01I. Categories of personal data collected
Upon authentication via the Google OAuth provider, the operator receives the data principal's electronic-mail identifier and full name. In the course of using the service, the following further categories of data are stored:
- The credit balance and prevailing plan status of the data principal
- Records of payment transactions effected through the Razorpay gateway
- Records of redemption of any coupon issued by the operator
- Reservations, namely credits temporarily withheld for batches in flight
- Entries in the audit log evidencing administrative actions on the account
The operator does not collect the telephone number, postal address, payment-instrument particulars, government-issued identifiers, or any data emanating from the data principal's computer save those tabs of the eMBook portal to which the extension is expressly directed.
02II. Purposes of collection
The aforesaid categories are collected for the sole purpose of furnishing the SaaS service: namely, the gating of automation by credit, the processing of payments through Razorpay, and the discharge of financial-records retention obligations imposed by the Reserve Bank of India and other applicable regulators.
No personal data is sold, brokered, or shared for the purpose of advertising. The operator carries on no advertising business and offers no aggregated-data product.
03III. Treatment of spreadsheet content
The operator does not retain the content of the spreadsheet templates uploaded by the data principal.
The extension parses the .xlsx file in question on the client side, by means of the SheetJS library, within the data principal's own browser. Only the count of rows and those asset-values which, in real time, are being entered into the eMBook page traverse the DOM automation. No part of the file, its rows, or its measurements is transmitted to the operator's servers.
Measurement data, project identifiers, contractor identifiers, and any further content of the data principal's spreadsheets shall remain upon the data principal's own machine.
04IV. Payment processing
Payments are processed by Razorpay Software Private Limited. Upon the purchase of credits, the particulars of the payment instrument — namely card number, UPI identifier, and bank credentials — are handled by Razorpay alone. The operator does not at any time observe such particulars.
From Razorpay the operator receives, and stores, the payment identifier, the amount paid, the credits issued, and the transaction status. The privacy policy of Razorpay is available at razorpay.com/privacy.
05V. Use of cookies
The operator sets strictly-necessary authentication cookies, by means of the Supabase SSR client (@supabase/ssr), for the sole purpose of maintaining the data principal's session.
No analytics cookie, advertising tracker, or third-party profiling cookie is set by the operator. No banner of consent is presented in respect thereof, the cookies in question being exempt from the requirement of consent under §7(d) of the said Act.
06VI. Rights of the data principal
Pursuant to the Digital Personal Data Protection Act, 2023, the data principal shall have the following rights, exercisable in the manner indicated:
- Right of access — by means of a JSON export downloadable from the account page;
- Right of rectification — by application to the administrative support of the operator;
- Right of erasure — by self-service deletion at the account page, subject to a grace period of thirty (30) days prior to permanent anonymisation;
- Right of withdrawal of consent — by deletion of the account;
- Right of grievance redressal — by application to the Data Protection Officer (vide §VIII below).
07VII. Retention
Records of transactions are retained for the discharge of regulatory audit obligations. Entries of the audit log are retained indefinitely, in conformity with the operator's HARD-13 invariant, to the end that administrative actions remain accountable.
Upon deletion of the account, the name and electronic-mail identifier of the data principal shall be expunged thirty (30) days thereafter, and replaced by a deterministic placeholder of the form deleted-{uuid}@purged.invalid. Records of transactions and audit entries shall be retained for compliance, the personal identifiers having been removed.
08VIII. Office of the Data Protection Officer
Communications relating to data protection, or for the exercise of any right enumerated above, may be addressed to the Data Protection Officer at support.emb@axynerp.com, or by way of the contact page.
A substantive response shall be furnished within thirty (30) days as prescribed by the said Act.