Privacy Policy

Last updated: June 2026 — operational draft pending legal review.

1. What we collect

• Account data: name, email, phone number, password hash.
• KYC data: PAN, Aadhaar (last 4), selfie, document scans — only when you submit KYC.
• Trade data: orders, payment method, counterparty proofs, chat messages.
• Technical: IP address, browser fingerprint, session timestamps for security.

2. How we use it

Account data is used to authenticate you. KYC data is reviewed by trained staff and stored in a dedicated, access-logged bucket separate from order proofs. Trade data is used to match counterparties, resolve disputes, and meet retention obligations under Indian law.

3. Who can see what

Only staff with the explicit KYC permission can view KYC documents, and every access is logged. Only staff with the orders permission can view your order history. Other customers see only the data needed to settle a trade with you (e.g. UPI handle, name on bank account) — never your KYC.

4. Retention

KYC and transaction records are retained for at least 5 years per PMLA. You may request deletion of marketing data; transaction records cannot be deleted while regulatory retention applies.

5. Security

All data is encrypted at rest and in transit. Sessions use industry-standard JWT bearer tokens with rotation. Passwords are hashed with bcrypt by the auth provider — we never see your password.

6. Your rights

You may request a copy of your data, correct inaccuracies, or close your account at Grievance & Support.