Privacy Policy
1. Introduction
This Privacy Policy describes how Nimaxiom Service Private Limited ("Nimaxiom," "we," "us," or "our"), the company behind NimeDocs, collects, uses, discloses, and protects personal data when you visit our website at https://nimedocs.com (the "Website"), use our NimeDocs application (the "Service"), or otherwise interact with us.
NimeDocs is a Salesforce AppExchange managed package for document automation that operates as a 100% Salesforce-native application. The Service enables organizations to generate documents, presentations, and spreadsheets directly within their Salesforce environment.
We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act of 2018 ("CCPA"), the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 of India, and other applicable data protection laws.
By accessing our Website or using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of our Website and Service.
This Privacy Policy is incorporated into and subject to our Terms of Service.
2. Data Controller and Data Processor Roles
For the purposes of applicable data protection law, the roles are as follows:
2.1 Website and Direct Interactions
Nimaxiom Service Private Limited is the data controller (as defined under GDPR Article 4(7)) for personal data collected through our Website, marketing communications, sales interactions, and customer support channels. We determine the purposes and means of processing such data.
2.2 Customer Salesforce Data
When the NimeDocs application is installed in a customer's Salesforce org, the customer is the data controller and Nimaxiom provides software that runs within the Customer's Salesforce environment. Nimaxiom does not access, transmit, store, or process Customer Data. All data processing is performed by the Salesforce platform on behalf of the Customer. The Salesforce platform's own privacy and security controls govern the processing of data within the customer's org.
Because NimeDocs's architecture ensures that no Customer Data is transferred to Nimaxiom, a traditional Data Processing Agreement (DPA) is not required. If you have questions about this architecture, please contact us at privacy@nimaxiom.com.
3. Information We Collect
3.1 Information You Provide Directly
We may collect personal data that you voluntarily provide to us, including:
- Contact information: Name, email address, phone number, job title, and company name when you fill out contact forms, request a demo, or sign up for a trial.
- Account information: Business email address and company details when you subscribe to our Service.
- Communication data: Any information you provide when you contact our support team, participate in surveys, or communicate with us via email.
- Billing information: Payment details (processed by our third-party payment processor; we do not store full credit card numbers on our systems).
3.2 Information Collected Automatically
When you visit our Website, we automatically collect certain information, including:
- Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
- Usage data: Pages visited, time spent on pages, referring URLs, click paths, and other interaction data.
- Cookies and similar technologies: As described in our Cookie Policy.
3.3 Customer Salesforce Data
NimeDocs is 100% Salesforce-native. All document generation and data processing occur entirely within your Salesforce org using Salesforce's native infrastructure. This means:
- Your Salesforce data (including CRM records, contact information, opportunity data, and any other object data) never leaves your Salesforce org.
- We do not have access to, copy, or transmit your Salesforce data to external servers.
- Generated documents are stored as Salesforce Files (ContentVersion) within your org.
- All processing is subject to Salesforce's own security architecture, including field-level security, sharing rules, and object permissions.
4. How We Use Your Information
We use the personal data we collect for the following purposes:
- Service delivery: To provide, maintain, and improve the NimeDocs Service, including processing your subscription, providing customer support, and delivering product updates.
- Communication: To respond to your inquiries, send transactional emails (e.g., subscription confirmations, service notifications), and provide technical support.
- Marketing (with consent): To send you product news, feature announcements, and promotional materials where you have provided your consent or where we have a legitimate interest to do so. You may opt out at any time.
- Analytics and improvement: To understand how our Website and Service are used, identify trends, and improve the user experience.
- Legal compliance: To comply with applicable laws, regulations, and legal processes, and to protect our rights and the rights of others.
- Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues.
5. Legal Basis for Processing (GDPR)
Under the GDPR (Article 6(1)), we process personal data only where we have a valid legal basis. We do not intentionally process special categories of personal data as defined by Article 9 GDPR. The legal bases we rely on are:
- Consent (Article 6(1)(a)): Where you have given clear, affirmative consent for us to process your personal data for specific purposes, such as receiving marketing communications. You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Performance of a contract (Article 6(1)(b)): Where processing is necessary for the performance of a contract to which you are party, or to take steps at your request prior to entering into a contract. This includes processing necessary to provide the NimeDocs Service under your subscription agreement.
- Legitimate interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests or those of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include improving our Service, ensuring network security, preventing fraud, and conducting direct marketing to existing customers.
- Legal obligation (Article 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which we are subject, such as tax reporting or responding to lawful requests from public authorities.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data to third parties. We may share your personal data only in the following limited circumstances:
- Salesforce (Platform Provider): NimeDocs operates on the Salesforce platform. Your use of NimeDocs is also subject to Salesforce's privacy policy and terms of service. Salesforce's processing of data within your org is governed by your agreement with Salesforce.
- Payment processors: We use third-party payment processors to handle billing transactions. These processors receive only the information necessary to process payments and are contractually obligated to protect your data.
- Analytics providers: We use analytics services (such as Google Analytics) to understand Website usage. These providers may collect anonymized or pseudonymized data subject to their own privacy policies.
- Professional advisors: We may share data with our lawyers, accountants, auditors, and insurers where necessary for professional advice, litigation, or insurance purposes.
- Legal requirements: We may disclose personal data where required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Nimaxiom, our users, or the public.
- Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.
7. International Data Transfers
Nimaxiom Service Private Limited is based in India. If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data protection laws that restrict international data transfers, please be aware that your personal data may be transferred to and processed in India.
Where we transfer personal data outside the EEA or UK, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V (Articles 44-49), including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
- Binding Corporate Rules where applicable.
- Your explicit consent where no other safeguard is available and you have been informed of the risks.
You may request a copy of the safeguards we use for international transfers by contacting us at privacy@nimaxiom.com.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our retention practices are as follows:
- Account and subscription data: Retained for the duration of your subscription and for a period of 3 years after termination, unless a longer retention period is required by law (e.g., for tax or accounting purposes).
- Contact and communication data: Retained for 3 years after your last interaction with us, unless you request earlier deletion.
- Marketing consent records: Retained for as long as your consent is valid and for 3 years thereafter as evidence of consent.
- Website usage data and analytics: Retained in anonymized or aggregated form for up to 26 months.
- Billing records: Retained for a minimum of 8 years as required by Indian tax and accounting regulations.
- Support tickets: Retained for 3 years after resolution.
When personal data is no longer required, we securely delete or anonymize it using industry-standard methods. Where deletion is not immediately possible (e.g., data stored in backups), we ensure that the data is isolated and protected from further processing until deletion is possible.
9. Your Rights Under the GDPR
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the GDPR (Articles 15-22). These rights are not absolute and may be subject to exemptions:
- Right of access (Article 15): You have the right to obtain confirmation as to whether personal data concerning you is being processed, and to request a copy of such data in a structured, commonly used, machine-readable format.
- Right to rectification (Article 16): You have the right to request the correction of inaccurate personal data and to have incomplete personal data completed.
- Right to erasure (Article 17): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (and no other legal basis applies), where you object to processing, or where the data has been unlawfully processed.
- Right to restriction of processing (Article 18): You have the right to request the restriction of processing where the accuracy of the data is contested, where the processing is unlawful, where we no longer need the data but you require it for legal claims, or where you have objected to processing pending verification.
- Right to data portability (Article 20): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
- Right to object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing immediately.
- Right to withdraw consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right not to be subject to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not currently engage in automated decision-making of this nature.
To exercise any of these rights, please contact us at privacy@nimaxiom.com. We will respond to your request without undue delay and in any event within one month of receipt, as required by GDPR Article 12(3). This period may be extended by two further months where necessary. If we require an extension, we will inform you within the initial one-month period and provide the reasons for the delay. You also have the right to lodge a complaint with your local supervisory authority.
10. Your Rights Under the CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) and, as amended, the California Privacy Rights Act (CPRA):
- Right to know (Section 1798.100): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete (Section 1798.105): You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions (e.g., where retention is necessary for completing a transaction, detecting security incidents, or complying with legal obligations).
- Right to correct (Section 1798.106): You have the right to request correction of inaccurate personal information.
- Right to opt-out of sale or sharing (Section 1798.120): You have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell or share (as defined by the CCPA/CPRA) your personal information.
- Right to non-discrimination (Section 1798.125): We will not discriminate against you for exercising any of your CCPA rights. We will not deny goods or services, charge different prices, or provide a different level of quality because you exercised your rights.
- Right to limit use of sensitive personal information (Section 1798.121): You have the right to limit our use of sensitive personal information. We do not use sensitive personal information for purposes beyond those permitted by the CCPA.
We do not sell or share personal information as defined by the CCPA/CPRA. A "Do Not Sell or Share My Personal Information" link is not required as we do not engage in such activities.
To exercise any of these rights, please contact us at privacy@nimaxiom.com or submit a request through our Website. We will verify your identity before processing your request and respond within 45 days, as required by law.
California "Shine the Light" (Cal. Civ. Code § 1798.83): California residents may also request information about our disclosure of personal information to third parties for direct marketing purposes. As stated above, we do not disclose personal information to third parties for their own direct marketing purposes.
11. Your Rights Under Indian Law
If you are located in India, your personal data is protected under the Information Technology Act, 2000 (as amended) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").
Under these provisions, you have the right to:
- Access and review: You may review the personal information and sensitive personal data or information (as defined under Rule 3 of the SPDI Rules) we hold about you and request corrections to any inaccuracies.
- Withdraw consent: You may withdraw your consent to the collection and use of your sensitive personal data or information at any time by writing to us. Please note that withdrawal of consent may affect our ability to provide certain services to you.
- Grievance redressal: You may contact our Grievance Officer (details below) with any complaints regarding the processing of your personal data. We will address your grievance within 30 days of receipt.
We maintain reasonable security practices and procedures as mandated by Section 43A of the Information Technology Act and the SPDI Rules, including the implementation of documented information security policies, encryption of sensitive data in transit and at rest, and regular security assessments.
Additionally, we are committed to compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA") as its provisions come into effect. We will update this policy to reflect any additional obligations arising from the DPDPA and its subordinate rules.
12. Children's Privacy
NimeDocs is a business-to-business service and is not directed at individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under 16.
If we become aware that we have inadvertently collected personal data from a child under 16, we will take prompt steps to delete such data from our systems. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at privacy@nimaxiom.com.
13. Cookies and Tracking Technologies
Our Website uses cookies and similar tracking technologies to enhance your browsing experience, analyze site traffic, and understand user behavior. Cookies are small text files stored on your device by your web browser.
We use the following categories of cookies:
- Essential cookies: Necessary for the operation of the Website (e.g., session management, security).
- Analytics cookies: Help us understand how visitors interact with our Website by collecting and reporting information anonymously.
- Functional cookies: Enable enhanced functionality and personalization (e.g., remembering your preferences).
For detailed information about the specific cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, applicable laws, or regulatory requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Post a prominent notice on our Website.
- Where required by law (including GDPR Article 12), notify you by email if we have your email address on file.
We encourage you to review this Privacy Policy periodically. Your continued use of the Website or Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes, except where further consent is required by applicable law.
15. Data Breach Notification
In the event of a personal data breach affecting your data, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay, as required by GDPR Article 34.
16. Contact Us
Nimaxiom Service Private Limited
Registered Address:
A47, Gurjar ki Thadi, Gopal Pura Bypass, Jaipur, Rajasthan 302015, India
Privacy Inquiries:
privacy@nimaxiom.com
General Legal Inquiries:
legal@nimaxiom.com
Grievance Officer (for Indian data subjects under IT Act, 2000):
Neha Singhal, Founder & CEO
Nimaxiom Service Private Limited
A47, Gurjar ki Thadi, Gopal Pura Bypass, Jaipur, Rajasthan 302015, India
Email: privacy@nimaxiom.com
EU/UK Representative (GDPR Article 27):
As we offer services to individuals in the EU/UK, we are evaluating the appointment of an EU/UK representative under GDPR Article 27. Until such appointment, inquiries may be directed to privacy@nimaxiom.com.