NamoID

Privacy Policy

Effective 2026-06-22

We wrote this to be read, not just filed away. It covers what we collect, why we collect it, and what you can do about it. If anything here is unclear, just email us and we’ll explain it like a person.

NamoID is operated by PolyMindsLabs Pvt. Ltd. For this website and for NamoID customer accounts, PolyMindsLabs Pvt. Ltd. is the Data Fiduciary.

Two kinds of user

If you signed up at namoid.in to use NamoID for your own application, you're a customer and we're your Data Fiduciary.

If you signed into someone else's app via NamoID, you're an end-user. The controlling privacy policy is the one published by that app. We process your data on their behalf.

What we collect

From customers: account email, full name, hashed password, MFA enrolment metadata, your org / project / OAuth-client configurations, login history, audit events.

From end-users signing into customer apps: identifiers (email/phone), profile fields the customer asked for (name, DOB, ToS acceptance), authentication credentials (WebAuthn public keys, encrypted TOTP secrets, backup-code hashes), provider links (encrypted upstream tokens), consent records, session metadata.

For Aadhaar offline-KYC we store only the masked number (last 4 digits + name hash + signature-verification result). Never the full 12-digit Aadhaar number, never the full XML, never your photograph.

Why we collect it (§5)

We process each category of personal data for a specific, limited purpose:

Data | Purpose
Email, name, password hash | Authenticate you and secure your account.
MFA / passkey credentials | Provide strong, phishing-resistant sign-in.
Org / project / client config | Run the service you set up.
Login history, audit events | Security, fraud investigation, and DPDP audit obligations.
End-user identifiers + profile fields | Sign users into the customer app they chose.
Consent records | Prove lawful basis and honour withdrawal.
Demo-booking / enquiry details | Respond to your request and follow up.

Where the data lives

NamoID stores user data in a single in-country (India) region, and our self-hosted PostHog analytics stays within our own infrastructure, so no third-party analytics vendor receives your data. Some processing necessarily reaches servers outside India, in each case limited to what the feature needs:

  • Social login. Clicking "Continue with Google / GitHub / LinkedIn" sends the OAuth handshake to their (US-based) servers; the profile returns in-country.
  • OTP & phone verification. Depending on the channel your customer enables (SMS, WhatsApp, or Truecaller), message delivery and number lookup may use providers located outside India.
  • Booking a demo. Opens Calendly (US-based), which processes the name, email, and scheduling details you enter.

We transfer personal data outside India only as permitted under §16 of the DPDP Act and only to deliver the feature you or your customer chose.

Who we share with

  • The customer whose app you signed into: the fields you consented to at sign-in.
  • Cloud hosting (in-country region).
  • Managed transactional email + SMS providers, for sending OTPs.
  • Upstream OAuth providers: only what you authorise at their consent screen.
  • DigiLocker / UIDAI, only when you initiate KYC.
  • Calendly (US), if you book a demo: it receives the contact and scheduling details you submit on their booking page, under their own privacy policy.
  • Law enforcement, when compelled by valid Indian legal process.

We don't sell your data, ever. We run no advertising or cross-site tracking cookies. The only analytics we use is PostHog, self-hosted, and anonymous by default (details below).

Cookies

We set a small number of strictly-necessary cookies so the dashboard and hosted-login flow can sign you in: an HttpOnly session cookie, a CSRF token, and a hosted-flow state cookie that lives for the duration of an OAuth handshake. None of these are used for tracking; all are first-party.

For product analytics we use PostHog, self-hosted on our own infrastructure, so no third-party analytics vendor receives your data. By default it runs cookieless and anonymous: it sets no cookies, stores no personal data, and isn't tied to your identity, so there's nothing to consent to. If you accept the cookie banner, we additionally store a single first-party analytics cookie so we can recognise repeat visits and improve the product. Decline, or use the Cookie preferences control, and analytics stays fully anonymous. We never enable session recording.

How long we keep it

  • Cookie-consent choice: in your browser until you clear it.
  • Server / access logs: up to 90 days, then deleted.
  • PostHog analytics events: up to 12 months, then purged from our self-hosted instance.
  • Demo-booking and email enquiries: until the enquiry is resolved, or 24 months, whichever comes first.
  • Grievance correspondence: 3 years, for regulatory record-keeping.
  • Customer and end-user account data: for the life of the account. On deletion we soft-delete immediately and hard-delete after 30 days (DPDP §8(7)).

Children's data (§9)

We do not knowingly collect personal data from anyone under 18, except where a customer has enabled NamoID's parental-consent gate. Where that gate is enabled, we process a child's data only after verifiable parental consent (for example, via a DigiLocker-verified guardian). We do not carry out behavioural tracking, profiling, or targeted advertising on any user identified as a child, consistent with §9 of the DPDP Act.

Data breach notification (§8(6))

If a personal data breach affects your data, we will notify the Data Protection Board of India and the affected individuals without undue delay and in the manner prescribed by the Board, consistent with §8(6) of the DPDP Act. For breaches affecting an end-user of a customer's app, we notify the customer (the Data Fiduciary) so they can inform their users.

Your rights (DPDP §§11–14)

  • Access (§11): ask what personal data we hold about you and how we use it.
  • Correction & erasure (§12): correct, complete, or delete your data. We pass corrections on to anyone we shared the data with, and erasure cascades to our data processors.
  • Grievance redressal (§13): raise a complaint with our grievance officer (below).
  • Nomination (§14): nominate another person to exercise these rights on your behalf in the event of your death or incapacity. To register a nomination, email hello@namoid.in.

To exercise any of these, email hello@namoid.in. We acknowledge within 7 business days and aim to resolve within 30 days. If you signed into a customer's app, send your rights request to that customer; we'll help them fulfil it.

If your complaint is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India, the statutory authority under the DPDP Act.

Grievance officer

Uddeshya Vijayvergiya, Grievance Officer, PolyMindsLabs Pvt. Ltd.
PolyMindsLabs Pvt. Ltd., Jaipur, Rajasthan 302020, India
Email: hello@namoid.in
Office hours: Mon–Fri 10:00–18:00 IST
Acknowledgement SLA: 7 business days · Resolution target: 30 days.

Changes to this policy

We will notify registered customers by email at least 30 days before a material change takes effect. If you have accepted analytics cookies and the policy changes materially, we will ask for your consent again.