Privacy Policy
This Privacy Policy explains how Sealar by Finamana ("Sealar", "we", "us", "our") collects, uses, stores, shares and protects personal data when you use our self-help Will creation web application available at willcraft-a583e.web.app (the "Service"). It is drafted in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") of India and applicable rules thereunder.
By using the Service, you ("you", "the Data Principal") consent to the practices described in this Policy. If you do not agree, please do not use the Service.
Contents
- Who we are (Data Fiduciary)
- What personal data we collect
- Purposes for which we process your data
- Lawful basis
- How and where your data is stored
- Sharing with third parties & processors
- Retention
- Your rights as a Data Principal
- Children and beneficiaries who are minors
- Security measures
- Cookies and local storage
- International data transfers
- Changes to this Policy
- Grievance Officer & contact
1. Who we are (Data Fiduciary)
For the purposes of the DPDP Act, the Data Fiduciary in respect of personal data processed through the Service is:
Finamana — a financial planning practice operated by Amit Kallianpur.
Mumbai, Maharashtra, India.
Contact: amit.kallianpur@gmail.com
2. What personal data we collect
We collect only the minimum personal data needed to help you draft a valid Will. Categories of data include:
| Category | Examples | Source |
|---|---|---|
| Identity | Full name, father’s/husband’s name, date of birth, PAN (optional), religion, residential address, marital status | Provided by you in the wizard |
| Account | Google account name, email address, profile photo URL, Firebase user ID | Google Sign-in (with your consent) |
| Family | Spouse, children (name, DOB, relation), other dependents | Provided by you |
| Financial | Immovable property descriptions, bank account details (institution, branch, account number, type), mutual fund folios and unit balances, demat accounts and holdings, insurance policies, other assets | Provided by you, or imported from a Consolidated Account Statement (CAS) you upload |
| Will-related | Executor and alternate executor details, specific bequests, residuary beneficiary, guardian for minor children, witness names & addresses | Provided by you |
| Technical / log | Browser type, IP address (transient, used by Firebase for security), timestamps of saves | Automatically from your device |
What we do NOT collect: bank passwords, OTPs, debit/credit card numbers, biometric data, location data, browsing history outside the Service, or contacts. The CAS PDF you upload is parsed entirely in your browser and is not transmitted to our servers; only the specific asset rows you tick are saved to your draft.
3. Purposes for which we process your data
- To allow you to create, save, resume and download a Last Will and Testament tailored to your information.
- To authenticate you securely (so only you can access your draft).
- To save your draft to a private record so you can return and edit it.
- To generate a downloadable PDF of your Will on your device.
- To respond to your support requests and Data Principal rights requests.
- To detect and prevent abuse, fraud and security incidents.
We do not use your data for advertising, profiling for marketing purposes, training third-party AI models, or selling to brokers.
4. Lawful basis
We process your personal data on the lawful basis of your consent, given when you sign in and use the Service. You may withdraw consent at any time by deleting your draft and signing out (see §8 below). Some processing necessary to comply with a legal obligation (e.g. responding to a lawful court order) may continue to the limited extent required by law.
5. How and where your data is stored
Your wizard data is stored in Google Cloud Firestore, hosted in the asia-south1 (Mumbai) region. Each user’s draft sits in a private document at the path /wills/{your-firebase-user-id}. Firestore security rules enforce that only the signed-in owner can read or write that document; no other user, and no employee of Finamana, has direct access in the normal course of business.
When you click “Generate my Will (PDF)”, your draft is sent to a Google Cloud Function (also in asia-south1, Mumbai) that renders the PDF. The generated PDF is stored in Google Cloud Storage (asia-south1) at the path wills/{your-firebase-user-id}/will.pdf, accessible only to you. The Cloud Function is stateless — it does not retain your data after the PDF is produced and uploaded.
Static assets (HTML, JS, CSS) are served by Firebase Hosting over HTTPS with HSTS enabled. Authentication is handled by Firebase Authentication using Google Sign-in (OAuth 2.0).
6. Sharing with third parties & processors
We share personal data only with the following processors, strictly to the extent needed to operate the Service:
| Processor | Purpose | Data shared | Region |
|---|---|---|---|
| Google LLC — Firebase Authentication | Identity verification & session management | Google account email, name, photo URL, OAuth tokens | Global (Google IAM) |
| Google LLC — Cloud Firestore | Storage of your wizard draft and codicil drafts | All wizard data you enter, account identifiers, timestamps | asia-south1 (Mumbai) |
| Google LLC — Cloud Functions | Server-side PDF rendering on demand | The full content of your saved Will / codicil at the moment you click Generate | asia-south1 (Mumbai) |
| Google LLC — Cloud Storage | Persistent storage of your generated PDF for re-download from the dashboard | Generated PDF file | asia-south1 (Mumbai) |
| Google LLC — Firebase Hosting | Web hosting of the Service’s static pages | Standard web request logs (IP, user agent, request path) | Google CDN edge |
| Google LLC — Google Sign-in (OAuth 2.0) | Federated identity flow | Authentication tokens; we receive only your email, name, and photo URL | Global |
| Google LLC — Google Fonts | Delivery of the “Cormorant Garamond” serif typeface used in the wizard preview and the rendered PDF | Your IP address & user-agent (no other data; loaded by your browser, not by us) | Google CDN edge |
| Google LLC — Gmail SMTP (App Password) | Sending the founder a notification email when a new waitlist signup lands | The waitlist signup’s email, name, city, and reason — only triggered for waitlist signups, never for wizard data | Google SMTP |
| Cloudflare, Inc. — cdnjs | Delivery of one open-source JavaScript library (PDF.js, used to parse Consolidated Account Statements client-side) | None apart from your IP & user-agent as part of the file request | Cloudflare CDN edge |
All processors above are bound by Google’s and Cloudflare’s respective Data Processing Addenda. We do not sell your personal data, do not run third-party advertising trackers, and do not share your draft with any other party.
7. Retention & deletion
We retain your draft Will and associated personal data for as long as your account exists with the Service.
You can permanently delete all of your data at any time by signing in, opening the My documents page, and clicking “Delete my account & data”. This is a one-click action (with a confirmation step) and removes:
- Your Will draft and all codicil drafts in Firestore
- Any generated PDF copies in Cloud Storage
- Your authentication record (so the same Google account can sign up again later as a new user, if you wish)
We will, in addition, action any deletion request received by email at the Grievance Officer (§14) within 30 days. Backup copies maintained by Firebase for disaster-recovery purposes are purged within Google’s standard backup retention windows (typically 7 to 30 days, depending on the service).
8. Your rights as a Data Principal
Under the DPDP Act you have the following rights:
- Right to access — obtain confirmation of, and a summary of, the personal data we process about you.
- Right to correction and erasure — have inaccurate data corrected, and request erasure of personal data that is no longer necessary for the purposes for which it was collected.
- Right of grievance redressal — raise grievances with our Grievance Officer (§14) and, if unsatisfied, with the Data Protection Board of India.
- Right to nominate — nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to withdraw consent — withdraw consent at any time, with the same ease as it was given.
To exercise any of these rights, email amit.kallianpur@gmail.com with the subject line "DPDP Rights Request" and a description of your request. We will verify your identity (using the email address linked to your Google account) before actioning the request.
9. Children and beneficiaries who are minors
The Service is not intended for use by individuals under 18 years of age (a Will under Indian law must be executed by an adult of sound mind). We do not knowingly create accounts for minors.
If you list a child under 18 as a beneficiary, guardian-of-minor or dependent, you do so as their parent or natural guardian. We process the minor’s details (typically name and date of birth) solely for inclusion in your Will document. We process this data with your verifiable parental consent and do not collect any additional personal data about the minor.
10. Security measures
We use the following technical and organisational measures, proportionate to the risk:
- Transport encryption: HTTPS with HSTS for all client–server traffic.
- Authentication: Google OAuth 2.0; we never see or store your password.
- Access control: Firestore security rules restrict each draft to its owning Firebase user ID.
- At-rest encryption: Firestore encrypts data at rest using AES-256 by default.
- Defensive HTTP headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
- Client-side PDF parsing: CAS files you upload are parsed entirely in your browser and are not transmitted to our servers.
- Minimum-data principle: optional fields (e.g. PAN) can be left blank.
No internet-facing service can be guaranteed 100% secure. In the unlikely event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals as required by the DPDP Act.
11. Cookies and local storage
The Service uses essential cookies set by Firebase Authentication to keep you signed in across page loads. We do not use third-party advertising cookies, marketing pixels, or analytics trackers in the wizard or landing page. Disabling these essential cookies will prevent you from signing in.
12. International data transfers
Your wizard data is stored in Google’s asia-south1 (Mumbai) data centre. However, Google is a global service provider; certain operational metadata (e.g. authentication tokens, system logs) may be processed in other Google data centres outside India. Google’s contractual commitments and applicable law govern such transfers.
13. Changes to this Policy
We may update this Policy from time to time. The updated version will be published at this URL with a new "Last updated" date. Where changes are material, we will make a reasonable effort to notify you via the email address linked to your account. Continued use of the Service after the update constitutes acceptance of the revised Policy.
14. Grievance Officer & contact
Pursuant to Section 8(9) of the DPDP Act, our Grievance Officer is:
Mr. Amit Kallianpur
Grievance Officer, Sealar by Finamana
Mumbai, Maharashtra, India
Email: amit.kallianpur@gmail.com
Response timeline: within 30 days of receiving a verified grievance.
If you are unsatisfied with the response, you may approach the Data Protection Board of India as constituted under the DPDP Act.