Legal

Privacy Policy

Last updated: 2026-05-24

This is a representative draft. Final language is subject to review by legal counsel before any production launch.

Nrivana, Inc. ("Nrivana", "we", "us") provides a private cross-border financial view to customers ("you"). This policy describes how we collect, use, store, and share information when you use Nrivana.

1. What we collect

We collect the minimum information needed to operate the service:

  • Account identity from your sign-in provider. When you sign in with Google or Microsoft, we receive a stable user identifier, your email address, and a display name (where you have shared one).
  • Bank link tokens. When you connect a bank through our partner Plaid, we receive an encrypted access token for each linked institution. We store this token, encrypted, on our servers. We never receive or store your bank password.
  • Audit log of significant events. When you link or unlink an institution, we record a short event (timestamp, item identifier, institution name) for security and support purposes. This log is retained for one year.
  • Identity-verification details. If you submit KYC information, we validate the full values long enough to check the format and eligibility. We store only derived or masked values, such as the tax-ID last four, PAN last four, DOB year, and jurisdiction flags.
  • Product metadata you choose to provide. This includes preferences, virtual-bank waitlist email and interest, and tax-document metadata such as filename, year, tag, file type, and file size. File bytes are not stored until the separate document-storage flow ships.
  • Standard server logs. Our infrastructure provider (Cloudflare) records technical request information (timestamp, IP, request path) for fraud-prevention and reliability purposes.

2. What we do not store

We intentionally do not store:

  • Your bank passwords.
  • Your account balances, transaction history, account numbers, or account holder names on our servers. (Your browser may cache the most recent snapshot locally for instant display; this cache is cleared when you sign out.)
  • Payment card numbers (we are not in the cardholder data flow).
  • Full social security numbers, ITINs, PANs, full addresses, or full dates of birth. KYC submission uses them only to validate and derive the masked record described above.

3. How we use information

We use the information above only to:

  • Authenticate you and protect your account.
  • Re-fetch your account data from your bank on demand so you can see it in Nrivana.
  • Comply with legal and regulatory obligations.
  • Communicate with you about service issues, security disclosures, and significant changes to this policy.

4. Who we share with

We share information only with the small number of vendors who help us deliver the service:

  • Plaid, Inc. for bank account linking and data retrieval.
  • Google LLC (Firebase Authentication) for sign-in.
  • Cloudflare, Inc. for hosting, network protection, and encrypted storage of your bank link tokens.

We do not sell your information. We do not share it for advertising purposes. We may disclose information if compelled by valid legal process; in such cases we will, where lawful, notify you.

5. Where information is stored

Encrypted bank link tokens and audit events are stored on Cloudflare's global key-value infrastructure. Authentication identity is held by Google (Firebase). Bank account data itself is held by your banks and by Plaid; Nrivana retrieves it on demand and does not retain a server-side copy.

6. Encryption

All connections between your browser and Nrivana use HTTPS. Bank link tokens are encrypted with AES-256-GCM before being stored. The encryption key is held as a Cloudflare Worker secret and is rotated on a documented cadence.

7. Your rights

You can, at any time, from inside Nrivana:

  • Unlink any individual bank you have connected, which revokes the access token at Plaid and removes it from our storage.
  • Close your Nrivana account. This revokes every linked bank at Plaid, removes every stored bank-link token, marks the account closed, and writes a short deletion receipt for one year. Your ledger — audit events, KYC state, preferences, tax metadata, and deletion receipts — is retained so compliance records stay intact and you can reactivate later. Your sign-in identity is not removed by this soft-close flow.

Depending on where you live, you may have additional rights under local law (for example, GDPR or CCPA) — to access, correct, port, or object to processing of your information. Email privacy@nrivana.productexperts.cc to exercise any of these rights.

8. Children

Nrivana is not directed to children under 18. We do not knowingly collect information from anyone under 18.

9. Changes to this policy

If we make a material change to this policy we will notify you by email and update the "last updated" date above. Continued use of Nrivana after such a change constitutes acceptance of the updated policy.

10. Contact

Privacy questions: privacy@nrivana.productexperts.cc.