Privacy Policy

Last updated: 2026-05-05

In plain English

We're NRI Retire Wise. We make a retirement-planning tool for non-resident Indians. If you don't sign in, your plan stays in your browser and we never see it. If you sign in, we store your email and saved plans on Supabase so you can come back later. We use Stripe for billing and Resend to send transactional email. We don't sell your data, don't run advertising trackers, and don't share your plan with anyone unless you actively request an advisor referral. You can export everything we have on you and delete your account at any time from the Privacy center.

1. Who we are

NRI Retire Wise (referred to as "we", "us") is the controller of personal data described in this policy. For privacy questions, requests, or complaints, contact support@nriretirewise.com.

<<verify: full legal entity name and registered address — to be added during legal review>>

2. What personal data we collect

  • Account data — email address, display name (optional), authentication identifiers from Supabase.
  • Plan data — the retirement-planning inputs you enter: date of birth, gender, country of residence, country of retirement, household members' ages and locations, expense estimates, asset and liability balances, future income/expense expectations. Some of this is sensitive (e.g. dependent ages).
  • Billing metadata — Stripe customer and subscription identifiers. Card details are entered on Stripe-hosted pages and we never see or store them.
  • Communication preferences — whether you opted in to product updates / marketing emails.
  • Advisor referrals (optional) — if you actively request an advisor introduction, we record your email, your plan's zone (red/amber/green), monthly need, and FIRE target so the advisor can be matched.
  • Technical data — IP address and minimal request metadata as part of normal web-server operation. We do not store request logs beyond what our hosting provider retains.
  • Cookies — see the Cookie Policy for the full list.

3. How we collect it

  • Directly from you when you create an account, enter plan inputs, subscribe to Pro, or contact us.
  • Automatically through cookies and similar technologies (only the strictly-necessary ones, until you consent to more).
  • From our processors (Stripe, Supabase, Resend) when they process events on our behalf — e.g. a successful payment confirmation.

4. Why we process it and lawful basis (Art. 6 GDPR)

Purpose | Lawful basis
Provide the planner — sign-in, save, load plans | Performance of contract (Art. 6(1)(b))
Process Pro-tier payments + manage subscriptions | Performance of contract (Art. 6(1)(b))
Send transactional email (sign-in links, plan alerts you opted into) | Performance of contract / consent (Art. 6(1)(b)/(a))
Send marketing emails (only if you opted in) | Consent (Art. 6(1)(a)) — withdrawable any time
Functional / analytics / marketing cookies | Consent (Art. 6(1)(a))
Security, abuse prevention, fraud detection | Legitimate interests (Art. 6(1)(f))
Comply with tax / accounting / legal obligations | Legal obligation (Art. 6(1)(c))
Optional advisor referrals (only when you request one) | Consent (Art. 6(1)(a))

5. Who we share it with

We use a small number of processors. We sign data-processing agreements with each and only share what each one needs to do its job.

  • Supabase (database + authentication) — stores your account and plan data.
  • Vercel (hosting) — serves the application.
  • Stripe (payments) — processes Pro-tier subscriptions; handles all card data on its own infrastructure.
  • Resend (email) — delivers sign-in links and any plan alerts you've enabled.
  • Independent financial advisors — only if you actively request an advisor referral, and only the fields you explicitly submit.

We do not sell your data and do not share it with advertisers or data brokers.

6. International transfers and safeguards

Our processors operate globally. Where personal data is transferred outside your home jurisdiction, we rely on the safeguards each processor provides:

  • Supabase, Vercel, Stripe, Resend each publish their own GDPR / international-transfer terms (typically Standard Contractual Clauses for EU data).
  • <<verify: hosting region for the Supabase project — to be confirmed during legal review>>.

7. How long we keep it

  • Account data — until you delete your account, plus a 30-day grace period to recover from accidental deletion.
  • Plan data — until you delete the plan or your account.
  • Authentication / session logs — up to 12 months.
  • Billing records — retained for up to 7 years where required by tax / accounting law, even after you delete your account.
  • Email delivery logs (Resend) — typically 30 days, per Resend's policy.
  • Audit log of privacy actions — kept for as long as the corresponding account, then deleted with it (except where retention is legally required).
  • Advisor referrals — anonymised if you delete your account; commercial records of introductions may be retained as long as legally required.

8. Your rights

Under the EU/UK GDPR (and equivalent UAE, US-state, and other rights frameworks where applicable), you have the right to:

  • Access — get a copy of your data (we provide a one-click JSON export).
  • Rectification — correct inaccurate data via your profile settings.
  • Erasure — delete your account and personal data, subject to legal retention obligations.
  • Restriction — ask us to stop processing while a dispute is resolved.
  • Objection — opt out of marketing or other processing based on legitimate interests.
  • Portability — receive your data in a machine-readable format (the export is JSON).
  • Withdraw consent — at any time, without affecting processing already done.
  • Lodge a complaint — with your local supervisory authority (e.g. your national EU data-protection authority, the UK ICO, or the UAE Data Office).

Use the Privacy center to action most rights immediately, or email support@nriretirewise.com.

9. Cookies

We use only the cookies necessary to keep you signed in, plus any functional / analytics / marketing cookies you opt in to. Read the full Cookie Policy, or change your preferences any time via Cookie settings.

10. Children's data

NRI Retire Wise is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Security measures

We rely on industry-standard practices through our processors:

  • TLS encryption in transit for all connections to the application.
  • Encryption at rest for the Supabase database.
  • Row-level security so users can only ever read or modify their own records.
  • Stripe-hosted payment pages — card data never touches our infrastructure.
  • Magic-link / OAuth authentication; no password storage.

See SECURITY.md for our vulnerability-disclosure contact and process.

12. Changes to this policy

We may update this policy as the product, processors, or applicable laws change. Material changes will be flagged on the home page and / or via email if you have an account. The "Last updated" date at the top of this page tracks the latest revision. Continued use after a change constitutes acceptance of the updated policy.