1. Introduction
This Privacy Policy explains how the Rutrax team (“Rutrax”, “we”, “us”, “our”) collects, uses, stores, shares, and protects your personal data when you use the Rutrax website, web application, and related services (the “Service”).
We are committed to handling your data in line with the Information Technology Act, 2000, the SPDI Rules, 2011, and the Digital Personal Data Protection Act, 2023 (“DPDP Act”). By using the Service, you consent to the practices described here.
2. Data we collect
2.1 Information you provide directly
- Account data: first name, last name, email address, hashed password. We never store your password in plain text.
- Email verification codes (OTPs) used during sign-up and sensitive actions.
- Risk configuration: rules, strategy profiles, stop-loss / take-profit values, daily loss limits, preferences.
- Tradebook CSVs you upload to the Tradebook Analyzer.
- Support communications you send us.
2.2 Broker and trading data (via OAuth)
When you connect your broker account (Zerodha / Kite Connect), we receive and store:
- Broker API credentials: OAuth access token, refresh token, request token, API key, API secret, and token expiry. These are stored with security controls appropriate to their sensitivity.
- Portfolio and trading data: positions, holdings, orders, trades, realised/unrealised P&L, executed trade history, instrument metadata, and related timestamps.
- Automation telemetry: exit attempts, CDSL authorisation (TPIN/DDPI) states, portfolio sync logs, and automation skip logs.
We do NOT receive or store your broker password, PAN, Aadhaar, or bank account details. Those remain with your broker.
2.3 Device and usage data
- Technical data: IP address, browser type, device type, operating system, session identifiers, language, timezone.
- Usage data: pages visited, features used, clicks, timestamps, error logs, performance metrics.
- Push notification data: endpoint URL and public keys, stored only after you grant notification permission.
- Cookies / local storage: authentication cookies or tokens and preferences (see section 8).
2.4 Information from third parties
- Google (optional): if you sign in with Google, we receive your Google email and basic profile information.
- Email infrastructure logs: delivery, bounce, and complaint data from our email service provider.
We do not collect sensitive personal data such as biometric information, caste, religion, sexual orientation, or health data.
3. How we use your data
| Purpose | Examples |
|---|---|
| Provide the Service | Create/authenticate your account, sync your portfolio, evaluate rules, place automated orders via your broker |
| Essential notifications | OTPs, SL/TP placements, exit events, daily loss breaches, broker reconnect reminders, TPIN/OTP alerts |
| Improve the Service | Debug errors, analyse usage, monitor performance |
| AI-generated insights (summarisation only) | Explain your portfolio or discipline score — never trading advice |
| Security & fraud prevention | Detect abuse, rate-limit violations, unauthorised access |
| Legal compliance | Respond to lawful requests, enforce Terms, defend claims |
We rely on the following legal bases under the DPDP Act:
- Consent (for optional features like push notifications and Google sign-in).
- Necessity for the specified purpose (for core Service functions once you register).
- Legal obligation (for compliance requests).
4. How we share your data
We do not sell your personal data. We share it only in the following cases:
- Broker API (Zerodha / Kite Connect): to read your account and place orders on your behalf, based on your instructions.
- Infrastructure providers: cloud hosting, database, logging, and email delivery providers that process data on our behalf under appropriate safeguards.
- Authentication providers (Google, if enabled by you).
- Legal / regulatory disclosure: when required by a court, SEBI, exchange, depository, or other lawful authority, or to protect our rights, safety, or property, or those of our users.
- Successor entity: in connection with a merger, acquisition, or sale of all or part of our business, subject to this Policy.
We do not share your broker access tokens, portfolio positions, or trading data with advertisers, data brokers, or any third party for marketing purposes.
5. Data security
We implement commercially reasonable security measures aligned with industry practice for fintech platforms:
- Encryption in transit (HTTPS / TLS) for all traffic.
- Security controls for sensitive credentials (broker tokens, password hashes).
- Access controls limiting internal access to personal data.
- Structured logging that excludes secrets and PII where possible.
- Rate limiting and abuse detection.
- Regular dependency and security review.
No method of transmission or storage is 100% secure. In the event of a personal-data breach likely to cause significant harm, we will notify affected users and the Data Protection Board of India as required under the DPDP Act.
6. Data retention
| Data | Retention |
|---|---|
| Account data | While your account is active; deleted or anonymised within 90 days of account deletion |
| Broker access/refresh tokens | Until they expire or you disconnect the broker; deleted promptly on disconnect |
| Portfolio, positions, trades, P&L | For the life of your account, so you can view history; deleted or anonymised within 90 days of account deletion |
| Exit attempts, skip logs, sync logs | Up to 24 months for reliability and dispute resolution |
| Tradebook CSVs and derived analysis | Until you delete them, or 90 days after account deletion |
| Email logs (transactional) | Up to 12 months |
| Security / audit logs | Up to 24 months |
| Statutory records (if any) | As required by Indian law (typically up to 8 years) |
7. Your rights
Under the DPDP Act and applicable law, you have the right to:
- Access your personal data.
- Correct or update inaccurate data.
- Erase your data (subject to legal retention requirements).
- Withdraw consent for optional processing (e.g. notifications).
- Nominate another person to exercise your rights in case of death or incapacity.
- Seek grievance redressal: lodge a complaint with us (section 11), and escalate to the Data Protection Board of India if unresolved.
You can exercise most of these rights directly from within the Rutrax app (Settings → Account) or by writing to privacy@rutrax.app. We will respond within the timelines prescribed by law (typically within 30 days).
Disconnecting your broker from Settings → Brokers immediately revokes our access tokens and halts all order placement on your broker account.
8. Cookies and similar technologies
We use a small number of cookies and local-storage items, limited to:
- Authentication: to keep you signed in.
- Preferences: e.g. theme, last-visited page.
- Analytics (if enabled): aggregated, privacy-preserving usage data.
We do not use cookies for third-party advertising or cross-site tracking. You can clear cookies from your browser settings; doing so will sign you out.
9. Children’s data
The Service is intended for users 18 years and older. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@rutrax.app and we will delete it.
10. International transfers
Rutrax primarily processes data within India. If data is processed in a jurisdiction outside India (for example, through a cloud provider’s region), we will do so only to countries not restricted under the DPDP Act and subject to appropriate safeguards.
11. Grievance redressal
For any grievance related to your personal data, please write to:
Grievance contact (beta): grievance@rutrax.app
We will acknowledge grievances within 48 hours and endeavour to resolve them within 30 days. A named Grievance Officer will be designated once Rutrax’s legal entity is formalised.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified at least 7 days in advance by email or in-app banner. The “Last updated” date at the top reflects the most recent revision. We encourage you to review this Policy periodically.
13. Contact
- General questions: support@rutrax.app
- Privacy / data requests: privacy@rutrax.app
- Security reports: security@rutrax.app
- Grievance redressal: grievance@rutrax.app