Data Protection & Privacy Policy
Effective Date: March 28, 2026 (Updated)
Your privacy is paramount. We comply with India's Digital Personal Data Protection Act, 2023.
1. Information We Collect
We collect the following personal data to provide our services:
- Identity Data: Name, Email Address, Phone Number (for authentication).
- Trading Data: Trading Journal entries, P&L statements (only if uploaded by you).
- Technical Data: IP Address, Device info, browser type for security and analytics.
1A. AI-Processed Data
When you use DRISHTI AI or AI Trade Analysis features, we process:
- Your trade journal entries — sent to AI models (Claude/GPT) for behavioural pattern analysis. We do NOT share your data with these providers for their training purposes.
- Your portfolio holdings — used to generate factual alerts about upcoming corporate events (earnings dates, dividends) from public filings.
- XP and gamification data — stored in our database to track your journaling progress. This data is never shared externally.
AI analysis is performed on-demand only when you request it. We do not continuously monitor or analyse your data in the background.
2. Purpose of Processing
We process your data solely for:
- Providing educational analytics and journal insights.
- Authenticating your account and preventing fraud.
- Communicating service updates and support.
- Legal compliance (record keeping).
3. Consent & Control
By signing up, you explicitly consent to the processing of your data for the above purposes. You have the right to withdraw consent at any time by deleting your account.
4. Data Minimization & No Selling
We strictly adhere to purpose limitation. We DO NOT sell, trade, or rent your personal data to third-party brokers, advertisers, or signal providers.
5. Security Measures
We employ industry-standard security measures to protect your data:
- Encryption in transit: All data is transmitted over TLS/HTTPS encrypted connections.
- Encryption at rest: Database storage is encrypted using cloud-provider encryption (MongoDB Atlas).
- Authentication: Firebase Auth with secure session tokens. Passwords are hashed using bcrypt (12 rounds).
- Access controls: Role-based access (RBAC) restricts personal data to authorized personnel only.
- CSRF protection: All state-changing requests are protected by CSRF tokens.
- Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks.
- Content Security Policy: Strict CSP headers prevent XSS and injection attacks.
- No third-party tracking: We do not use third-party advertising trackers or sell data to advertisers.
- Regular audits: We conduct regular security and performance audits of our codebase and infrastructure.
6. Your Rights
Under the DPDP Act 2023, you have the right to:
- Access specific personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure of your data (Right to be Forgotten).
- Register a grievance regarding data processing.
7. Account Deletion & Data Retention
You may delete your account at any time from Settings. Upon requesting deletion:
- Your account is disabled immediately and a 24-hour grace period begins, during which you can cancel the deletion.
- After 24 hours, all personal information is permanently and irreversibly erased, including your name, email, phone number, authentication credentials, individual trade records, holdings, portfolio data, financial goals, support tickets, and all other personally identifiable information.
- We retain anonymized, aggregated statistics that cannot be used to identify you in any way. This includes aggregated trading performance metrics (such as win rate and profit factor), anonymized behavioural patterns, subscription category, and feature usage counts.
- Anonymized data is linked only via a one-way cryptographic hash (SHA-256) that cannot be reversed to identify the original user. Dates are stored at month-level precision only.
- This anonymized data is used solely for improving our AI models, behavioural analysis research, and platform development, in compliance with the Digital Personal Data Protection Act, 2023 (Sections 8(7), 12(1), and 17).
We do not sell, share, or transfer anonymized data to any third party. It is used exclusively for internal research and product improvement.
8. Email Communications & Consent
We send the following types of email communications:
- Transactional emails (account verification, password reset, payment receipts) — sent without separate consent as they are necessary for service delivery.
- Weekly Trading Digest — contains YOUR personal trade statistics only. Sent only if you have opted in via the weeklyDigestEnabled setting. You can unsubscribe at any time via the one-click unsubscribe link in each email or from Settings → Notifications.
- Trial and subscription notifications — sent during your trial period to inform you of trial status. These cease after trial expiry or subscription activation.
We never send unsolicited marketing emails, stock tips, or third-party promotional content. All emails contain only your own data or factual service information.
9. Public Data Sources
ArthaLearn ingests and displays publicly available data from:
- SEBI (sebi.gov.in) — Circulars, press releases, and regulatory orders via official RSS feed.
- BSE/NSE — Corporate filings, earnings dates, corporate actions (dividends, splits, board meetings).
This data is sourced from government and exchange websites, displayed for informational purposes only, and is not modified, editorialized, or used to generate investment advice.
10. Grievance Redressal
For any privacy concerns or to exercise your rights, please contact our Grievance Officer:
Email: support@arthalearn.com
Location: Guwahati, Assam, India