Privacy Policy
Effective date: 05 May 2026
1. Data We Collect
We collect only the data required to provide the service:
| Data | Purpose |
| --- | --- |
| Name (first & last) | Account identification and personalised display |
| Email address | Authentication, account recovery, and service notices |
| PAN (optional) | Pre-fill ITR schedule; stored AES-256 encrypted — never in plaintext |
| Trade data (broker imports) | FIFO lot matching, P&L computation, and ITR summary generation |
| Family member details | Minor income clubbing under Sec 64(1A) as required by the Income Tax Act |
| Subscription & billing metadata | Plan, status, billing period, and Razorpay subscription/customer reference IDs — required to provide paid features. Card details are never seen or stored by us. |
| Support ticket content | Subject, category, and description you submit via the in-app support form — used solely to respond to your request |
| Activity logs | In-app events such as login, file imports, plan changes, and payments — used for audit, debugging, and security monitoring |
| IP address & usage logs | Security monitoring, abuse prevention, and rate limiting |
2. How We Use Your Data
Your data is used exclusively for:
- Computing capital gains (LTCG / STCG), F&O, and intraday P&L
- Generating ITR-ready Schedule CG exports
- Displaying your portfolio, tax liability estimates, and LTCG exemption utilisation
- Sending transactional emails (email verification, password reset)
- Maintaining security and preventing abuse
We do not use your data for advertising, profiling, or sale to third parties.
3. Legal Basis for Processing
Under the DPDP Act 2023, we process your personal data on two bases:
- Explicit consent given at account creation — for processing related to providing the core service, computing tax figures, and sending account communications.
- Performance of contract — for users on a paid plan, processing of billing and subscription data is necessary to deliver the paid Service you have contracted for, including charging your subscription, issuing receipts, and managing renewals or cancellations.
You may withdraw consent at any time by requesting account deletion (see Section 8). Withdrawal of consent will result in deletion of your account and all associated data. For paid subscriptions, billing records may be retained for the period required by applicable law (e.g. tax and accounting records).
4. Data Storage & Security
- All data is stored on Supabase (PostgreSQL), hosted on AWS infrastructure in the ap-south-1 (Mumbai) region — data remains within India.
- PAN numbers are encrypted using AES-256 (pgcrypto) before storage. The encryption key is never stored alongside the data.
- All connections use TLS 1.2 or higher.
- Row-Level Security (RLS) policies ensure users can only access their own data.
- We do not store payment card details. Card data is captured and processed entirely by Razorpay (PCI-DSS Level 1 compliant) and never touches our servers. We store only non-sensitive subscription metadata — plan, status, period-end date, and Razorpay subscription/customer reference IDs.
5. Data Sharing
We do not sell, rent, or trade your personal data. Data is shared only with:
| Recipient | Purpose |
| --- | --- |
| Supabase Inc. | Database and authentication infrastructure (data processor) |
| Vercel Inc. | Application hosting and edge delivery |
| Razorpay Software Pvt. Ltd. | Payment processing for paid subscriptions — receives name, email, and billing details. PCI-DSS Level 1 compliant; cards stored on Razorpay, never on our servers. |
| Resend (Resend Inc.) | Transactional email delivery — verification, password reset, payment receipts, billing notices. Receives recipient email address and message content. |
| Functional Software, Inc. (Sentry) | Application error monitoring — may capture user ID, URL path, browser, and stack traces when errors occur. Configured to scrub form inputs and personal identifiers. |
| Upstash, Inc. | Rate limiting and abuse prevention — receives IP address and request endpoint only. |
| Legal / regulatory authorities | Only when required by law or court order |
All processors above are bound by data processing agreements and applicable data protection law. Razorpay and Resend are India-based; Supabase, Vercel, Sentry, and Upstash are international processors with appropriate cross-border safeguards.
6. Cookies & Tracking
VriddhiQ itself sets only essential cookies — specifically, the Supabase session cookie required to keep you signed in. We do not use marketing analytics or advertising trackers.
When you start a paid subscription, the Razorpay checkout flow is loaded from Razorpay’s domain and may set its own cookies inside the checkout iframe to secure the payment session. Similarly, our error-monitoring SDK (Sentry) may set a session-scoped identifier to correlate errors. These third-party cookies are governed by Razorpay’s and Sentry’s respective privacy policies and are limited to those specific contexts.
7. Your Rights Under DPDP Act 2023
As a Data Principal, you have the right to:
| Right | Description |
| --- | --- |
| Access | Request a summary of the personal data we hold about you |
| Correction | Request correction of inaccurate or incomplete personal data |
| Erasure | Request deletion of your account and all associated personal data |
| Grievance redressal | File a complaint with our Grievance Officer (see Section 10) |
| Nomination | Nominate another person to exercise rights on your behalf in case of death or incapacity |
To exercise any of these rights, email support@vriddhiq.com from your registered email address. We will respond within 30 days.
8. Account Deletion
You may permanently delete your account directly from your Profile page → Danger Zone → Delete account. You will be asked to confirm by typing your email address. On confirmation, all personal data is immediately and permanently deleted — transactions, family members, broker accounts, PAN details, and your login credentials.
Deletion is immediate and irreversible. Residual data in encrypted database backups is purged within 30 days as backups roll over. We may retain anonymised, non-identifiable aggregate statistics (e.g. total trade count) that cannot be linked back to you.
9. Data Retention
We retain your personal data for as long as your account is active. If you request deletion, primary data is removed immediately and residual backup copies are purged within 30 days. If your account remains inactive for 3 consecutive years with no login, we will notify you by email before deleting the account. Billing records associated with paid subscriptions may be retained for the period required by applicable tax and accounting law.
10. Grievance Officer
Grievance Officer — VriddhiQ Technologies
Kailash Raval, Proprietor
In accordance with the Digital Personal Data Protection Act 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, we have appointed a Grievance Officer to address concerns about our data handling practices.
Email: grievance@vriddhiq.com
Complaints will be acknowledged within 48 hours and resolved within 30 days.
11. Children's Data
VriddhiQ is intended for users aged 18 and above. By creating an account, you self-attest that you are at least 18 years old. Minor family members may be added by an adult account holder (parent/guardian) solely for computing income clubbing under Sec 64(1A) of the Income Tax Act — minors cannot register accounts directly.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in law or our practices. Material changes will be notified by email to registered users at least 15 days before taking effect. The effective date at the top of this page will always reflect the latest version.
13. Disclaimer
VriddhiQ provides tax computation tools for informational purposes only. It is not a SEBI-registered investment advisor. Figures shown are estimates — verify with a qualified Chartered Accountant before filing your ITR.