Nexback Privacy Policy

Privacy Policy

Last Updated: 12/12/2025

This Privacy Policy explains how Nexback Technology Pvt. Ltd. (“Nexback”, “we”, “us”, or “our”) collects, uses, stores, and protects client information while providing the Review Management System and related services. By using our services, you consent to the data practices described in this policy.

1. Information We Collect

We collect only the information necessary to process purchases, deliver purchased reviews, generate invoices, and manage client accounts.

1.1 Client Purchase Data

• Selected product
  
  

• Brand / Model
  
  

• Quantity of reviews purchased
  
  

• Location filters (State, District)
  
  

• Demographic filters (Age Range, Gender)
  
  

1.2 Contact & Business Information

Collected via the Client Information Form or during purchase:

• Company Name
  
  

• Contact Number
  
  

• Email ID
  
  

• Type of Entity (company type / structure)
  
  

1.3 Payment Information

We do not store card numbers, UPI PINs, bank credentials, or any sensitive payment data.

All payment processing is handled by our payment partner Razorpay. We receive only:

• Payment status (Success / Failure)
  
  

• Order ID
  
  

• Payment ID
  
  

• Razorpay signature
  
  

• Transaction metadata
  
  

1.4 Account & Authentication Data

• Email address
  
  

• Encrypted (hashed) password
  
  

• Auto-generated password for first-time clients (sent via secure transactional email)
  
  

• Login tokens (JWT) stored in cookies or via API
  
  

• Permanent and temporary review-access tokens
  
  

1.5 Usage & Review Access Data

When a purchase is processed, we store:

• Filters used
  
  

• Purchased review IDs
  
  

• Review quantities and purchase history
  
  

• Access tokens (temporary and permanent)
  
  

1.6 Invoice & Billing Records

For each successful payment:

• Invoice details
  
  

• Invoice PDF stored securely on AWS S3
  
  

• Billing metadata (amount, date, reference IDs)
  
  

1.7 Automatic Logs & System Data

Our servers automatically log:

• API request metadata
  
  

• Errors
  
  

• Webhook validation events
  
  

• Authentication attempts
  
  

• Payment processing results
  
  

These logs may contain:

• Email IDs
  
  

• Order IDs
  
  

• Filter metadata
  
  

Logs are used solely for debugging, fraud prevention, and operational monitoring.

2. How We Use Your Information

We process collected data for the following purposes:

2.1 Service Provision

• Generating review sets based on applied filters
  
  

• Preventing duplicate review delivery
  
  

• Displaying previously purchased reviews (“Existing Reviews”)
  
  

• Managing review access through permanent and temporary tokens
  
  

2.2 Account Management

• Creating user accounts
  
  

• Providing secure login access
  
  

• Sending auto-generated passwords to new clients
  
  

• Enabling password reset functionality
  
  

2.3 Payment & Billing

• Creating Razorpay orders
  
  

• Processing and verifying payments
  
  

• Validating Razorpay signatures
  
  

• Handling Razorpay webhooks
  
  

• Generating PDF invoices and sending them via email
  
  

• Storing invoices on AWS S3 for future access
  
  

2.4 Communication

We send transactional emails only, including:

• Order confirmations
  
  

• Payment verification
  
  

• Invoice delivery
  
  

• Password creation and reset emails
  
  

• Review access links
  
  

We do not send promotional or marketing emails without explicit client consent.

2.5 Security & Fraud Prevention

• Token-based authentication (JWT)
  
  

• Signature validation
  
  

• Anti-duplicate review checks
  
  

• Logging and monitoring for anomaly detection
  
  

3. Cookies & Authentication Tokens

We use httpOnly cookies to store a client_token for secure authentication.

Cookies are used to:

• Authenticate returning clients
  
  

• Maintain login sessions
  
  

• Provide access to purchased reviews
  
  

Cookies contain JWT tokens only, not passwords or sensitive personal data.
Disabling cookies may limit or prevent certain features from functioning.

4. Data Storage, Hosting, and Security

4.1 Databases

Client data is stored in MongoDB Atlas, featuring:

• Encryption at rest
  
  

• Encryption in transit
  
  

• Automatic backups
  
  

• Cluster-level security controls
  
  

4.2 File Storage

Invoices and generated PDFs are stored on Amazon AWS S3 using:

• Private buckets
  
  

• Access control policies
  
  

• Secure, temporary access URLs
  
  

4.3 Password Security

Client passwords are:

• Hashed and salted using industry-standard algorithms
  
  

• Never stored or transmitted in plain text
  
  

• Auto-generated for new users and delivered securely via email
  
  

We use short-lived and long-lived authentication tokens that automatically expire based on their intended purpose.

4.4 Token Security

Permanent and temporary tokens use:

• JWT signing
  
  

• Expiration controls
  
  

• Token-type enforcement
  
  

4.5 Data Retention

We retain:

• Purchase history
  
  

• Invoice records
  
  

• Review access logs
  
  

• Payment metadata
  
  

As required for:

• Auditing
  
  

• Tax and financial compliance
  
  

• Fraud prevention
  
  

5. Third-Party Disclosure

We do not sell or trade your personal information.

We may share information only with:

5.1 Payment Processor (Razorpay)

Transaction data required for payment processing and verification.

5.2 Cloud & Infrastructure Providers

Including:

• MongoDB Atlas (database hosting)
  
  

• AWS S3 (invoice storage)
  
  

• Email service providers (transactional emails)
  
  

All third parties comply with applicable security and privacy standards.

5.3 Legal Requirements

We may disclose data when required by:

• Law enforcement agencies
  
  

• Court orders
  
  

• Regulatory authorities
  
  

6. Client Rights

6.1 Access

Clients may view:

• Historical purchase data
  
  

• Previously purchased reviews (“Existing Reviews”)
  
  

6.2 Correction

Clients may request updates to:

• Company Name
  
  

• Contact Number
  
  

• Email ID
  
  

6.3 Account Deletion

Clients may request account deletion.
Certain data may be retained where legally required for:

• Billing
  
  

• Tax audits
  
  

• Fraud prevention
  
  

6.4 Password Updates

Clients may request:

• Password reset
  
  

• Custom password setup
  
  

7. Data Protection & Compliance

We follow industry-standard security practices, including:

• Encrypted databases
  
  

• Hashed passwords
  
  

• Secure token-based authentication
  
  

• PCI-compliant payment processing (via Razorpay)
  
  

• Restricted internal access controls
  
  

While we implement strong safeguards, no system is 100% secure.
Clients are responsible for maintaining password confidentiality.

8. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.
Continued use of our services constitutes acceptance of the updated policy.

9. Contact Information

For privacy concerns, data correction requests, or account deletion requests, contact:

📧 nexback2025@gmail.com

Legal Disclaimer

This document is provided for informational and planning purposes only and does not constitute legal advice. You must consult a qualified legal professional to draft, review, and finalize your Privacy Policy and Terms & Conditions to ensure compliance with all applicable laws in your operating jurisdiction.