Ticker Lab — Privacy Policy
Please read this Privacy Policy in full. It forms part of your Terms of Use.
1. Who we are
The Ticker Lab platform ("the Service", "the Platform") is operated by Satyabrata Mishra (referred to as "the Operator", "we", "us"), with operations in Kollam, Kerala, India.
For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Operator is the Data Fiduciary in respect of the personal data processed through the Service. You, the user, are the Data Principal.
2. What personal data we collect
We collect personal data only to the extent necessary to provide the Service and meet our legal obligations.
| Category | Specific data points | Source of collection |
|---|---|---|
| Account identity | Name, email address | You, at signup |
| Authentication | Google OAuth profile (when you sign in via Google); password hash (if you choose email/password signup) | You / Google |
| Subscription & payment | Subscription tier, payment status, Cashfree transaction tokens. We do not store card numbers | Cashfree Payments |
| Broker integration | Zerodha Kite API token (encrypted at rest), Kite client ID | You, via an OAuth-style consent step |
| Trading data | Records of paper-traded positions (ApexQQuant), tier-grouped scanner outputs, screener queries you save | Platform-generated as you use the Service |
| Usage logs | IP address (for security and abuse prevention), session timestamps, pages visited | Platform-collected |
| Communications | Emails you send us, support tickets | You |
We do NOT collect: government identifiers (PAN, Aadhaar, Voter ID), biometric data, precise location data (beyond IP-derived approximate geolocation), health information, or sensitive personal data relating to political opinions, religious beliefs, or sexual orientation.
3. Why we collect it (purposes)
| Purpose | Data used | Legal basis under DPDP |
|---|---|---|
| Provide the Service (account access, paper trading, analytics, screener) | Account, payment, broker integration, trading data | Performance of agreement |
| Authenticate you and secure your account | Authentication, IP, session | Performance of agreement + legitimate interests (security) |
| Process payments | Subscription, payment tokens (via Cashfree) | Performance of agreement |
| Communicate with you (transactional emails, support) | Email, communications | Performance of agreement |
| Comply with legal obligations (tax records, fraud investigation, response to lawful orders) | Logs, transaction history | Legal obligation |
| Improve the Service through aggregated, non-personal analytics | Anonymised usage patterns | Legitimate interests |
We do not use your personal data for: targeted advertising, sale to third parties, profiling for any purpose beyond service delivery, or any purpose not listed above.
4. Whom we share your data with
We share personal data only with the following categories of third parties, strictly for the purposes stated below:
| Third party | Role | What we share |
|---|---|---|
| Cashfree Payments (India) | Payment processor | Subscription tier, amount, transaction reference. Card details are handled by Cashfree under PCI-DSS standards; we never receive them. |
| Google LLC (United States) | OAuth identity provider (when you sign in via Google) | Standard OAuth handshake; we receive your name and email from Google |
| Brevo (formerly Sendinblue) (France) | Transactional email delivery | Your email address, for verification and notifications |
| Zerodha Broking Ltd. (India) | Broker API provider (Kite Connect) | We use the Kite API token you generate to fetch market data on your behalf; no orders are placed |
| Hetzner Online GmbH (Germany) | Cloud infrastructure hosting | All Platform data, including your personal data, is physically stored on Hetzner servers in Germany |
| Government authorities | Compliance with valid legal process | Only what is legally required, when legally required |
We have signed a Data Processing Agreement (DPA) with Hetzner Online GmbH under which Hetzner is contractually bound to process data only on our instructions and in accordance with EU GDPR and Indian data-protection standards.
We do not sell, rent, or trade your personal data to any third party.
5. Cross-border data transfer
Your personal data is physically stored on servers operated by Hetzner Online GmbH in Germany.
Under the DPDP Act, Section 16, cross-border transfer of personal data is permitted to any country not specifically restricted by notification of the Central Government. As of the date of this Privacy Policy, Germany is not on any restricted-countries list. Should the Central Government issue restrictions affecting Germany in future, we will take steps to comply, including (if necessary) migrating data to a permitted jurisdiction.
Germany operates under the European Union's General Data Protection Regulation (GDPR), which provides data-protection standards substantially equivalent to or stronger than India's DPDP Act.
6. How long we retain your data
| Data category | Retention period |
|---|---|
| Active account data | For as long as your account remains active |
| Trading and usage data | Active account duration plus 1 year (for audit and dispute resolution) |
| Payment records | 7 years (Indian tax and accounting compliance) |
| Logs (IP, session timestamps) | 90 days |
| Communications (support emails) | 2 years |
| Backups | Up to 30 days from deletion |
| Account-deletion-requested data | Deleted within 30 days of request, except where retention is mandated by law |
7. Your rights as a Data Principal
Under the DPDP Act, Sections 11 to 14, you have the following rights:
| Right | What it means | How to exercise |
|---|---|---|
| Right to access | Get a copy of personal data we hold about you | Account settings → "Download my data", or email the Grievance Officer |
| Right to correction | Request correction of inaccurate or incomplete data | Account settings, or email the Grievance Officer |
| Right to erasure | Request deletion of your data (subject to legal retention requirements) | Account settings → "Delete my account", or email the Grievance Officer |
| Right to withdraw consent | Withdraw consent for non-mandatory processing | Account settings → "Withdraw consent", or email the Grievance Officer |
| Right to grievance redressal | Lodge a complaint with our Grievance Officer or with the Data Protection Board of India | See Section 11 |
| Right to nominate | Nominate another individual to exercise your rights in the event of death or incapacity | Email the Grievance Officer |
We will acknowledge verifiable rights requests within 24 hours of receipt and respond substantively within 30 days.
8. Security practices
We implement reasonable security practices in accordance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including:
- HTTPS encryption (TLS 1.2 or above) for all data in transit
- Passwords stored using industry-standard hashing (bcrypt / argon2); we never see your password in plaintext
- Zerodha Kite API tokens encrypted at rest
- Database access restricted to authenticated administrators
- Regular security patching of operating system and dependencies
- Daily encrypted backups, with restoration tested periodically
- Access logging for sensitive operations
No system is perfectly secure. In the event of a personal data breach affecting your data, we will notify you and the Data Protection Board of India within the timeframes prescribed by the DPDP Act and supporting rules.
9. Cookies and tracking
We use essential session cookies to maintain your login state (specifically, the tlsess session cookie).
We do not currently use any third-party analytics cookies, advertising cookies, or behavioural tracking technologies. If we add analytics in future, this Privacy Policy will be updated and you will see a cookie consent banner asking for your separate consent before any non-essential cookies are set.
10. Children's privacy
The Service is not intended for users under the age of 18. We do not knowingly collect personal data from minors. Account signup requires confirmation that you are 18 or older.
If you believe we have inadvertently collected data from a minor, please contact us immediately at the Grievance Officer email below.
11. Grievance Officer and complaint mechanism
In accordance with DPDP Act Section 8 and the Information Technology Rules, 2011, Rule 5(9), we have designated a Grievance Officer to address user concerns:
| Field | Detail |
|---|---|
| Name | Satyabrata Mishra |
| Designation | Operator / Grievance Officer, Ticker Lab |
| [email protected] | |
| Postal address | 5, Panchajanya, Kulakkada, Kollam, Kerala, 691521 |
| Acknowledgement | Within 24 hours of receipt |
| Substantive response | Within 15 days |
If you are dissatisfied with our response, you may escalate to the Data Protection Board of India under DPDP Act Section 27 (once the Board is fully operational; current escalation routes via the Ministry of Electronics and Information Technology, Government of India).
12. Changes to this Privacy Policy
The Operator may update this Privacy Policy at any time. Material changes will be communicated by email to the address on file and reflected by an updated "Last updated" date at the top. Continued use of the Service after a change takes effect constitutes acceptance of the updated Policy.
13. Contact
For questions about this Privacy Policy or our data practices:
- General privacy queries: the Support tab
- Formal complaints / DPDP rights requests: [email protected]