
Privacy Policy

Last updated: April 2026 ·  Effective date: April 1, 2026

This policy applies to ArthaDNA, operated by Reinforcement Analytics. It describes how we collect, use, store, and protect your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) and applicable Indian law.

1. Overview

We are committed to minimal data collection, strong security, and full transparency. We do not sell your personal or financial data to any third party. We do not use your data for targeted advertising. Your portfolio data is used exclusively to provide the Service to you.

  • 🔒 Encrypted at rest & in transit
  • 🚫 Never sold to advertisers
  • 📤 Exportable & deletable on request

2. Data We Collect

We collect only what is necessary to provide the Service:

Identity data

Email address (used for OTP login), display name if provided.

Financial data

Portfolio holdings, invested amounts, NAVs, and transaction history extracted from CAS PDFs you upload. Raw PDF files are deleted immediately after parsing.

Profile data

Annual income, monthly expenses, insurance cover, risk profile, and financial goals you enter voluntarily.

Usage data

Pages visited, features used, API requests, session duration, and error logs — used for service improvement and fraud prevention.

Payment data

Subscription status, plan tier, and Razorpay payment reference IDs. We do not store card numbers, UPI IDs, or bank details.

AI chat history

Messages you send to the AI assistant, retained to provide conversational context. Limited to the last 50 messages.

Device & log data

IP address, browser type, and OS — collected transiently for security and rate-limiting. Not stored beyond 90 days.

3. How We Use Your Data

  • To provide portfolio analysis, AI-generated insights, and wealth reports
  • To authenticate you via OTP and manage your account session
  • To process subscription payments and issue receipts via Razorpay
  • To send transactional emails (OTP, payment receipts, report delivery)
  • To detect and prevent fraud, abuse, and security threats
  • To improve our AI models using anonymised, aggregated data only
  • To comply with applicable laws, regulations, and lawful government requests

We do not use your data for targeted advertising, behavioural profiling, or sale to data brokers.

4. Data Retention

Data type | Retention period
Account & profile data | Until you delete your account, then 30 days for export window
Portfolio / holdings data | Until you delete your account or specific portfolio
Raw CAS PDF | Deleted immediately after parsing (within seconds)
AI chat history | Last 50 messages; older messages auto-purged
Payment records | 7 years (statutory accounting obligation under Indian Companies Act)
Usage / error logs | 90 days
Wealth report PDFs | 12 months from generation
API access logs (B2B) | 12 months for audit and debugging

5. Third-Party Processors

We use the following sub-processors. Each is bound by contractual data processing obligations and is required to maintain appropriate security standards:

Provider | Purpose | Location
Supabase | Database & OTP authentication | AWS ap-south-1 (Mumbai, India)
Anthropic (Claude) | AI-generated insights & chat | USA — cross-border transfer applies
Resend | Transactional email (OTP, receipts) | USA — cross-border transfer applies
Razorpay | Payment processing & subscriptions | India
Railway | Backend API infrastructure | USA — cross-border transfer applies
Vercel | Frontend hosting & edge CDN | USA / India edge nodes
Sentry | Application error monitoring | USA — cross-border transfer applies

We update this list when we add or remove sub-processors. Material changes are notified per Section 13.

6. Data Security

Encryption

All data encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase).

Row Level Security

Database-layer RLS ensures you can only access your own data.

OTP Authentication

Passwordless login reduces credential theft risk.

Rate Limiting

API endpoints rate-limited to prevent brute-force and abuse.

Webhook Verification

All Razorpay webhooks verified via HMAC-SHA256 signatures.

Dependency Scanning

Automated scanning for known vulnerabilities in dependencies.

Despite our efforts, no system is perfectly secure. In the event of a data breach affecting your rights, we will notify you within 72 hours of discovery as required by DPDPA guidelines.

7. Your Rights (DPDPA 2023)

Under the Digital Personal Data Protection Act, 2023, you have the following rights. To exercise any of them, email privacy@reinforcementanalytics.in. We respond within 7 business days.

Right to Access (Sec. 11)

Request a copy of all personal data we hold about you. Also available via Dashboard → Settings → Export My Data.

Right to Correction (Sec. 12)

Update your profile data at any time from Dashboard → Settings. For data we hold from parsed documents, email us.

Right to Erasure (Sec. 12)

Request permanent deletion of your account and all associated data via Settings → Delete Account. Payment records are retained for 7 years as required by law.

Right to Withdraw Consent (Sec. 6)

You may withdraw consent for AI model training use of your anonymised data at any time from Settings → Privacy Preferences.

Right to Grievance Redressal (Sec. 13)

Contact our DPO (see Section 14). If unresolved within 30 days, you may escalate to the Data Protection Board of India once constituted.

Right to Nominate (Sec. 14)

You may nominate another person to exercise your DPDPA rights on your behalf in the event of death or incapacity.

8. Cookies

We use only essential cookies required for authentication (secure session tokens) and CSRF protection. We do not use tracking, advertising, analytics, or third-party cookies.

Cookie | Purpose | Expiry
sb-session | Supabase authentication session | 7 days
sb-refresh-token | Session renewal token | 60 days

You can disable cookies in your browser settings. Authentication will not function without session cookies.

9. Business & API Users — Data Handling

If you are a Business User accessing the Service via API, the following additional terms apply:

  • End-client data: You are the Data Fiduciary for any personal data of your end-clients that you pass through our API. You must execute a Data Processing Agreement (DPA) with us before processing end-client data. Contact legal@reinforcementanalytics.in.
  • API logs: We retain API request logs (endpoint, timestamp, response code, truncated payload) for 12 months for debugging, security, and billing audit purposes.
  • No AI training on B2B data: Data passed through the API by Business Users is never used to train or fine-tune our AI models.
  • Data isolation: Business accounts have dedicated Supabase Row Level Security policies that fully isolate their data from consumer accounts and other business accounts.

10. Cross-Border Data Transfers

Some of our sub-processors are located outside India (see Section 5). When we transfer personal data outside India, we do so only:

  • Where the transfer is necessary to provide the Service (e.g., AI processing via Anthropic)
  • With contractual safeguards requiring the recipient to maintain security standards equivalent to Indian law
  • Subject to any countries or sub-processors notified as restricted by the Government of India under DPDPA

If any sub-processor is added to a restricted-transfer list under DPDPA regulations, we will update this section and either find an alternative or cease transferring data.

12. Children's Privacy

ArthaDNA is not directed at or intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact us immediately at privacy@reinforcementanalytics.in and we will delete it promptly.

13. Changes to This Policy

We may update this policy from time to time. For material changes — such as new data categories, new purposes, or new sub-processors — we will notify you by email and display a notice on the platform at least 7 days before the change takes effect.

Continued use of the Service after the effective date constitutes acceptance of the revised policy.

14. Data Protection Officer

For privacy queries, data access requests, consent withdrawal, or complaints, contact our Data Protection Officer:

Organisation: Reinforcement Analytics

DPO Email: privacy@reinforcementanalytics.in

Response time: 7 business days

If your concern is not resolved within 30 days, you may escalate to the Data Protection Board of India once constituted under DPDPA 2023.