Privacy Policy

Effective Date: 1 January 2025 ·  Last Updated: 1 January 2025

Your privacy matters to us. This Policy explains what data we collect, why we collect it, and how we protect it — in plain language.

• No data sold: We never sell your personal data to advertisers
• Analytics only: Trade data used only to show your own analytics
• DPDP Compliant: Compliant with India's Data Protection Act 2023

1. Overview

Profitma ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Profitma platform at https://profitma.app. This policy is compliant with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000. By using the Platform, you consent to the data practices described in this Policy.

2. Information We Collect

We collect the following categories of information:

2.1 Information you provide directly:
• Full name and email address (during registration)
• Password (stored as a bcrypt hash — we never store plaintext passwords)
• Optional profile details

2.2 Trade and financial data (via Zerodha Kite Connect):
• Executed trade orders (symbol, quantity, price, time, type)
• Daily P&L summaries
• We do NOT access your account balance, bank details, or funds

2.3 Usage data:
• Pages visited, features used, session duration
• Device type, browser, operating system
• IP address (used for rate limiting and security)

2.4 Communications:
• Emails you send to our support team

We do NOT collect:
• Aadhaar, PAN, or government ID numbers
• Bank account or payment card details (handled entirely by our payment gateway)
• Zerodha login credentials

3. How We Use Your Information

We use your data solely for the following purposes:
• To provide and operate the Platform (analytics, Trader Score, reports)
• To authenticate your account and maintain session security
• To sync your trade data via Zerodha Kite Connect
• To process subscription payments
• To send transactional emails (account confirmation, payment receipts)
• To send product updates and feature announcements (you may unsubscribe at any time)
• To detect and prevent fraud, abuse, or security incidents
• To comply with applicable legal obligations

We do NOT:
• Sell, rent, or trade your personal data to third parties
• Use your trade data to make trading decisions for our own account
• Share your data with advertisers or marketing networks

5. Zerodha Data & Third-Party APIs

When you connect your Zerodha account:
• We use OAuth 2.0 — Zerodha authenticates you directly and issues us a temporary access token
• Access tokens are stored encrypted in our database using industry-standard encryption
• We use access tokens only to fetch your trade history via the Kite Connect API
• Tokens expire daily (Zerodha's policy) and must be re-authorised by you each session
• You can revoke our access at any time from Zerodha's app or from your Profitma Settings page

We are not affiliated with Zerodha Broking Ltd. Your use of Zerodha is governed by Zerodha's own Privacy Policy.

6. Data Sharing & Third Parties

We share your data only with trusted service providers necessary to operate the Platform:
• Cloud infrastructure: AWS / Google Cloud (hosting and database storage in India where possible)
• Payment processing: Razorpay (processes payment; we do not store card details)
• Email delivery: Transactional email providers (e.g., SendGrid or Resend)
• Error monitoring: Sentry (anonymised crash/error logs)

All third-party providers are contractually required to:
• Process data only for the specified purpose
• Maintain adequate security standards
• Not disclose data to further parties without consent

We may disclose your data if required by law, court order, or government authority under Indian law.

7. Data Security

We implement industry-standard security measures:
• Passwords: bcrypt hashing (never stored in plaintext)
• Data in transit: TLS 1.2+ encryption for all API communications
• Database: Encrypted at rest; access restricted to authorised personnel
• API access: JWT-based authentication with short expiry
• Kite tokens: AES-256 encrypted before storage
• Rate limiting: Protection against brute-force and abuse

Despite these measures, no system is completely secure. You use the Platform at your own risk and should protect your account credentials carefully.

In the event of a data breach that affects your personal data, we will notify you within 72 hours of becoming aware, as required by applicable law.

8. Data Retention

We retain your data for the following periods:
• Account data: For the duration of your account, plus 90 days after deletion (to allow recovery)
• Trade data: For the duration of your account
• Payment records: 7 years (required by Indian tax and accounting regulations)
• Server logs: 30 days rolling

After the retention period, data is securely deleted or anonymised.

9. Your Rights (DPDP Act 2023)

Under India's Digital Personal Data Protection Act, 2023, you have the following rights:
• Right to Access: Request a copy of the personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your account and personal data (subject to legal retention requirements)
• Right to Grievance Redressal: Lodge a complaint with us or with the Data Protection Board of India
• Right to Nominate: Nominate another individual to exercise these rights on your behalf in case of death or incapacity

To exercise any of these rights, contact us at privacy@profitma.app. We will respond within 30 days.

10. Cookies & Local Storage

We use the following:
• Authentication cookie (profitma_token): Stores your JWT session token; required for the Platform to function; expires after 24 hours
• localStorage / sessionStorage: May store UI preferences (e.g., theme, selected date range)

We do NOT use advertising cookies or third-party tracking cookies. You can clear cookies at any time via your browser settings, but this will log you out of the Platform.

11. Children's Privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has created an account, we will promptly delete the account and associated data.

12. Cross-Border Data Transfers

Your data is primarily stored and processed in India. When we use third-party service providers located outside India, we ensure adequate data protection through contractual safeguards in compliance with the DPDP Act, 2023. By using the Platform, you consent to your data being processed in India and in countries where our service providers operate.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Platform at least 7 days before they take effect. Continued use of the Platform after changes take effect constitutes acceptance of the revised Policy.

14. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the details of the Grievance Officer are:

Name: Grievance Officer, Profitma
Email: privacy@profitma.app
Response time: Within 30 days of receipt of complaint

If you are not satisfied with our response, you may approach the Data Protection Board of India once it is constituted.

15. Contact Us

For any privacy-related questions, requests, or concerns:

Email: privacy@profitma.app
Website: https://profitma.app

We are committed to working with you to resolve any privacy concerns promptly and fairly.

© 2026 Profitma. All rights reserved.