Privacy Policy

This Privacy Policy is published by Zarvix AI Private Limited (CIN: U62011PN2025PTC248729; GSTIN: 27AACCZ8146M1ZN), a private limited company incorporated in India. References to "Zarvix AI", "we", "us", or "our" mean Zarvix AI Private Limited.

This policy describes how we collect, use, store, and protect your personal data when you visit zarvixai.com, create an account, or use our research and backtesting tools (the "Platform"). It is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000.

Zarvix AI is an end-to-end algorithmic-trading platform for Indian markets (NSE / BSE). You can describe trading ideas in plain English (or Hindi, Hinglish, Tamil); our AI drafts the algorithm; you research and backtest it on historical NSE / BSE data; and refine it through AI chat.

Who can deploy live today

• Proprietary traders and proprietary trading desks can deploy strategies live through a connected Symphony XTS broker account, with explicit approval on every order.
• Retail traders have full access to build, research, backtest, and refine — but live deployment via retail brokers (Zerodha, Upstox, ICICI Direct, etc.) is not yet available and is gated on our NSE algo-vendorship empanelment. Coming soon.

Regardless of which user tier you are:

• We never hold customer funds, securities, or banking credentials. Your money remains with your broker.
• The AI never places trades on its own — every live order requires your explicit confirmation before it reaches the broker.
• We are not a broker, an investment adviser (RIA), a portfolio manager (PMS), or a research analyst (RA) — see our Trust page for the full scope statement.

• Account data — name, email address, password (stored hashed), and profile preferences you provide at signup.
• Usage data — strategies you create, prompts you submit, backtest configurations and results, chat conversations with the AI, feature usage events.
• Broker connection data — only if you connect a broker for live deployment. We store your Symphony XTS API keys (interactive + market-data) encrypted at rest in Azure Key Vault and use them only to route orders you have explicitly approved. We never see, request, or store your broker password, trading PIN, or 2FA token — those stay between you and the broker.
• Live-order metadata — for orders you deploy: instrument ID, exchange segment, side, lot size, timestamp, broker confirmation ID. Retained for audit and reconciliation.
• Payment data — when you subscribe, payment is processed by HDFC SmartGateway / Juspay. We receive only the transaction status, order ID, and amount. We do not store card numbers, CVVs, or full bank credentials.
• Device & log data — IP address, device/browser type, OS, timestamps, and security-relevant events (logins, password changes). Used for security and fraud prevention.
• Cookies — strictly-necessary cookies for authentication and session management, plus first-party analytics. We do not deploy advertising or cross-site tracking cookies.
• Communications — emails you send to support@zarvixai.com, support tickets, and our responses.

• To provide the Platform — running your strategies, backtests, and AI conversations.
• To bill you and process subscription payments.
• To secure the Platform — detecting abuse, brute-force attempts, and fraud.
• To route live orders to your connected broker (Symphony XTS) — only after you explicitly confirm the order. The AI never auto-trades.
• To improve the product. We measure aggregated, non-identifying platform metrics (feature usage rates, latency, error counts). Your strategies, conversations, and trade history are never used to train AI models; the LLM provider operates under contractual no-training terms on customer data.
• To send you transactional emails (account verification, password reset, payment receipts) and product announcements you have opted into.
• To meet legal, regulatory, and tax obligations under Indian law.

We process your personal data on the lawful bases of consent (signup, marketing) and legitimate use for purposes you have voluntarily provided the data, as defined under Sections 4–7 of the DPDP Act.

Your data is stored on Microsoft Azure infrastructure in the Central India region (Pune). Data resides in India. We use industry-standard encryption in transit (TLS 1.2 / 1.3) and at rest (AES-256). Database access is restricted to the application via managed identity and network firewall rules.

We share data only with the following categories of processors, strictly for the purposes listed:

• Microsoft Azure — hosting, storage, secret-management (Key Vault), and AI services (Azure OpenAI). Data-processing addendum in place. All compute and storage in the Central India region (Pune).
• HDFC SmartGateway / Juspay — payment processing. PCI DSS Level 1 certified; we do not see card details.
• Azure OpenAI — large language model APIs used for AI strategy generation. Prompts are sent over an enterprise data-protection contract under contractual no-training terms on customer data. Deployed in the Central India region; prompts and completions do not leave India.
• Symphony XTS — your broker, only if you choose to connect your XTS account for live deployment. We route the order intent (instrument ID, side, lot size, exchange segment) using the API keys you provision. We do not transmit your name, email, or other PII to the broker.
• Microsoft 365 (Outlook) — transactional email delivery (welcome, OTP, security notifications).
• Microsoft Clarity — privacy-friendly web analytics on the public marketing site only (zarvixai.com). Session counts, heatmaps, anonymized recordings. No PII profiling, no advertising trackers, no cross-site identifiers. Not loaded on authenticated dashboards or trade-data screens.
• Analytics providers — first-party platform analytics only; no advertising or cross-site tracking.

We do not sell, rent, or trade your personal data.

• Active accounts — for as long as your account exists.
• Closed accounts — up to 24 months after closure for tax, audit, and legal-compliance purposes (Income Tax Act, GST Act).
• Backups — rolling 7-day encrypted backups maintained for disaster recovery.
• Logs — 30 days for application logs; 12 months for security and audit logs.

As a Data Principal under the DPDP Act, 2023, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate or incomplete data.
• Erasure — request deletion of your account and personal data, subject to lawful retention periods.
• Withdraw consent — at any time. Withdrawal does not affect prior lawful processing.
• Grievance redressal — escalate any concern to our Grievance Officer (Section 11 below).
• Nominate — appoint another individual to exercise your rights in case of death or incapacity.

To exercise any right, email support@zarvixai.com. We will respond within 30 days as required by the DPDP Act.

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal data of minors. If you believe a minor has registered, write to us and we will delete the account.

We may update this Privacy Policy from time to time. Material changes will be communicated via email and a notice on the Platform at least 15 days before they take effect. Continued use after that period constitutes acceptance.

This Privacy Policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts at Pune, Maharashtra.