Privacy Policy
Last updated: 7 May 2026
1. Who we are
Firmly is a software tool for Indian startup founders to draft and send offer letters. The service is operated under the Firmly brand at tryfirmly.in. You can reach the team on WhatsApp at +91 70327 51255.
2. What we collect
When you use Firmly, we collect:
- Account info — from Google when you sign in: name, email, profile photo.
- Company details — that you enter during onboarding or via the dashboard: company legal name, registered office address, city, CIN, GSTIN, contact details (phone, email, website), logo image, signatory name and title, signature image.
- Offer letter content — that you enter into the wizard: candidate name, candidate email, candidate address (optional), role, employment type, compensation amount, start date, duration, ESOP details (if applicable), expiry date, and the clauses you select.
- Sent-letter records — when you send an offer letter to a candidate via Firmly: the candidate's email, the date sent, and a status flag.
- Server logs — standard request information (IP address, user agent, request path, timestamp) retained for security and abuse prevention.
3. How we use it
We use this data only to operate the service:
- Render your letters and generate PDFs.
- Email PDFs to candidates when you click Send to candidate.
- Sign you in and keep your draft list available.
- Detect and prevent abuse of the service.
- Comply with applicable law.
We do not sell your data. We do not use your data or your candidates' data to train any AI model.
4. Your role as data controller (DPDP Act 2023)
When you enter a candidate's personal data into Firmly, you are the data controller under the Digital Personal Data Protection Act, 2023 — you decide what data to enter, why, and what to do with it. Firmly acts as the data processor: we process candidate data only to operate the service for you.
What this means in practice:
- You should only enter candidate data you have a lawful basis to process — typically because the candidate gave you their information for the purpose of receiving an offer letter.
- Candidate rights requests (access, correction, deletion) come to you, not to us. Use your dashboard to view, edit, or delete the offer letter that contains the candidate's data.
- If a candidate contacts us directly, we will forward the request to the founder whose account contains the data.
We are responsible for protecting the data while it sits in our systems — encryption in transit, access controls, the storage details below.
5. Where data is stored
Firmly relies on a small set of sub-processors:
- Database — Amazon RDS (PostgreSQL) in the Mumbai (ap-south-1) region. All data — accounts, companies, offer letters — lives here.
- Authentication — Google OAuth handles sign-in. Better Auth manages the session cookie issued by Firmly.
- Email delivery — Resend delivers offer-letter PDFs to candidates. Resend stores the email content and recipient address per its own retention policy.
- Hosting — The application is hosted on Vercel. Vercel may process request metadata (IP, user agent) for routing and abuse detection.
6. Cookies
Firmly uses a single first-party session cookie set by Better Auth to keep you signed in. We don't set advertising, analytics, or third-party tracking cookies. The Google sign-in flow may briefly set Google's own cookies during the OAuth redirect; those are governed by Google's privacy policy.
7. Your rights
Under the DPDP Act 2023, you have the right to:
- Access the personal data we hold about you and your company.
- Correct any inaccurate data — most fields are editable from your dashboard.
- Request deletion of your account and all associated data.
- Withdraw consent where we rely on consent (you can stop using the service at any time).
- Nominate someone to act on your behalf in case of incapacity.
To exercise any of these, message us on WhatsApp at +91 70327 51255. We will respond within 30 days.
8. Retention
- Active accounts — we retain your data while your account is active.
- Deleted accounts — on a deletion request we erase your company and offer-letter data within 30 days. A small amount of metadata may be retained longer where required by law.
- Server logs — retained for 90 days.
9. Children
Firmly is for businesses. We don't knowingly create accounts for anyone under 18. If you believe a minor has signed up, email us and we'll close the account.
10. Changes to this policy
We may update this policy. Material changes will trigger an in-app notice on your next sign-in, and the Last updated date at the top of this page will change.
11. Contact
For any privacy question — including DPDP rights requests — message us on WhatsApp at +91 70327 51255.