Privacy Policy
Last updated: 9 May 2026
This Privacy Policy explains what personal data TheMarketSnap (“we”, “us”) collects when you use the Platform, why we collect it, how we store and protect it, and the rights you have over it. We comply with the Information Technology Act, 2000 (and its Reasonable Security Practices and Procedures rules) and operate consistently with the Digital Personal Data Protection Act, 2023 (DPDP).
1. Information We Collect
- Account data: name, email address, optional WhatsApp phone number (E.164), and an optional avatar selection.
- Portfolio data: tickers, exchange (NSE/BSE), quantity, average buy price, and optional notes you add to portfolio entries.
- Trade Journal data (Elite): trade details (entry/exit, prices, R-multiple, tags, free-form thesis/notes/lesson) and up to 3 screenshots per entry stored on Cloudflare R2.
- Usage data: AI query counts (Portfolio Chat, Snap.AI), feature usage, last-seen timestamps for activity dashboards, and minimal session metadata for rate-limiting and abuse prevention.
- Payment data: processed entirely by Razorpay. We store transaction IDs, subscription state, and refund records — never card numbers, CVV, or net-banking credentials.
- Device / log data: IP address, user-agent, and request timestamps captured by our servers and CDN for security and rate-limiting purposes.
2. How We Use Your Data
- To run the Platform — portfolio tracking, AI summaries, Snap.AI replies, the daily WhatsApp report, and Trade Journal.
- To process subscription payments via Razorpay and manage billing.
- To send transactional communications (signup verification, password reset, payment confirmations, security notices, daily reports) over email and/or WhatsApp depending on your settings.
- To enforce monthly AI caps, prevent abuse, and detect fraud.
- To improve the Platform using aggregated, anonymised usage patterns.
We do not sell, rent, or share your personal data with third-party advertisers, data brokers, or marketing networks.
3. Third-Party Processors
We rely on the following processors. Each is bound by its own privacy and security commitments and processes data only for the purpose listed:
- Supabase — hosted PostgreSQL database (data stored in the AP-South-1 / Mumbai region).
- Razorpay — payment processing.
- Meta (WhatsApp Business / Cloud API) — WhatsApp message and template delivery, only if you opt in.
- ZeptoMail — transactional email delivery.
- Google Gemini & OpenRouter (GPT-4.1 nano) — AI inference for summaries, movement explanations, Portfolio Chat, and Snap.AI. We do not send your portfolio holdings or PII to these providers beyond what is strictly necessary to answer the user's query; we do not allow them to train on your data.
- Cloudflare R2 — encrypted object storage for Trade Journal screenshots.
- Vercel — frontend hosting and CDN.
- DigitalOcean — backend application hosting.
- Google Cloud — scheduled data ingestion and pipeline jobs.
- PostHog (EU region, first-party-proxied) — product analytics; configured to drop common PII fields and to use a first-party proxy so requests stay on our domain.
4. Data Storage & Security
- Application data lives in encrypted-at-rest PostgreSQL on Supabase (AP-South-1).
- Passwords are hashed with bcrypt (12 salt rounds); refresh tokens are SHA-256 hashed before storage and rotated on use.
- Access tokens are kept in JavaScript memory only (never localStorage). Refresh tokens are httpOnly, Secure, SameSite=Lax cookies inaccessible to client-side scripts.
- HTTP traffic uses TLS 1.2+ end-to-end. We send HSTS with a 2-year max-age and Content Security Policy headers across the platform.
- Trade Journal screenshots are kept in a private Cloudflare R2 bucket and accessed via short-lived presigned URLs only.
5. Data Retention
- Account data is retained while your account exists.
- Market data snapshots and stock news are kept for 3 days on a rolling window (we don't hold long-term history).
- Portfolio AI summaries and movement explanations are cached for short windows (≤72 hours) and regenerated daily.
- WhatsApp Snap.AI conversation threads are kept for context across the session and idle-expire after 30 minutes.
- Chat transcripts in your browser are stored in sessionStorage and are cleared when you close the tab.
- Payment records are retained for the duration required by Indian tax and accounting law (typically 8 years).
- On account deletion, all personal data is permanently removed via cascading delete (financial records may be retained per the previous bullet).
6. Cookies
We use a single httpOnly cookie (refresh_token) for authentication and a short-lived first-party PostHog session cookie for product analytics. We do not use third-party advertising cookies, retargeting pixels, or cross-site trackers.
7. Your Rights
You have the right to access, correct, export, and delete your personal data. You can do most of this directly from Account Settings. For anything else (data export request, opt-out of WhatsApp, grievance redressal), email us at hello@themarketsnap.com and we'll respond within 7 business days.
8. Grievance Officer
Per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, you may raise privacy or data-related grievances by writing to Adarsh Aleti, Grievance Officer, at hello@themarketsnap.com. Address: Hyderabad, Telangana, India.
9. Children
The Platform is for users 18 years or older. We do not knowingly collect data from children. If we become aware that a child has provided us with data, we will delete it promptly.
10. Changes
We may update this Privacy Policy from time to time. Material changes will be flagged on the Platform with a new “Last updated” date. Continued use after a change constitutes acceptance.