Trust & safety
Privacy Policy
Last updated: 7 May 2026 · Version 1.0 (draft) · Effective on legal review approval
1. Who we are
Nomira (“Nomira”, “we”, “us”) is a women-only solo-travel intelligence platform operated from India. As of the date above we are a pre-incorporation entity; once incorporation completes this policy will list the registered name and address. Our Resident Grievance Officer details are at /legal/grievance-officer.
2. What this policy covers
This policy applies to every personal data point we collect when you visit our website, create an account, submit content, make a purchase, or otherwise interact with the Nomira platform. It does not apply to third-party services we link to; those have their own policies.
3. What we collect
3.1 Account data
- Email address (required for sign-up and magic-link login)
- Phone number (required for verified-contributor status; SMS OTP only: we do not call you)
- First name and home city (optional, profile only)
- Selected username and avatar image (avatar uploaded to Supabase Storage bucket avatars)
3.2 Verification data
- Government ID + selfie photo uploaded as a single “selfie-with-ID” image (Aadhaar, passport, or driving license). Stored briefly in Supabase Storage bucket id-verification.
- Photo deletion on approval: when our human moderator approves a verification, the photo is immediately deleted from storage. We retain only a boolean flag (id_verified) on your profile and an audit-log entry of the moderator’s decision.
- We do not run automated biometric matching, liveness detection, or gender classification on this photo.
3.3 Content you submit
- Beware Board reports: photos, GPS coordinates, and venue links you attach. EXIF metadata is stripped on publication unless you explicitly opt in to keep it.
- Community posts and replies: the content you type plus a timestamp.
- Trip Vault documents (only if you opt in): booking confirmations, insurance, emergency contacts, ID scans you choose to upload. Encrypted at rest; never shared.
- Stay verifications: photos of accommodations you submit for the “verified stay” flag. Processed via Anthropic Claude API for consistency analysis (cross-border transfer to the United States; see Section 7).
3.4 Usage and analytics
- Page views, scroll depth, click events via PostHog (cookie-consent-gated; you can opt out via the footer).
- Affiliate-link click events to affiliate_clicks table — outbound merchant tracks the conversion separately.
- Server error data via Sentry. We strip request bodies and cookies; only error stack traces are retained.
3.5 Payment data
- We use Razorpay (India) and Stripe (international) for payments. We never see or store your card details, only a payment-status reference. Your billing data is governed by Razorpay’s and Stripe’s respective privacy policies.
4. Why we collect it (legal basis)
Under DPDP Act 2023 and GDPR, every collection has a basis:
- Contract: we cannot run an account-bound platform without your email; we cannot let you publish without verifying you are a woman.
- Consent: Trip Vault docs, optional analytics, EXIF retention, marketing email, location-tagging on Beware reports. You can withdraw consent any time without affecting past lawful processing.
- Legitimate interest: error logs, fraud detection on verification submissions, audit logs of moderator decisions. We balance these against your privacy and minimize retention.
- Legal obligation: moderation audit logs retained 180 days under IT Rules 2021; tax records retained as required by Indian tax law.
5. How we use it
- To run your account and let you sign in
- To verify you as a woman traveler before publishing
- To display your published content (Beware reports, community posts, intel cards) attributed to your chosen handle
- To moderate content against our Code of Conduct
- To send transactional email (verification approval, weekly digest if subscribed, password resets)
- To process membership payments (via Razorpay / Stripe)
- To improve the product (privacy-respecting analytics)
- To investigate and respond to grievances and abuse
6. Who we share it with
We share personal data with the following processors. We do not sell personal data to anyone, ever.
| Processor | What | Where |
|---|---|---|
| Supabase | DB, Auth, Storage | AWS Mumbai (ap-south-1) |
| Vercel | Hosting, Edge functions | Global edge |
| Resend | Transactional email | US-based |
| Anthropic | Stay-photo analysis (Claude API) | US-based |
| PostHog | Analytics (consent-gated) | US/EU |
| Sentry | Error tracking | US-based |
| Razorpay | Payments (India) | India |
| Stripe | Payments (international) | US/Ireland |
We have or will have a Data Processing Agreement with each processor before processing personal data. We disclose any new processor on this page within 30 days of integration.
7. Cross-border transfers
Some of our processors operate from outside India. Specifically: Anthropic (US) for stay-photo analysis; Resend (US) for email; Sentry, PostHog, Stripe (mixed jurisdictions). These transfers are necessary to provide the platform.
We rely on the standard contractual clauses and the processor’s adequacy frameworks where applicable. Once DPDP Act rules around cross-border transfer are notified, we will update this policy and our processor agreements within 90 days.
8. How long we keep it
- Account data: until you delete your account. On deletion, we run our purge process within 30 days.
- Verification photos: until human moderator decision. Deleted from storage upon approval. For rejected verifications, retained 30 days for fraud-prevention re-review, then deleted.
- Beware report photos: retained while the report is published. EXIF stripped before storage by default.
- Payment records: retained per Indian tax law (currently 8 years for invoice-related records).
- Moderation audit logs: retained 180 days minimum under IT Rules 2021, longer where retained for legal reasons.
- Server logs: 30 days, then automatically purged.
- Analytics: aggregate retained indefinitely; user-level data purged 90 days after collection.
9. Your rights
Under the DPDP Act 2023 (and GDPR / CCPA where applicable to you), you have the right to:
- Access a copy of the personal data we hold about you
- Correct any inaccurate data
- Erase your account and all associated data
- Port your data in a machine-readable format
- Withdraw consent for any consent-based processing
- Lodge a grievance with our Resident Grievance Officer or, on appeal, with the Grievance Appellate Committee under Rule 3A IT Rules 2021
- Nominate a person to exercise your rights in the event of your incapacity (DPDP Act §14)
You can exercise most rights from /settings (download data, edit profile, delete account). For requests we cannot complete from the UI, email privacy@nomira.in. We respond within 30 days, typically faster.
10. Children
Nomira is not intended for users under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, email privacy@nomira.in and we will purge the account within 7 days.
11. Cookies and similar technologies
We use cookies for:
- Strictly necessary: sign-in session, CSRF protection. These are always set; cannot be disabled.
- Analytics (PostHog): only set after you accept via the consent banner. Manage at /settings.
- Functional: locale, accessibility preferences. Set after consent.
We do not use third-party advertising cookies. We do not embed social-media trackers (no Meta Pixel, no Google Tag Manager retargeting).
12. Security
Personal data is encrypted in transit (HTTPS) and at rest (Supabase Postgres encryption). Verification photos are stored in a private bucket with row-level security policies preventing cross-user access. Access by staff is limited to admins and moderators; every access is logged. We will publish a security incident report within 72 hours of becoming aware of any breach that affects you, in line with DPDP Act §8(6).
13. International users
If you access Nomira from the European Economic Area, the UK, or California, additional rights and information apply under GDPR / UK GDPR / CCPA / CPRA. The substantive protections in this policy meet or exceed those baselines. To exercise any jurisdiction-specific right, email privacy@nomira.in and identify the framework you are invoking.
14. Changes to this policy
Material changes (adding a new processor, changing a retention period, narrowing your rights) are announced via email to all registered users at least 30 days before they take effect. Non-material changes (typo fixes, clearer wording) take effect on publication. The version date at the top of this page is authoritative.
15. Contact
Privacy questions: privacy@nomira.in
Grievance Officer (under IT Rules 2021): grievance@nomira.in
Postal: [Registered office to be added once Pvt Ltd registration completes]
This is a comprehensive draft prepared for legal review. Any deviations between this policy and our actual practices should be reported to privacy@nomira.in. On legal review approval, the “draft” marker is removed and the effective date is set.