Invest Buddy AI← Legal Index

Legal

Privacy Policy

Effective: 6 March 2026·Beta v1.0

This Privacy Policy describes how Upflow Sprint Private Limited ("Company", "we", "us", or "our") collects, uses, stores, and protects personal data when you use Invest Buddy AI ("Platform"). This policy is compliant with India's Digital Personal Data Protection Act, 2023 (DPDPA 2023).

1. Data Fiduciary (Controller)

Upflow Sprint Private Limited

Website: https://upflowsprint.com

Grievance Officer / Data Protection Contact: legal@upflowsprint.com

2. What Personal Data We Collect

2.1 Account & Identity Data

  • Full name and email address provided at registration
  • Encrypted session tokens managed by Supabase Auth (authentication provider)

2.2 Brokerage Integration Data

  • OAuth 2.0 access tokens and refresh tokens for connected brokerage accounts (e.g., Upstox) — stored encrypted using AES-256
  • Holdings, positions, and transaction history fetched from connected brokerage accounts on your behalf

2.3 User-Provided API Credentials

  • Third-party LLM API keys (e.g., OpenAI, Anthropic, Google Gemini) that you voluntarily provide for AI assistant features — stored encrypted using AES-256 and never transmitted for any purpose other than forwarding your requests to the selected LLM provider

2.4 Platform Usage Data

  • Portfolio snapshots and watchlists you create and manage within the Platform
  • Algorithmic configuration parameters you set (weights, indicators, scoring thresholds)
  • Chat history with the AI assistant (stored to provide conversation continuity)
  • Platform preferences and settings

2.5 Analytics Data (Public Pages Only)

  • Standard web analytics (e.g., page views, referral sources, browser/device type) collected on the public marketing/landing pages only via analytics tools such as Google Analytics, Microsoft Clarity, or Yahoo Analytics
  • No personally identifiable information from authenticated app sections is shared with any analytics provider.
  • Analytics data is collected in aggregate and used only to understand website traffic.

3. How We Use Your Data

  • 3.1 Providing the Platform: Fetching and analysing your portfolio holdings, generating algorithmic scores, executing orders on your explicit instruction, running the AI assistant.
  • 3.2 Authentication: Maintaining secure login sessions and verifying your identity.
  • 3.3 Email Notifications: Sending portfolio summaries, alerts, or digest emails you have opted into.
  • 3.4 Security: Detecting and preventing unauthorised access, fraud, or abuse.
  • 3.5 Product Improvement (Beta): Aggregate, anonymised usage patterns may be analysed to improve Platform performance. We do not analyse individual financial data for this purpose.
  • 3.6 Legal Compliance: Complying with applicable laws, court orders, or regulatory requirements.

4. Data Sharing & Third Parties

Our Commitment

We do not sell, rent, or share your personal or financial data with any third party for commercial, advertising, or marketing purposes.

We use the following infrastructure processors who act under contractual data-processing obligations:

Supabase Database and Authentication

Hosts your account data, encrypted tokens, holdings, and chat history. Operates on AWS (US regions) under SOC 2 compliance.

Privacy Policy →

Netlify Web Hosting & CDN

Hosts and serves the Platform's web application. Standard server logs may include IP addresses.

Privacy Policy →

LLM Providers AI Assistant (when you provide your API key)

Your chat messages are forwarded to the LLM provider of your choice (OpenAI, Anthropic, Google, etc.) using your own API key. Their respective privacy policies apply to that data. We do not store your messages with their services on your behalf.

We may disclose data if required to do so by law, court order, or governmental authority, or to protect the rights, property, or safety of the Company, our users, or the public.

5. Data Security

  • 5.1 OAuth tokens and LLM API keys are encrypted at rest using AES-256 before being written to the database.
  • 5.2 All data access to your records is enforced using Row-Level Security (RLS) policies — no user can access another user's data.
  • 5.3 All data in transit between your browser and our servers is encrypted with TLS.
  • 5.4 We do not store your brokerage account passwords or trading PIN.
  • 5.5 While we implement industry-standard security, no system is perfectly secure. You accept residual risk by using the Platform.

6. Data Retention

  • 6.1 Your data is retained as long as your account is active.
  • 6.2 Upon account deletion or a valid erasure request, your personal and financial data will be deleted within 30 days, except where retention is required by applicable law.
  • 6.3 Anonymised aggregate analytics data may be retained indefinitely.
  • 6.4 Chat history is retained to provide conversation continuity and can be cleared by you at any time from your account settings.

7. Your Rights under DPDPA 2023

As a Data Principal under the Digital Personal Data Protection Act 2023, you have the following rights:

Right to Access

Request a summary of personal data we hold about you and how it is being used.

Right to Correction

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data, subject to legal retention obligations.

Right to Grievance Redressal

Lodge a complaint about our data handling practices with our Grievance Officer.

Right to Nominate

Nominate an individual to exercise your rights on your behalf in event of death or incapacity (as per DPDPA 2023).

Withdrawal of Consent

Withdraw consent for data processing at any time; this will not affect lawfulness of processing before withdrawal.

To exercise these rights, contact our Grievance Officer at legal@upflowsprint.com. We will respond within 30 days of receiving a verifiable request.

8. Cookies & Local Storage

  • 8.1 The Platform uses cookies strictly for authentication session management (HttpOnly, Secure, SameSite=Lax).
  • 8.2 Local browser storage may be used for UI preferences (e.g., sidebar state, theme), which contains no personal data.
  • 8.3 Third-party analytics cookies may be present on the public landing page only, subject to standard browser privacy controls.
  • 8.4 No advertising or tracking cookies are used in authenticated app sections.

9. Children's Privacy

The Platform is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, please contact legal@upflowsprint.com immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email and/or a Platform notice at least 15 days before taking effect. Your continued use of the Platform after the effective date constitutes your acceptance of the revised policy.

← Terms of ServiceFinancial Disclaimer →Beta Agreement →