Who we are
Nervebase is a documentary intelligence platform operated by Saket Sanganeria, an individual proprietor based in Mumbai, Maharashtra, India, doing business as "Nervebase". References to "Nervebase", "we", "us" or "our" mean this proprietorship. References to "you" or "the customer" mean the business or individual that creates a Nervebase account and connects their data sources.
This policy explains what personal information and customer data we process when you use the Nervebase service available at https://nervebase.ai (the "Service"), how we handle data accessed through Google APIs, and the rights you have under the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable laws.
Scope of this policy
This policy covers data processed through the Nervebase Service, including data ingested from Google services (Gmail and Google Drive) under your authorisation. It does not cover websites, products or services operated by third parties that we link to or integrate with; those are governed by their own privacy policies.
Data we collect and process
Account information
When you create a Nervebase account we collect your name, business email address, organisation name, GSTIN (where provided), and authentication credentials. We use this information to create your account, provide the Service, and contact you about service-related matters.
Data accessed through Gmail
If you connect a Gmail inbox, you authorise Nervebase to access that inbox using the gmail.readonly scope of the Gmail API. We use this access only to:
- Detect new email messages that arrive in the inbox after you connect it.
- Read the metadata of those messages (sender, subject, received timestamp) and identify PDF attachments.
- Download PDF attachments that appear to be financial documents so they can be backed up to your Google Drive and processed by our extraction pipeline.
We do not read, store, or transmit the body text of your email messages beyond what is required to identify and download PDF attachments. We do not access messages sent before you connected the inbox unless you explicitly request a historical backfill. We never send email on your behalf and we do not request the gmail.send or gmail.modify scopes.
Data written to Google Drive
If you connect a Google Drive account, you authorise Nervebase to access that Drive using the drive.file scope of the Google Drive API. The drive.file scope grants access only to files that Nervebase itself creates inside your Drive — Nervebase cannot see, read, or modify any other file in your Drive.
Within that limited scope, we use the access only to:
- Create a top-level folder named "Nervebase" inside your Drive (the parent folder for all backups).
- Create year, month, and document-category subfolders within that parent folder.
- Upload PDF copies of documents captured from your connected Gmail inboxes or uploaded by you directly.
- Read back the files we created to verify successful upload, support search and retrieval, and serve PDFs to you when you query the Service.
Files uploaded to your Drive remain your property. You can revoke our access at any time, and you may delete the Nervebase folder from your Drive without affecting your Nervebase account (although doing so will limit the Service's ability to retrieve original PDFs).
Extracted document data
After a PDF is captured, we use AI to extract structured data fields from it — for example, vendor name, invoice number, GSTIN, invoice date, line items, tax components, and totals. This extracted data is stored in our database (hosted on Supabase, in the Mumbai, India region) so that you can search, filter, and analyse your documents.
Extracted data may include personal information about third parties named in your documents (for example, a vendor's contact name or a customer's address). We process this information solely to provide the Service to you, in our capacity as a data processor acting on your instructions.
Operational and audit data
We maintain logs of system events (document captured, document backed up, extraction completed, errors encountered) and an immutable audit trail of state changes for each document. These logs are used for operating the Service, debugging, security monitoring, and meeting our retention obligations. Personally identifying values inside the audit log are redacted after 90 days in line with our internal redaction policy.
Information we do not collect
We do not collect or process your Google account password, your Google Workspace contacts, your calendar, your Google Photos, or any Google service data outside the explicit scopes listed above. We do not use cookies or tracking technologies to build advertising profiles.
How we use Google user data
Nervebase's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use Google user data only to provide and improve the Service's user-facing features (capturing financial PDFs from Gmail, backing them up to your Drive, extracting and indexing their contents).
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features (for example, the AI extraction subprocessor described in Section 7), to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
- We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
- We do not allow humans to read Google user data except (a) with your explicit affirmative consent for specific messages or files, (b) when necessary for security purposes such as investigating abuse, (c) when necessary to comply with applicable law, or (d) where the data has been aggregated and anonymised and is used for internal operations.
Where data is stored
Nervebase application data and extracted document fields are stored in Supabase (PostgreSQL) infrastructure hosted in Mumbai, India (ap-south-1). PDF files are temporarily held in Supabase Storage for no more than sixty seconds while being uploaded to your Google Drive, after which the transit copy is deleted. The permanent home for your PDFs is your own Google Drive account, which you control.
AI extraction is performed by Azure OpenAI Service in Microsoft's India regions (Central India and South India). Document content sent to Azure OpenAI is not used to train Microsoft's or OpenAI's foundation models.
How long we keep data
Account information is retained for as long as your account is active and for up to 90 days after termination, after which it is deleted or anonymised. Extracted document data is retained for as long as you remain a customer; on termination, you may export your data, after which it is deleted within 30 days.
PDF files are not retained on Nervebase infrastructure beyond the brief transit window described above. Audit logs are retained for the period required to meet our security and compliance obligations, with personally identifying values redacted after 90 days.
Subprocessors
We use the following third-party subprocessors to operate the Service. Each is bound by contractual confidentiality and security obligations:
| Subprocessor | Purpose |
|---|---|
| Supabase, Inc. | Database, file storage (transit only), authentication |
| Microsoft Corporation (Azure OpenAI Service, India regions) | AI document classification and field extraction |
| Upstash, Inc. | Deduplication index (file hashes only, no document content) |
| Google LLC | Source data (Gmail) and customer-controlled storage destination (Drive). Customer holds the relationship. |
| Functional Software, Inc. (Sentry) & Axiom Systems, Inc. | Error and performance monitoring |
We will update this list before adding new subprocessors that have material access to customer data.
Sharing and disclosure
We do not sell personal information. We share data only with the subprocessors listed above (under contract), with your authorised users, with parties you explicitly direct us to share with, with professional advisers under confidentiality, and where required by law (with notice to you unless legally prohibited).
Security
We protect customer data using industry-standard technical and organisational measures, including encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, row-level security in our database, audit logging, and the principle of least privilege for engineering access. We require all employees and contractors to sign confidentiality agreements and complete security training. We notify affected customers of any personal data breach without undue delay and within the timelines required by applicable law.
Your rights
Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal information, to withdraw consent, to restrict or object to processing, and to lodge a complaint with a data protection authority. Customers in India have the rights set out in the Digital Personal Data Protection Act, 2023, including the right to nominate another individual to exercise rights on your behalf.
To exercise any of these rights, contact us at the address in Section 13. We will respond within the timeframes required by applicable law.
Revoking Google access
You can revoke Nervebase's access to your Gmail or Drive at any time by visiting myaccount.google.com/permissions and removing Nervebase. Revoking access will stop new captures and backups but will not delete data already processed; to delete that data, contact us as set out in Section 13 or delete your Nervebase account from the application settings.
Children
Nervebase is a business product and is not directed at individuals under 18. We do not knowingly process the personal information of children. If you believe we have inadvertently collected such information, contact us so we can delete it.
Contact us
Questions, requests, or complaints relating to this policy or your personal information can be sent to:
Saket Sanganeria, Proprietor
Email: info@nervebase.ai
Postal address: 1012, Signature Business Park, Postal Colony, Chembur, Mumbai 400071, Maharashtra, India
Grievance Officer (DPDP Act): Saket Sanganeria — reachable at info@nervebase.ai.
Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects when the current version became effective. Material changes will be notified to active customers by email or in-app notice at least 30 days before they take effect.