Privacy Policy
How BossMa Studio Works collects, uses, and protects your personal information across all products and services.
Last Updated: April 14, 2026
1. Who We Are
BossMa Studio Works Private Limited (CIN: U62099KA2024PTC215560, PAN: AAOCB4124H), registered at Bengaluru, Karnataka, India ("BossMa", "we", "our", or "us") is the data controller and data fiduciary for all personal data collected through: bossma.in; NariBot (Paise Ki Saathi) via IVR, WhatsApp, SMS, and missed call; NariBot PaaS for institutional partners; NariBot WhatsApp Subscription for individual users; and any associated dashboards, APIs, or partner integrations.
This Privacy Policy is governed by the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and applicable international frameworks including the EU GDPR where relevant to non-resident users.
2. Data We Collect
2.1 Information You Provide Directly
| Category | Examples | Source |
|---|---|---|
| Identity data | Name, SHG name, district, state | Registration, IVR onboarding, trainer entry |
| Contact data | Mobile number (mandatory), WhatsApp number | Registration, missed call, WhatsApp opt-in |
| Livelihood data | Daily sales, product type, income, costs, surplus | Voice conversation, WhatsApp, SMS, Voice-to-Ledger |
| Financial profile data | SHG membership duration, loan history, scheme participation | Voice conversation, trainer input |
| Language preference | Preferred language for interaction | Auto-detected (BHASHINI) or user-selected |
| Consent records | Consent timestamp, channel, version accepted | DPDP-compliant consent flow at onboarding |
| Institutional data (PaaS) | Organisation name, contact person, billing details | Partner onboarding forms, contracts |
2.2 Information Collected Automatically
- Call metadata: duration, timestamp, caller ID, IVR response sequences
- WhatsApp message metadata (not content beyond what you send to NariBot)
- Website: IP address, browser type, pages visited, session duration (via cookies)
- API usage logs: request volume, response times, error rates (PaaS partners)
- NariScore computation inputs: aggregated ledger entries over rolling 180-day windows
2.3 Information We Do Not Collect
- Aadhaar numbers, PAN, or government identity documents unless separately consented for a specific service
- Bank account credentials or payment instrument details (processed by third-party gateways only)
- Biometric data
- Personal data of minors — NariBot is intended for adults (18+) only
3. Why We Use Your Data
| Purpose | Legal Basis (DPDP / GDPR) |
|---|---|
| Delivering NariBot livelihood guidance via voice, WhatsApp, SMS | Consent; Contract performance |
| Generating NariScore — 180-day credit-readiness profile | Explicit consent at onboarding |
| Producing Digital Aajeevika Register (DAR) ledger entries | Consent; Legitimate interest of partner organisation |
| Sending proactive guidance, scheme alerts, missed-call callbacks | Consent |
| Partner dashboards and DAR exports | Contract (PaaS agreement); Consent |
| Improving NariBot AI responses | Legitimate interest (anonymised/aggregated only) |
| Compliance, audit, and legal obligations | Legal obligation |
| Billing and subscription management | Contract performance |
| Security, fraud prevention | Legitimate interest; Legal obligation |
We do not sell your personal data. We do not use your livelihood or income data for targeted advertising.
4. Consent Under DPDP Act, 2023
In compliance with Section 6 of the DPDP Act: consent is obtained before data processing begins, at the start of every NariBot interaction, in the user's preferred language. Consent notices are clear, plain-language, and specific to each purpose. You may withdraw consent at any time by saying "band karo" during a call, messaging STOP on WhatsApp, or contacting privacy@bossma.in. Withdrawal does not affect the lawfulness of prior processing. For users onboarded by institutional partners, the partner obtains consent on our behalf under their Data Processing Agreement.
5. Data Sharing and Third-Party Processors
5.1 With Partner Organisations (PaaS Clients)
Institutional partners receive aggregated dashboards and DAR-format exports for their enrolled women. Individual data is shared only with the enrolling partner, under a signed Data Processing Agreement.
5.2 Technology Sub-Processors
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Google Cloud Platform (GCP) | Hosting, compute, Firestore database | India (asia-south1) |
| Supabase | Structured data storage (women, trainers, NariScore records) | India / migrating to Yotta Cloud India |
| Google Gemini (Vertex AI) | AI conversation engine, Voice-to-Ledger extraction | Google Cloud India region |
| BHASHINI (MeitY, Govt. of India) | ASR, TTS, translation in Indian languages | India (government infrastructure) |
| Samora AI | IVR telephony, WhatsApp delivery, SMS delivery | India |
| Razorpay (or equivalent) | Subscription billing | India |
5.3 Legal Disclosure
We may disclose personal data to law enforcement or regulatory authorities if required by applicable law or court order.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Voice conversation transcripts | 24 months from last interaction |
| NariScore records | 36 months from generation |
| DAR ledger entries | 60 months (NRLM reporting requirement) |
| Consent records | Duration of relationship + 5 years |
| Billing and subscription records | 8 years (GST and Companies Act) |
| Website analytics (anonymised) | 26 months |
| Deleted account data | 30 days then purged, except legally required records |
7. Your Rights as a Data Principal
- Right to access — request a summary of personal data we hold about you
- Right to correction — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your personal data (subject to legal retention obligations)
- Right to withdraw consent — at any time, for any consent-based processing
- Right to grievance redressal — raise a complaint with our Grievance Officer
- Right to nominate — nominate another to exercise your rights in case of death or incapacity
To exercise any right, contact privacy@bossma.in with your registered mobile number. We respond within 30 days. EEA users also have GDPR rights including data portability, restriction of processing, and right to object.
8. Security Measures
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption at rest for all databases containing personal data
- Role-based access controls — only authorised personnel access personal data
- Firebase Phone Auth OTP for trainer dashboard access
- Regular security reviews of GCP and Supabase infrastructure
- No storage of voice call recordings beyond transcript extraction
In the event of a personal data breach likely to result in risk to data principals, we will notify the Data Protection Board of India within 72 hours and affected users without undue delay.
9. Cookies
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly necessary | Session management, security | Session |
| Analytics (Google Analytics) | Anonymised traffic measurement | 26 months |
| Meta Pixel | Page view tracking for campaign measurement | 90 days |
You can opt out of analytics cookies via browser settings or our cookie banner. Strictly necessary cookies cannot be disabled without affecting site functionality.
10. Children's Data
NariBot is intended exclusively for adults (18+). We do not knowingly collect data from minors. If you believe a minor's data has been collected, contact privacy@bossma.in and we will delete it promptly.
11. Grievance Officer
Contact our Grievance Officer
Name: Madhavi Shapeti, Founder-Director & Grievance Officer
Email: privacy@bossma.in
Address: BossMa Studio Works Pvt. Ltd., Bengaluru, Karnataka — 560001
Response: Acknowledgement within 48 hours · Resolution within 30 days
If unsatisfied, escalate to the Data Protection Board of India once constituted under the DPDP Act, 2023, or to your local data protection authority.
12. Changes to This Policy
Material changes will be communicated via WhatsApp notification to active NariBot users, email to PaaS partner contacts, and a notice on bossma.in. The "Last Updated" date reflects the most recent version. Continued use after notification constitutes acceptance.