Legal

Privacy Policy

Effective Date: 1 January 2025 · Last Updated: April 2025 · Version 1.2

Short version: We collect only what's necessary to provide the service. We do not sell your data. Broker API keys are encrypted at rest. You can request deletion of your account and data at any time by emailing [email protected].

Data Controller
What We Collect
How We Use Your Data
Third-Party Services
Security
Data Retention
Your Rights
Cookies & Local Storage
India — PDPB Notice
International Users — GDPR & Others
Children's Privacy
Changes to This Policy
Contact & Data Requests

1. Data Controller

The data controller for personal data processed through CapXone is CapXone Technologies, operating at [email protected].

2. What We Collect

Category	Data Collected	Purpose
Account	Email address, display name, username, profile picture (optional), password (stored only as a securely salted one-way hash, never in plain text)	Authentication, account management
Broker Credentials	API key, API secret (encrypted at rest), broker username	Broker API integration for order execution
Trade Data	Orders, positions, holdings, P&L, trade journal entries	Analytics, journaling, strategy backtesting
Payment Data	Razorpay order/payment ID, plan name, amount, billing cycle. We do not store card numbers or bank details.	Subscription management, billing records
Usage & Technical	IP address (hashed after 90 days), browser user-agent, pages visited, feature usage events	Security, rate limiting, product improvement
Auth Events	Login timestamps, device fingerprint (hashed), failed login attempts	Fraud prevention, security alerts
Communications	Emails sent to support	Customer support

3. How We Use Your Data

Service delivery: Authenticating your account, routing orders to brokers, displaying your portfolio and P&L
Security: Detecting suspicious logins, enforcing rate limits, maintaining audit trails
Product improvement: Understanding how features are used (aggregated, anonymised analytics)
Communications: Transactional emails (account verification, payment confirmations, plan expiry warnings). We do not send marketing emails without consent.
Legal compliance: Responding to lawful requests from authorities

We do not: sell your data, use it for advertising, train AI models on your trade data without consent, or share it with third parties except as described below.

4. Third-Party Services

Provider	Purpose	Data Shared	Privacy Policy
Razorpay	Payment processing (India)	Name, email, payment amount	razorpay.com/privacy
NOWPayments	Crypto payment processing (Global)	Order ID, amount (no PII)	nowpayments.io/privacy-policy
Google OAuth	Optional sign-in with Google	Email, display name, profile picture	policies.google.com/privacy
Sentry	Error monitoring	Stack traces, anonymised request metadata (no PII)	sentry.io/privacy
Broker APIs (Zerodha, etc.)	Order execution & market data	Your API key (sent to broker), order parameters	Each broker's own policy
SMTP Provider	Transactional emails	Email address, message content	Varies by provider

All third-party providers are contractually bound to process data only for the described purposes and in compliance with applicable data protection laws.

5. Security

Passwords: Stored only as a strong, salted one-way hash — never in plain text.
Broker API keys: Encrypted at rest with strong, industry-standard encryption, and decrypted only transiently while an order is being placed on your behalf.
Transport: All communication is encrypted in transit via TLS 1.2+.
Sessions: Time-limited and server-side revocable, with automatic expiry after inactivity. Changing your password or signing out invalidates active sessions immediately.
Database: All data access uses parameterised queries to prevent injection-class attacks.
Rate limiting: All authentication endpoints rate-limited to prevent brute force attacks.
2FA: TOTP (authenticator app) and PIN second factor available for all users.

Despite these measures, no internet-based system can guarantee absolute security. You are responsible for keeping your credentials confidential.

6. Data Retention

Active accounts: Data retained for the duration of the account's active life.
After account deletion: Personal data deleted within 30 days. Anonymised aggregated analytics may be retained indefinitely.
Payment records: Retained for 7 years as required by Indian financial regulations (GST compliance).
Auth event logs: Retained for 90 days for security investigation purposes.
Usage/page-view data: Automatically purged after 90 days.

7. Your Rights

You have the following rights with respect to your personal data:

Access: Request a copy of all personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your account and personal data ("right to be forgotten").
Portability: Request your trade data and account data in a machine-readable format (JSON/CSV).
Objection: Object to processing for analytics or product improvement purposes.
Withdrawal: Withdraw consent for optional data processing at any time.

To exercise any of these rights, email [email protected] with your registered email and a clear description of your request. We will respond within 30 days.

8. Cookies & Local Storage

CapXone uses minimal cookies and browser local storage:

Session cookie: Secure, HttpOnly, SameSite=Lax. Required for authentication. Expires on session end or after configured idle timeout.
CSRF token: Short-lived cookie for form submission security.
User preferences: Theme (dark/light), currency preference stored in localStorage. Not synced to our servers.
No advertising cookies. No cross-site tracking. No third-party analytics cookies (e.g., Google Analytics).

9. India — Digital Personal Data Protection

We are committed to compliance with India's Digital Personal Data Protection Act (DPDPA) 2023 and the existing provisions of the Information Technology Act 2000 and associated rules.

You may raise a complaint with the Data Protection Board of India once it is constituted.
For data processing grievances, contact our designated grievance officer at [email protected].
Personal data of Indian users is processed on servers located in India or regions with adequate data protection standards.

10. International Users — GDPR & Others

EU/EEA (GDPR): If you are in the European Economic Area, you have additional rights under the General Data Protection Regulation, including the right to lodge a complaint with your local supervisory authority. Our legal basis for processing is primarily contractual necessity (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)).

UK: Equivalent rights apply under the UK GDPR and Data Protection Act 2018.

California (CCPA): California residents may request disclosure of categories of personal information collected and have the right to opt out of any sale of personal information (we do not sell personal information).

For cross-border data transfers, we rely on standard contractual clauses or adequacy decisions where applicable.

11. Children's Privacy

The Platform is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will promptly delete it. Contact [email protected] if you believe a minor has registered.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or prominent in-app notice at least 7 days before the new policy takes effect. Your continued use of the Platform after the effective date constitutes acceptance.

13. Contact & Data Requests

CapXone Technologies — Data Privacy
Email: [email protected]
Response time: Within 30 days of receipt of your request.

This Privacy Policy was last updated in April 2025.