Privacy Policy
How NepFI collects, uses, stores, and protects personal data when you use our website, create an account, or sign in with Google.
Last updated: 24 June 2026
1. Introduction
NepFI ("we", "us", or "our") operates the NepFI platform, including the public website, accounts service, customer dashboard, and product workspaces. This Privacy Policy explains what personal data we process, why we process it, and the rights available to you under applicable law, including the EU General Data Protection Regulation (GDPR) where it applies.
Data controller: NepFI, Delaware, United States (and global operations). For privacy enquiries contact hello@nepfi.com.
2. Information we collect
We collect information you provide directly, information generated when you use NepFI, and limited information from third-party sign-in providers.
- Account data: name, email address, password hash, locale and security preferences.
- Authentication data: session identifiers, device metadata, IP address, and security logs.
- Google Sign-In data: when you choose Google, we receive your Google account identifier, name, email address, and profile picture URL from Google. We do not receive your Google password.
- Product usage data: workspace activity necessary to operate features you enable (for example portfolio holdings, ledger entries, or payroll records you enter).
- Support and communications: messages you send to us and records of support requests.
- Technical data: browser type, operating system, request timestamps, and diagnostic logs collected for security and reliability.
3. Legal bases for processing (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Contract: to create and administer your account and provide the services you request.
- Legitimate interests: to secure the platform, prevent fraud, improve reliability, and understand aggregate usage — balanced against your rights.
- Consent: for optional marketing communications and non-essential cookies where required. You may withdraw consent at any time.
- Legal obligation: to comply with tax, accounting, anti-money-laundering, or lawful requests from authorities.
4. Google Sign-In
If you register or sign in with Google, Google provides us with basic profile information according to the permissions you approve on Google's consent screen. We use that information only to authenticate you, populate your NepFI profile, and communicate service-related notices.
Google's use of information collected through Google Sign-In is described in Google's Privacy Policy (Google's Privacy Policy). NepFI does not sell Google user data and does not use Google user data for advertising profiles.
- You can disconnect Google Sign-In by contacting support or, where available, removing the linked provider in account settings.
- If you revoke NepFI's access in your Google Account permissions, you may need another sign-in method to access NepFI.
7. International transfers
NepFI is operated from Global. If you access NepFI from the European Economic Area, United Kingdom, or other regions with data-transfer rules, we implement appropriate safeguards such as Standard Contractual Clauses with subprocessors where required.
8. Data retention
- Account data is kept while your account is active.
- After account deletion, we remove or anonymise personal data within 30 days, except where longer retention is required for legal, security, or billing records.
- Security and audit logs may be retained for up to 12 months.
9. Your rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated personal data.
- Restrict or object to certain processing.
- Receive a portable copy of data you provided.
- Withdraw consent where processing is consent-based.
- Lodge a complaint with your local data protection authority.
To exercise these rights, email hello@nepfi.com or delete your account from MyAccount settings. For product support, email support@nepfi.com. We respond within 30 days.
10. Security
We use encryption in transit (TLS), encryption at rest for sensitive credentials, access controls, and audit logging. No method of transmission over the Internet is 100% secure; we continuously improve our safeguards.
11. Children's privacy
NepFI is not directed to children under 16. We do not knowingly collect personal data from children. Contact us at hello@nepfi.com if you believe a child has provided personal data and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version on this page with an updated date. Material changes will be notified by email or in-product notice where appropriate.
13. Contact
Questions about this Privacy Policy: hello@nepfi.com. Postal address: NepFI, Delaware, United States (and global operations).