
Privacy Policy

We treat your data the way we'd want ours treated — collected sparingly, used for what we said we'd use it for, and never sold. This page explains the details.

Effective: 15 Apr 2026
Version: v3.2
Jurisdiction: India · DPDP Act, 2023
Read time: ~7 min

01 TL;DR summary

Skip the legal-ese — here's what matters in two minutes.

  • We collect only what we need to run the app: account info, things you save (watchlists, screeners), and basic device telemetry.
  • We never sell personal data to third parties.
  • Your portfolio data is read-only — we get it from your broker via SEBI-approved Account Aggregators, with your consent, and you can revoke that consent any time.
  • Analytics and crash reporting are anonymised. You can opt out from settings.
  • You can export or delete your account from Settings → Data in two clicks.
Heads-up: The full document below is the legally binding version. The summary above is for convenience only.

02 Data we collect

Three buckets — listed in the order they leave your device:

Account data: Name, email, phone (verified via OTP), and a hashed password. If you sign in with Google, we receive your email, name, profile picture, and Google account ID — we never receive your Google password or any other Google data. PAN is collected only if you choose to link a portfolio.
Activity data: Watchlists, alerts, screener queries, fund comparisons, blog reads — the things you do inside the app.
Device data: Browser, OS, screen size, IP (truncated), and crash logs. Used to debug and prevent fraud, retained 90 days.

We do not collect contacts, photos, location, or any financial data your broker doesn't already share via the Account Aggregator framework.

03 How we use it

  • Run the product. Authenticate you, save your watchlists, send price alerts you opted into.
  • Improve the product. Aggregated, anonymised analytics tell us which screens are slow and which features are unused.
  • Communicate. Transactional emails (alerts, OTPs, statements) are always on. Newsletters are opt-in and one-click off.
  • Comply with law. SEBI, RBI and the Income Tax Department occasionally require us to retain or share specific records.

04 Who we share with

We share data only with the categories below, only when needed, and under signed data-processing agreements:

Infrastructure: AWS Mumbai (compute, storage), Cloudflare (CDN, DDoS).
Identity & payments: Razorpay, Digio for KYC and OTPs.
Sign-in providers: Google (only if you choose "Sign in with Google"). Our use of data received from Google is limited to authenticating you and creating your account; it complies with the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer data to Google beyond the OAuth handshake.
Account Aggregators: SEBI-licensed AAs (e.g. CAMSFinServ, Finvu) — only with your explicit consent, only for the duration you set.
Analytics: Self-hosted PostHog. No data leaves our infrastructure.
Regulators: SEBI, RBI, IT Dept, on lawful written request.

We do not, and will not, sell or rent personal data to advertisers, data brokers, or any third party for marketing purposes.

05 Storage and security

Data sits in encrypted Postgres clusters in ap-south-1 (Mumbai). At rest: AES-256. In transit: TLS 1.3 only. Backups are encrypted and rotated for 30 days.

Access inside FinlyticsLab is role-based and audit-logged. Engineers have read access only on a break-glass basis, with peer approval and a 24-hour audit trail.

06 Your rights

Under the DPDP Act, 2023 you have the right to:

  • Access a copy of all data we hold on you, in machine-readable JSON.
  • Correct anything inaccurate.
  • Erase your account and associated data — irreversible after a 30-day cooling-off window.
  • Withdraw consent for any specific purpose, without affecting the rest of the service.
  • Nominate someone to exercise these rights on your behalf in case of incapacity.

Self-serve from Settings → Data, or email privacy@finlyticslab.in. We respond within seven working days.

07 Cookies and tracking

We use three types of cookies, all first-party:

  • Essential — login session, CSRF token. Cannot be disabled.
  • Preference — theme, default chart range. You can clear them; the app still works.
  • Analytics — anonymous PostHog ID. Disabled by default in the EU/UK; opt-in elsewhere via the cookie banner.

No third-party tracking pixels, no Facebook/Google ad cookies, no fingerprinting.

08 Children

FinlyticsLab is not intended for users under 18. We do not knowingly collect data from minors. If you believe a child has signed up, email privacy@finlyticslab.in and we'll delete the account within 48 hours.

09 Changes

We review this policy every six months. Material changes (new data categories, new sharing partners, jurisdiction changes) are emailed to all active users 14 days before they take effect, with a clear summary of what's different.

Older versions are archived at finlyticslab.in/privacy/archive.

10 Grievance officer

If you believe your rights have been violated and our team hasn't resolved your concern, escalate to our Grievance Officer:

Name: Aanya Sridhar
Email: grievance@finlyticslab.in
Address: FinlyticsLab Technologies Pvt. Ltd., Level 4, Salarpuria Sanctity, Bellandur, Bengaluru 560103.
Response SLA: 5 working days for acknowledgement, 30 days for resolution.

Have a privacy concern?
Our DPO replies personally — usually within two working days.