Privacy Policy
This Privacy Policy describes how Nirmeva Studio ("Company," "we," "us," "our," or "Nirmeva") collects, uses, discloses, and otherwise processes personal information in connection with our website www.nirmeva.com and the services we provide. This policy is binding and applies to all visitors, clients, and data subjects. By accessing our website or engaging our services, you agree to the terms of this Privacy Policy.
1. Definitions & Regulatory Framework
This Privacy Policy is established in compliance with the following regulatory frameworks:
- Digital Personal Data Protection Act, 2023 (DPDP Act) — Applicable in India, governs processing of digital personal data.
- General Data Protection Regulation (GDPR) (EU/2016/679) — For data subjects in the EU and EEA.
- California Consumer Privacy Act (CCPA) — For data subjects residing in California, USA.
- Information Technology Act, 2000 (IT Act) — For data security and protection obligations in India.
- TRAI Guidelines — For communication and marketing.
Key Definitions
- Personal Data: Any information relating to a natural person who can be directly or indirectly identified.
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- Data Controller: The entity that determines the purposes and means of processing.
- Data Processor: An entity that processes data on behalf of the controller (Nirmeva Studio, when acting in this capacity).
- Data Subject: The natural person to whom personal data relates.
2. Information We Collect
2.1 Information Provided Directly by You
When you contact us, we collect:
- Full name, email address, and phone number
- Company/organization name and designation
- Project details, business requirements, and technical specifications
- Any other information voluntarily provided in correspondence
2.2 Information Collected Automatically
When you visit our website, we automatically collect limited technical data through Google Analytics (configured in cookieless mode):
- Pages visited, time spent, referring source and exit pages
- Browser type, device type, and operating system
- IP address (anonymized) and general geographic location (country/city level)
- Click patterns and user interactions (aggregated)
2.3 Client-Provided Data
When clients engage us for development, we may process client business data, end-user data embedded in applications, files, documents, and system logs. In these cases, the client acts as the Data Controller and Nirmeva Studio acts as the Data Processor under a formal DPA.
3. Legal Basis for Processing
We process personal data only when we have a lawful basis to do so:
| Processing Activity | Legal Basis |
|---|---|
| Responding to inquiries and providing quotes | Legitimate interest / Contract performance |
| Project delivery and client communication | Contract performance |
| Website analytics | Legitimate interest (cookieless, anonymized) |
| Legal compliance and record-keeping | Legal obligation |
| Providing contractual services and support | Contract performance |
| Portfolio showcase with redacted data | Legitimate interest / Contractual permission |
We do not process personal data for purposes incompatible with the original collection purpose without explicit consent.
4. How We Use Information
| Purpose | Data Categories | Duration |
|---|---|---|
| Responding to inquiries | Name, email, phone, message content | Correspondence + 12 months |
| Creating and executing service contracts | Contact info, project requirements | Contract + 3 years |
| Providing software development services | Project data, client data (as processor) | As per contract/DPA |
| Improving website functionality | Anonymized analytics data | Ongoing (aggregated) |
| Portfolio showcase (with consent) | Project details (redacted) | Per contract or consent |
| Legal and regulatory compliance | Relevant data as required by law | As required by law |
Promotional Communications
We do not send unsolicited marketing emails. Any communication is based on explicit opt-in consent, existing business relationship, or compliance with TRAI and GDPR requirements. You can unsubscribe at any time by contacting us.
5. Data Processors & Third Parties
5.1 Third-Party Service Providers
We use limited third-party service providers for essential infrastructure. All processors have signed DPAs ensuring compliance with GDPR, DPDP Act, and data protection standards.
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Google Analytics 4 (Alphabet Inc.) | Website analytics | Anonymized visitor data, device info |
| Vercel (Vercel Inc.) | Website hosting | Website files, server logs |
| Cloudinary (Cloudinary Ltd.) | Image CDN | Images and media (no personal data) |
| SendGrid (Twilio Inc.) | Email delivery | Email addresses, message content (in transit) |
5.2 Data Sharing Policy
- We do NOT sell, rent, or trade personal data for marketing or commercial purposes.
- We do NOT share data with data brokers or third-party marketers.
- We only share data as necessary for contractual performance, legal compliance, or explicit consent.
- All processors are bound by strict confidentiality agreements.
5.3 Disclosure for Legal Reasons
We may disclose personal information when required by law, court order, or legal process. We will provide notice to data subjects when legally permissible.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law:
| Data Category | Retention Period | Basis |
|---|---|---|
| Website inquiry data (no project outcome) | 12 months from last contact | Legitimate interest |
| Active client project data | Duration of contract | Contract performance |
| Client records (post-project) | 3 years after completion | Legal, tax, and accounting |
| Analytics data (anonymized) | 13 months | GA4 default retention |
| Backup and recovery data | Max 90 days | Business continuity |
| Data subject deletion requests | Deleted within 30 days | Data subject rights |
Data Deletion
When retention periods expire or upon request, we permanently delete personal data through secure deletion methods. Legal and accounting records required by Indian tax law (Income Tax Act, 1961) are retained for the prescribed 7-year period.
8. Client Data & Data Processing
8.1 Our Role as Data Processor
When Nirmeva Studio develops software, applications, ERP systems, or AI solutions for clients, we frequently process personal data on behalf of the client:
- The Client is the Data Controller: Responsible for determining purposes of processing, obtaining consent, and ensuring compliance.
- Nirmeva is the Data Processor: We process data strictly according to the client's written instructions under a formal DPA.
- Processor Obligations: We implement appropriate technical and organizational measures and maintain records of processing.
8.2 Data Processing Agreements (DPA)
All clients requiring us to process personal data must enter into a formal DPA covering: scope, duration, purpose, security measures, sub-processor arrangements, data subject rights, breach notification procedures, and data return/deletion upon termination. No processing commences until a signed DPA is in place.
8.3 Sub-Processors
If we engage third-party sub-processors, we will provide advance notice, obtain explicit written authorization, ensure equivalent data protection obligations, and remain liable for any breach by sub-processors.
8.4 Portfolio & Case Studies
Before any portfolio publication: all proprietary data is redacted, no end-user personal data is visible, sensitive information is obscured, explicit client consent is obtained, and client names may be withheld upon request.
9. Data Security & Protection
9.1 Security Measures
- Encryption: Data in transit uses TLS 1.2+. Sensitive data at rest is encrypted.
- Access Controls: Personal data access is limited to authorized personnel with legitimate business need.
- Authentication: Multi-factor authentication is used for accessing sensitive systems.
- Regular Audits: Periodic security audits and vulnerability assessments are conducted.
- Staff Training: All team members receive data protection and privacy training.
- Secure Deletion: Data is securely deleted using industry-standard methods.
9.2 Limitations
No method of transmission over the internet is 100% secure. While we use reasonable efforts to protect your data, we cannot guarantee absolute security. You acknowledge this inherent risk when providing information to us.
9.3 Data Breach Notification
In the event of a confirmed data breach, we will: assess severity without unreasonable delay; notify affected data subjects within 30 days if there is risk to their rights; notify relevant regulatory authorities as required; and provide guidance on protective steps. Notification will include the nature of the breach, likely consequences, and measures taken.
10. Your Rights & Requests
Under applicable data protection laws (DPDP Act 2023, GDPR, CCPA), you have the following rights:
10.1 Right to Access
Request access to personal data we hold about you — what data, how it's used, its sources, recipients, and retention period. We will respond within 30 days (extendable to 60 days for complex requests).
10.2 Right to Rectification
Request correction of inaccurate, incomplete, or outdated personal data. Corrections will be made and affected parties notified without undue delay.
10.3 Right to Erasure
Request deletion of personal data when: the data is no longer necessary; you withdraw consent; you object to processing; or processing is unlawful. Exceptions: We may retain data if required by law or for legal claims.
10.4 Right to Data Portability
Obtain your personal data in a structured, machine-readable format (CSV, JSON). We will provide your data within 30 days of request.
10.5 Right to Object & Restrict Processing
Object to processing on grounds relating to your particular situation — we will discontinue unless we have compelling legitimate grounds. You may also request we restrict how we use your data while a dispute is investigated.
10.6 How to Exercise Your Rights
Send a written request to the contact details in Section 14. Include sufficient information to identify yourself and describe your request. Identity verification may be required. We will not charge a fee unless your request is manifestly unfounded or excessive.
11. International Data Transfers
Nirmeva Studio is based in India. When we transfer personal data outside India, we ensure compliance through Standard Contractual Clauses (SCCs), Adequacy Decisions, Explicit Consent, and Data Processing Agreements with equivalent safeguards.
Our key international providers — Google Analytics (USA), Vercel (USA), and Cloudinary (USA) — have all signed data protection amendments complying with GDPR and DPDP Act. By providing personal data to Nirmeva, you consent to processing in multiple jurisdictions as necessary to deliver our services.
12. Children & Age Policy
We do not knowingly collect personal data from children under 13 years of age. If we become aware of such data, we will delete it immediately, notify the child's parent or legal guardian, and comply with applicable children's privacy laws (COPPA, GDPR Article 8, DPDP Act guidelines).
Minors (13–18) may submit general inquiries. A parent or guardian's consent is required before we process any personal data from minors for contractual purposes. Only individuals aged 18 and above can enter into legally binding contracts for our professional services.
13. Policy Changes & Updates
Nirmeva Studio reserves the right to update this Privacy Policy at any time to reflect changes in business practices, new regulatory requirements, improved privacy practices, or stakeholder feedback.
For material changes: we update the "Last Updated" date, post the new version on our website, and notify existing clients via email. Continued use of our website after changes indicates acceptance of the updated policy. If you disagree with changes, you have the right to withdraw consent or cease use of our services.
14. Contact & Grievance Redressal
For questions, concerns, or requests regarding this Privacy Policy or our data practices:
14.1 Grievance Redressal Process
- Step 1: Contact Nirmeva Studio using the contact information above, describing your grievance in detail.
- Step 2: We will acknowledge receipt within 2 business days.
- Step 3: We will investigate and provide a response within 30 days of the complaint.
- Step 4: If unresolved, you have the right to escalate to relevant data protection authorities.
14.2 Regulatory Authorities
- India: Data Protection Board of India (DPBI) — dpdpb.gov.in
- European Union: Your local Data Protection Authority (DPA)
- California, USA: California Privacy Protection Agency (CPPA)
- Other jurisdictions: Your national/regional data protection regulator
Note: Filing a regulatory complaint does not affect your ability to pursue other remedies.
Legal Disclaimer
This Privacy Policy constitutes a binding legal agreement between you and Nirmeva Studio. The policies described herein are based on current laws in India, the European Union, and the United States, including the DPDP Act 2023, GDPR, and CCPA. For a formal Data Processing Agreement (DPA), contact us directly.
Effective Date: 8 May 2026 | Last Updated: 8 May 2026