Privacy Policy
1. Introduction & Data Controller
TradeThesis Inc. ("TradeThesis", "we", "us", "our") is the data controller responsible for personal data processed through the TradeThesis platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website and services.
This policy is published in compliance with India's Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules 2021), and applicable global standards including the General Data Protection Regulation (GDPR) for EU/EEA users.
By registering for or using TradeThesis, you consent to the collection and use of your data as described in this policy.
2. Data We Collect
a) Identity & Account Data
- Full name and email address (provided at registration)
- Password — stored as a bcrypt hash only; your plaintext password is never stored or transmitted
- Account creation date and email verification status
b) Usage & Activity Data
- Watchlist items (ticker symbols and notes)
- Alerts created (type, conditions, trigger history)
- Strategies and backtest configurations
- Screener filters and saved screens
- AI terminal conversation history
- Digest reading behavior (articles viewed)
c) Device & Technical Data
- IP address, browser type and version, operating system
- Device fingerprint (via FingerprintJS — see Section 9)
- Auth tokens stored in browser localStorage (not cookies)
- Access timestamps and session duration
d) Market Preference Data
- Tickers searched and analyzed on the Platform
- Indicators and time periods most frequently used
Note: We do not collect or infer any information about your actual investments, brokerage accounts, or real-money portfolio.
3. Legal Basis for Processing
Under the DPDP Act 2023 and GDPR, we process your data on the following legal bases:
- Consent: Account registration — you explicitly consent to this policy when you create an account.
- Contractual Necessity: Delivering the service you registered for, including account management, alerts, and watchlists.
- Legitimate Interests: Security monitoring, fraud prevention, abuse detection, and aggregated product analytics.
- Legal Obligation: Compliance with Indian law, including the IT Act, DPDP Act, and responses to valid court orders or regulatory requests.
4. How We Use Your Data
We use your data to:
- Authenticate and secure your account;
- Deliver core platform features (market data, AI analysis, alerts, watchlists, strategies);
- Personalize your experience based on usage patterns and preferences;
- Send service-related communications (alert notifications, account security alerts);
- Detect, investigate, and prevent fraud, abuse, and unauthorized access;
- Improve and develop the platform using aggregated, anonymized analytics;
- Comply with applicable legal and regulatory obligations.
We do not use your data for targeted advertising. We do not build advertising profiles. We do not share your data with advertising networks.
5. Data Sharing & Third Parties
We do NOT sell your personal data.
We share data only with the following categories of recipients, and only to the extent necessary:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Binance | Cryptocurrency market data | Ticker symbols (no PII) |
| OpenRouter / Anthropic | AI query processing | Query text (no account PII sent) |
| Upstash Redis | Data caching infrastructure | Session data, cached results |
| Database host (cloud) | Data persistence | All account data (encrypted at rest) |
| Legal authorities | Court orders, legal compliance | As required by law |
6. Data Retention
- Account data: Retained while your account is active, plus 90 days following account deletion to allow for reactivation or dispute resolution.
- Conversation & activity logs: 12-month rolling window.
- Alert & notification history: 6 months.
- Legal / compliance records: 7 years, as required under Indian regulatory requirements (Income Tax Act, Companies Act).
- Anonymized aggregated analytics: Retained indefinitely (no personally identifiable information).
After the applicable retention period, data is securely deleted or anonymized.
7. Your Rights
Under India's DPDP Act 2023, you have the right to:
- Access: Obtain a summary of the personal data we hold about you.
- Correction & Completion: Request correction of inaccurate or incomplete personal data.
- Erasure: Request deletion of your personal data (subject to legal retention requirements).
- Grievance Redressal: Lodge complaints with our Grievance Officer; unresolved complaints may be escalated to the Data Protection Board of India.
- Withdraw Consent: Withdraw consent at any time (note: this may affect your ability to use the service).
Additional rights for EU/EEA users (GDPR):
- Data portability — receive your data in a structured, machine-readable format;
- Right to object — object to processing based on legitimate interests;
- Right to restrict processing;
- Right to lodge a complaint with your local supervisory authority.
To exercise any of these rights, email mohit@tradethesis.in with the subject line "Data Rights Request". We will respond within 30 days.
9. Device Fingerprinting (FingerprintJS)
We use FingerprintJS to generate a probabilistic device fingerprint for the following limited purposes:
- Waitlist anti-abuse: Preventing duplicate or fraudulent signups during our early-access phase.
- Security anomaly detection: Identifying unusual access patterns that may indicate account compromise.
FingerprintJS processes browser attributes, screen resolution, timezone, and installed font signals. The resulting fingerprint is a hashed identifier — no raw individually identifying combination is stored by us. This data is not used for advertising or tracking across sites. For full details, refer to FingerprintJS's own privacy policy.
10. Data Security
We implement industry-standard security measures:
- Passwords: bcrypt hashing — plaintext passwords are never stored or logged.
- Data in transit: TLS/HTTPS encryption on all connections.
- Data at rest: Encrypted at the infrastructure level.
- Authentication: JWT tokens with expiry, refresh token rotation, and automatic invalidation on logout.
- Access controls: Role-based access with the principle of least privilege for internal systems.
Breach Notification: In the event of a confirmed personal data breach, we will notify affected users within 72 hours, consistent with our obligations under the DPDP Act 2023.
No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security of your data.
11. Children's Privacy
TradeThesis is not directed at, and does not knowingly collect personal data from, persons under 18 years of age. If you believe a minor has registered for an account, please contact us immediately at mohit@tradethesis.in and we will promptly delete the account and associated data.
12. International Data Transfers
AI query processing by OpenRouter and Anthropic involves the transfer of query text to servers located in the United States. We rely on:
- Standard contractual clauses between us and our AI processing partners;
- Anthropic's published Data Processing Agreement and privacy commitments.
Your account data, authentication records, watchlists, alerts, and activity logs remain on infrastructure within India or in compliant cloud regions. We do not transfer personally identifiable information to AI providers — only query content (e.g., the question you ask the AI terminal).
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 15 days' advance notice via email to your registered address or via an in-platform banner notification. The "Effective Date" at the top of this page reflects the date of the latest revision.
Your continued use of the Platform after the effective date of the revised policy constitutes your acceptance of the changes.
15. Contact Us
For general privacy questions, data rights requests, or to withdraw consent, contact us at: