Privacy Policy
Effective Date: October 12, 2024. This policy governs all data collection and processing activities within the ChartX ecosystem.
1. Comprehensive Overview & Fiduciary Commitment to Data Stewardship
This Privacy Policy ("Policy") serves as the definitive governing document for the collection, processing, and protection of personal, technical, and financial data by ChartX Capital Private Limited ("ChartX", "the Company", "We", "Us"). In an era of increasing digital surveillance and data commodification, ChartX operates on a foundational principle of Data Fiduciary Responsibility. We do not view your information as a resource to be "mined," but as a trusted asset to be "stewarded" in strict alignment with the Information Technology Act, 2000, and the Digital Personal Data Protection (DPDP) Act, 2023 of India, alongside global best practices such as GDPR and CCPA.
Our virtual-first operational model ensures that your data is not tethered to physical paper trails but is protected within high-availability, encrypted cloud environments. This Policy disclosure is designed to be exhaustive, covering every facet of your digital interaction with the ChartX Terminal, our research APIs, and our community intelligence networks. By utilizing our services, you are entering into a "Data Trust" agreement where privacy is not merely a compliance checkbox but a core architectural pillar.
2. Detailed Taxonomy of Data Collection Architectures
To provide a high-frequency research environment, we must process various streams of data. We categorize these into granular sub-sectors to provide absolute transparency into what we "know" about you.
A. Primary Identity & Verified Persona Data
This tier represents the "Anchor Data" required to establish a secure user identity. It includes your full legal name, verified mobile number (authenticated via cryptographically secure OTP), and email address. For users accessing institutional-grade features or connecting to regulated broker APIs, we may facilitate the collection of PAN and Aadhaar details through secure, temporary bridges to e-KYC providers. Crucially: ChartX does not store raw Aadhaar numbers; we only maintain the verification tokens provided by authorized UIDAI intermediaries.
B. Financial Intelligence & Transactional Metadata
We treat financial data with extreme sensitivity. While we facilitate subscriptions through PCI-DSS Level 1 compliant partners like Cashfree and Razorpay, our internal servers never "see" or "store" your credit card numbers, CVV codes, or UPI PINs. We do, however, process and store:
- Subscription Lifecycles: Historical records of upgrades, downgrades, and trial periods.
- Billing Geometry: Your GST status, billing country (for tax localization), and transaction success/failure error codes.
- Referral Lineage: Data regarding who referred you to the platform and associated promotional credit balances.
C. Terminal Telemetry & Behavioral Echoes
To optimize the performance of the ChartX "Digital Luminary" engine, we monitor how you interact with our tools. This includes:
- Interaction Density: Which technical indicators (Ichimoku Clouds, Fibonacci Retracements, MACD) you deploy most frequently. This data is aggregated to decide which features deserve the most engineering resources.
- Latency Profiles: The speed at which your local browser renders market data packets. This helps us optimize our Content Delivery Network (CDN) nodes.
- Heatmapping (Anonymized): Where your cursor spends time within the terminal to improve UX ergonomics.
D. Network & Environment Fingerprinting
For security and anti-fraud purposes, we collect technical identifiers including your IP address (masked at the subnet level for analytics), browser engine version, screen resolution, and operating system build. This prevents "Account Takeover" (ATO) by flagging logins that deviate significantly from your established environment profile.
3. The Lifecycle of a Data Packet: Processing & Logic
Understanding how we use your data is as important as knowing what we collect. Our processing logic is governed by three primary pillars:
Functional Necessity
Processing required to actually run the terminal—such as verifying your session so your watchlists don't disappear.
Ecosystem Optimization
Analyzing aggregated, non-PII data to improve our "Pulse" research algorithms and market-scanning efficiency.
Regulatory Compliance
Satisfying the reporting requirements of SEBI, the Ministry of Corporate Affairs, and tax authorities.
Cross-Asset Intelligence: We may analyze your research patterns across different asset classes (e.g., comparing your NIFTY 50 interest vs. Bank Nifty) to curate the "Market Intelligence" section of your dashboard. This is performed via a "Local-First" logic where possible, reducing the need for server-side profiling.
4. Global Data Sovereignty & International Transfers
ChartX is a virtual-first entity, but we respect the physical laws of data sovereignty. For our Indian users, all financial and identity data is stored on servers located within the Republic of India, in strict accordance with Reserve Bank of India (RBI) mandates. For our global users, data may be processed in Tier-4 data centers located in Singapore, the European Union, or North America, depending on your geographic proximity to our nodes.
When we transfer data across borders, we utilize Standard Contractual Clauses (SCCs) and ensure that the receiving jurisdiction provides "Adequate Protection" as defined under the DPDP Act. We do not transfer your personal data to countries that lack robust data protection frameworks unless explicitly required for a specific transaction (e.g., an international wire transfer).
5. The "Obsidian" Security Architecture
Our security protocols are modeled after institutional-grade banking systems. We call this the "Obsidian" framework—designed to be impenetrable and transparently auditable.
Tier 1: Transmission Security (TLS 1.3)
Tier 2: At-Rest Vaulting (AES-256-GCM)
Tier 3: Identity Guard & MFA Mandates
6. Deep-Dive: Cookies, LocalStorage & Synthetic Tracking
The ChartX experience is highly customized, which requires the use of persistent storage technologies. We categorize our "Tracking Technologies" into four functional groups:
- Strictly Essential: Cookies used for authentication and CSRF (Cross-Site Request Forgery) protection. Without these, you cannot log in.
- State Persistence (LocalStorage): Techniques used to remember if you prefer Dark Mode, which chart layout you last used, and your custom indicator settings. These remain on your device and are not "phoned home" unless you sync to the cloud.
- Performance Intelligence: Anonymized trackers that tell us which pages load slowly. We use this to debug the terminal in real-time across different global regions.
You can opt out of Performance and Functional tracking through your browser settings, though this will significantly degrade the "Digital Luminary" terminal experience.
7. Data Retention & The "Right to be Forgotten"
We do not believe in digital hoarding. Our retention policy is governed by the "Purpose Limitation" principle. Once data is no longer needed for its primary purpose or regulatory compliance, it is either permanently deleted or rendered in an irreversibly anonymous format (Synthetic Data).
A. Retention Schedules
- Identity Data: Retained for the duration of your active account + 180 days after closure (to facilitate account recovery if you change your mind).
- Financial Records: Retained for 7 Fiscal Years as per Indian Income Tax and GST mandates.
- Security & Access Logs: Retained for 12 months to support forensic auditing and legal hold requirements.
B. Exercising Your Rights
Under the DPDP Act and GDPR, you have the right to request the deletion of your data. When you trigger the "Right to be Forgotten" through our compliance desk:
- We will verify your identity via MFA to prevent "Malicious Deletion" attempts.
- Your PII will be purged from our production databases within 72 hours.
- Backups will be updated within our 30-day rotation cycle.
- You will receive a "Digital Clearance Certificate" via email once the process is complete.
8. Protection of Minors
ChartX is designed for users who are at least 18 years of age. We do not knowingly collect or solicit personal information from anyone under the age of 18. If we learn that we have collected personal information from a minor without parental consent, we will delete that information as quickly as possible. If you believe that a minor has provided us with personal information, please contact our compliance desk immediately.
9. Disclosure Mandates: When We Share Data
We only share your data in three specific, high-threshold scenarios:
- Authorized Broker Integrations: When you use our API Bridge to trade via Kotak Neo, Upstox, or Dhan, we share the necessary session tokens and trade parameters required to execute your request.
- Service Operations: Sharing encrypted identity tokens with our sub-processors (Cloud, Payments, Mailing) purely for the purpose of running the service.
- Legal & Statutory Necessity: If served with a valid court order or a direct request from SEBI/RBI/Law Enforcement, we will disclose the specific information requested. We will always attempt to notify you of such requests unless legally prohibited from doing so.
10. Modifications & Digital Consent
We reserve the right to modify this Policy at any time. Changes will be notified via a "Policy Update" banner on the terminal and via email. Your continued use of the platform after the "Effective Date" of a new policy constitutes your "Deemed Consent" to the updated practices. We encourage you to review this page periodically to stay informed about how we are protecting your data.
Contact the Data Fiduciary Desk
For any inquiries regarding data protection, the exercise of your rights, or to report a perceived security vulnerability, please contact our specialized compliance unit. We operate a virtual-first support model to ensure rapid response times across all time zones.
© 2024-2026 ChartX Capital Private Limited. All Rights Reserved. Document ID: CX-LEG-PRV-V3