be processed in countries outside your home country, including the United States and the European Union, where our sub-processors operate.

Where we transfer personal data outside the European Economic Area (EEA) or United Kingdom, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where the receiving country has been recognised as providing adequate protection.
  • Data Processing Agreements with sub-processors that include binding data protection obligations.

For users in the UAE, transfers outside the UAE are made in compliance with the UAE Personal Data Protection Law (PDPL), using appropriate contractual protections.

For users in India, we comply with the Digital Personal Data Protection Act 2023 (DPDPA) and its 2025 Rules regarding cross-border data transfers. We monitor the Government of India's list of permitted transfer destinations and will update our practices accordingly.

You may request details of the specific safeguards in place for your data transfers by emailing hello@nastrumbooks.com.

7. Data Retention

7.1 While Your Account Is Active

We retain all your account, business, and financial data for as long as your Account remains active. This is necessary to provide the service.

7.2 After Account Closure

After you close your account or your subscription is cancelled, your data is retained for 30 days in a read-only state, giving you time to export. After 30 days, your data is permanently deleted from our systems, including backups, within a further 60 days.

7.3 Inactivity — Free Plan Accounts

Free Solo plan accounts that have not recorded any user login for 12 consecutive months are subject to automatic permanent deletion of all personal data and account records. We apply a staged notification process before any deletion occurs:

  • 6 months inactive — re-engagement email
  • 9 months inactive — first deletion warning
  • 11 months inactive — final notice with data export link (minimum 30 days before deletion)
  • 12 months — all personal data and account records permanently deleted

Logging in to your account at any point resets the inactivity clock. In line with India's Digital Personal Data Protection (DPDP) Rules 2025, the final notice provides at least 48 hours' advance warning. Paid subscriptions (Team, Studio, Firm) are not subject to inactivity deletion. This policy exists to minimise unnecessary data retention in compliance with applicable privacy regulations including GDPR Article 5(1)(e).

7.4 Revoked Team Member Access

When a team member's access to an Account is revoked — for example, when the Account owner downgrades to the Solo Plan — that team member's personal data (name, email address, activity records) is retained within the Account solely to preserve the integrity of audit trails, transaction records, and attribution data. This data is not used for any other purpose. The former team member may request deletion of their personal data by contacting us at hello@nastrumbooks.com. We will remove all personal identifiers while preserving anonymised activity records required for the Account owner's financial records.

7.5 Legal Retention Obligations

We may retain certain data for longer periods where required by applicable law — for example, billing records and transaction logs may be retained for up to 7 years to comply with financial record-keeping regulations. Only the minimum data necessary for legal compliance will be retained after account closure.

7.6 Communications

Support communications are retained for up to 3 years to assist with future support requests and resolve disputes.

8. Security

We take the security of your financial data seriously. The following measures are in place:

  • Encryption in transit: all data is transmitted over TLS 1.2 or higher. Unencrypted HTTP connections are redirected to HTTPS.
  • Encryption at rest: all data stored in our database and file storage is encrypted at rest.
  • Row-level security (RLS): enforced at the database level — your data is isolated from other users' data by design, not just by application logic.
  • Password hashing: passwords are hashed using a strong one-way algorithm. We cannot retrieve or read your password.
  • Access controls: access to production data is restricted to a minimum number of authorised Nastrum AI personnel on a need-to-know basis.
  • Security reviews: we conduct regular security reviews and apply software patches and updates promptly.

While we implement strong security measures, no system is 100% immune to breach. If you believe your account has been compromised, email us immediately at hello@nastrumbooks.com.

9. Cookies & Tracking

9.1 What We Use

The Nastrum Books application uses only strictly necessary cookies required for authentication and session management. These cookies are essential for the service to function and cannot be disabled without logging you out.

We do not use advertising cookies, third-party tracking cookies, or cross-site tracking technologies. We do not build advertising profiles based on your behaviour.

9.2 Analytics

If and when we add website analytics, we will update this section to describe exactly what is collected and, where required by applicable law, we will request your consent before enabling any non-essential tracking.

9.3 Managing Cookies

You can control cookies through your browser settings. Blocking all cookies will prevent you from logging into Nastrum Books, as session cookies are required for authentication.

10. Your Rights

Regardless of your location, you have the following rights regarding your personal data held by Nastrum AI:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to correction — you can request that inaccurate or incomplete data be corrected. For account data (name, email), you can update this directly in your account settings.
  • Right to deletion ("right to be forgotten") — you can request deletion of your personal data. We will comply unless we are legally required to retain it.
  • Right to data portability — you can request your data in a machine-readable format (JSON or CSV). Nastrum Books also provides built-in CSV and PDF export tools you can use at any time.
  • Right to restrict processing — in certain circumstances, you can ask us to limit how we process your data while a dispute is resolved.
  • Right to object — you can object to processing based on legitimate interests, including direct marketing. We will stop processing for marketing immediately upon request.
  • Right to withdraw consent — where processing is based on consent (marketing emails), you can withdraw at any time without affecting prior lawful processing.
  • Right not to be subject to automated decisions — we do not make significant automated decisions about you based on your personal data.

To exercise any of these rights, email hello@nastrumbooks.com with your request and the email address associated with your account. We will respond within 30 days (or sooner where required by law). We may need to verify your identity before processing your request. We will never charge a fee for exercising your rights.

11. Regional Rights

11.1 European Economic Area & United Kingdom (GDPR / UK GDPR)

If you are located in the EEA or UK, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR. In addition to the rights in Section 10, you have the right to lodge a complaint with your local supervisory authority:

  • EEA: your national Data Protection Authority (e.g. ICO in the UK, CNIL in France, BfDI in Germany).
  • UK: the Information Commissioner's Office (ico.org.uk).

We ask that you contact us first so we can try to resolve your concern directly before escalating to a supervisory authority.

11.2 United Arab Emirates (UAE PDPL)

If you are located in the UAE, you have rights under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). You have the right to access, correct, erase, and port your data, withdraw consent, restrict processing, and object to processing. You may also file a complaint with the UAE Data Office.

Our lawful bases for processing under the PDPL include contract performance, legitimate interests, legal obligation, and consent (for marketing). We process data in accordance with PDPL principles of purpose limitation, data minimisation, and storage limitation.

11.3 India (DPDPA 2023 & DPDP Rules 2025)

If you are located in India, you have rights under the Digital Personal Data Protection Act 2023 (DPDPA) and the DPDP Rules 2025. As a Data Fiduciary, Nastrum AI will:

  • Collect only the personal data necessary for the specified purpose.
  • Obtain your consent before processing your personal data, presented in clear, plain language.
  • Delete your personal data within the retention periods described in Section 7, including the 12-month inactivity deletion rule.
  • Notify you and the Data Protection Board of India within 72 hours of becoming aware of a personal data breach that affects you.
  • Honour your requests to access, correct, and erase your personal data within the timeframes prescribed by law.

You may file a complaint with the Data Protection Board of India if you believe your rights under the DPDPA have been violated.

11.4 United States (CCPA/CPRA — California)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information.

We do not sell or share your personal information with third parties for their commercial purposes. There is nothing to opt out of in this regard. You can exercise your other CCPA rights by contacting us at hello@nastrumbooks.com.

11.5 Australia (Privacy Act 1988)

If you are located in Australia, we handle your personal information in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). You have the right to access and correct your personal information and to make a complaint to the Office of the Australian Information Commissioner (oaic.gov.au) if you believe we have mishandled your data.

11.6 Canada (PIPEDA)

If you are located in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access your personal information and to challenge its accuracy. You may contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you have a complaint.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law (GDPR, India DPDPA).
  • Notify affected users directly by email without undue delay when the breach is likely to result in a high risk to their rights.
  • Provide clear information about the nature of the breach, the data affected, the likely consequences, and the steps we are taking to address it.

If you suspect a breach or have discovered a security vulnerability, please report it immediately to hello@nastrumbooks.com. We take all security reports seriously and will respond promptly.

13. Children's Privacy

Nastrum Books is a business accounting platform intended for use by adults aged 18 and over. We do not knowingly collect personal data from anyone under 18.

If you are a parent or guardian and believe that a person under 18 has created an account or provided us with personal data, please contact us immediately at hello@nastrumbooks.com. We will delete the data promptly upon verification.

14. Changes to This Policy

We may update this Privacy Policy from time to time as our practices change or as required by law. The "Last Updated" date at the top of this page reflects the most recent version.

For material changes — changes that significantly affect how we collect or use your data, or that reduce your privacy protections — we will notify you by email at least 30 days before the changes take effect.

For minor changes such as clarifications, typographical corrections, or the addition of new sub-processors under equivalent terms, we may update the policy without advance notice, but will always update the "Last Updated" date.

Your continued use of the Service after the effective date of any change constitutes your acceptance of the updated policy. If you do not agree, you may delete your account before the changes take effect.

15. Contact & Data Requests

For any privacy-related questions, to exercise your data rights, or to raise a concern:

Nastrum AI — Privacy Team

hello@nastrumbooks.com

Subject line: Privacy Request — [your request type]

We respond to all privacy requests within 30 days. For requests under laws with shorter response deadlines (e.g. India DPDPA), we will respond within the legally required timeframe.

When submitting a request, please include: (1) the email address associated with your account; (2) a description of your request; and (3) your country of residence so we can apply the correct legal framework. We may ask you to verify your identity before processing the request.