Privacy & Cookie Policy
Controller: Rayabari Networks Media LLP (“RNMLLP”), operating Maximiser.ai
**Address:**Sagar Nagar, Visakhapatnam, Andhra Pradesh, India
Contact: contact@maximiser.ai
Effective date: 04/05/2026 Last updated: 04/05/2026
1. Who we are and what this Policy covers
This Privacy & Cookie Policy (“Policy”) explains how RNMLLP collects, uses, stores, shares, and otherwise processes personal data and similar information when you access or use the Maximiser.ai websites, applications, dashboards, early-access experiences, and related services (collectively, the “Services”).
Maximiser.ai provides tools and informational experiences related to credit and debit card products, rewards, perks, location-aware suggestions (where enabled), and AI-assisted explanations. Unless we tell you otherwise for a specific program, RNMLLP is responsible for deciding why and how your personal data is processed in connection with those Services.
This Policy does not govern third-party websites, banks, card issuers, payment networks, or social platforms that may be linked from the Services.
2. Categories of personal data we may process
The following categories reflect types of data the Maximiser.ai codebase is designed to handle. Your production configuration (feature flags, enabled integrations, staging vs. live databases) determines what is actually collected. Maintain an internal Record of Processing Activities and reconcile it with this Policy at least annually and whenever you ship material new features.
2.1 Account registration and authentication
When you create or access an account, RNMLLP and its authentication infrastructure providers may process:
- Email address and password (or equivalent credentials managed by the authentication provider);
- Name or display name;
- Region or country selection and localization preferences;
- Plan or subscription tier, role (for example end-user vs. privileged administrative roles where applicable);
- Signup date, last active timestamps, login counts, trial or entitlement end dates, and throttling flags used to protect service integrity and cost;
- Two-factor authentication (2FA) configuration and, where enabled, time-limited verification values needed to complete sign-in.
2.2 Early access, waitlist, and launch communications
If you provide data during early access period / launch mode or similar experiences, we may collect:
- Full name;
- Email address;
- Optional WhatsApp or similar messaging identifiers if you request them for launch or operational alerts;
- Submission timestamp and an internal identifier.
Technical disclosure: The codebase supports more than one storage mechanism for early-access interest, including a Firestore collection used by the in-app dialog and a separate Postgres table used by an alternate server action. Your published Policy and internal data map must reflect which mechanism is authoritative in production, or disclose both if both may receive submissions in any environment.
2.3 Card portfolio, recommendations, and financial intelligence
Depending on configuration, we may process:
- Card records you or the user enters or imports, including product names, issuer or network metadata, imagery, benefit parameters, and related structured fields stored in user-scoped or shared catalogs as implemented;
- Recommendation interactions, including dismissals or feedback events logged with an account identifier where instrumented;
- Outbound “apply” or similar link interactions where instrumented.
2.4 Payouts, banking details, and partner economics
For users who participate in earner, partner, or similar payout programs, the data model anticipates storage of bank or payment details, which may include:
- Account holder name;
- Bank name;
- Account number;
- IFSC or similar routing identifiers;
- UPI identifiers;
- PayPal email or similar;
- Integration identifiers such as Razorpay contact or fund-account references when used.
2.5 Location and proximity
Where enabled, the Services may request browser geolocation and process:
- Latitude and longitude (or a coarse location depending on device/browser behavior) to support nearby-perk discovery and related UX;
- Optional geofence pulse zones associated with a profile, including labels (for example office/home), dwell-time estimates, and last-visited timestamps when persisted.
2.6 Onboarding, preferences, and inferred profiles
We may store:
- Onboarding answers as free-form or structured responses;
- Optional behavioral profile attributes;
- Search history entries (query text and timestamps);
- Applied card identifiers;
- Cached financial summary text with freshness metadata.
2.7 Activity logs, diagnostics, and abuse prevention
The Services may log user activity events (for example to a Firestore `user-activity` collection) containing:
- A user identifier (in many call sites this is the user’s email—consider pseudonymization where feasible);
- An event type;
- A JSON details object with contextual metadata;
- Optional cost weight or token count metadata associated with paid API or model usage.
2.8 Communications and push notifications
We may process email addresses for transactional messages and, where you have obtained separate consent where required, marketing messages. We may also process FCM or similar push tokens if mobile notifications are enabled.
2.9 User-generated content (earner / submissions)
Certain flows allow users to submit URLs, article text, or other materials tied to an account for review or incentives. Such content may include personal data about third parties. Your Terms of Use should prohibit unlawful submissions; your privacy program should define moderation, retention, deletion, and appeals.
2.10 AI-assisted features
Inputs you provide to AI features may be transmitted to model providers configured in your deployment (for example Google Gemini or other vendors). Outputs are probabilistic and may be wrong. List subprocessors and describe model logging, training, and human review practices according to your vendor contracts. *
2.11 Cookies, local storage, and similar technologies
The Services use browser storage (such as sessionStorage) for session continuity (for example post-login actions, tour flags). Provider SDKs may set cookies for authentication, security, or analytics.
3. How and why we use personal data (purposes)
We process personal data to:
- Provide, maintain, personalize, and improve the Services;
- Authenticate users, secure accounts, and detect or prevent fraud or abuse;
- Operate early-access lists and communicate about launches where permitted;
- Analyze usage to improve models, features, and reliability;
- Comply with law and respond to lawful requests from public authorities;
- Enforce our Terms of Use and protect the rights, safety, and property of RNMLLP, users, and the public;
- Bill and reconcile costs for third-party APIs where applicable.
We will not use personal data for materially incompatible purposes without providing notice and, where required, obtaining consent.
4. Legal bases (India-first, with cross-border awareness)
For users in India, RNMLLP intends to rely on a combination of:
- Consent, where the law requires consent for a given processing activity (for example certain marketing messages or sensitive processing where consent is mandated);
- Legitimate uses compatible with applicable Indian digital personal data law for activities that do not require consent or where consent is not the exclusive basis;
- Legal obligations where processing is necessary to comply with law.
For users outside India, additional statutes (for example the GDPR in the EU/UK) may apply. This Policy does not limit non-waivable rights.
5. Sharing and disclosure
We may disclose personal data to:
- Cloud and authentication providers (for example Google Firebase / Google Cloud) subject to their data processing terms;
- AI, search, maps, and communications vendors you configure;
- Payment processors (for example Razorpay, PayPal) when those features are live;
- Professional advisers under confidentiality obligations;
- Acquirers or investors under strict confidentiality in a corporate transaction;
- Law enforcement or regulators when required by applicable law or lawful process, or when necessary to protect vital interests.
We do not “sell” personal data in the sense of exchanging user lists for cash. If you later introduce advertising personalization or data monetization, update this Policy and user controls.
7. Retention
We retain personal data only as long as necessary for the purposes in Section 3, plus any legal, tax, or regulatory retention period, litigation hold, or backup window. Technical logs may be capped or rotated by implementation.
7. Security
We implement technical and organizational measures appropriate to the risk, including access control, separation of duties for administrative accounts, encryption in transit where supported by providers, and monitoring. No system is perfectly secure. If we become aware of an incident that poses a material risk to individuals, we will take steps in line with applicable law, which may include notification to users or regulators.
8. Your rights and choices
Depending on applicable law, you may have the right to:
- Access personal data RNMLLP holds about you;
- Correct inaccurate or incomplete data;
- Delete data where retention is no longer necessary (subject to exceptions);
- Export certain data in a portable format where feasible;
- Withdraw consent where processing is consent-based, without affecting the lawfulness of processing prior to withdrawal;
- Object to certain processing where the legal framework provides an objection right;
- Nominate a representative in case of death or incapacity where the law provides such a mechanism.
Exercise rights: Email contact@maximiser.ai with a clear description of your request. We may need to verify identity before fulfilling requests.
9. Automated processing and AI
Some features involve automated processing and large language models. Outputs may be inaccurate or incomplete and are not financial, legal, or tax advice.
10. Children
The Services are not directed to children below the age where parental consent is required under applicable law.
11. Changes to this Policy
We may update this Policy to reflect legal, technical, or business changes. We will post the revised Policy with a new effective date and, where required, provide additional notice or obtain consent. If you do not agree to changes, you must stop using the Services where permitted.
12. Contact and grievance handling
Rayabari Networks Media LLP (RNMLLP)
Sagar Nagar, Visakhapatnam, Andhra Pradesh, India
Privacy inquiries and data rights: contact@maximiser.ai
Cookie Policy (integrated summary)
Cookies and similar technologies (including pixels, SDK identifiers, and local/session storage) help authenticate sessions, remember preferences, secure the Services, and (if enabled) measure performance or deliver support diagnostics.
13. Sensitive personal data and special categories
Certain fields in the Services’ data model may be treated as sensitive or special-category personal data under applicable law, including financial account identifiers, precise location history, government identifiers if you collect them, or biometric data if you ever add such features. RNMLLP will process sensitive categories only where a lawful basis exists (for example explicit consent where required), with enhanced access controls, purpose limitation, and data minimization.
14. Data minimization and pseudonymization
Where feasible, RNMLLP will limit collection to what is adequate, relevant, and necessary, and will explore pseudonymization or aggregation for analytics and model evaluation. For example, activity logs that currently key on email should be reviewed for migration to opaque user IDs to reduce re-identification risk. Engineering and legal teams should jointly approve any expansion of identifiers logged in `user-activity` or similar stores.
15. Profiling and personalization
“Profiling” in privacy law can mean analyzing aspects of a person’s life to evaluate preferences or behaviors. Maximiser.ai may personalize dashboards, card suggestions, and insight ordering based on usage patterns, region, portfolio composition, and interaction history. RNMLLP does not intend to profile in a way that produces solely automated legal or similarly significant effects without human oversight unless a feature is explicitly designed that way and lawfully offered.
16. Marketing and promotional communications
Where law requires opt-in consent for promotional email, SMS, or WhatsApp messages, RNMLLP will obtain and record that consent separately from transactional notices. Users may withdraw marketing consent through unsubscribe links or by emailing contact@maximiser.ai. Transactional messages about security, account status, or legally required notices may continue where permitted even after marketing opt-out.
17. Testimonials, case studies, and public references
If you display user testimonials or screenshots that contain personal data, obtain written permission that specifies channels and duration. Remove or anonymize upon request unless retention is legally required.
18. Research, benchmarking, and aggregate statistics
RNMLLP may compute aggregate or de-identified statistics about card usage trends, regional uptake of features, or model quality metrics. Aggregates must be designed to reasonably prevent re-identification of individuals.
19. Law enforcement and government access requests
If RNMLLP receives a lawful request for personal data from a government agency, we will review the request for validity, scope, and jurisdiction. We may challenge overbroad or unlawful demands where permitted. Unless prohibited by law or a court order, we may provide a high-level transparency report about the number and type of requests received.
20. APIs, integrations, and enterprise clients
If you offer API keys, white-label, or enterprise deployments, additional controllers may be involved. Contracts should specify roles (controller vs. processor), subprocessing rights, audit rights, breach notice timelines, and data return/deletion at contract end. This consumer-facing Policy should link to a B2B DPA where relevant.
21. Beta and experimental features
Experimental features may process data differently from stable releases. RNMLLP will provide reasonable notice before expanding processing in a materially new way and will obtain consent where required. Beta participants should assume higher defect rates and more frequent logging for debugging unless you configure otherwise.
22. Accuracy and user responsibility
Users should keep account information accurate. RNMLLP may correct obvious typographical errors in submissions. Users must not submit false payout or identity information. Inaccurate data may degrade recommendations and could violate anti-fraud laws.
23. Accessibility of this Policy
RNMLLP will endeavor to present this Policy in a readable format and language. If you need this Policy in another language or accessible format, email contact@maximiser.ai and we will try to accommodate reasonable requests subject to resource constraints.
24. Third-party SDKs and embedded content
If the Services embed videos, maps, chat widgets, or social plugins, those third parties may collect data independently. [TODO: product] inventory each SDK and either block until consent or disclose in the cookie annex.
25. Employee and contractor access
Only authorized personnel and vendors under contract may access personal data, and then only on a need-to-know basis. Access may be logged. Violations of internal policy may result in disciplinary action and contractual remedies.
26. Annex A — Non-Indian users (informational)
Users accessing the Services from outside India may benefit from additional rights under local laws. Nothing in this Policy is intended to waive rights that cannot be waived. If local law conflicts with a provision here, local law may override to the extent applicable. RNMLLP’s primary establishment for this Policy is India; foreign users should understand that courts or authorities in India may have jurisdiction over certain disputes as set out in the Terms of Use.
27. Annex B — California residents (only if you intentionally market to California)
If RNMLLP becomes subject to the California Consumer Privacy Act as amended, California residents may have additional rights (access, deletion, opt-out of sale/share, correction, limitation of use of sensitive personal information). RNMLLP does not intend to sell or share personal information as defined under CCPA without appropriate contracts and notices.
28. Annex C — European Economic Area / UK users (only if you target those markets)
If you target the EEA or UK, GDPR-style rights (lawful basis transparency, data portability, objection to certain processing, complaints to supervisory authorities) may apply.
29. Operational details tied to current engineering patterns (non-exhaustive)
To reduce mismatch between engineering reality and public commitments, RNMLLP documents the following implementation-adjacent facts for counsel to verify against production:
- Authentication: Credential handling is expected to rely on industry-standard identity providers (for example Firebase Authentication). Password policies, reset flows, and session duration should follow provider capabilities and RNMLLP’s security configuration.
- Primary application database patterns: Many user-facing records are stored in Firestore collections. Some auxiliary flows may use Postgres via Drizzle ORM for specific tables such as an alternate waitlist capture path. Your privacy notice must not claim only one database if both remain reachable in any deployed environment.
- Activity telemetry: A global activity list may be maintained with a hard cap to bound storage. Counsel should assess whether capped-but-global storage creates cross-user access risks for administrators and whether role-based access controls meet Indian reasonable security practices expectations.
- AI inference: Prompts and structured inputs may be transmitted to third-party model APIs. Vendor logging, training on customer data (opt-in vs. opt-out), and geographic regions for inference must be taken from the actual vendor configuration, not assumed.
- Maps and places: If Google Maps or similar APIs are used, those vendors receive query parameters that may imply location even when precise coordinates are not stored by RNMLLP. Disclose recipient identity and purpose (for example place search, distance calculation).
- Email delivery: If transactional or marketing email is sent via a provider (SendGrid, SES, etc.), that provider processes personal data as a processor or sub-processor and should be listed in your subprocessor register.
- Client-side storage: Session-scoped storage may retain post-login redirect intents or tour completion flags. While often low sensitivity, it can indirectly reveal feature usage on a shared device; users should log out on shared computers and consider private browsing where appropriate.
RNMLLP will update this Policy if any of the above materially changes.
30. No waiver
Failure to enforce any provision of this Policy is not a waiver of RNMLLP’s rights.
31. Relationship to the Terms of Use
In the event of a conflict between this Policy and the Terms of Use regarding dispute resolution, limitation of liability, or governing law, the Terms of Use typically control contractual matters, while this Policy controls privacy representations—[TODO: Indian counsel] confirm no unintended conflict and cross-link definitions (Personal Data, Services, User) consistently across documents.
32. Record-keeping and audit
RNMLLP will maintain internal records of:
- Processing purposes and categories;
- Categories of recipients;
- Cross-border transfers, if any;
- Retention schedules;
- Security assessments and vendor reviews.
Such records may contain business confidential information and are not publicly posted in full, but regulators may request access under law.
33. User education and financial safety
Maximiser.ai may display educational content about cards, rewards, and benefits. Educational content is not personalized financial advice unless a separately licensed professional explicitly undertakes that role, which is outside the standard product scope. RNMLLP processes personal data to power personalization, but users remain responsible for verifying terms with issuers and for safeguarding passwords, OTP codes, and device unlock mechanisms. RNMLLP will never ask for your full card PAN by email; beware phishing that impersonates the brand. Report suspected impersonation to contact@maximiser.ai promptly so RNMLLP can investigate and coordinate with providers.