1. Purpose and Scope

1.1 This Privacy Policy (“Policy”) explains how AI Growth Services Private Limited (“AIGSPL”, “we”, “us”), operating the GoAlpha platform (“Platform”), collects, processes, stores, shares and protects your personal data in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”).

1.2 This Policy is also prepared in compliance with Information Technology Act, 2000 and Rules thereunder, particularly the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and any other applicable laws and regulations governing data protection and financial services in India.

1.3 For the purposes of this Policy:

- "Personal Data" has the meaning assigned under the DPDP Act, 2023 which essentially mean any data about an individual who is identifiable by or in relation to such data;

- "Sensitive Personal Data or Information (SPDI)" includes passwords, financial information, and biometric data as defined under IT Act Rules, 2011;

- "Data Principal" means you, the user whose personal data is processed;

- "Data Fiduciary" means the entity determining the purpose and means of processing personal data.

1.4 This Policy also explains how SEBI-registered Research Analyst (“Research Provider(s)”) who are responsible and accountable for all research, signals, recommendations, quantitative/model outputs and related regulated content displayed on the Platform, collects and stores KYC Records strictly for regulatory compliance, separate from GoAlpha’s Platform Data.

Subject to applicable SEBI norms, access to any SEBI-regulated research content on the Platform is permitted only after successful completion of KYC with the concerned Research Provider(s), in accordance with applicable SEBI regulations.

1.5 By accessing or using GoAlpha, you agree to this Policy. If you do not agree, please stop using the Platform.

2. Data Fiduciaries and Data Responsibilities

2.1 To provide complete transparency, GoAlpha uses a segregated data responsibility model, with two distinct fiduciaries:

(a) AIGSPL → Data Fiduciary for Platform Data

AIGSPL determines the purpose and means of processing:

• Registration Data (name, email, mobile)

• Login Credentials (hashed)

• App Usage Data

• Behavioural & telemetry data

• Subscription and transaction metadata

• Portfolio and trade execution data imports (consent-based), including holdings, positions, and broker-provided transaction metadata

• Marketing and communication preferences

• Consent logs

• Device information

• Analytics and aggregated insights

(b) Research Provider(s) → Data Fiduciary for KYC Records

Research Provider(s) determines the purpose and means for:

• PAN, Aadhaar XML, official ID documents

• Address proof, images, signatures

• KYC provider responses

• RA/PMLA compliance data

• SEBI-mandated record retention

• Audit logs for recommendations/signals

AIGSPL does not store or retain any KYC documents.

2.2 Data Processors

In addition to Data Fiduciaries, certain third-party service providers act as Data Processors on our behalf, processing data only as per our instructions:

(a) Cloud hosting providers

(b) Payment gateways and aggregators

(c) Document collection service providers

(d) Email/SMS service providers

(e) Analytics and monitoring tools

Data Processors are contractually bound to:

- Process data only for specified purposes

- Implement adequate security measures

- Not retain data beyond service requirements

- Comply with DPDP Act and IT Act obligations

2.3 No Sale of Personal Data

AIGSPL/GoAlpha does not sell, rent, or trade your personal data to third parties for their marketing purposes.

3. Categories of Personal Data Collected

All data collected falls into two buckets:

3.1 Bucket 1 – KYC Data (Stored Only by Research Provider(s))

Collected only when you undergo KYC for accessing research regulated under SEBI:

1. Full name (official ID)

2. Date of birth

3. PAN number

4. Aadhaar XML / Aadhaar masked copy

5. Photograph / selfie

6. Address proof (utility, bank statement, etc.)

7. Digitally stored e-KYC metadata

8. Document collection logs and transmission records

9. KYC Reference ID (generated by Research Provider(s) upon completion of verification, shared with GoAlpha only as a status token).

10. Any identity document required under RA Regulations / PMLA

Where it is stored:

·       Research Provider’s compliance environment

·       Not stored by AIGSPL at any point

AIGSPL receives only:

• KYC Reference ID

• KYC status (verified / pending / rejected)

• Timestamp

No identity document or raw data is retained. AIGSPL does not at any point access, process, transmit, store, or view any KYC document or raw KYC information. KYC transmission occurs through secure, direct channels between the user and Research Provider(s).

3.2 Bucket 2 – Platform Data (Stored by AIGSPL)

Collected to operate the GoAlpha platform:

A. Registration Data

• Name (user entry)

• Email address

• Mobile number

B. Login & Account Security Data

• Hashed passwords

• OTP logs

• Session tokens

C. App Usage & Behavioural Data

• App screens viewed

• Click paths

• Time spent

• Device model, OS, network

• Crash logs & error reports (PII stripped)

• IP address and approximate geolocation

D. Subscription & Payment Metadata

• Payment reference number

• Amount, timestamp

• Subscription tier

• Renewal status

• Gateway transaction ID

(Note: Payment instruments are not stored; gateways handle PCI/DSS compliance.)

E. Portfolio Import Data (only with user consent)

• Broker name

• Holdings and positions (instrument, quantity, average price etc.)

• Broker-provided trade execution details and order status for user-initiated trades

• Valuation and performance snapshots

Such data is imported solely for display, reconciliation, historical performance computation, and audit purposes. The Platform does not initiate, modify, cancel, or exercise discretion over any trade.

F. Communication Preferences

• Marketing consent

• Notification opt-in/out

• Language preference

G. Analytics & Aggregates

• Anonymised usage insights

• Aggregated behavioural segments

3.3 Sensitive Personal Data or Information (SPDI)

Under IT Act Rules, 2011, the following data categories are classified as SPDI and receive enhanced protection:

(a) Passwords and authentication credentials (hashed/encrypted)

(b) Financial information (bank account, payment card details - handled by PCI-DSS compliant gateways only)

(c) Biometric information (if facial recognition/fingerprint used for authentication)

(d) Medical/health records (if collected for any reason)

SPDI is:

- Collected only with explicit consent

- Processed under strict security protocols

- Never shared except as legally required or with explicit consent

- Subject to encryption at rest and in transit

3.4 Automatically Collected Data

When you use the Platform, we automatically collect:

(a) Device Information: Device model, operating system, unique device identifiers, mobile network information

(b) Log Data: IP address, browser type, access times, pages viewed, app crashes

(c) Location Data: Approximate location derived from IP address (precise GPS only with explicit permission)[Prakash1] 

(d) Cookies and Similar Technologies: See Section 13 for details

3.5 Data Collected from Third Parties

We may receive data about you from:

(a) Broker platforms (when you link your account)

(b) KYC verification agencies (verification results only)

(c) Market data providers (publicly available corporate actions, announcements)

(d) Analytics partners (aggregated industry benchmarks)

4. Purpose of Processing

4.1 AIGSPL uses Platform Data for:
(a) creating your account;
(b) authenticating your login;
(c) operating app features;
(d) improving product experience;
(e) personalising non-investment content and platform features (with consent);
(f) sending alerts, updates and transactional messages;
(g) fraud detection and security;
(h) processing payments and subscriptions;
(i) enabling portfolio analytics. Such analytics are mechanical, descriptive, and user-initiated, and do not constitute personalised investment advice, suitability assessment, or recommendations;
(j) compliance with legal and regulatory obligations.

4.2 Research Provider(s) uses KYC Data solely for:
(a) RA Regulation compliance;
(b) PMLA/KYC verification;
(c) maintaining required audit trails;
(d) regulatory inspections or inquiries;
(e) validating eligibility for paid research.

4.3 Purpose Limitation Principle

Personal data collected for one purpose will not be used for a materially different purpose without obtaining fresh consent, except:

(a) Where required by law or court order

(b) To prevent fraud or security threats

(c) To comply with regulatory obligations

4.4 Automated Decision-Making

(a) We may use algorithms and automated systems to personalize your experience, including:

- Surfacing relevant platform features or informational content based on usage patterns

- Detecting unusual activity or fraud

- Optimizing app performance

(b) Automated decisions do NOT include:

- Investment advice (all research is authored by Research Provider(s))

- Account suspension (reviewed by human personnel)

- Credit/lending decisions (not applicable to Platform)

- distribution of research services

5. Lawful Bases and Consent Framework

5.1 Lawful Bases for Processing

We process your personal data on the following legal grounds:

(a) Consent: For optional features like portfolio import, marketing communications, personalized analytics

(b) Performance of Contract: To provide Platform services you've signed up for

(c) Legal Obligation: To comply with SEBI, PMLA, IT Act, tax laws, and court orders

(d) Legitimate Interest: For fraud prevention, security, and service improvement (balanced against your rights)

5.2 Consent Requirements

When we rely on consent:

(a) Consent requests are clear, specific, and separate from other terms

(b) You can withdraw consent at any time through account settings or by emailing privacy@goalpha.in

(c) Withdrawal does not affect prior processing done with valid consent

(d) Some services may become unavailable if consent is withdrawn

5.3 Consent for Specific Purposes[Prakash2] 

Granular consent options include:

Purpose

Mandatory/Optional

Impact if Declined

Account creation & authentication

Mandatory

Cannot use Platform

KYC for Research Services

Subject to applicable SEBI norms, mandatory for research access

Can use free features only

Portfolio import from broker

Optional

No access to trade execution feature and portfolio view feature

Marketing communications

Optional

No promotional emails/SMS etc.

Analytics & product improvement

Optional

No impact on core feautes

5.4 Consent Recording

(a) All consent actions are logged with timestamp, IP address, and consent version[Prakash3] 

(b) Consent logs are retained for the duration of data retention as specified under applicable laws

5.5 Special Categories Requiring Explicit Consent

Explicit, affirmative consent is required before:

(a) Sharing Platform Data with Research Provider(s) (beyond KYC/subscription validation)

(b) Transferring data outside India (if applicable)

(c) Using data for marketing/promotional purposes

(d) Processing SPDI categories

6. Data Sharing and Third Parties

Data is shared only on a strictly necessary basis:

6.1 With Research Provider(s) – For:

• KYC data (direct transfer)

• Subscription validation

• Distribution of research content authored by the Research Provider(s)

• Regulatory audit

AIGSPL provides no access to Platform Data unless:
(a) required for regulatory compliance;
(b) explicitly consented by user.

In no event shall Platform Data be used by Research Provider(s) for personalised research, profiling, or suitability assessment.

AIGSPL and Research Provider(s) maintain strict segregation of KYC Data and Platform Data. No co-mingling, shared access, joint storage, or cross-usage of KYC Records and Platform Data is permitted.

6.2 With Third-Party Service Providers

(a) Document Collection Platform --- facilitates secure capture and transmission of KYC records.
[Prakash4] (b) Payment Gateway / Aggregator— handles payment transaction.
(c) Broker Gateway — to enable portfolio import and deep-link access to the broker’s execution environment.
(d) Cloud Hosting Providers — for secure storage of Platform Data.

(e) Communication Service- for sending transactional emails, SMS, push notifications etc.

(e) Analytics & Performance Monitoring — for understanding user behaviour, detecting crashes, improving UX and overall for app performance.
(f) Marketing Partners — only anonymised/consented segments.

(g) Customer Support- for handling queries and complaints

All processors are bound by strict DPDP-compliant agreements.

6.3 Data Sharing for Legal/Regulatory Reasons

We may disclose your data without prior notice to:

(a) SEBI, RBI, FIU-IND, or other financial regulators

(b) Income Tax Department or GST authorities

(c) Law enforcement under valid court orders or warrants

(d) Legal/external auditors for statutory compliance

(e) Government agencies investigating fraud or financial crimes

Such disclosures are limited to what is legally required. SEBI, FIU-IND, or any regulatory authority may require access to Platform Data or Research Provider’s KYC Records. Such access will be provided in compliance with applicable law.

6.4 Business Transfers

In the event of merger, acquisition, restructuring, or sale of assets:

(a) Your data may be transferred to the successor entity

(b) You will be notified via email at least 30 days in advance

(c) The new entity will be bound by this Privacy Policy (or provide you option to opt-out)

6.5 No Sharing for Marketing by Third Parties

Save & except group entities, we do NOT share your personal data with third parties for their independent marketing purposes without your explicit opt-in consent.

7. Data Retention

7.1 Research Provider(s) (KYC Data):

Retains full KYC and audit logs for 8 years as required under SEBI RA Regulations and PMLA.

7.2 AIGSPL (Platform Data):

• Profile data → 8 years post account closure

• Usage telemetry → 2 years (raw), anonymised thereafter

• Portfolio imports → 3 years active + 5 years archived

• Consent logs → retained as long as the associated data is retained

• Transaction metadata → 8 years

7.3 Retention Period Calculation

Retention periods begin from:

(a) Account closure date (for profile data)

(b) Last transaction date (for payment metadata)

(c) Last login date (for inactive accounts - see 7.5)

(d) Consent withdrawal date (for consent-based processing)

7.4 Data Deletion After Retention

Once retention periods expire:

(a) Data is securely deleted using industry-standard methods (overwriting, shredding)

(b) Backups containing expired data are purged within 90 days of retention expiry

(c) Anonymized/aggregated data may be retained indefinitely for analytics

7.5 Inactive Account Policy

Accounts inactive for 3 consecutive years will be:

(a) Marked as dormant after 2 years (email notification sent)

(b) Scheduled for closure after 3 years (final notification 60 days prior)

(c) Closed automatically unless you reactivate by logging in

(d) Data retained post-closure as per Section 7.2 timelines

8. User Rights

You have the right to:
8.1 Access your personal data.
8.2 Correct or update inaccurate data.
8.3 Withdraw consent (for Platform Data).
8.4 Request erasure (subject to regulatory retention).
8.5 Nominate another individual to manage your account in the event of death/incapacity.
8.6 File complaints with the Data Protection Board of India.

Requests may be sent to:
support@goalpha.in

Research Provider(s) will handle requests related to KYC Data; AIGSPL handles Platform Data requests.

9. Security Practices and Measures

9.1 Compliance Framework

GoAlpha strives to ensure the security, integrity and privacy of your Personal Data and to protect your Personal Data against unauthorized access or unauthorized alteration, disclosure or destruction. For this purpose, GoAlpha adopts the best standards and practice for data collection, storage and processing practices and security measures, including appropriate encryption and physical security measures to guard against unauthorized access to systems where GoAlpha stores your Personal Data in compliance with the applicable laws. Our security practices comply with IT (Reasonable Security Practices) Rules, 2011.

Please note GoAlpha is not responsible for any breach of security or for any actions of any third parties that receive your Personal Data.

Notwithstanding anything contained in this Privacy Policy or elsewhere, GoAlpha shall not be held responsible for any loss, damage or misuse of your Personal Data, if such loss, damage or misuse is attributable to any event that is beyond the reasonable control of GoAlpha and shall include, without limitation, acts of government, computer hacking, unauthorized access to computer data and storage device, computer crashes, breach of security and encryption, due to any act or omission by the third-party etc.

9.2 Technical Security Measures

(a) Encryption:

- Data in transit: TLS 1.3 / HTTPS for all connections

- Data at rest: AES-256 encryption for databases

- KYC data: End-to-end encryption before transfer to Research Provider(s)

(b) Access Controls:

- Role-Based Access Control (RBAC) for employees

- Multi-factor authentication for administrative access

- Principle of least privilege enforced

- Access logs maintained and audited quarterly

(c) Authentication & Credentials:

- Passwords hashed using bcrypt/Argon2 (NOT stored in plain text)

- Optional Two-Factor Authentication (2FA) via OTP

- Session timeout after 30 minutes of inactivity

- Account lockout after 5 failed login attempts

(d) Network Security:

- Firewalls and intrusion detection systems (IDS)

- DDoS protection via CDN (Cloudflare/AWS Shield)

- Regular vulnerability scans and penetration testing

- VPN-only access to production databases

(e) Application Security:

- Secure coding practices and code reviews

- Input validation and sanitization to prevent injection attacks

- Protection against OWASP Top 10 vulnerabilities

- Regular security patches and updates[Prakash5] 

9.3 Organizational Security Measures

(a) Employee Training:

- Mandatory data privacy and security training for all employees

- Background verification for employees handling sensitive data

- Confidentiality agreements (NDAs) signed by all personnel

(b) Data Handling Policies:

- Clean desk and clear screen policies

- Prohibition on storing data on personal devices

- Secure disposal of physical documents (shredding)

(c) Vendor Management:

- Security assessments before onboarding third-party processors

- Contractual data protection obligations

- Periodic audits of high-risk vendors

9.4 Limitations of Security

(a) Despite our best efforts, no system is 100% secure. Risks include:

- Sophisticated cyber-attacks

- Insider threats

- Third-party service failures

- Zero-day vulnerabilities

(b) You play a critical role in security by:

- Using strong, unique passwords

- Not sharing credentials

- Enabling 2FA, if applicable

- Keeping your device/browser updated

- Being cautious of phishing attempts

9.5 Your Security Obligations

You agree to:

(a) Protect your account credentials from unauthorized access

(b) Immediately report suspected security breaches to support@goalpha.in

(c) Use trusted networks (avoid public WiFi for sensitive transactions)

(d) Log out after each session on shared devices

(e) Keep your registered email and mobile secure

10. Cookies and Tracking Technologies

10.1 What Are Cookies

Cookies are small text files stored on your device when you visit the Platform. They help us remember your preferences, authenticate your session, and analyze usage patterns.

10.2 Types of Cookies We Use[Prakash6] 

(a) Strictly Necessary Cookies (Cannot be disabled):

- Session management and authentication

- Security and fraud prevention

- Load balancing and platform stability

(b) Functional Cookies (Can be disabled):

- Remember your language preference

- Store theme settings (dark/light mode)

- Save your layout preferences

(c) Analytics Cookies (Can be disabled):

- Google Analytics: Track page views, user journey

- Mixpanel: Understand feature usage and engagement

- Heatmaps: Visualize click patterns

(d) Marketing Cookies (Can be disabled):

- Google Ads: Retargeting (if applicable)

- Social media pixels: Facebook/LinkedIn (if applicable)

10.3 Other Tracking Technologies

(a) Web Beacons/Pixels: Embedded in emails to track open rates

(b) Local Storage: HTML5 storage for offline functionality

(c) Device Fingerprinting: Identify returning users for fraud prevention

(d) SDKs: Mobile analytics SDKs (Firebase, Crashlytics)

10.4 Managing Cookie Preferences

(a) Platform Cookie Settings:

- Login → Settings → Privacy → "Manage Cookies"[Prakash7] 

- Toggle analytics and marketing cookies on/off

10.5 Impact of Disabling Cookies

Disabling cookies may:

- Log you out automatically (session cookies)

- Reset your preferences repeatedly

- Break certain Platform features

- Affect website performance

10.6 Third-Party Cookies

Some cookies are set by third-party services we integrate (analytics, payment gateways). We do not control these cookies. Review their privacy policies.

11. Severability

GoAlpha endeavors and has made every effort to ensure that this Policy adheres with the applicable laws. If, for any reason, a court of competent jurisdiction finds any provision this Policy, or portion thereof, to be unenforceable, the invalidity or unenforceability of such part of this Policy shall not prejudice or affect the validity or enforceability of the remainder of this Policy.

12. Updates to This Privacy Policy

12.1 Reasons for Updates

We may update this Policy to:

(a) Reflect changes in data processing practices

(b) Comply with new laws or regulations (DPDP Rules, IT Act amendments)

(c) Incorporate new features or third-party services

(d) Improve clarity or transparency

(e) Address identified security risks

12.2 Notification of Material Changes

For material changes (e.g., new data categories collected, changes in retention, additional third parties):

(a) Email notification to all active users at least 7 days before effective date

(b) Prominent in-app banner/pop-up requiring acknowledgment

(c) Posted on homepage with "Updated" tag

Material changes include:

- Collecting new sensitive data categories

- Sharing data with new third-party categories

- Changing data retention periods significantly 

12.3 Notification of Non-Material Changes

For clarifications or minor updates:

(a) Posted on Platform with updated "Last Updated" date

(b) No separate email notification

12.4 Without prejudice to foregoing, GoAlpha reserves the right, at its sole discretion or on account of changes in law, to modify or replace this Privacy Policy in accordance with the applicable laws, from time to time, by posting the modified version of the Privacy Policy on the Platform.

12.5 Your continued use of the service(s) /Platform following the posting of any changes to this Policy constitutes your acceptance of those changes. Where such changes require consent under applicable law, continued use shall not constitute consent unless such consent is expressly obtained.

13. Integration

This Policy as posted on the Platform is the sole statement of Our Privacy Policy with respect to Platform, and no summary, modification, restatement or other version thereof, or other privacy statement or policy, in any form, is valid unless We post a new or revised policy on the Platform.

14. Contact Us

For any query or assistance, feel free to Contact Us with Our customer support team at support@goalpha.in

15. Grievance Officer

In accordance with Information Technology Act, 2000 and the rules made there under, the contact details of the Grievance Officer are provided below:

Name: Mr. Prakash Chandra Mishra

Email Id: prakash.m@goalpha.in