Privacy Policy

Last updated: 11 June 2026 · version privacy-2026-06-11

Quick read

  • You control your account data — access, correct, or delete it any time by emailing [email protected].
  • We never train shared AI models on your strategies or conversations, and we never sell your data.
  • Strategies are private until you trade them live. Strategies you deploy for live trading become regulated trading records the law requires us to keep — even after you delete your account.
  • Most processing is in India (Azure, Pune); some AI inference may use Azure OpenAI in Sweden Central — disclosed in Section 6.

The full policy below carries the legal detail for anyone who wants the complete picture.

1. Who we are

This Privacy Policy is published by Zarvix AI Private Limited (CIN: U62011PN2025PTC248729; GSTIN: 27AACCZ8146M1ZN), a private limited company incorporated in India. "Zarvix AI", "we", "us", or "our" mean Zarvix AI Private Limited.

It describes how we collect, use, store, and protect your personal data when you visit zarvixai.com, create an account, or use our tools (the "Platform"). It is published under the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the SPDI Rules, 2011.

2. What the Platform does today

Zarvix AI is an end-to-end algorithmic-trading platform for Indian markets (NSE / BSE). You describe trading ideas in plain language; our AI drafts the algorithm; you research and backtest it on historical NSE / BSE data; and you refine it through AI chat.

Who can deploy live today

  • Proprietary traders and trading desks can deploy live through a connected Symphony XTS broker account, with explicit approval on every order.
  • Retail traders have full access to build, research, backtest, and refine; live deployment via retail brokers is not yet available (gated on NSE algo-vendorship empanelment).
  • We never hold customer funds, securities, or banking credentials. Your money stays with your broker.
  • The AI never places trades on its own — every live order requires your explicit confirmation.
  • We are not a broker, an investment adviser (RIA), a portfolio manager (PMS), or a research analyst (RA) — see our Trust page.

3. What personal data we collect

  • Account data — name, email, date of birth (for the 18+ gate), password (stored hashed), and profile preferences.
  • Usage data — strategies you create, prompts you submit, backtest configurations and results, AI conversations, and feature-usage events.
  • Broker connection data — only if you connect a broker for live deployment. We store your Symphony XTS API keys encrypted at rest and use them only to route orders you explicitly approve. We never see, request, or store your broker password, trading PIN, or 2FA token.
  • Live-order and deployment metadata — for orders you deploy: instrument ID, exchange segment, side, lot size, timestamp, broker confirmation ID, and the deployed strategy logic. Retained as regulated records (Section 7).
  • Payment data — processed by HDFC SmartGateway / Juspay. We receive only transaction status, order ID, and amount. We do not store card numbers, CVVs, or bank credentials.
  • Device & log data — IP address, device/browser type, OS, timestamps, and security events (logins, password changes, consent records). Used for security and fraud prevention.
  • Cookies — strictly-necessary cookies for authentication and session management, plus first-party analytics. No advertising or cross-site tracking cookies.
  • Communications — emails you send to support, support tickets, and our responses.

Third-party sign-in (Google, Microsoft, GitHub). You can create and access your account using Google, Microsoft, or GitHub. When you do, we receive a limited set of profile information — your name, email, profile picture (where available), and a unique identifier for your account with that provider. We do not receive or store your password for that provider. We use this only to create and secure your account, recognise you when you return, and contact you about your account. Your use of the provider is also governed by its own privacy policy. You can disconnect a linked sign-in method any time from account settings or by emailing [email protected].

4. How we use your data

  • To provide the Platform — running your strategies, backtests, and AI conversations.
  • To bill you and process subscription payments.
  • To secure the Platform — detecting abuse, brute-force attempts, and fraud.
  • To route live orders to your connected broker only after you explicitly confirm the order. The AI never auto-trades.
  • To improve the product. We measure aggregated, non-identifying metrics (feature usage, latency, error counts). Your strategies, conversations, and trade history are never used to train shared AI models. Any use of your content to improve our service is per-user, opt-in, and default OFF (the improvement toggle), and covers FAILURES ONLY.
  • To send you transactional and service emails (verification, password reset, payment receipts, security notices). We send no promotional email unless you opt in to the offers toggle (default OFF).
  • To meet legal, regulatory, and tax obligations under Indian law.

We process your personal data on the lawful bases of consent and legitimate use under Sections 4–7 of the DPDP Act. Financial information is treated as "sensitive personal data" under the SPDI Rules and collected with explicit consent at the broker-connect step.

5. Where your data is stored

Your data is stored on Microsoft Azure infrastructure in the Central India region (Pune). We use industry-standard encryption in transit (TLS 1.2 / 1.3) and at rest (AES-256). Database and cache access run over a private network, restricted to the application via managed identity and firewall rules.

Encryption of your content. We are rolling out per-user encryption of your strategies, AI conversations, and memories so that nobody — founder, support staff, or support AI — can read them without your explicit, logged grant. The exact controls in force at any time are described on our Trust page.

6. Sharing and sub-processors

We share data only with the following processors, strictly for the purposes listed:

  • Microsoft Azure — hosting, storage, secret-management (Key Vault), and AI services (Azure OpenAI). Data-processing addendum in place; primary compute and storage in Central India (Pune).
  • HDFC SmartGateway / Juspay — payment processing. PCI DSS Level 1; we do not see card details.
  • Symphony XTS — your broker, only if you connect your XTS account. We route order intent (instrument ID, side, lot size, exchange segment) using the API keys you provision; we do not transmit your name, email, or other PII to the broker.
  • Microsoft 365 (Outlook) — transactional email delivery (verification, OTP, security notices).
  • Microsoft Clarity — privacy-friendly web analytics on the public marketing site only. No PII profiling, no advertising trackers; not loaded on authenticated dashboards or trade-data screens.
  • Cloudflare — network security and content delivery, including Turnstile bot-protection on our public signup and waitlist forms. To verify a submission comes from a human, Cloudflare may process your IP address and browser characteristics; no advertising or cross-site tracking is involved.

Cross-border AI inference. Most AI processing runs on Azure OpenAI in the Central India region. Certain AI capabilities are currently served by Azure OpenAI resources in Sweden Central; where that applies, your prompt and the model response are processed outside India for that request. Azure OpenAI operates under enterprise data-protection terms with no training on customer data. We are working toward India-region pinning for all inference. By using the AI features you consent to this cross-border processing for the purpose of generating your results.

We do not sell, rent, or trade your personal data.

7. How long we keep your data (retention schedule)

Different categories of data are kept for different periods. Some are erased with your account; some the law requires us to retain.

  • Strategies, AI chats, and memories — kept for the life of your account; permanently deleted when you delete your account.
  • Backtests and simulations — kept for the life of your account; deletable on request and removed on account deletion.
  • Live trading records — deployments, orders, positions, AI trade-decision logs and the deployed strategy logic — retained for at least 5 years after the transaction, as required by the PMLA and SEBI, and retained even after you delete your account.
  • Payment and subscription records — retained for the period required by tax and anti-money-laundering law (typically 5–7 years). On erasure we anonymize your identity but keep the financial record where the law requires.
  • Security and audit logs (sign-in events, consent records, administrative access) — retained 2–5 years for security forensics and as proof of consent.
  • Abandoned signups — an unconverted signup record is purged within 90 days.
  • Backups — encrypted backups carry a rolling tail of up to 35 days beyond the live deletion before they roll off.

Private until you trade it live. Strategies you only build or backtest stay private and are deleted with your account. Strategies you deploy for live trading become part of regulated trading records — an immutable snapshot of the deployed logic is kept for at least 5 years, is producible to SEBI, the exchange, and your broker, and is retained even after you delete your account, because it documents real orders that were placed in the market. Trading and payment records subject to this legal hold cannot be erased on request while the retention period runs.

8. Your rights under the DPDP Act

As a Data Principal you have the right to:

  • Access — a copy of the personal data we hold about you.
  • Correction — to correct inaccurate or incomplete data.
  • Erasure — to delete your account and personal data, subject to the legal-retention periods in Section 7.
  • Withdraw consent — at any time. Withdrawal does not affect processing already carried out.
  • Grievance redressal — escalate any concern to our Grievance Officer (Section 10), and onward to the Data Protection Board of India.
  • Nominate — appoint someone to exercise your rights on your behalf in case of death or incapacity.

To exercise any right, email [email protected]. We respond within 30 days as required by the DPDP Act.

9. Children

The Platform is not intended for users under 18. We do not knowingly collect minors’ data, and signup enforces an 18+ date-of-birth gate. If you believe a minor has registered, write to us and we will delete the account.

10. Grievance Officer

Akshay (Grievance Officer, pre-launch) · Zarvix AI Private Limited · [email protected] — for data-protection complaints, escalations, or rights requests under the DPDP Act, 2023 (1-month response SLA under the SPDI Rules). Unresolved concerns may be escalated to the Data Protection Board of India.

11. Changes to this policy

We may update this policy. Material changes are communicated via email and a notice on the Platform, and we will ask you to re-accept on your next sign-in. Continued use after a non-material update constitutes acceptance.

12. Governing law

This policy is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts at Pune, Maharashtra.

Zarvix AI Private Limited · CIN: U62011PN2025PTC248729 · GSTIN: 27AACCZ8146M1ZN · DPIIT (Startup India): DIPP233049 · Backed by Microsoft for Startups