1. Data controller
NomadPilot Technologies Pvt Ltd — Grievance Officer: Vikram Chawla, vc@nomadpilot.app. Response time: 30 days.
2. What we collect
- Account: Email, password hash, name, date of birth. Basis: contract. Retained until deletion.
- Traveller profile: Passport, nationality, EES fields, visa history, trips. Basis: contract. Retained 3 years.
- Payments: Order history only — Razorpay holds card data, we never store card numbers. Retained 7 years (tax law).
- Analytics (consent only): Anonymised page views, feature usage. Retained 12 months.
- Marketing (consent only): Email, destination interests. Retained until unsubscribe.
3. Third-party processors
- Supabase — database and authentication
- Vercel — hosting
- GROQ — AI (no personal data sent)
- Razorpay — payments (card data never touches our servers)
- Resend — email delivery
Data is stored in India (Supabase) and the EU (Vercel CDN).
4. Your rights
- Access / export: Email vc@nomadpilot.app
- Delete account: Account Settings → Delete Account (processed within 30 days)
- Withdraw consent: Cookie banner at bottom of page, anytime
- Complaints: Lodge with your local data protection authority
5. Cookies
Necessary (always on): Auth, CSRF, rate limiting.
Analytics + Marketing (consent required): Manage via cookie banner anytime.
6. Children
NomadPilot requires users to be 18+. We do not knowingly collect data from children. Compliant with DPDP (India) child data protection requirements.
7. Security
HTTPS/TLS in transit. Passwords hashed with bcrypt. Encryption at rest via Supabase. We do not sell your data. Breach notification within 72 hours.
8. Regional laws
GDPR (EU): Art. 6(1)(a)+(b). Rights under Art. 15–22.
CCPA (California): We do not sell data. Right to know, delete, opt out.
DPDP (India): Data fiduciary obligations met. Rights to access, correct, erase, port.
PIPEDA (Canada): Principle-based consent.
9. Contact
Email: vc@nomadpilot.app
© 2026 NomadPilot. All rights reserved.