Your data is yours. We just hold it.
This policy is written in plain English on purpose. If anything is unclear, email privacy@kautilya.xyz and we'll clarify in writing.
1. Who we are
Kautilya ("we", "us", "our") is a sole proprietorship registered in India under Udyam-BR-26-0228225. We operate the analytics platform at app.kautilya.xyz and the marketing site at kautilya.xyz. This policy explains how we handle personal data of users ("you") under the Digital Personal Data Protection Act, 2023 ("DPDPA").
2. Data we collect
We collect only what is needed to run the product. Categories:
- Account data: email address, hashed password, full name (if provided), display preferences.
- Verification data: one-time passwords (OTP) sent to your email for sign-up and password reset. OTPs are stored hashed and expire in 10 minutes.
- Broker tokens: when you connect a broker (Zerodha, Dhan, Upstox, Angel, Fyers), we store the access tokens encrypted at rest so the workstation can fetch your holdings. We never store your broker password.
- Portfolio data: your holdings, positions, trade history, P&L, cost basis, watchlists, alert rules, virtual portfolio entries, trade journal notes.
- Usage data: pages visited, features used, IP address, browser user-agent, session timestamps. Used for product analytics and abuse prevention.
- Billing data: Razorpay payment metadata (order ID, signature, method, last 4 of card if applicable). We do not store full card numbers or UPI handles — that lives only on Razorpay's PCI-DSS certified systems.
- Support communications: emails you send to support@, billing@, privacy@, or grievance@kautilya.xyz, plus our replies.
3. Why we collect it (purpose & lawful basis)
We process data on the following lawful bases under DPDPA:
- Consent — when you sign up, you consent to the processing described here. You can withdraw consent at any time by emailing privacy@kautilya.xyz; the consequence is account closure.
- Legitimate uses — fulfilling the subscription contract, running the platform, debugging, security, fraud prevention, and statutory record-keeping (tax, payment regulations).
We do not engage in profiling for advertising, do not sell data to third parties, and do not use your portfolio or trading data to train public AI models.
4. Who we share it with
We share personal data only with the following data processors, each bound by contractual confidentiality and data-protection obligations:
- AWS (Amazon Web Services) — hosting infrastructure (EC2, RDS, Amplify). Mumbai (ap-south-1) and Ohio (us-east-2) regions.
- Razorpay — SEBI-recognised Payment Aggregator. Receives order amount, currency, your email, and billing name when you check out.
- Resend — transactional email delivery (OTP, alerts, weekly digest, password resets).
- Anthropic — the "Artha" AI analyst feature sends the conversation text and selected portfolio context to Anthropic for model inference. Anthropic does not train on this data per its commercial API terms.
- Broker APIs (Zerodha Kite, Dhan, Upstox, Angel, Fyers) — outbound API calls authenticated with your tokens to fetch market data, holdings, positions, and execute orders you initiate.
- Government authorities — only when compelled by a valid legal order under Indian law.
5. Cross-border transfers
Some processors (Anthropic, Resend) operate outside India. By using the platform you consent to this transfer. We restrict transfers to jurisdictions notified or not restricted by the Government of India under Section 16 of the DPDPA.
6. How long we keep it
- Account & portfolio data — for as long as your account is active.
- OTP records — 10 minutes (hashed), then deleted.
- Broker tokens — until the token expires or you disconnect the broker, whichever is earlier.
- Billing records — 8 years, as required by Indian tax and payment regulations.
- Support emails — 2 years from last reply.
- Server access logs — 90 days.
On account closure, we delete portfolio and personal data within 30 days, except billing records held for statutory retention.
7. Your rights under DPDPA
As a Data Principal, you have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Erase data we no longer need (subject to statutory retention).
- Withdraw consent and close your account.
- Nominate another individual to exercise these rights on your behalf in case of death or incapacity.
- File a grievance and, if unresolved, approach the Data Protection Board of India.
To exercise any right, email privacy@kautilya.xyz from your registered email. We respond within 7 days; complex requests within 30 days.
8. Security
- TLS 1.2+ in transit; AES-256 at rest on AWS RDS.
- Broker tokens encrypted with per-user keys.
- Passwords hashed with bcrypt; OTPs hashed with SHA-256 and a server secret.
- Production credentials live in a .env file marked immutable (chattr +i) on a hardened EC2 host. No engineer has standing access to the database from outside the VPC.
- Two-factor authentication is available via email OTP on password-reset and high-risk operations.
No system is perfectly secure. If you suspect a breach involving your account, email security@kautilya.xyz immediately. We disclose confirmed breaches to affected users and the Data Protection Board of India within the timelines required by DPDPA.
9. Cookies & local storage
We use first-party cookies and browser local storage strictly for login session management, theme preference, and feature flags. We do not use third-party advertising cookies. We do not load fingerprinting, ad-tech, or session-replay scripts.
10. Children
Kautilya is not directed at individuals under 18 years of age. We do not knowingly collect data from children. If you believe a child has provided us data, email privacy@kautilya.xyz and we will delete it.
11. Changes
We will update this policy as the product evolves or regulations change. Material changes will be emailed to registered users at least 7 days before they take effect. The current version is dated at the top of this page.
12. Contact
Privacy queries: privacy@kautilya.xyz
Grievance officer: grievance@kautilya.xyz
Statutory address available on request to grievance@.