Privacy Policy
Effective Date: [TO BE INSERTED ON PUBLICATION] Last Updated: [TO BE INSERTED ON PUBLICATION]
This Privacy Policy explains how SMF Technologies LLP (LLPIN [LLPIN], registered office at [REGISTERED OFFICE ADDRESS]) ("Company", "we", "us", "our"), as the Data Fiduciary, collects, uses, discloses, stores, and protects personal data of users ("you", "your") of the Nexora platform ("Service"), in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000 and rules made thereunder.
1. Scope
This Policy applies to personal data we process in connection with:
- the Nexora website and web application;
- the Nexora backend API;
- our Telegram notification bot; and
- our customer support channels.
It does not apply to data processed solely by your broker (Upstox) or by Google, which are governed by their own privacy policies.
2. Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Identity & contact data | Name, email address, Google account identifier | You, via Google Sign-In |
| Broker authorization data | Upstox OAuth access/refresh tokens, broker user ID | You, via Upstox OAuth consent flow |
| Trading & account data | Strategy configurations, order history, positions, P&L, capital allocation settings | Generated by the Service based on data from your broker account |
| Communication data | Telegram chat ID, notification preferences | You, via account settings |
| Technical data | IP address, device/browser type, access logs, API request logs | Automatically, via the Service |
| Billing data (if applicable) | Subscription plan, payment status, invoices | You / payment processor |
We do not collect your broker login password, demat account PIN, bank account details, or trading PIN at any time. Authentication with your broker occurs via Upstox's own OAuth login page; we receive only the resulting access token.
3. How We Use Your Personal Data (Purpose Limitation)
We process personal data only for the following purposes, each based on your consent or as necessary to perform the contract with you:
- To provide the Service — connecting to your broker account, executing configured strategies, displaying analytics, and sending notifications.
- Account management — authentication, approval workflows, and customer support.
- Security and fraud prevention — detecting unauthorized access, abuse, or suspicious activity.
- Service improvement — aggregated, de-identified analysis of strategy performance and platform usage (never used to re-identify you).
- Legal and regulatory compliance — record-keeping required under applicable law, responding to regulatory or law-enforcement requests.
- Communications — sending you trade alerts, account notices, and (only with your separate consent) product updates or marketing.
We do not use your personal data for any purpose incompatible with the purposes above without seeking your fresh consent.
4. Legal Basis for Processing
Under the DPDP Act, we process your personal data on the basis of:
- Your explicit, informed consent, given at account creation and at the time you authorize broker API access (which you may withdraw at any time, as described in Section 8); and
- Performance of a contract to which you are a party (i.e., these Terms of Service), to the extent processing is necessary to provide the Service you have requested.
5. Sharing and Disclosure of Personal Data
We do not sell your personal data. We share personal data only with:
| Recipient | Data shared | Purpose |
|---|---|---|
| Upstox (your broker) | Order instructions generated from your configuration | To execute trades in your brokerage account, via the API access you authorized |
| Authentication tokens | Sign-in / identity verification | |
| Telegram | Chat ID, trade notification content | Sending you alerts you have opted into |
| Cloud infrastructure providers (DigitalOcean — hosting; Neon — database; Vercel — frontend hosting) | All data necessary for the Service to run | Hosting and operating the Service. These providers act as data processors under contract and do not use your data for their own purposes |
| Regulators, exchanges, courts, law-enforcement | As legally required | Compliance with applicable law or valid legal process |
| Professional advisors (auditors, lawyers) | As necessary | Legal, accounting, and compliance purposes, under confidentiality obligations |
We require all third-party processors to implement appropriate technical and organizational security measures and to process personal data only on our instructions.
6. Data Storage, Security, and Cross-Border Transfer
6.1 Personal data is stored in a PostgreSQL database (production) hosted with our cloud database provider, and processed by application servers hosted on infrastructure located in [DATA CENTER REGION — TO CONFIRM]. If any data is processed or stored outside India, we ensure this occurs only in jurisdictions and in a manner permitted under the DPDP Act and applicable government notifications.
6.2 Security measures include: encrypted transport (TLS/HTTPS) for all data in transit, access-controlled and audited database access, row-level security isolating each user's data (PostgreSQL RLS), API-key based authentication, and restricted administrative access.
6.3 Broker OAuth tokens are stored encrypted and are used solely to make authorized API calls to Upstox on your behalf. Tokens expire daily and must be re-authorized by you.
6.4 No method of electronic storage or transmission is 100% secure. In the event of a personal data breach that is likely to affect you, we will notify you and the relevant authorities as required under the DPDP Act and applicable rules, without undue delay.
7. Data Retention
7.1 We retain personal data for as long as your account remains active, and thereafter for the periods required to:
- comply with record-keeping obligations under securities, tax, and anti-money-laundering laws (generally up to 8 years for trade-related records, consistent with SEBI/exchange record-keeping norms); or
- resolve disputes, enforce our agreements, and respond to regulatory requests.
7.2 Following account deletion (Section 8), we will delete or anonymize personal data not subject to a retention obligation under Section 7.1, within a reasonable period (typically 90 days).
8. Your Rights as a Data Principal
Under the DPDP Act, you have the right to:
- Access a summary of the personal data we hold about you and the processing activities undertaken;
- Correction and updating of inaccurate or incomplete personal data;
- Erasure of personal data that is no longer necessary for the purpose it was collected, subject to our legal retention obligations (Section 7);
- Withdraw consent at any time, including by revoking the Upstox OAuth authorization from within the Platform's Settings or directly via Upstox. Withdrawing consent will disable the affected feature (e.g., automated order placement) but will not affect the lawfulness of processing carried out before withdrawal;
- Grievance redressal, including the right to file a complaint with the Data Protection Board of India if you are not satisfied with our response; and
- Nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
To exercise any of these rights, contact our Grievance Officer / Data Protection contact at the details in Section 11, or in our Grievance Redressal Policy. We will respond within the timelines prescribed under applicable law.
9. Cookies and Tracking Technologies
The Platform uses cookies and similar technologies as described in our Cookie Policy.
10. Children's Data
The Service is not intended for, and we do not knowingly collect personal data from, individuals under 18 years of age, consistent with the eligibility requirements in the Terms of Service. If we become aware that we have collected personal data from a child without verifiable parental/guardian consent, we will delete it promptly.
11. Grievance Officer / Contact
In accordance with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, our Grievance Officer is:
Name: Abbas Shanmugam Phone: +91 92931 00200 Email: abbas@smf.zone Address: [REGISTERED OFFICE ADDRESS]
Grievances will be acknowledged within 24 hours and resolved within the timelines prescribed under applicable law (see Grievance Redressal Policy).
12. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be notified to you via the Platform or by email at least [NUMBER] days before they take effect, and where required, we will seek your fresh consent.