Privacy Policy

1. Data We Collect

We collect the following personal data when you use our Platform:

• Account Information: Email address, username, full name (optional), phone number (optional).
• Authentication Data: Password (stored as a bcrypt hash, never in plaintext), session tokens.
• Portfolio Data: Stock holdings, mutual fund holdings, transaction history, and watchlists you create on the Platform.
• Usage Data: Pages visited, features used, and interaction events for improving the Platform experience.
• Technical Data: IP address, browser user-agent, collected during authentication sessions.
• Communications: Feedback, support messages, and contact form submissions.

2. Purpose of Data Processing

We process your data for the following purposes:

• Account Management: To create, maintain, and secure your account.
• Service Delivery: To provide portfolio analytics, stock screening, and other Platform features.
• Security: To detect and prevent unauthorized access, fraud, and abuse.
• Service Improvement: To understand usage patterns and improve Platform features.
• Communication: To respond to your support requests and send service-related notifications.

3. Legal Basis for Processing

Under the DPDPA 2023, we process your personal data based on your explicit consent provided at the time of registration. You may withdraw your consent at any time by deleting your account through the Settings page.

4. Data Retention

• Account Data: Retained as long as your account is active.
• Session Data: Automatically expires after 7 days.
• Usage Analytics: Retained for up to 12 months, then anonymized or deleted.
• Upon Deletion: All personal data is permanently removed within 24 hours of account deletion.

5. Your Rights Under DPDPA

As a Data Principal under the DPDPA 2023, you have the following rights:

• Right to Access: You can view your personal data through the Settings page.
• Right to Correction: You can update your profile information at any time.
• Right to Erasure: You can permanently delete your account and all associated data through the Settings page.
• Right to Withdraw Consent: You can withdraw your consent by deleting your account, after which we will cease processing your data.
• Right to Grievance Redressal: You can contact our Grievance Officer for any data-related concerns.

6. How to Exercise Your Rights

To exercise any of your rights:

• Account Deletion: Go to Settings and use the "Delete Account" option in the Danger Zone section.
• Profile Updates: Go to Settings to update your name and other profile details.
• Other Requests: Contact us at capitaladvantage.app@gmail.com.

7. Cookies and Analytics

We use the following cookies:

• Essential Cookies: Session token (HttpOnly, secure) and CSRF protection token. These are necessary for the Platform to function and cannot be disabled.
• Analytics Cookies: Google Analytics cookies to understand usage patterns. These are only activated with your consent via the cookie banner.

You can manage your cookie preferences through the cookie consent banner shown on your first visit, or by clearing your browser's local storage.

8. MCP Server & API Access

Capital Advantage offers a Model Context Protocol (MCP) server and API for programmatic access to market data and analytics. This section describes data handling specific to MCP/API usage.

• MCP Server (Client-Side): The MCP server process runs locally on your machine and is fully stateless. It does not store any user data, conversation history, query results, or analytics. No telemetry, no tracking, no cookies.
• API Key: Sent via the X-API-Key header over HTTPS with every request. The backend stores only a SHA-256 hash of the key for authentication — the raw key is never stored server-side.
• Request Metadata: The backend logs API call counts, endpoints accessed, and timestamps for rate limiting. Client IP addresses may be logged for abuse prevention.
• Query Parameters: Stock symbols, fund names, date ranges, and filter criteria are sent to the backend to fulfill requests.
• Data NOT Collected via MCP/API: No conversation content, prompts, or AI assistant responses are ever sent to Capital Advantage. No personal information, browsing history, file system data, or device information is collected through MCP/API usage.
• Read-Only: All 38 MCP tools are read-only market data lookups and calculations. The MCP server cannot modify, delete, or create any data on your behalf.
• No Third-Party Calls: The MCP server makes requests only to the Capital Advantage backend — no direct calls to third-party services are made from your machine.

9. Third-Party Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. We use third-party services solely for market data:

• TrueData: For BSE/NSE market data, corporate filings, and financial statements. No personal user data is shared.
• Google Analytics: For anonymous usage analytics (with your consent). Data is processed per Google's privacy policy.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• Passwords are hashed using bcrypt with a cost factor of 12.
• All data in transit is encrypted via TLS/HTTPS.
• Session tokens are cryptographically secure and stored in HttpOnly cookies.
• CSRF protection via double-submit cookie pattern.
• Account lockout after repeated failed login attempts.
• Database access is restricted to the application VNet (no public access).

11. Children's Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has provided us with personal data, we will take steps to delete such information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes through the Platform or via email. Your continued use of the Platform after changes constitutes acceptance of the updated policy.

13. Grievance Officer

In accordance with the DPDPA 2023, if you have any grievances regarding the processing of your personal data, you may contact our Grievance Officer: