← Back to home

Privacy Policy

Last updated: 9 July 2026 · version privacy-2026-07-09

Quick read

  • You control your account data — access, correct, or delete it any time by emailing [email protected].
  • We never train shared AI models on your strategies or conversations, and we never sell your data.
  • Strategies are private until you trade them live. Strategies you deploy for live trading become regulated trading records the law requires us to keep — even after you delete your account.
  • Your data is processed within India — app and storage in Central India (Pune), AI inference in South India — see Section 6.

The full policy below carries the legal detail for anyone who wants the complete picture.

1. Who we are

This Privacy Policy is published by Zarvix AI Private Limited (CIN: U62011PN2025PTC248729; GSTIN: 27AACCZ8146M1ZN), a private limited company incorporated in India. "Zarvix AI", "we", "us", or "our" mean Zarvix AI Private Limited.

It describes how we collect, use, store, and protect your personal data when you visit zarvixai.com, create an account, or use our tools (the "Platform"). It is published under the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the SPDI Rules, 2011.

2. What the Platform does today

Zarvix AI is an end-to-end algorithmic-trading platform for Indian markets (NSE / BSE). You describe trading ideas in plain language; our AI drafts the algorithm; you research and backtest it on historical NSE / BSE data; and you refine it through AI chat.

Live trading in the Research Preview

  • Live trading / order execution is not offered in the Research Preview — the Platform does not place orders, does not connect to a broker, and does not touch your funds or securities in this preview.
  • Any future live-execution capability (for eligible proprietary/institutional users, via their own broker terminal) will be governed by additional terms and is not part of, or available in, this preview.
  • We never hold customer funds, securities, or banking credentials. Your money stays with your broker.
  • The AI never places trades on its own — every live order requires your explicit confirmation.
  • We are not a broker, an investment adviser (RIA), a portfolio manager (PMS), or a research analyst (RA) — see our Trust page.

3. What personal data we collect

  • Account data — name, email, date of birth (for the 18+ gate), password (stored hashed), and profile preferences.
  • Usage data — strategies you create, prompts you submit, backtest configurations and results, AI conversations, and feature-usage events.
  • Broker connection data — only if you connect a broker for live deployment. We store your Symphony XTS API keys encrypted at rest and use them only to route orders you explicitly approve. We never see, request, or store your broker password, trading PIN, or 2FA token.
  • Live-order and deployment metadata — for orders you deploy: instrument ID, exchange segment, side, lot size, timestamp, broker confirmation ID, and the deployed strategy logic. Retained as regulated records (Section 7).
  • Payment data — processed by HDFC SmartGateway / Juspay. We receive only transaction status, order ID, and amount. We do not store card numbers, CVVs, or bank credentials.
  • Device & log data — IP address, device/browser type, OS, timestamps, and security events (logins, password changes, consent records). Used for security and fraud prevention.
  • Cookies — strictly-necessary cookies for authentication and session management, plus first-party analytics. No advertising or cross-site tracking cookies.
  • Communications — emails you send to support, support tickets, and our responses.

Third-party sign-in (Google, Microsoft, GitHub). You can create and access your account using Google, Microsoft, or GitHub. When you do, we receive a limited set of profile information — your name, email, profile picture (where available), and a unique identifier for your account with that provider. We do not receive or store your password for that provider. We use this only to create and secure your account, recognise you when you return, and contact you about your account. Your use of the provider is also governed by its own privacy policy. You can disconnect a linked sign-in method any time from account settings or by emailing [email protected].

4. How we use your data

  • To provide the Platform — running your strategies, backtests, and AI conversations.
  • To bill you and process subscription payments.
  • To secure the Platform — detecting abuse, brute-force attempts, and fraud.
  • To route live orders to your connected broker only after you explicitly confirm the order. The AI never auto-trades.
  • To improve the product. We measure aggregated, non-identifying metrics (feature usage, latency, error counts). Your strategies, conversations, and trade history are never used to train shared AI models. Any use of your content to improve our service is per-user, opt-in, and default OFF (the improvement toggle), and covers FAILURES ONLY.
  • To send you transactional and service emails (verification, password reset, payment receipts, security notices). We send no promotional email unless you opt in to the offers toggle (default OFF).
  • To meet legal, regulatory, and tax obligations under Indian law.

We process your personal data on the lawful bases of consent and legitimate use under Sections 4–7 of the DPDP Act. Financial information is treated as "sensitive personal data" under the SPDI Rules and collected with explicit consent at the broker-connect step.

5. Where your data is stored

Your data is stored on Microsoft Azure infrastructure in the Central India region (Pune). We use industry-standard encryption in transit (TLS 1.2 / 1.3) and at rest (AES-256). Database and cache access run over a private network, restricted to the application via managed identity and firewall rules.

Encryption of your content. We are rolling out per-user encryption of your strategies, AI conversations, and memories so that nobody — founder, support staff, or support AI — can read them without your explicit, logged grant. The exact controls in force at any time are described on our Trust page.

6. Sharing and sub-processors

We share data only with the following processors, strictly for the purposes listed:

  • Microsoft Azure — hosting, storage, secret-management (Key Vault), and AI services (Azure AI Foundry). Data-processing addendum in place; compute and storage in Central India (Pune), AI inference in South India.
  • HDFC SmartGateway / Juspay — payment processing. PCI DSS Level 1; we do not see card details.
  • Symphony XTS — your broker, only if you connect your XTS account. We route order intent (instrument ID, side, lot size, exchange segment) using the API keys you provision; we do not transmit your name, email, or other PII to the broker.
  • Microsoft 365 (Outlook) — transactional email delivery (verification, OTP, security notices).
  • Microsoft Clarity — privacy-friendly web analytics on the public marketing site only. No PII profiling, no advertising trackers; not loaded on authenticated dashboards or trade-data screens.
  • Cloudflare — network security and content delivery, including Turnstile bot-protection on our public signup and waitlist forms. To verify a submission comes from a human, Cloudflare may process your IP address and browser characteristics; no advertising or cross-site tracking is involved.
India-resident AI inference. Your prompts and AI responses are processed within India: application and data services run in the Central India region and AI model inference runs on Azure AI Foundry in the South India region, both under enterprise data-protection terms with no training on customer data. Model calls are made with server-side retention disabled, and your conversation history is stored only in our own India-resident database — encrypted at the field level in addition to disk encryption.

We do not sell, rent, or trade your personal data.

7. How long we keep your data (retention schedule)

Different categories of data are kept for different periods. Some are erased with your account; some the law requires us to retain.

  • Strategies — kept for the life of your account; permanently deleted when you delete your account.
  • AI chats and memories — kept while active and automatically erased after 90 days of inactivity (a conversation untouched for 90 days, a memory neither used nor reinforced for 90 days). Deleting a chat removes it from your account immediately and it is permanently erased within 30 days. Everything is permanently deleted when you delete your account.
  • Backtests and simulations — kept for the life of your account; deletable on request and removed on account deletion.
  • Live trading records — deployments, orders, positions, AI trade-decision logs and the deployed strategy logic — retained for at least 5 years after the transaction, as required by the PMLA and SEBI, and retained even after you delete your account.
  • Payment and subscription records — retained for the period required by tax and anti-money-laundering law (typically 5–7 years). On erasure we anonymize your identity but keep the financial record where the law requires.
  • Security and audit logs (sign-in events, consent records, administrative access) — retained 2–5 years for security forensics and as proof of consent.
  • Abandoned signups — an unconverted signup record is purged within 90 days.
  • Backups — encrypted backups carry a rolling tail of up to 35 days beyond the live deletion before they roll off.
Private until you trade it live. Strategies you only build or backtest stay private and are deleted with your account. Strategies you deploy for live trading become part of regulated trading records — an immutable snapshot of the deployed logic is kept for at least 5 years, is producible to SEBI, the exchange, and your broker, and is retained even after you delete your account, because it documents real orders that were placed in the market. Trading and payment records subject to this legal hold cannot be erased on request while the retention period runs.

8. Your rights under the DPDP Act

As a Data Principal you have the right to:

  • Access — a copy of the personal data we hold about you.
  • Correction — to correct inaccurate or incomplete data.
  • Erasure — to delete your account and personal data, subject to the legal-retention periods in Section 7.
  • Withdraw consent — at any time. Withdrawal does not affect processing already carried out.
  • Grievance redressal — escalate any concern to our Grievance Officer (Section 10), and onward to the Data Protection Board of India.
  • Nominate — appoint someone to exercise your rights on your behalf in case of death or incapacity.

To exercise any right, email [email protected]. We respond within 30 days as required by the DPDP Act.

9. Children

The Platform is not intended for users under 18. We do not knowingly collect minors’ data, and signup enforces an 18+ date-of-birth gate. If you believe a minor has registered, write to us and we will delete the account.

10. Grievance Officer

Akshay Bagade · Zarvix AI Private Limited · [email protected] — for data-protection complaints, escalations, or rights requests under the DPDP Act, 2023 (1-month response SLA under the SPDI Rules). Unresolved concerns may be escalated to the Data Protection Board of India.

11. Changes to this policy

We may update this policy. Material changes are communicated via email and a notice on the Platform, and we will ask you to re-accept on your next sign-in. Continued use after a non-material update constitutes acceptance.

12. Governing law

This policy is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts at Pune, Maharashtra.

Zarvix AI Private Limited · CIN U62011PN2025PTC248729 · Regd. office: Gate No. 183, Plot No. 01, Flat No. 408, D-Wing, Baramati, Pune – 413102, Maharashtra · [email protected] · GSTIN: 27AACCZ8146M1ZN · DPIIT (Startup India): DIPP233049 · Backed by Microsoft for Startups