Privacy Policy

NerveBase Labs ("NerveBase", "we", "us") operates a document-intelligence platform that reads PDFs from cloud-storage folders you designate, extracts structured data, and makes it searchable for your team. This policy explains what we collect, why, how it's used, where it lives, and the controls available to you. Questions: support@nervebase.ai.

1. Information we collect

• Account data: email address, hashed password (Supabase Auth bcrypt), session tokens, IP address of sign-in events, and timestamps. If you sign in with Google, we receive your basic Google profile (email + name + Google account ID) and DO NOT receive your Google password.
• Google Drive integration: the Google account email of any Drive you connect, the OAuth refresh and access tokens (encrypted at rest with AES-256-GCM keyed off our application secret, never stored in plaintext), and the list of Drive folders you choose to watch (folder IDs + names + paths).
• Documents: PDFs that arrive in your watched folders. We store the file itself in Microsoft Azure Blob Storage (India region), plus extracted fields (vendor, date, amount, document type, line items) in a Postgres database hosted on Supabase. SHA-256 hashes of each file are kept for deduplication.
• Operational logs: request IDs, ingestion pipeline events, extraction-service traces, and error reports (Sentry). Logs are retained for 30 days then permanently deleted.
• Caches: dedup hashes and rate-limit counters in Upstash Redis (TTL ≤ 7 days).

We do not collect: payment card numbers (Early Access is free; no billing system yet), advertising identifiers, location data, or biometric data. We do not use cookies for advertising or third-party tracking — only first-party session cookies (Supabase Auth) and CSRF tokens.

2. Google API Services User Data Policy — Limited Use

NerveBase's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• User-facing features only. We use Google user data exclusively to provide and improve the user-facing features of NerveBase — ingesting your documents, extracting structured fields, returning answers to your own queries.
• No transfer except as needed. We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger/acquisition/sale of assets with appropriate notice.
• No advertising. We do not use Google user data for serving advertisements, including retargeting or personalised / interest-based ads.
• No human reading. NerveBase employees do not read your Google user data, except (a) with your explicit consent, (b) for security purposes (e.g. investigating abuse), (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymised.
• No use to train generalised AI/ML models. Your documents and extracted fields are not used to train any general-purpose AI/ML model. The extraction microservice calls Azure OpenAI under a zero-retention agreement: prompts and responses are not retained, logged, or used to improve the underlying models.

3. Google Drive scopes

We request the minimum scopes required for the feature you authorise:

• openid and email — for identity (so we know whose Drive you connected and can show the email on the Settings page).
• drive.file — during the verification test phase. Limited to files NerveBase creates; effectively means we read nothing existing in your Drive.
• drive.readonly — post-verification only. Lets us read the PDFs in the specific folders you explicitly designate via our folder picker. We never modify, move, share, or delete Drive files; we only read.

You can revoke our access at any time from your Google Account permissions page or from Settings → Sources inside NerveBase.

4. How we use your data

• To detect new documents in your watched folders (via Drive change webhooks plus a per-minute polling fallback).
• To download those documents into NerveBase's storage and run extraction (OCR + structured field detection).
• To answer questions you ask about your documents inside the app, returning citations to the source files.
• To send transactional emails (signup confirmation, password reset, support replies, account-deletion confirmations).
• To debug issues, monitor reliability, and detect abuse — using only anonymised request IDs and metadata, never the document contents.

5. Sub-processors

We use the following third-party services to operate NerveBase. Each has signed a Data Processing Agreement equivalent to the EU SCC; we audit them annually.

• Microsoft Azure (India region) — compute (Container Apps), object storage (Blob), AI extraction (Azure OpenAI under zero-retention agreement), Key Vault for secrets, ACR for images.
• Supabase (AWS ap-south-1) — Postgres database, authentication, transactional email SMTP.
• Upstash (AWS) — Redis cache for deduplication hashes and rate limits.
• Sentry (US) — error reporting and performance monitoring. Configured to scrub email addresses, file contents, and Authorization headers before transmission.
• Google LLC — only for the Google Drive and OAuth flows you yourself initiate.

6. Where your data lives

Primary data residency is in India (Azure Central India region and AWS ap-south-1 via Supabase). Sentry error logs may be processed in the United States. We do not transfer data to any other region. If we ever change data residency, we will email all account holders at least 30 days in advance.

7. Security

• All network traffic in transit uses TLS 1.2+.
• OAuth refresh tokens are encrypted at rest using AES-256-GCM with a per-connection AAD (Additional Authenticated Data). The encryption key lives in Azure Key Vault and never leaves the server.
• Database access is restricted by row-level security: a user can only read or modify rows belonging to their own company / workspace, enforced by thecompany_id JWT claim that the client cannot mutate.
• Service-principal credentials for cloud resources are rotated quarterly. CI/CD secrets are scoped to least-privilege service principals.
• We run automated dependency vulnerability scans on every pull request. Critical CVEs are patched within 7 days.

8. Retention & deletion

• Documents: kept until you delete them from NerveBase or until your account is deleted.
• OAuth tokens: kept until you disconnect the source or delete your account. Revoked at Google immediately on disconnect.
• Operational logs: 30 days, then irreversibly deleted.
• Caches (Redis): TTL ≤ 7 days, auto-purged.
• Account deletion: from Settings → Account, click Delete account. We process the request within 30 days (SLA) and email you when complete. You can also email support@nervebase.ai with a deletion request from your account email.

9. Your rights

Depending on where you live, you may have rights under the GDPR (EU/UK), the DPDP Act (India), the CCPA (California), or similar regimes. You can:

• Access your data — email us; we'll provide a JSON export within 30 days.
• Correct your data — most fields editable from Settings; otherwise email us.
• Delete your data — Settings → Account → Delete account, or email us.
• Object to processing — email us; we will pause your account.
• Lodge a complaint with your local data-protection authority.

10. Children

NerveBase is not intended for users under 18. We do not knowingly collect data from children. If you believe we have, email us and we will delete it within 7 days.

11. Changes to this policy

We will email all account holders at least 30 days before any material change to this policy. Non-material clarifications (typos, contact info) may be made without notice; we keep an effective-date stamp at the top of the page.

12. Contact

Privacy questions, data-access requests, or complaints: support@nervebase.ai.

NerveBase Labs · 1012, Signature Business Park, near Fine Arts, Chembur, Mumbai 400071, India.