1 Information We Collect
We collect information necessary to provide, secure, and improve our eSign services. This includes:
| Category | Examples | Source |
|---|---|---|
| Identity Data | Full name, Aadhaar number, PAN, date of birth, photograph | Provided by you during onboarding |
| Contact Data | Email address, mobile number, postal address | Provided by you or your organisation |
| Verification Data | OTP sessions, biometric face-match results, liveness scores | Generated during E-sign sessions |
| Document Data | Signed documents, metadata, timestamps, IP addresses | Created during signing workflows |
| Technical Data | IP address, device type, browser, OS, session logs | Collected automatically via our platform |
| Usage Data | Pages visited, features used, workflow completion rates | Cookies and analytics |
| Transaction Data | Billing details, payment history, subscription plan | Provided during service procurement |
We do not store raw Aadhaar biometric data. Biometric verification is performed in real time through UIDAI-approved APIs and results are discarded immediately after the session.
2 How We Use Your Information
We use collected information for the following purposes:
- Service Delivery: To process E-sign requests, authenticate identities, and complete document workflows.
- Compliance & Audit: To maintain tamper-proof audit trails as required by the IT Act, 2000 and UIDAI/RBI regulations.
- Security & Fraud Prevention: To detect and prevent unauthorised access, identity fraud, and platform abuse.
- Customer Support: To respond to queries, resolve disputes, and provide onboarding assistance.
- Platform Improvement: To analyse usage patterns, fix bugs, and enhance product features.
- Marketing Communications: To send product updates or promotional offers — only with your explicit consent.
- Legal Obligations: To comply with applicable laws, court orders, or regulatory directives.
We do not sell your personal information to any third party.
3 Legal Basis for Processing
Our processing of personal data rests on one or more of the following grounds under applicable data-protection laws (including the Digital Personal Data Protection Act, 2023):
- Consent: You have given explicit consent (e.g., Aadhaar OTP verification, marketing emails).
- Contractual Necessity: Processing is required to perform a contract with you or your organisation.
- Legal Obligation: We are required by law to process certain data (e.g., audit logs, KYC records).
- Legitimate Interests: We have a legitimate interest in fraud prevention, platform security, and service improvement.
4 Data Sharing & Disclosure
We do not sell, rent, or trade your personal data. We may share your information only in the following limited circumstances:
- UIDAI / Government APIs: Aadhaar-based verification is processed through UIDAI-approved Authentication Service Agencies (ASAs/AUAs) as legally mandated.
- API Partners & Integrations: Data is exchanged only as necessary to complete your workflow (CRM, LOS, or banking platform).
- Sub-processors: Trusted cloud and infrastructure providers (AWS — India region) bound by strict data-processing agreements.
- Legal Authorities: When required by law, court order, or a regulatory authority including RBI, SEBI, or UIDAI.
- Business Transfers: In a merger or acquisition, data may be transferred subject to the same privacy protections.
5 Data Security
We implement industry-leading security measures to protect your personal data:
- Encryption: All data in transit uses TLS 1.2+ and at rest uses AES-256.
- Access Controls: Role-based access control (RBAC) restricts sensitive data to authorised personnel only.
- Infrastructure: VPC isolation, network firewalls, and DDoS protection on all environments.
- Compliance Standards: Platform aligned with ISO 27001 security management standards.
- Data Residency: All personal data is stored within India unless otherwise agreed in writing.
- Penetration Testing: Regular third-party security audits and vulnerability assessments.
- Watermarking: Signed documents carry tamper-evident watermarks and unique transaction IDs.
While we take every reasonable measure, no system is entirely infallible. In the event of a data breach affecting your rights, we will notify you in accordance with applicable law.
6 Data Retention
We retain personal data only as long as necessary to fulfil the purposes outlined here or as required by law:
| Data Type | Retention Period |
|---|---|
| Aadhaar OTP session data | Deleted immediately after session ends |
| Biometric face-match results | Not retained; processed in real-time only |
| Signed documents & audit trail | 7 years (IT Act, 2000) |
| Customer account data | Duration of contract + 3 years |
| Transaction & billing records | 8 years (GST/tax compliance) |
| Marketing consent records | Until consent is withdrawn |
After the retention period expires, data is securely deleted or anonymised using industry-standard methods.
7 Your Rights
Subject to applicable laws, including the Digital Personal Data Protection Act (DPDPA) 2023, you have the following rights:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion where data is no longer necessary, subject to legal retention requirements.
- Right to Withdraw Consent: Withdraw consent for marketing communications at any time, without affecting prior processing.
- Right to Grievance Redressal: Lodge a complaint with our Data Protection Officer or the Data Protection Board of India.
- Right to Nominate: Nominate an individual to exercise your rights in case of incapacitation or death, as permitted under DPDPA 2023.
To exercise any right, contact info@nextbigbox.io. We will respond within 30 days of receiving a verified request.
8 Cookies & Tracking
Our website uses cookies and similar technologies to enhance your experience and analyse usage:
- Essential Cookies: Required for authentication and session management. Cannot be disabled.
- Analytics Cookies: Help us understand how users interact with our platform (e.g., Google Analytics). Collected anonymously.
- Marketing Cookies: Used for targeted advertising on third-party platforms. Active only with your consent.
You may manage cookie preferences through your browser settings or our cookie consent banner. Declining non-essential cookies will not affect access to core features.
9 Third-Party Services
Our platform may link to third-party websites or integrate with external services that operate under their own privacy policies. We are not responsible for their data practices. Key third-party integrations include:
- UIDAI Authentication APIs (Aadhaar e-KYC and eSign)
- Payment gateways for billing (e.g., Razorpay)
- Cloud infrastructure providers (AWS India / Azure India)
- Telecom partners for OTP delivery
10 Children's Privacy
Our Services are intended for businesses and adults aged 18 and above. We do not knowingly collect personal data from individuals under 18. If we become aware that a minor's data has been collected, we will promptly delete it. Please contact info@nextbigbox.io if you believe this has occurred.
11 Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify registered users via email or an in-platform notification.
- Post a prominent notice on our website for at least 30 days.
Your continued use of our Services after any update constitutes acceptance of the revised Policy.
12 Contact Us
For questions, concerns, or requests about this Privacy Policy or our data practices, please contact our Data Protection Officer:
Hari Vihar, Kakrola, New Delhi 110078