Privacy Policy

NAMA OS (“NAMA”, “we”, “us”, “our”) is a SaaS platform for travel businesses, operated by Narayan Mallapur (A 902, Vaishnavi Nakshatra, Tumkur Road, Yeshwantpur, Bengaluru 560 022, Karnataka, India).

This Privacy Policy applies to all users of the NAMA OS platform accessible at getnama.app and any related subdomains or APIs.

This policy covers personal data collected when you register for an account, use the platform, interact with our customer support, or visit our website. It does not cover data practices of third-party services you may connect to NAMA OS.

When you register or manage your account:

• ▸Full name
• ▸Email address
• ▸Phone number
• ▸Company / agency name
• ▸Role within your organisation
• ▸Profile photo (optional)

Data you enter or import while using the platform:

• ▸Customer / traveller names, email addresses, and contact details
• ▸Lead enquiries and communication history
• ▸Itinerary details: destinations, dates, accommodation, transport
• ▸Quotations, invoices, vouchers, and booking documents
• ▸Vendor profiles and contracted rates
• ▸Financial records including payment amounts and status
• ▸Imported CSV files (leads, rate cards)

Automatically collected when you use the platform:

• ▸IP address and approximate geolocation (country/city)
• ▸Browser type and version
• ▸Device type and operating system
• ▸Pages visited and features used
• ▸Session duration and login timestamps
• ▸Error logs and performance metrics

When you use NAMA OS communication tools:

• ▸Emails sent and received via the platform (SMTP/IMAP)
• ▸WhatsApp messages routed through the platform
• ▸Chat history with NAMA Copilot (AI assistant)
• ▸Support messages sent to our team

• ▸Authenticating you and maintaining your session
• ▸Displaying your CRM, leads, itineraries, bookings, and documents
• ▸Running AI-assisted features (lead scoring, itinerary suggestions, copilot)
• ▸Generating PDFs (invoices, quotations, vouchers)
• ▸Processing payments via integrated payment gateways

• ▸Account registration confirmation
• ▸Password reset and security alerts
• ▸Onboarding drip sequence (Day 0 welcome, Day 1 tips, Day 3 social proof, Day 7 re-engagement)
• ▸Follow-up reminders generated by automations you configure
• ▸Invoices and quotations sent to your clients on your behalf
• ▸Infrastructure alerts (Sentinel) if you configure thresholds

• ▸Understanding which features are used most
• ▸Identifying and fixing bugs and performance issues
• ▸Aggregate, anonymised benchmarks for Smart Pricing features
• ▸Improving AI model prompts and outputs (no data is shared with model providers to train public models without consent)

We rely on the following legal bases:

• ▸Contractual necessity — processing required to deliver the service you subscribed to
• ▸Legitimate interests — security monitoring, fraud prevention, product analytics
• ▸Consent — marketing emails and optional feature usage analytics (you can withdraw at any time)
• ▸Legal obligation — retaining financial records as required by law

NAMA OS stores all persistent data in:

Application servers run on Railway (United States). The frontend is served via Vercel's global edge network.

• ▸Database storage encrypted with AES-256 at rest (managed by Neon / AWS)
• ▸Sensitive credentials (SMTP/IMAP passwords) are Fernet-encrypted before database storage
• ▸API keys and secrets stored as environment variables, never in source code

• ▸All data transmitted over HTTPS (TLS 1.2+)
• ▸HSTS headers enforced on all NAMA OS domains
• ▸Internal service-to-service calls use Railway private networking or HTTPS

• ▸Role-based access control (RBAC) with 6 permission tiers: Owner, Org Admin, Sales Manager, Ops Executive, Finance Admin, View Only
• ▸Attribute-based conditions (ABAC): geography, product type, deal size, shift hours
• ▸All API routes require authentication via HttpOnly JWT cookies
• ▸Admin-only features protected by page-level role guards
• ▸Audit logs maintained for permission changes and sensitive operations

In the event of a data breach affecting your personal data, we will notify you and, where applicable, the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR.

We do not sell, rent, or broker your personal data or your customers' data to any third party. Data is shared with the above sub-processors solely to operate the platform on your behalf.

If you are located in the EU/EEA, UK, or a jurisdiction with equivalent data protection law, you have the following rights:

Email your request to:

We will respond within 30 days. We may ask you to verify your identity before processing the request.

These cookies are required for the platform to function:

Store your preferences to improve your experience:

• ▸Currency preference (stored in localStorage, not a cookie)
• ▸Onboarding progress (localStorage key: nama_onboarding_v2)
• ▸Dashboard checklist state (localStorage)
• ▸Product tour completion state (localStorage)

These preferences are stored in your browser's localStorage and are never sent to our servers.

We use Sentry for error monitoring. Sentry may store a cookie or fingerprint to correlate error sessions. No advertising or cross-site tracking cookies are used.

We do not use Google Analytics, Meta Pixel, or any advertising trackers.

You can control cookies through your browser settings. Disabling the session cookie will prevent you from logging in. Clearing localStorage will reset your preferences and onboarding progress but will not delete any server-side data.

Your data is retained for as long as your account remains active or as needed to provide the service. We will not delete your data due to inactivity without prior notice.

• ▸Upon a verified deletion request, we will delete your personal data and all associated business data within 30 days
• ▸You will receive written confirmation once deletion is complete
• ▸Backups containing your data are purged on their natural rotation cycle (maximum 30 additional days)

Certain financial records (invoices, payment records) may be retained for up to 7 years as required by applicable accounting and tax law, even after account closure. These records will be kept in a restricted archive inaccessible to the service.

Audit logs and automation run logs are retained for 12 months for security and debugging purposes, then automatically purged.

NAMA OS is operated from India, with infrastructure hosted in the United States (Railway, Neon, Vercel). If you are located in the EU/EEA or UK, your data will be transferred to and processed in the US.

Safeguards in place:

• ▸Sub-processors (Neon, Railway, Vercel) are covered by EU Standard Contractual Clauses (SCCs) in their own DPAs
• ▸All transfers occur over HTTPS/TLS encrypted connections
• ▸We select sub-processors that maintain SOC 2 Type II or equivalent certifications

NAMA OS is a business platform intended for use by individuals who are at least 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact privacy@getnama.app and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• ▸Update the "Last updated" date at the top of this page
• ▸Send an in-app notification and/or email to registered account owners
• ▸Provide at least 14 days' notice before material changes take effect

Continued use of NAMA OS after the effective date constitutes acceptance of the revised policy.

For all privacy-related questions, data access requests, or deletion requests:

We aim to respond to all privacy requests within 5 business days and to resolve them within 30 days.