IndiaPulse

Privacy Policy

Last updated: 3 May 2026. We treat this document as the contract between you and us — if anything here surprises you, contact our Grievance Officer.

1. Who we are

IndiaPulse (the “Platform”) is an equity-research and analytics tool for Indian markets, operated as a personal project at this stage. For the purposes of India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) we are the Data Fiduciary. You are the Data Principal.

This policy applies to indiapulse websites, mobile apps (iOS), and any data you submit to us when using them.

2. What we collect

Only what we need to make the product work. Specifically:

2.1 Account information

  • Email + name + profile picture — collected when you sign in. Either you provide them on email signup, or Google passes them to us via OAuth.
  • Password hash (email-signup users only) — never the password itself; we store a one-way bcrypt hash.
  • Google OAuth identifier — the opaque sub claim Google issues. Used only to recognise you on return visits.

2.2 Product-usage data

  • Watchlists — the tickers you choose to follow.
  • Portfolios — positions you enter for analysis. We treat this as sensitive financial data: encrypted at rest, never sold, never shared outside the platform.
  • Journal entries — the notes you save against trades.
  • Alert subscriptions — which signals you want notified about.

2.3 Device + technical data

  • Session cookie — a signed JWT, used only for keeping you logged in.
  • Device push token (iOS app only, if you opt in to push notifications) — Apple-issued APNs token. Used solely to send you the alerts you subscribed to.
  • IP address + user-agent — captured in server logs for security and abuse-prevention. Retained 30 days, then discarded.

2.4 What we do not collect

  • Your bank, broker, or demat credentials. Ever. We never ask for them.
  • Your phone number — unless you voluntarily provide it for SMS alerts (not yet a feature).
  • Any biometric data, location, microphone, or camera access.
  • Behavioural ad-targeting profiles. We don’t run ad networks.

3. Why we collect it (lawful purposes)

Under DPDPA § 7, our lawful basis for processing is your consent + legitimate use:

  • To provide the product (signed-in features like watchlists, portfolios, alerts).
  • To secure the platform (rate-limiting, abuse detection from logs).
  • To improve the product (aggregate usage patterns — never tied to identifiable users).
  • To comply with legal requirements (tax, regulator requests, court orders).

We do not use your data for advertising, profile-based scoring, or sale to third parties.

4. Who we share it with

A short, named list:

| Party | Purpose | Data shared |
|---|---|---|
| Google (OAuth) | Sign-in | We receive email, name, picture from Google. We don’t send anything back. |
| Apple (APNs) | iOS push notifications | Notification payload + your APNs token (issued by Apple, not by us). |
| Google Cloud / Cloud Run | Hosting (asia-south1, Mumbai) | All product data sits on Google Cloud infrastructure. |
| Neon Postgres | Database (ap-southeast-1, Singapore) | Persisted user + market data. Encrypted at rest. |
| Google (Gemini API) | AI stock-brief + result-commentary, on demand | Only the ticker + public fundamentals. Never your portfolio, watchlist, or identity. |
| Public market-data sources | Reading market data | We fetch from MoneyControl, Screener, NSE, BSE, Yahoo Finance. We don’t send your data to them. |

We do not sell or rent personal data to anyone. Disclosure to law enforcement happens only on receipt of a valid legal order, and we will resist over-broad requests.

5. Cross-border transfer

Application servers run in Mumbai (Google Cloud asia-south1). Database storage is in Singapore (Neon, ap-southeast-1) for regional latency reasons. APNs traffic transits Apple’s global infrastructure. All transfers happen under contractual safeguards equivalent to the EU’s Standard Contractual Clauses, and DPDPA does not currently restrict transfer to either jurisdiction.

6. How long we keep it

  • Account, watchlists, portfolios, journal entries — until you delete them or close your account.
  • Server logs (IP + user-agent) — 30 days, then permanently discarded.
  • Backups — rolling 7-day window; deleted data falls out within a week.
  • Push tokens — until you uninstall the app, revoke notifications in iOS settings, or delete your account.

7. Your rights

Under DPDPA § 11–13, you have the right to:

  • Access a copy of the personal data we hold about you.
  • Correct anything inaccurate.
  • Erase your account and all associated data.
  • Withdraw consent at any time (note: this may break product features that require your data).
  • Nominate a person to exercise these rights on your behalf if you become incapacitated.
  • Lodge a grievance with our Grievance Officer; if unresolved, escalate to the Data Protection Board of India.

To exercise any of these rights, email the Grievance Officer (section 11). We respond within 30 days as required by DPDPA.

8. Cookies

We use exactly one cookie: a signed session JWT to keep you logged in. It is HTTP-only, Secure, SameSite=Lax, and expires when you sign out (or after 30 days of inactivity, whichever is first). We don’t use third-party analytics cookies, ad cookies, or fingerprinting.

9. Children

IndiaPulse is intended for adult investors only and is not targeted at users under 18. Under DPDPA § 9, we do not process the personal data of minors, do not engage in behavioural monitoring of minors, and do not target advertising to them. If you believe a minor has created an account, please notify our Grievance Officer and we will delete the account immediately.

10. Security

All data in transit is TLS 1.2+. Database storage is encrypted at rest. Passwords are bcrypt-hashed (work factor 12). Access to production infrastructure is restricted to operators with 2FA on their Google Cloud accounts. We have not yet completed a formal SOC 2 / ISO 27001 audit — that is on the roadmap once revenue justifies it.

If you spot a security issue, please email security@indiapulse.org rather than disclose it publicly. We will acknowledge within 48 hours and credit you in the fix announcement if you wish.

11. Grievance Officer / Contact

For any privacy-related question, complaint, or rights request, contact our designated Grievance Officer (DPDPA § 10):

Name: Ashish (Founder, designated DPO)
Email: privacy@indiapulse.org
Response window: within 30 days

(Email aliases above forward to the founder’s personal inbox until the team scales beyond a single operator.)

12. Changes to this policy

We may update this policy as features or regulations change. Material changes will be notified by email to registered users and a banner on the site at least 14 days before they take effect. The “Last updated” date at the top of this page tracks the most recent revision.

This policy is written in plain English deliberately — if you find any clause confusing, that’s a bug, please tell us. The companion compliance disclosure (SEBI Investment Adviser / Research Analyst regulations) lives in the footer of every page.
