Privacy Policy
Last updated: May 10, 2026
This Privacy Policy explains how Notwen, operated by [TODO: Legal Entity Name] ("Notwen", "we", "us", or "our"), with its registered office at [TODO: Registered Office Address], collects, uses, discloses, and safeguards personal data when you use the Notwen website, applications, and related services (collectively, the "Service"). It also describes the choices and rights you have. Please read it together with our Terms of Service.
1. Our Role and Yours
Notwen processes two distinct categories of personal data, and our role is different for each:
- Your data (account holder): When you sign up and use the Service, Notwen is the controller (data fiduciary under the Digital Personal Data Protection Act, 2023) of your personal data. This Policy describes how we handle it.
- Your clients' data (recipient data): When you upload client details or send invoices, contracts, or messages through Notwen, you are the controller (data fiduciary) of that data and Notwen acts as a processor on your behalf. You are responsible for the lawful basis, notice, and consent required for that processing under applicable law. The terms in this Policy and our Terms of Service together form the data-processing addendum that governs that processing.
2. Information We Collect
We collect personal data in the following categories:
- Identifiers and account information: name, email address, password (stored as a hashed value), profile picture, business name, country, and time zone. If you sign in with Google, we receive your name, email, and profile picture from Google.
- Business and financial data: invoices, contracts, client details, expenses, tasks, line items, tax identifiers (such as GSTIN, PAN, VAT), bank account information you choose to enter, currency preferences, and other records needed to provide the Service.
- Communications metadata: when you send invoices or other messages through the Service, we retain a log of each send including sender and recipient addresses, subject, message identifiers from our email provider, timestamps, delivery status, and the user who initiated the send. We retain a copy of the rendered message body for audit and dispute resolution.
- AI prompts and outputs: the text and data you submit to AI Features and the resulting drafts, classifications, recommendations, and summaries.
- Device and usage data: browser type, operating system, device identifiers, IP address, language, referring/exit pages, pages visited, features used, clicks, session duration, and crash and performance data.
- Cookies and similar technologies: see Section 14.
- Communications with us: the content of support requests, feedback, and survey responses, including any attachments you provide.
- Payment data: if you purchase a paid plan, our payment processor collects card or other payment-instrument details directly. We receive a transaction reference, a masked identifier, and billing address — we do not see or store full card numbers.
Sensitive personal data and information (SPDI). Some of the data above (passwords, financial information including bank-account details and payment-instrument information) is treated as SPDI under India's Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. We collect SPDI only with your consent, for the purposes set out in this Policy, and protect it using reasonable security practices.
3. Sources of Information
We collect personal data: (a) directly from you when you register, configure your Account, enter Content, communicate with us, or buy a Subscription; (b) automatically when you use the Service (cookies, server logs, analytics, error monitoring); and (c) from third parties you authorize, such as Google when you sign in with Google.
4. How We Use Your Information
We use your information to:
- Provide, maintain, secure, and improve the Service;
- Process your invoices, contracts, and financial data on your instructions;
- Transmit invoices, reminders, and contract emails to recipients you specify;
- Generate AI-powered financial insights, drafts, and recommendations (see Section 6);
- Send transactional communications (account verification, password resets, billing notices, security alerts, important Service updates);
- Provide customer support and respond to your requests;
- Maintain audit logs and communication metadata for dispute resolution and regulatory record-keeping;
- Detect, investigate, and prevent fraud, spam, abuse, and security incidents;
- Conduct internal analytics, research, and product development using de-identified or aggregated data;
- Comply with legal obligations and respond to lawful requests; and
- Enforce our Terms and protect our rights, property, or safety, and those of our users and third parties.
5. Lawful Bases for Processing
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under the GDPR (and equivalents):
- Performance of a contract — to provide the Service and process Subscriptions.
- Legitimate interests — to operate, secure, and improve the Service, prevent fraud and abuse, run analytics on aggregated data, and communicate about our products. We balance these interests against your rights and interests.
- Consent — for non-essential cookies, optional features, and where required by law. You may withdraw consent at any time.
- Legal obligation — to comply with tax, accounting, anti-fraud, anti-money-laundering, and other laws.
If you are in India, we process personal data under the Digital Personal Data Protection Act, 2023, primarily on the basis of your consent and for the legitimate uses recognised under that Act (such as performance of the Service you have requested, compliance with law, and security).
6. AI Features and Automated Decision-Making
Notwen uses AI to provide financial insights, invoice and contract drafts, expense categorization, cash-flow forecasts, email drafts, and similar recommendations ("AI Features"). Your business data (invoices, contracts, expenses, prompts, and selected metadata) may be processed by AI models, including third-party large-language models and machine-learning systems, to generate these outputs.
We do not use your data, or your clients' personal data, to train third-party AI models. Our AI sub-processors are contractually required to refrain from using your inputs for training. We may use de-identified, aggregated data to evaluate, monitor, and improve our Service and AI Features.
AI Features may produce inaccurate, incomplete, or biased output. AI output is informational only and is not legal, tax, financial, or accounting advice. You are required to review and verify every AI output before relying on it. The Service does not make decisions that produce legal or similarly significant effects on you solely by automated means; AI Features assist you but do not act without your initiation. If you would like to ask a human to review a particular AI suggestion, contact support@notwen.app.
7. Sharing and Disclosure
We do not sell your personal information or your clients' personal information, and we do not share it for cross-context behavioural advertising. We disclose data only to the following categories of recipients:
- Cloud hosting: Microsoft Azure hosts our application servers, databases, and file storage.
- Email delivery: Azure Communication Services transmits invoices, contracts, and notification emails on your behalf. Recipient email addresses, subject lines, and message bodies pass through this provider.
- AI processing: selected AI providers process specific inputs to generate insights and drafts. We require these providers to refrain from training on your data.
- Authentication: Google, when you choose to sign in with Google.
- Payment processing: our payment processor collects payment-instrument data directly to process Subscription payments.
- Analytics, error monitoring, and security: service providers that help us understand usage, identify bugs, and protect against abuse.
- Customer support and operations tools: tools that help us respond to your requests, manage tickets, and run our business.
- Professional advisors: auditors, accountants, lawyers, insurers, and consultants under confidentiality.
- Legal and regulatory: when required by law, regulation, court order, subpoena, or legitimate request from a public authority, or to protect rights, property, or safety.
- Business transfers: in connection with a merger, acquisition, financing, restructuring, or sale of assets, with reasonable notice to you.
- With your consent: for any other purpose disclosed to you and authorized by you.
All sub-processors are bound by written agreements imposing confidentiality and data-protection obligations consistent with this Policy and applicable law. We will give reasonable notice of material changes to our sub-processor list before they take effect; you may request the current list by emailing support@notwen.app.
8. International Data Transfers
Your data may be stored or processed in regions outside your country of residence, including data centers operated by Microsoft Azure. Where required by law, we rely on appropriate safeguards to protect cross-border transfers, such as the European Commission's Standard Contractual Clauses (with any required supplementary measures), the UK International Data Transfer Agreement / UK Addendum, the Swiss SCCs, and equivalent mechanisms. For transfers from India, we transfer personal data only to jurisdictions that are not restricted by the Central Government under Section 16 of the Digital Personal Data Protection Act, 2023, and apply contractual safeguards.
You may request a copy of the safeguards we use by emailing support@notwen.app.
9. Data Storage and Security
We implement reasonable administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS), encryption at rest, access controls, authentication, audit logging, vulnerability monitoring, periodic security reviews, and staff training. These practices are intended to comply with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and equivalent standards.
No method of electronic transmission or storage is fully secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for using strong, unique passwords.
Security incidents. If we become aware of a personal-data breach affecting you, we will notify you and the appropriate regulator (including the Data Protection Board of India under the DPDP Act and other authorities under applicable law) without undue delay and in accordance with the timelines required by law.
10. Data Retention
We retain personal data for as long as your Account is active and for the periods needed to provide the Service, comply with our legal obligations, resolve disputes, prevent abuse, and enforce our agreements. As a guide:
- Account profile and Content: for the life of your Account; deleted or anonymized within 30 days of Account closure, except as noted below.
- Communications metadata, message identifiers, and delivery status logs: up to 24 months for audit, deliverability, and abuse-prevention purposes.
- AI prompt and output logs: up to 12 months for safety, abuse-prevention, and quality monitoring.
- Billing and invoicing records (between Notwen and you): as required by tax and accounting law, typically up to 8 years from the end of the relevant financial year.
- Security logs and fraud/abuse records: as long as reasonably needed to investigate and prevent recurrence.
- Legal-hold or active-dispute data: until the matter is resolved.
- Backups: rolling backups overwrite older data within reasonable cycles after deletion from production systems.
- De-identified or aggregated data: may be retained indefinitely for analytics and improvement.
11. Your Rights
Subject to applicable law, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Request deletion or erasure of your data;
- Receive your data in a portable, machine-readable format;
- Withdraw consent for data processing;
- Object to or restrict certain processing;
- Opt out of marketing communications and certain analytics; and
- Lodge a complaint with a data-protection authority in your jurisdiction.
To exercise these rights, contact support@notwen.app. We will verify your identity (typically by validating control of the email associated with your Account) before acting on a request and respond within the timelines required by applicable law (generally within 30 days). If we deny a request, we will explain why and how you may appeal.
If you are a Recipient of a communication sent through Notwen and want to exercise rights over that data, please contact the Notwen user (the apparent sender) directly. They are the controller of that data; we will assist them in responding to your request.
12. India-Specific Rights (DPDP Act, 2023)
If you are in India, in addition to the rights above, you have the right to:
- Obtain a summary of personal data being processed and the activities undertaken with respect to that data;
- Nominate another individual to exercise your rights in the event of your death or incapacity;
- Withdraw consent at any time, with the same ease with which it was given;
- Have your grievances redressed by us before approaching the Data Protection Board.
To make a nomination or exercise any DPDP right, email our Grievance Officer at support@notwen.app.
13. EEA, UK, Switzerland, and U.S. State Rights
EEA, UK, and Switzerland. Under the GDPR and equivalent laws, you have the rights described in Section 11 and the right to lodge a complaint with the supervisory authority in your country of residence, work, or where the alleged violation occurred. We do not currently appoint an EU/UK representative; if this changes, we will update this Policy.
California (CCPA/CPRA). California residents may request access to, correction of, deletion of, and a portable copy of personal information; may opt out of "sale" or "sharing" (we do not sell or share for cross-context behavioural advertising); and may limit use of sensitive personal information. We do not discriminate against you for exercising these rights. You may designate an authorized agent to make a request, and you may appeal a denial by replying to our response. We honour Global Privacy Control (GPC) signals as a request to opt out of sale/sharing for the browser or device that sends the signal.
Other U.S. states. Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as those laws come into effect) have similar rights of access, correction, deletion, portability, opt-out of targeted advertising and profiling, and appeal of denied requests. To exercise these rights, contact support@notwen.app.
We do not currently respond to browser "Do Not Track" signals other than GPC.
14. Cookies and Similar Technologies
We use the following limited categories of cookies and similar technologies:
- Strictly necessary: session and authentication cookies and access tokens that let you sign in, stay signed in, and use the Service securely. These cannot be disabled without breaking the Service.
- Functional / preferences: local storage entries that remember your theme (light/dark), language, and similar preferences.
- Security: tokens used to protect against cross-site request forgery and abuse.
- Analytics (where enabled): first-party measurement to understand which features are used and to detect issues. We do not use third-party advertising, retargeting, or cross-site tracking cookies.
You can control cookies through your browser settings, including blocking or deleting them. Blocking strictly necessary cookies will prevent you from using the Service.
15. Marketing, Phone, and SMS Communications
We send transactional communications (such as account, security, and billing notices) that are necessary to provide the Service; you cannot opt out of these while you have an Account. If we send you marketing emails, each will include an unsubscribe link, and we will honour your choice. If you provide a phone number, we may use it for transactional purposes (such as security alerts). Where we send marketing SMS, we will obtain any required consents, and you can opt out by replying STOP. We comply with applicable telecom and anti-spam laws (including India's TRAI regulations, the U.S. CAN-SPAM Act and TCPA, and the EU ePrivacy Directive).
16. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it. Where applicable law requires verifiable parental consent for processing of children's data, we will not knowingly process such data without that consent.
17. Account Holder Death or Incapacity; Nomination
Account access is personal to the Account holder. Under the DPDP Act, you may nominate another individual to exercise your data-protection rights in the event of your death or incapacity by sending a written request to our Grievance Officer that identifies the nominee and includes appropriate proof of identity and authority. We may require additional documentation (such as a death certificate, succession certificate, court order, or probated will) before granting any access or honouring any request. Notwen has no obligation to identify or locate potential successors and is not responsible for the legal sufficiency of documents you provide.
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will revise the "Last updated" date at the top of this page. If a change is material, we will give you reasonable advance notice (typically by email or in-app notice). Please review this Policy periodically.
19. Grievance Officer and Contact
If you have questions, concerns, or complaints about this Policy or our handling of personal data, please contact support@notwen.app.
In compliance with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000 (and rules thereunder), our Grievance Officer is:
- Name: [TODO: Grievance Officer Name]
- Designation: [TODO: Designation]
- Email: support@notwen.app
- Address: [TODO: Registered Office Address]
We acknowledge grievances within 48 hours and aim to resolve them within one month of receipt, in accordance with applicable law.