
Trust & Security

Every line below is a live control with a real reference — no “bank-level security” badges that mean nothing.

What Zarvix AI is, and what it is not

Zarvix AI is a software-technology provider — a no-code algo building, research, backtesting, and execution-assistance platform for Indian markets (NSE / BSE).

Zarvix AI is NOT a broker, an investment adviser (RIA), a portfolio manager (PMS), or a research analyst (RA). We do not give specific buy/sell recommendations; we do not hold or touch client funds; every order is initiated by you, executed by your own SEBI-registered broker, and routed under your broker authentication.

Who can do what today:

  • All users — build strategies in plain English (or Hindi, Hinglish, Tamil), research across 6 years of NSE / BSE data, backtest with the Rust engine, and refine via AI chat.
  • Proprietary traders and trading desks — additionally, deploy strategies live through a connected Symphony XTS broker account, with your explicit approval on every order.
  • Retail traders — live deployment via retail brokers (Zerodha, Upstox, and others) is on the roadmap, gated on NSE algo-vendorship empanelment. Coming soon.

Founder: Akshay Bagade — former proprietary trader. NISM-certified for AIF Category III (Alternative Investment Fund managers). Built Zarvix AI to compress the build → research → backtest → refine → deploy pipeline he wished existed when he was trading professionally.

Compliance & registration

CIN — Corporate Identification Number

Live

U62011PN2025PTC248729 — Zarvix AI Private Limited, Pune, MH.

GSTIN

Live

27AACCZ8146M1ZN

DPIIT Recognition — Startup India

Live

DIPP233049 — Zarvix AI Private Limited is recognized as an eligible startup by the Department for Promotion of Industry and Internal Trade (DPIIT), Ministry of Commerce and Industry, Government of India, under the Startup India initiative. Verify the certificate number on the official portal at https://www.startupindia.gov.in/content/sih/en/startupgov/validate-startup-recognition.html (Certificate Type: "Certificate of Recognition" → enter DIPP233049).

Backed by Microsoft for Startups

Live

Zarvix AI is admitted to the Microsoft for Startups Founders Hub program. Production infrastructure runs on the program's Azure subscription (Central India region) with Azure OpenAI, PostgreSQL Flexible Server, Container Apps, and Key Vault. This is a benefits + technical-support program, not equity investment — Microsoft has no ownership stake in Zarvix AI Private Limited.

Why we are not SEBI-registered (and do not need to be)

Live

Zarvix AI is a software technology provider. We are NOT a broker, an investment adviser (RIA), a portfolio manager (PMS), or a research analyst (RA) — and we do not perform any of those activities. We never hold or touch client funds. We do not give specific buy/sell recommendations — the AI drafts strategies you author and approve. Every order is initiated by you through your own SEBI-registered broker. The activities that require SEBI registration are not in our product surface.

SEBI algo-ID framework (April 2026)

Live

Every live order routes through a SEBI-registered broker API that handles exchange-assigned Algo-ID issuance. Symphony XTS is wired end-to-end today; additional brokers follow the same pattern.

DPDP Act (Digital Personal Data Protection)

Live

Privacy policy describes lawful bases (consent + legitimate use). Data minimisation — we only store what we need to operate. Your DPDP rights (access, correction, deletion, withdrawal of consent) — invoke them at privacy@zarvixai.com. See /privacy for the full policy.

IT Act 2000 + IT Rules 2021

Live

We operate as an intermediary under the IT Act 2000. A grievance contact and published response SLA are listed below, per Rule 3(2) of the IT (Intermediary Guidelines) Rules 2021.

AI governance

The AI is a co-pilot, not an autopilot. Every guarantee below is enforced in code, not in policy alone.

AI never executes trades

Live

The LLM only drafts strategies and explanations. Every order flows through your broker login with explicit confirmation. There is no AI-initiated trading path anywhere in the codebase.

AI never invents market data

Live

All quote / option-chain / OHLC data comes from your broker feed or our binary historical archive (NSE/BSE). The frontend has NO synthetic-quote rendering paths. The AI cannot fabricate prices.

AI never bypasses confirmation

Live

Confirmation is a hard rule in code, not a configurable flag. Drafts → review → approve → execute. There is no path that skips a step.

Your data is not used to train AI models

Live

Your strategies, conversations, trade history, and account data are never used as training data. The LLM provider operates under contractual no-training terms.

AI model and region

Live

Azure OpenAI deployed in the centralindia region (Pune). No prompts or completions leave India. Content-safety filters are active on all model calls.

Process disclosure on every AI reply

Live

Each assistant message ships with the tool calls it ran, their arguments and durations, plus a compute receipt (model + token count + wall-clock). You can audit exactly what the AI touched.

Platform security

Auth tokens never reach JavaScript

Live

All API auth uses HttpOnly + Secure + SameSite cookies. The frontend never sees the bearer token; a server-side proxy at /api/v1 injects it. An XSS hole would not yield session tokens.

HSTS + strict CSP + frame-ancestors deny

Live

Strict-Transport-Security max-age=63072000 with includeSubDomains and preload. Content-Security-Policy locks script + style + connect sources. X-Frame-Options: DENY. Cross-Origin-Opener-Policy: same-origin.

Microphone / camera / geolocation off by default

Live

Permissions-Policy disables camera, geolocation, and gates microphone access behind explicit user action. Payment scope limited to self.
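A check a reader could run against the response headers described in the three controls above (cookie flags, HSTS / CSP / framing, Permissions-Policy). This is an added example, not Zarvix code; the function names, the constructed sample response, and the requirement that SameSite be Lax or Strict are assumptions.

```python
# Values checked are the ones this page states; names and parsing are assumptions.
def directives(value, sep):
    """Split a header value into stripped, lower-cased directives."""
    return [d.strip().lower() for d in value.split(sep) if d.strip()]

def audit(headers, set_cookies):
    """Return findings; an empty list means every stated control was observed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = directives(h.get("strict-transport-security", ""), ";")
    age = next((int(d[8:]) for d in hsts
                if d.startswith("max-age=") and d[8:].isdigit()), 0)
    if age < 63072000:
        findings.append("HSTS max-age below 63072000")
    findings += [f"HSTS missing {f}" for f in ("includesubdomains", "preload") if f not in hsts]
    # script-src, style-src and connect-src all fall back to default-src.
    csp = {d.split()[0] for d in directives(h.get("content-security-policy", ""), ";")}
    if "default-src" not in csp:
        findings += [f"CSP does not restrict {s}"
                     for s in ("script-src", "style-src", "connect-src") if s not in csp]
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("cross-origin-opener-policy", "").strip().lower() != "same-origin":
        findings.append("COOP is not same-origin")
    pp = [d.replace(" ", "") for d in directives(h.get("permissions-policy", ""), ",")]
    findings += [f"Permissions-Policy missing {w}"
                 for w in ("camera=()", "geolocation=()", "payment=(self)") if w not in pp]
    for cookie in set_cookies:
        attrs = directives(cookie, ";")
        name = attrs[0].split("=", 1)[0]
        findings += [f"cookie {name} missing {f}" for f in ("httponly", "secure") if f not in attrs]
        # Assumption: SameSite=None is treated as a finding.
        if not any(a in ("samesite=lax", "samesite=strict") for a in attrs):
            findings.append(f"cookie {name} SameSite is not Lax or Strict")
    return findings

# Constructed sample response, not captured from zarvixai.com.
SAMPLE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Permissions-Policy": "camera=(), geolocation=(), payment=(self)",
}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"]

if __name__ == "__main__":
    print(audit(SAMPLE, SAMPLE_COOKIES) or "all stated header controls present")
```

A clean result confirms header configuration only. HttpOnly stops script from reading the token, not from issuing requests inside an active session.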

Secrets in Azure Key Vault

Live

Database passwords, broker API keys, and LLM provider keys live in Azure Key Vault, not in code or container env. Rotation handled per-quarter.

TLS 1.2+ end-to-end

Live

Azure Front Door + managed certificates. No HTTP listener; HTTPS-only with HSTS preload.

Data & privacy

We do not sell your data. Ever.

Live

No user data — personal, strategy, trade, or behavioural — is sold, rented, licensed, or syndicated to any third party. No advertising trackers, no behavioural profiling, no data marketplaces. The only third parties that touch your data are the sub-processors listed below, each strictly to operate the platform for you.

Your strategies are your IP

Live

Strategies you build on Zarvix are yours. Multi-tenant isolation is enforced in every database query — only your account can read your strategies; another user's session cannot return them. We do not share your strategies with other users, sell them, or use them to train AI models (Azure OpenAI operates under contractual no-training terms on customer data). Internal database access is application-only via Azure managed identity; humans at Zarvix do not browse user strategies in normal operations, and any access for support / debugging requires your explicit request. You can export your strategies and run them on any other platform — no lock-in.

What we collect

Live

Email and one-time password for waitlist + login. Broker API keys (encrypted via Azure Key Vault) only if you connect a broker. Strategy definitions, backtest results, AI conversations. That is the entire surface — no advertising trackers, no behavioural profiling.

What we do not collect

Live

No trading PIN, no 2FA token, no banking credentials. The broker login flow runs in your browser direct to the broker — those secrets never touch our servers.

Data residency

Live

All compute and storage in the Azure centralindia region. No data leaves India for primary operations. The Azure OpenAI deployment serving the chat is also in India.

Data retention

Live

Active accounts: retained while the account is in use. Closed accounts: hard-deleted within 30 days of closure (with the exception of records we must retain for tax, anti-fraud, or regulatory compliance). Backups purge on a 30-day rolling cycle.

Sub-processors

Third parties that may touch user data, each under a data-processing agreement. No others.

Microsoft Azure (compute, storage, Key Vault)

Live

All hosting, databases, caches, secret storage, and binary data archives run on Azure, in the centralindia region.

Azure OpenAI (LLM)

Live

AI model serving for the chat and strategy assistant. Centralindia deployment. Contractual no-training-on-customer-data terms.

Symphony XTS (broker)

Live

Live order routing — only invoked when you explicitly connect your XTS broker account. We never see your broker password; only the API keys you provision.

Microsoft 365 (transactional email)

Live

Welcome emails, OTP delivery, security notifications. Routed via outlook.com.

GoDaddy (DNS hosting)

Live

Domain DNS only. No application traffic.

Microsoft Clarity (marketing-site analytics)

Live

Privacy-friendly web analytics — session counts, heatmaps, and anonymized session recordings for the public marketing site (zarvixai.com). No personally-identifiable profiling, no advertising trackers, no cross-site identifiers. Used only on the public marketing surface; not loaded on authenticated dashboards or trade-data screens. Operated by Microsoft.

Acceptable use

What our users must not do on the platform. Enforced at the risk-gate layer where possible.

No market manipulation

Live

Spoofing, layering, quote-stuffing, wash trading, and other forms of market manipulation are prohibited. Strategies that pattern-match to these behaviours will be blocked at the risk-gate layer before they reach the exchange.

Only your own broker account

Live

Only connect broker accounts you legally own. We log every order against the authenticated user; impersonation or shared-account abuse is a hard-stop.

No reverse-engineering or scraping

Live

Our APIs are for use through our products. Automated scraping, model-extraction, and reverse-engineering of the platform are prohibited per the Terms.

Grievance Officer (required under IT Rules 2021)

Email grievance@zarvixai.com. Acknowledgement within 24 hours, resolution within 15 working days, per Rule 3(2) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

Report a vulnerability

Email security@zarvixai.com with reproduction steps. We acknowledge within 48 hours, fix critical issues within 7 days, and credit responsible disclosure on this page. Out of scope: DoS, social engineering, physical attacks, third-party dependencies we don't control.

Operator contact

For compliance / institutional onboarding / data-processing questions, email operations@zarvixai.com. We respond within one business day.