Privacy Policy

Kiaora International ("FNODATA", "we", "us") operates the website fnodata.in and the FNODATA web application. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have. It is intended to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India.

1. Data we collect

Account information (from Google)

When you sign in with Google, we receive:

• Your Google account ID (sub)
• Email address
• Full name
• Profile picture URL (if present)

Broker authorization tokens

When you connect a broker (Upstox today; Zerodha, Dhan, Angel One, ICICI Direct planned) via OAuth:

• An encrypted access token from your broker
• The broker's user ID (a short identifier like "5HCLWD")
• Token expiry timestamp

We never receive your broker password. Login happens on your broker's own secure page. Access tokens are encrypted at rest with AES-256-GCM before being stored in our database.

Usage data

• Pages you visit and features you use within the app
• Saved strategies, templates, and alerts you create
• Timestamps of login, broker connection, and subscription events
• IP address and user agent for security and abuse prevention

Payment information

If you subscribe to a paid plan, payment is processed by Razorpay. We receive only the transaction ID and payment status — we never see your card number or UPI credentials. Razorpay handles all sensitive payment data per PCI-DSS standards.

2. How we use your data

• To authenticate you when you log in
• To fetch and display market data from your connected broker
• To save your strategies, templates, positions, and alerts
• To process subscription payments and manage billing
• To send transactional emails (welcome, payment confirmation, trial-ending reminder)
• To investigate abuse, security incidents, or violations of our Terms
• To improve the service (aggregated, anonymized usage analytics)

We do not use your data for advertising. We do not sell your data to anyone. We do not use your broker tokens to place trades or access funds.

3. Where your data is stored

• Account + token database: Supabase (PostgreSQL), hosted in the ap-northeast-1 (Tokyo) AWS region.
• Live feed server: Hetzner Cloud VPS in Helsinki, Finland. This server holds your broker token in memory only during your active session and discards it when you disconnect.
• Static frontend + SEO metadata: Vercel global edge network.
• Payment records: Razorpay (India).

Under the DPDP Act 2023, cross-border transfer of personal data is permitted by default except to countries specifically restricted by the Government of India. As of the date of this policy, none of the above jurisdictions are on a restricted list.

4. Who we share data with

We share limited data only with the following service providers, each bound by their own privacy policies:

• Google — for OAuth authentication
• Your broker (Upstox, etc.) — for fetching your market data
• Supabase — database hosting
• Vercel — frontend hosting
• Hetzner — feed server hosting
• Razorpay — payment processing (paid plans only)
• Email provider (to be added) — transactional email delivery

We do not share your data with advertisers, marketers, data brokers, or any third party not listed above. We may disclose data if required by a valid legal order from an Indian court or government agency.

5. How long we keep your data

• Account data — until you request deletion or close your account
• Broker access tokens — encrypted; automatically expire daily per broker rules; deleted on disconnect
• Subscription and payment records — retained for 8 years as required by Indian tax law
• Server logs and analytics — 90 days, then aggregated/anonymized

6. Your rights under the DPDP Act

As a Data Principal under the DPDP Act 2023, you have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — ask us to correct inaccurate data
• Erasure — ask us to delete your data (subject to legal retention rules above)
• Withdrawal of consent — revoke consent for any processing that relies on consent
• Grievance redressal — raise complaints about how we handle your data
• Nominate — designate another person to exercise these rights if you are incapacitated or deceased

To exercise any of these rights, email us at support@fnodata.in. We will respond within 15 working days.

7. Security

We use TLS for all connections, AES-256-GCM encryption for stored broker tokens, and HMAC-signed short-lived tickets for authenticating WebSocket connections. Database access is restricted to our backend services. Per-user data isolation is enforced at the application layer: one user can never see another user's broker tokens or private data.

No security system is perfect. In the unlikely event of a personal data breach affecting you, we will notify you and the Data Protection Board of India as required by the DPDP Act.

8. Cookies and tracking

We use strictly necessary cookies for authentication and session management. We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that profile individuals. We may add privacy-respecting, self-hosted analytics (e.g. Plausible) in the future — if we do, this policy will be updated.

9. Children

FNODATA is intended for users aged 18 and above (F&O trading is not legally available to minors in India). We do not knowingly collect personal data from anyone under 18. If you believe we have, contact us and we will delete it.

10. Grievance contact

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 15 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.