Virasat — Your Wealth Intelligence

Privacy Policy

Last updated: May 2026
This is a plain-language privacy policy. We've written it to be understood, not to hide anything.

1. What we collect

  • Account information: name and email address when you sign up
  • Financial data: asset holdings, values, and transactions you add to Virasat
  • Broker credentials: encrypted using AES-256-GCM, never stored in plain text
  • WhatsApp phone number: if you connect WhatsApp, your verified phone number is stored to link incoming messages to your account. The number is verified via an OTP sent to your registered email.
  • Usage data: pages visited, features used, error logs (via Sentry, anonymised)

2. What we do NOT collect

  • We do not collect your Aadhaar number, PAN card, or government ID
  • We do not collect your bank account details or UPI ID
  • We do not track you across other websites
  • We do not use advertising trackers

3. How we use your data

  • To provide the Virasat service — showing your portfolio, analysis, insights
  • To connect to your broker via API using your credentials
  • To improve the product based on anonymised usage patterns
  • To send product updates (only if you opt in)
  • To deliver WhatsApp messages if you have connected your WhatsApp number

4. How we protect your data

  • All data encrypted at rest (AES-256)
  • All data encrypted in transit (TLS 1.3)
  • Database uses Row Level Security — your data is completely isolated from other users
  • Broker credentials encrypted with AES-256-GCM before storage
  • Production hosted on Vercel (Singapore) + Supabase/AWS (Mumbai region) for Indian data residency

5. Your data vault choice

When you join Virasat, you choose one of two storage modes:

  • Virasat Vault: Your data is stored securely in Supabase (AWS Mumbai). Virasat manages encryption keys and backups. You can export or delete your data at any time.
  • My Vault (Google Drive backup): In addition to the Virasat Vault, an encrypted backup is synced to your personal Google Drive. You control the backup — you can disconnect Google Drive or delete the backup file at any time from your Google account. Virasat can only read/write to the specific folder it creates; it cannot access any other Google Drive content.

Both vault modes are equally secure and DPDP Act compliant. You can change your vault choice via Settings.

6. Data sharing

We never sell your data. We never share your data with advertisers. We share data only with:

  • Supabase (AWS Mumbai) — database hosting, Indian data residency
  • Vercel — application hosting
  • Sentry — error tracking, anonymised
  • Anthropic — AI analysis. Your portfolio summary (totals and percentages, no PII) is sent to the Claude API for analysis. No name, PAN, folio numbers, or transaction details are ever sent.
  • Twilio — WhatsApp message delivery, if you have connected your WhatsApp number. Twilio receives only the message text and your WhatsApp phone number. No financial data is transmitted.
  • Razorpay — payment processing for paid plans. Razorpay processes subscription payments. Virasat does not store your card or bank details.
  • Google — OAuth login and, if you choose My Vault, Drive backup. Google receives only what is required for authentication and the specific Drive backup folder.

7. DPDP Act compliance

Virasat complies with India's Digital Personal Data Protection Act 2023 (DPDP Act). As a data fiduciary, we:

  • Collect only the personal data necessary to provide the service
  • Process personal data only for the purpose for which it was collected
  • Store personal data only as long as necessary, or as directed by you
  • Honour your right to access, correct, and erase your personal data
  • Notify you in the event of a personal data breach, as required by law

For DPDP Act queries, contact: privacy@virasat.co.in

8. Your rights

  • Access: email privacy@virasat.co.in to get a copy of your data
  • Deletion: use Settings → Danger Zone, or email privacy@virasat.co.in to delete all your data within 7 days
  • Correction: update via Settings or email us
  • Export: download your data via Settings → Export, or contact us

9. Cookies

We use only essential session cookies for authentication. No advertising or tracking cookies.

10. Contact

For privacy questions: privacy@virasat.co.in
For data deletion: privacy@virasat.co.in