Security

Your data, treated like it’s ours.

NiveshLens holds investor data, not investor money — and we hold it under DPDP-aligned controls with row-level security on every protected table.

Encrypted at rest

All user data lives in Supabase Postgres, encrypted at rest with industry-standard AES-256. Backups are encrypted with the same key class.

Row-level security

Every table that stores user data is protected by Postgres Row Level Security. 34 tables are under RLS today; the policies live in our 0011_rls_policies.sql migration.

No service-role exposure

The service-role key never reaches the browser. Privileged operations (CAS parsing, scheduled rank jobs) run inside Supabase Edge Functions with strict input validation.
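The two controls above (per-table RLS policies, and keeping the service-role key server-side) look like this in Supabase Postgres. This is an added illustration, not NiveshLens's own 0011_rls_policies.sql; the portfolios table and its columns are hypothetical, and the policies assume Supabase Auth so that auth.uid() returns the calling user's UUID.

```sql
-- Added example of the Supabase RLS pattern described on this page.
-- Hypothetical table: one row per user-owned portfolio.
create table if not exists portfolios (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  name       text not null,
  created_at timestamptz not null default now()
);

-- Enable RLS, and FORCE it so the table owner is subject to the policies too.
-- Roles with the BYPASSRLS attribute (Supabase's service_role) still bypass RLS,
-- which is exactly why that key must stay server-side and never reach the browser.
alter table portfolios enable row level security;
alter table portfolios force row level security;

-- Browser clients reach the database as the "authenticated" role; every policy
-- scopes rows to the signed-in user. Nothing is granted to "anon", so an
-- unauthenticated request sees zero rows.
create policy "portfolios: owner can read"
  on portfolios for select
  to authenticated
  using (user_id = auth.uid());

create policy "portfolios: owner can insert"
  on portfolios for insert
  to authenticated
  with check (user_id = auth.uid());

create policy "portfolios: owner can update"
  on portfolios for update
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "portfolios: owner can delete"
  on portfolios for delete
  to authenticated
  using (user_id = auth.uid());

-- Coverage check: list every table in "public" that does NOT have RLS enabled.
-- A clean deployment returns zero rows; any table listed here is reachable
-- by the anon/authenticated roles without per-row restriction.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity
order by tablename;
```

The final query is the kind of check worth running in CI after each migration, so a newly added table cannot ship without policies.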

Email-OTP + OAuth

Authentication uses Supabase Auth. Email-magic-link OTP is the default; Google OAuth is scaffolded and gated behind your consent.

PAN handling

PAN is collected only when you complete the optional CAS upload flow, verified once, and never shared with a third party. We never request your CAS password — CAMS/KFin sign the PDF, the password is part of the email body, and we read both server-side only.

No broker credentials

We never ask for and never store broker logins or API keys. Portfolio data comes from your CAS upload or your manual entry — nothing else.

DPDP statement

Aligned with India’s Digital Personal Data Protection Act, 2023.

We treat user data under a fiduciary lens: collected with notice and consent, processed for the purpose you saw at signup, retained no longer than we need to keep your portfolio and FundScore history meaningful, and deleted on request.

You can export your portfolio and watchlists in CSV from the dashboard at any time, and you can request full account deletion by emailing privacy@niveshlens.in. We action deletion requests within 30 days.

For the long-form data-handling specifics, see the Privacy Policy.

Sub-processors

The vendors who can ever touch your data.

We keep this list short on purpose. If a vendor isn’t here, they don’t have access — and adding one means we update this page first.

Vendor     Purpose                                           Status
Supabase   Postgres, Auth, Storage, Edge Functions           Live
Vercel     Web hosting and edge cache                        Live
Razorpay   Subscription billing (UPI / card / netbanking)    Integration pending
Resend     Transactional email (OTP, monthly report links)   Integration pending

Found a vulnerability?

We’d much rather hear from you than read about it on a forum. Email security@niveshlens.in with reproduction steps. We acknowledge within 48 hours and don’t prosecute good-faith research.
