
Effective 23 May 2026 · v1.6

Privacy Policy

Sajag is local-first. Your financial data stays on your machine. We built it that way because cloud financial tools have a cost we weren’t willing to pay.

The short version: your financial data — uploaded PDFs, transactions, balances, PAN, DOB, passphrases — lives in a SQLite file on your Mac and never leaves under any setting. We use Google Analytics 4 to count screen views + button clicks (across both the website and the desktop app) so we know which features get used. The analytics payload is metadata — which screens, which buttons — never financial values. No accounts, no Sajag server holding your data.

1. What we collect on the marketing site (this site)

This website (the pages at /, /buy, /terms, /privacy) collects:

  • Reservation email: when you reserve a launch-price slot, we store your email in a list so we can deliver the DMG and activation passkey after payment. Used only for delivery and transactional updates. Never sold, never shared, never used for marketing without consent.
  • Server logs: our hosting provider keeps standard request logs (IP, user-agent, timestamp) for ~30 days for abuse prevention.
  • Payment confirmation: UPI / bank transfers go through your bank and PhonePe / Yes Bank. We see the same transaction reference you see. We do not see your card, account number, or banking credentials.
  • Anonymous diagnostics via Google Analytics 4: page views, button-click events (e.g. which CTA you clicked, which FAQ you opened), UTM source/medium/campaign parameters from the URL you arrived on, and JavaScript error descriptions are sent to Google Analytics 4 (Google LLC, US). We use this to understand which landing pages convert and where users drop in the funnel. IP addresses are auto-anonymised by GA4 to /16 (IPv4) or /80 (IPv6); we have not enabled Google Signals or ad personalisation. See §5b below for the full event list.

No Facebook Pixel. No Hotjar. No session recording. No A/B testing platform. No CRM.

1b. Tax Twin — what we store when you use the /twin tool

Tax Twin is a separate acquisition product: two questions, a 30-second tax-leak calculator, email-verified before the full answer unlocks. It is the only Sajag surface that stores personal data on our servers — Sajag the desktop app remains strictly local.

  • Your email: stored so we can email the 6-digit verification code, send your playbook 10 minutes later, and re-engage you next tax season. Retained for 18 months from last interaction — after which the row is hard-deleted. Delete sooner anytime by emailing connect@sajag.club.
  • The three numbers you typed: annual CTC, housing situation (rent / loan / own), monthly rent or EMI. Used to compute your gap and personalise the playbook email.
  • Your OTP (hashed): the 6-digit code is stored as SHA-256 with a per-row salt; plaintext lives only in the outgoing email and is cleared from our DB the moment you verify.
  • Your IP + browser user-agent: persisted on the Twin row for abuse-tracking (rate limits, single-IP enumeration detection). Never sold, never correlated with the desktop app, deleted on user deletion request.

Twin data processors:

  • Resend (US) — sends the OTP and three follow-up emails (welcome, 3-day nudge, March retrospective). Each marketing email carries an unsubscribe link in the footer; clicking it stops all future drips. The transactional OTP email is exempt from unsubscribe (you can't read the code if you opt out of the email).
  • Google Cloud Run (asia-southeast1, Singapore) — hosts the business API + the Postgres row.
  • Telegram (international) — verified-lead summaries (email + the three answers) are forwarded to the founder's Telegram bot for operational monitoring. Transparent disclosure: the email is sent in plaintext to the bot. Listed here so you can make an informed call before submitting.

If you convert from Tax Twin to a Sajag buyer: you pay the same price as everyone else (no special Twin discount). We link the Twin row to your Order row so conversion attribution works. The link can be severed on deletion request — the Order survives (we need it for accounting + DMG re-issue), the Twin row goes.

2. What the Sajag app collects (the software you install)

The desktop application sends anonymous diagnostics to Google Analytics 4 — screen names you visit (e.g. /dashboard/net-worth), button-click events (e.g. upload_success), and JavaScript error descriptions. The diagnostics payload only contains screen and event identifiers; your financial data — uploaded PDFs, transactions, balances, PAN, DOB, passphrases — never leaves your Mac. See §5b for the full event catalogue and the exact shape of every field we send.

When you upload a bank statement, CAS, EPF passbook, bureau report, Form 16, or insurance policy, those PDFs are parsed locally by Python running on your own machine. The extracted numbers go into a SQLite database at backend/data/fire.db. The original PDF is stored at backend/data/uploads/. Nothing about the contents — values, amounts, PAN numbers, fund names — is ever sent off your Mac.

3. Sensitive credentials — PAN, DOB, mobile, bank IDs

To unlock password-protected PDFs (almost every Indian financial PDF is encrypted), Sajag needs to try common password derivations: PAN + DOB, name + DOB, mobile last-4, and the bank-specific schemes used by HDFC / SBI / ICICI / Axis / Kotak / Yes Bank statement exports.

You enter these credentials once during onboarding. They are stored locally in the same SQLite database alongside your other data, encrypted at rest by your local .sajag backup mechanism if you choose to enable it. They are never transmitted — we have no endpoint to send them to.

4. The few things that DO leave your machine (and only with your action)

  • UPI deeplink at payment time: when you click “Pay” on /buy, your UPI app makes a transaction with our PhonePe / Yes Bank merchant ID. This goes through India’s NPCI rails. We see only what your bank shows on the receipt.
  • AMFI NAV refresh (optional, on by default): once a day Sajag fetches the latest mutual-fund NAVs from portal.amfiindia.com — a public file, the same one anyone can download. AMFI’s server sees your IP address (the standard signal any HTTP fetch leaks); no personal identifiers, no folio numbers, no PAN ever leave your machine in this request. Disable it in Settings if you’d rather not even share an IP; the rest of the app continues to work, your NAVs just freeze on the last refresh.

Every other operation — net-worth math, FIRE projection, tax optimisation, debt strategy, brutal-honesty findings — runs entirely on your machine. Sajag has no LLM / AI dependency in the shipped product; all calculations are rule-based and deterministic. The same inputs always produce the same outputs.

5. Cookies & local storage on this site

The marketing site (sajag.club) uses:

  • localStorage entries: sajag_reservation_* for your reservation acknowledgement; sajag_ga_cid, a UUID we generate so GA4 can deduplicate sessions without us needing third-party cookies; and sajag_utm to preserve marketing attribution across pages you visit during one session. All of these are first-party, on this domain, never read by third parties.
  • Analytics cookies: Google Analytics 4 sets _ga and _ga_<measurement-id> cookies (~14 months) so GA can attribute repeat visits to the same browser. You can clear them from your browser settings any time.

The Sajag app, when running locally on your machine (localhost), uses browser localStorage to remember your last-selected theme and member view, and to keep the GA client_id stable across cookie clears.

5b. About diagnostics — what we send

Sajag sends the following kinds of events to Google Analytics 4 on every page load (across both this website and the desktop app):

  • Page views — the screen name you’re on (e.g. /dashboard/net-worth, /buy). No URL query strings that might carry order ids or PANs are forwarded.
  • Button-click / interaction events — short labels like hero_cta_click, upload_open, calculator_run, milestone_achieved. We capture the type of feature touched, never the values shown.
  • UTM source/medium/campaign from the URL you landed on (storefront only) — to attribute referrals + ad campaigns.
  • JavaScript errors — the first 120 characters of an error message + which page it happened on. Stack traces and query strings are stripped before sending.

What we never send: uploaded PDFs, account numbers, balances, PAN, DOB, passphrases, member names, individual transactions, calculator outputs, or any field value you typed into a form. The diagnostics payload is metadata about which screens + buttons you touched, not what the screens contained.

GA4 receives your IP address (auto-anonymised to /16 for IPv4 or /80 for IPv6), browser user-agent, locale/timezone, and a Sajag-generated client_id UUID. Google may use this data under their Privacy Policy; we have disabled Google Signals and Ad Personalisation on our property so the data is not used for cross-site advertising.

To delete your historical GA data: email the Grievance Officer (§7b) with subject line Delete my GA client_id. We submit the deletion via GA4’s User Data Deletion API within 7 working days. Clearing your browser cookies + the localStorage entries above also detaches the current session from any prior client_id.

6. Data deletion

Because we don’t store your financial data, there’s nothing for us to delete on our end. To delete the data Sajag holds locally:

  • Delete the file backend/data/fire.db.
  • Delete the folder backend/data/uploads/.
  • Delete any .sajag backup files you created.

For the reservation list and payment records on our end, email connect@sajag.club with the subject “Delete my email”. We’ll remove your email within 7 days and reply to confirm. Note: Indian tax law requires us to retain payment records for 7 years; the email-to-name mapping cannot be deleted earlier than that.

7. Third parties involved

The full list of third parties that ever touch Sajag-related data:

  • Razorpay Software Pvt. Ltd. — payment gateway for the /buy flow. Visible to them: your name (as entered in Checkout), email, payment instrument (UPI handle, card BIN, netbanking bank, wallet provider), amount, payment id, and your IP address at the moment of payment. Razorpay’s own privacy policy applies to the data they retain. We receive only the payment id, order id, and signature — never your card or PIN.
  • PhonePe / Yes Bank (fallback only) — direct UPI payment if Razorpay is briefly unavailable. Visible: amount, your UPI handle, transaction reference, timestamp.
  • Resend — transactional email delivery (purchase confirmation, refund updates). Visible to them: your email address, the email subject, and the email body text.
  • Google Cloud (Cloud Run + Cloud SQL) — storefront and order-management hosting. Visible to them: standard server logs (IP, user-agent, request paths) for the buy flow only. The desktop product runs entirely on your machine and does not touch any cloud.
  • Backblaze B2 — DMG file delivery. Each buyer’s personalised .app is uploaded once and served via a signed URL with a 30-day expiry.
  • AMFI India (only if NAV refresh is enabled, default on) — a public NAV file download from your machine. They see your IP address; nothing else.
  • Google LLC — Google Analytics 4 as a data processor for the storefront and the desktop app. Data processed in the United States. We have configured GA4 with anonymize_ip enabled, Google Signals + Ad Personalisation disabled, and data retention set to the GA4 maximum of 14 months. The payload we send (see §5b) is metadata about which screens and buttons you touched — never financial values. To request deletion of your historical GA client_id’s data, email the Grievance Officer (§7b) with subject line Delete my GA client_id and we’ll submit a request via GA4’s User Data Deletion API.

No advertising networks. No data brokers. No CRM. No LLM / AI provider.

7a. Your rights as a Data Principal (DPDPA 2023)

Under India’s Digital Personal Data Protection Act, 2023, you have the right to:

  • Access any personal data we hold about you (email, payment records, order history).
  • Correct inaccuracies.
  • Erase your data after the legally-required retention window has lapsed.
  • Nominate someone to exercise these rights in your absence.
  • Withdraw consent for any processing not required by law.
  • Delete your GA4 client_id history — email the Grievance Officer (§7b) with subject Delete my GA client_id; we submit the deletion via GA4’s User Data Deletion API within 7 working days.
  • Grievance redressal — see Section 7b below.

To exercise any right, email connect@sajag.club with the subject line DPDPA request. We respond within 7 working days.

Retention: reservation emails kept indefinitely while your license is active. Order + payment records retained for 6 years (Rule 6F of the Income Tax Rules, 1962, read with §44AA of the Income Tax Act, 1961). Server logs ~30 days. On account deletion, we erase reservation emails within 30 days; payment records remain for the statutory tax-retention window.

7b. Grievance Officer

Yash Gupta, founder of Turnet India, is the designated Grievance Officer under §8(10) of the Digital Personal Data Protection Act, 2023 (read with §13, which sets out a Data Principal’s right to grievance redressal). Email: connect@sajag.club with subject line Grievance — DPDPA. Acknowledgement within 48 hours; resolution target 30 days. If unsatisfied, you may escalate to the Data Protection Board of India.

Personal data breach: in the unlikely event of a breach affecting your personal data, we will notify you and the Data Protection Board within 72 hours of discovery.

8. Children

Sajag is built for adults running household finances. We don’t knowingly accept reservations from anyone under 18. If you believe a minor has reserved a slot, email us and we’ll remove the entry.

9. Security

The biggest part of our security story is what we don’t do: we don’t hold a database of your financial life, so there’s nothing to breach. The reservation list is a single-table store with email and timestamp only.

On your machine, your fire.db is a regular SQLite file with whatever filesystem permissions your OS gave it. We strongly recommend enabling FileVault (macOS) or LUKS (Linux) disk encryption — Sajag’s privacy posture leans on your machine’s own security.

10. Jurisdiction & changes

This policy is governed by Indian law. Disputes go to the courts at Bengaluru, Karnataka.

We may update this policy. Material changes (anything that broadens what data we hold) will be sent to existing customers via email at least 14 days before they take effect. The current version always lives at this page with the effective date at the top.

Data requests, deletions, questions: email connect@sajag.club. We answer within 24 hours, usually faster.

Turnet India · Yash Gupta · Bengaluru, India