Privacy Policy

This Privacy Policy describes how Nearfo (operated by Nearfo Technologies Private Limited, hereinafter "Nearfo", "we", "us") collects, stores, uses, shares, and protects personal data of users of the Nearfo mobile application, website nearfo.com, and related services (the "Services"). By creating an account or using the Services in any manner, you acknowledge that you have read and agreed to this Policy. Nearfo acts as a Data Fiduciary under Section 2(i) of the DPDPA 2023 and as an Intermediary under Section 2(1)(w) of the IT Act, 2000.

3.1 Information You Provide Directly

• Account Registration: phone number, name, date of birth, gender (optional), profile photo, bio, handle, interests.
• Identity Verification (KYC/KYB): for business owners and creators withdrawing earnings — PAN, business documents, bank details (via Razorpay KYC).
• User-Generated Content: posts, reels, stories, comments, messages, live streams.
• Communications: messages with other users, support tickets, feedback.

3.2 Information Collected Automatically

• Device Information: device model, OS version, identifiers, network info, app version.
• Usage Data: features accessed, screens viewed, time spent, content interactions.
• Location Data: approximate location from GPS/IP/network. You can disable precise location via device settings or the in-app "Hide City on Profile" toggle. Approximate distance for hyperlocal discovery is core to our Services.
• Log Data: IP address, timestamps, crash reports, error logs.

3.3 Information from Third Parties

• Razorpay: payment confirmation metadata (no card numbers — Razorpay is PCI-DSS compliant).
• Firebase/GCM: device tokens for push notifications.
• AWS Textract: receipt OCR for Nearfo Cash cashback.
• Cloudflare: CDN/security logs, TURN call signaling.
• AdMob: ad identifiers (subject to your AAID limit-ad-tracking settings).

3.4 Information We Do NOT Collect

• Service Delivery: account management, authentication, content delivery, hyperlocal discovery, payments, cashback.
• Personalization: relevant posts/reels/businesses based on location, interests, engagement.
• Safety and Moderation: detect fraud, abuse, spam, anti-markup violations, fake reviews.
• Communication: transactional (OTP, receipts), with consent — marketing.
• Customer Support: respond to queries and grievances.
• Legal Compliance: court orders, RBI/SEBI/Income Tax obligations (TDS 26Q).
• Analytics: improve features, fix bugs, prevent crashes.
• Research: aggregated/anonymised market insights.

Under Sections 6 and 7 of the DPDPA 2023, we process your personal data based on: (a) Consent for non-essential processing (personalised ads, marketing); (b) Certain Legitimate Uses including voluntary provision for a specified purpose, compliance with law (KYC/TDS), court orders, medical emergency, public interest functions. You may withdraw consent at any time. Withdrawal does not affect lawfulness of prior processing.

We do not sell your personal data. We share only in limited circumstances:

6.1 With Other Users

Your public profile info (name, handle, avatar, posts) is visible per your privacy settings. Control via in-app Account Privacy.

6.2 With Service Providers (Data Processors)

All processors are contractually bound to data security and purpose limitation.

6.3 With Authorities (Legal Disclosure)

We disclose only when required by valid order under Indian law (e.g., Section 91 CrPC, Section 69 IT Act), to comply with IT Rules 2021, or to prevent imminent harm.

6.4 Business Transfers

In case of merger/acquisition/sale, data may transfer to the acquirer subject to equivalent protection. You will be notified.

6.5 With Your Consent

Third-party sharing only with your explicit consent.

• Active accounts: retained while active.
• Account deletion: active systems within 30 days; backups within 90 days.
• Financial records: 8 years (Income Tax Act 1961, GST law).
• KYC documents: 5 years post account closure (RBI Master Direction on KYC).
• User identification (IP, device): 180 days post closure (IT Rules 2021, Rule 3(1)(j)).
• Content takedowns/abuse reports: until legal limitation expires (typically 3 years).
• Anonymised analytics: indefinitely in aggregated form.

Most data is stored on servers in India (AWS Mumbai). Limited categories may transfer outside India (e.g., Sentry, Cloudflare edge). Pursuant to Section 16 of the DPDPA 2023, we transfer outside India only to countries not restricted by the Central Government.

On nearfo.com we use: Strictly Necessary (auth, CSRF — cannot be disabled); Functional (language, theme); Analytics (anonymised); Advertising (only with explicit consent). Manage via cookie banner or browser. Mobile app uses SharedPreferences/secure tokens (no cookies).

Under Sections 11-14 of the DPDPA 2023:

10.1 Right to Information (Section 11)

Request a summary of personal data processed, processing activities, and Data Processors with whom data is shared.

10.2 Right to Correction and Erasure (Section 12)

Request correction, completion, updating, or erasure of personal data. Most actions via Settings → Account → Edit Profile / Delete Account.

10.3 Right to Grievance Redressal (Section 13)

Contact our Grievance Officer (Section 15).

10.4 Right to Nominate (Section 14)

Nominate another individual to exercise your rights in event of death/incapacity.

10.5 Right to Withdraw Consent

Withdraw at any time. Use unsubscribe in marketing emails or disable in-app notifications.

10.6 Account Deletion

Delete via Settings → Account → Delete Account or via our account-deletion page. Processed within 30 days.

Under Section 9 DPDPA 2023, we do not process data of children (under 18) without verifiable parental consent. No tracking, behavioural monitoring, or targeted advertising directed at children. If your child has registered, contact admin@nearfo.com immediately. See our Child Safety Standards.

Per Rule 8 SPDI Rules 2011 and Section 8(5) DPDPA 2023:

• Encryption in transit: TLS 1.2+ (HTTPS, WSS).
• Encryption at rest: sensitive PII (name, email, phone, city, DOB) via AES-256-GCM.
• Authentication: OTP + bcrypt + tokensValidFrom (instant device-wide logout).
• Network isolation: production DB on private network.
• Access control: role-based for staff; full audit log of admin actions.
• Monitoring: Sentry, real-time Slack alerts, anomaly detection.
• Regular audits: internal security review quarterly.
• Vendor management: contractual equivalence on security standards.

In a breach likely to result in risk: notify the Data Protection Board of India per Section 8(6) DPDPA 2023; notify affected Data Principals via in-app/email/SMS with nature/consequences/mitigation; publish summary on website if affecting many users.

We may update this Policy from time to time. "Last Updated" date reflects the most recent revision. For material changes: 30-day in-app/email notice; fresh consent required if a new lawful basis. Continued use after effective date = acceptance.

15.1 Grievance Officer (IT Rules 2021 Rule 3(2)(a))

• Name: Akash More
• Designation: Founder & Grievance Officer
• Email: admin@nearfo.com
• Postal Address: C/o Arpit Keaote, Rahatgaon Shegaon Road, Amravati, Maharashtra, India
• Hours: Mon-Fri, 10AM-6PM IST (excluding public holidays)

Acknowledgement: within 24 hours. Resolution: within 15 days.

15.2 Data Protection Officer (DPDPA)

A DPO will be appointed upon notification as a Significant Data Fiduciary under Section 10 DPDPA 2023. Until then, the Grievance Officer serves as DPDPA point of contact.

15.3 Data Protection Board of India

If dissatisfied, you may approach the Data Protection Board of India under the DPDPA 2023.

• General: admin@nearfo.com
• Privacy: admin@nearfo.com
• Grievance: admin@nearfo.com
• Postal: C/o Arpit Keaote, Rahatgaon Shegaon Road, Amravati, Maharashtra, India
• Website: nearfo.com

This Policy is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of competent courts at Mumbai, Maharashtra.