Privacy Policy

NiveshLens is an information and analytics service for Indian mutual funds. We provide fund research tools such as FundScore ratings, up to 20 years of NAV history, calculators, portfolio diagnostics and an AI research assistant. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, how we secure it, and the rights you have over it. It is written to align with the Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”).

Important context. NiveshLens is an analytics and information product only. We are not registered with the Securities and Exchange Board of India (SEBI), we are not a broker, and we are not a mutual fund distributor. We do not move money, execute orders, hold securities or operate a demat facility. Nothing on the Service is investment, legal or tax advice.

1. Who we are (the Data Fiduciary)

For the purposes of the DPDP Act, the “Data Fiduciary” (the entity that determines the purposes and means of processing your personal data) is NiveshLens, which operates the NiveshLens website and application. References in this Policy to “NiveshLens”, “we”, “us” or “our” mean this Data Fiduciary. References to “you” or the “Data Principal” mean the individual whose personal data we process.

If you have any questions about this Policy or about how your data is handled, you can reach us at care@niveshlens.in, or contact our Grievance Officer using the details in Section 15.

2. Scope & consent

This Policy applies to personal data we collect when you visit our website, create an account, or use any feature of the NiveshLens Service. By creating an account and using the Service, you consent to the collection and processing of your personal data as described here. Where the law requires it, we ask for specific, informed and freely given consent at the point of collection — for example, before you upload a Consolidated Account Statement or provide your PAN.

• Your consent is the primary lawful basis for most of our processing. You may withdraw your consent at any time (see Section 11). Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal, and may mean we can no longer provide certain features.
• Some processing is carried out under other lawful grounds permitted by the DPDP Act, such as performing the contract you enter into with us, complying with legal obligations, and the “legitimate uses” recognised under the Act (for example, preventing fraud and securing the Service).

3. What we collect

We collect only the data we need to run the Service. This includes:

• Account & authentication data: your email address, and the one-time passwords (OTPs) used to sign you in. If you choose Google sign-in, we receive the basic profile information that Google shares (such as your email address) to authenticate you. We do not store your password — authentication is handled through OTP and OAuth.
• Profile data (optional): display name, phone number, date of birth, city, and your answers to the risk-profile questionnaire. These help us personalise your experience and tailor diagnostics; you can leave them blank.
• Identification data (optional): your PAN, only if you choose to provide it to label or link a portfolio. We treat PAN as sensitive. It is never sold and is never shared for marketing.
• Portfolio data: your holdings, transactions, watchlists and goals. You can enter these manually, or we can extract them from a Consolidated Account Statement (CAS) PDF that you upload. When you upload a CAS, we parse the document to extract your holdings and related information so we can build your portfolio view and diagnostics.
• AI assistant queries: the questions you type into the research assistant and the portfolio context relevant to answering them (see Section 5).
• Billing data: your subscription status and plan. Your card, UPI or netbanking details are entered directly with our payment processor and never reach NiveshLens servers (see Section 7).
• Usage & technical data: pages visited, actions taken within the app, and device, browser and connection metadata including your IP address. We use this for first-party product analytics and for security.

4. How we use it (purposes & lawful basis)

We use your personal data for the following purposes:

• To provide and personalise the Service — building your portfolio view, FundScore history, diagnostics, calculators and goals. (Lawful basis: performance of the contract and your consent.)
• To authenticate you and keep your account secure — sending login OTPs and managing sessions. (Lawful basis: performance of the contract; legitimate use — security.)
• To send transactional communications — login codes, billing receipts and important service notices. (Lawful basis: performance of the contract.)
• To operate the AI research assistant — processing your query and relevant portfolio context to generate an answer. (Lawful basis: your consent and performance of the contract.)
• To detect and prevent fraud, abuse and security incidents. (Lawful basis: legitimate use recognised under the DPDP Act.)
• To improve the Service by analysing aggregate, first-party usage patterns. (Lawful basis: your consent and our legitimate interest.)
• To comply with applicable law, including tax and accounting obligations. (Lawful basis: legal obligation.)

We do not sell your personal data. We do not share it with mutual fund distributors. We do not use it to target you with third-party advertising.

5. The AI assistant & your queries

When you ask the NiveshLens research assistant a question, your query — together with the portfolio context relevant to answering it — is transmitted to a third-party large-language-model provider, DeepSeek, over a secure API, so that an answer can be generated. DeepSeek acts as a sub-processor for this feature and may process the data on infrastructure located outside India (see Section 8). We send only the information needed to answer your question.

• Please do not paste sensitive personal information — such as your PAN, bank account numbers, passwords or government identifiers — into the assistant. It is not required to use the feature, and you control what you type.
• The assistant is an information and research tool. Its responses are generated by a language model, may be incomplete or inaccurate, and are not investment, legal or tax advice.

6. Cookies & similar technologies

We use a small number of cookies and similar technologies, kept to the minimum needed to run the Service:

• Essential cookies: required for authentication, session continuity and security. The Service will not work properly without these.
• Minimal analytics: first-party measurement to understand how features are used so we can improve them.

We do not use third-party advertising or cross-site ad-tracking cookies. You can block or delete cookies through your browser settings, but doing so may prevent you from signing in or using parts of the Service.

7. How we share data / sub-processors

We do not sell or rent your personal data. We share it only with a small number of vetted service providers (“sub-processors”) who process it on our behalf, under contract, and only to the extent needed to deliver the Service:

• Supabase — database, authentication and secure file storage (including the storage of uploaded CAS files and your account and portfolio data).
• Razorpay — payment processing. Razorpay is PCI-DSS compliant and collects your card, UPI or netbanking details directly. Those payment details are never transmitted to or stored on NiveshLens servers; we receive only your subscription status and a payment reference.
• Resend — delivery of transactional emails, such as login OTPs and billing receipts.
• DeepSeek — the large-language-model provider that powers the AI research assistant, as described in Section 5.

We may also disclose personal data where we are required to do so by law, by a valid order of a court or government authority, or where disclosure is necessary to protect our rights, your safety, or the security and integrity of the Service. If our business is ever involved in a merger, acquisition or asset transfer, personal data may be transferred as part of that transaction, subject to this Policy.

8. Cross-border transfers

Your personal data is stored on cloud infrastructure and is processed primarily to deliver the Service to you. Some of our sub-processors — in particular DeepSeek (AI assistant), and potentially Resend (email) and Supabase (database, auth and storage) — may process or store data on infrastructure located outside India. Where personal data is transferred outside India, we transfer it only to jurisdictions permitted under the DPDP Act and applicable rules, and we put appropriate contractual and technical safeguards in place to protect it. We share only the data necessary for each provider to perform its function.

9. Data retention

We keep your personal data for as long as your account is active and for as long as needed to provide the Service. When you delete your account, or when the data is no longer needed for the purpose it was collected, we delete or irreversibly anonymise it, except where we are required to retain certain records for a statutory minimum period (for example, billing and tax records under applicable financial laws). Once any such legal retention period ends, that data is deleted or anonymised as well.

• Account, profile and portfolio data: retained while your account is active; deleted or anonymised after account closure, subject to legal retention requirements.
• Uploaded CAS files: retained only as needed to extract and maintain your portfolio; you may delete them.
• Billing records: retained for the period required by tax and accounting law.

10. How we secure your data

We implement reasonable security practices and procedures designed to protect your personal data, consistent with the SPDI Rules and the DPDP Act:

• Encryption in transit: all traffic between your device and our servers, and between our servers and our sub-processors, is encrypted using TLS.
• Row-level security: portfolio and account data is protected by Postgres Row Level Security so that records are accessible only to the owning user, not to other users.
• Access controls: privileged credentials (such as service keys) are never exposed to the browser, and internal access to personal data is restricted on a need-to-know basis.
• Encryption at rest: data stored with our database and storage provider is encrypted at rest.

No method of transmission or storage is completely secure. In the event of a personal data breach that is likely to affect you, we will act promptly to contain it and will notify the Data Protection Board of India and affected Data Principals as required by the DPDP Act.

11. Your rights under the DPDP Act

As a Data Principal, you have the following rights in respect of your personal data:

• Right to access: obtain confirmation of, and a summary of, the personal data we process about you and the processing activities involved.
• Right to correction and updating: have inaccurate or incomplete data corrected or completed. You can edit much of your profile and portfolio directly in the app.
• Right to erasure: request deletion of your personal data where it is no longer required for the purpose it was collected, subject to our legal retention obligations.
• Right to withdraw consent: withdraw any consent you have given, as easily as it was given. After withdrawal, we will stop the relevant processing within a reasonable time.
• Right to grievance redressal: raise a complaint with our Grievance Officer about how we handle your data (see Section 15), and escalate to the Data Protection Board of India if not satisfied.
• Right to nominate: nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, contact us at care@niveshlens.in. We may need to verify your identity before acting on a request. You also have a duty under the DPDP Act not to provide false particulars or impersonate another person when exercising your rights.

12. Children’s data

The Service is intended for adults and is not directed to anyone under 18 years of age. We do not knowingly collect personal data from children or process the personal data of a child without verifiable parental consent. If you believe a minor has provided us with personal data, please contact us at care@niveshlens.in and we will take steps to delete it. We do not undertake tracking, behavioural monitoring or targeted advertising directed at children.

13. Third-party links

The Service may contain links to third-party websites, tools or resources that we do not own or control — for example, fund houses, registrars or informational sources. This Policy does not apply to those third parties. We are not responsible for their content or their privacy practices, and we encourage you to review the privacy policy of any third-party site you visit.

14. Changes to this policy

We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we will revise the “Last updated” date at the top of this page. If the changes are material, we will take reasonable steps to notify you, for example by email or an in-app notice, before they take effect. Your continued use of the Service after the changes become effective constitutes your acceptance of the updated Policy.

15. Grievance officer & contact

If you have any questions, concerns or complaints about this Policy or about how we handle your personal data, you can contact our Grievance Officer at care@niveshlens.in. We will acknowledge and address grievances in accordance with the timelines required under applicable law.

For general support, you can also reach us at care@niveshlens.in. This Policy is governed by the laws of India, and the courts at Ahmedabad, Gujarat have exclusive jurisdiction over any dispute relating to it. You may also see our Terms of Service for the terms governing your use of the Service.