Privacy Policy

We collect the following categories of personal data:

Information You Provide

• Identity data: Full name, date of birth, PAN (Permanent Account Number) as required for SEBI KYC
• Contact data: Email address, phone number, postal address
• Financial data: Bank account details for refund processing, payment transaction records
• KYC data: Identity proof, address proof, and other documents as required by SEBI regulations
• Communication data: Correspondence via email or through the Platform, support requests, and feedback

Information Collected Automatically

• Technical data: IP address, browser type and version, device information, operating system
• Usage data: Pages visited, features used, access timestamps, session duration
• Authentication data: Login timestamps, session tokens (we do not store passwords — authentication is handled via secure OTP/email link)

Under the DPDPA 2023, we process your personal data based on the following lawful grounds:

• Consent: You provide explicit consent during registration and KYC. You may withdraw consent at any time, subject to SEBI retention requirements.
• Contractual necessity: Processing required to fulfil your Subscription and deliver the Services.
• Legal obligation: Processing required to comply with SEBI (Research Analysts) Regulations, 2014, Prevention of Money Laundering Act, Income Tax Act, and other applicable Indian laws.
• Legitimate use: Processing necessary for security, fraud prevention, and improvement of the Platform.

Your personal data is used for the following purposes:

• Verifying your identity and completing KYC as required by SEBI
• Providing and managing your Subscription and access to Research
• Processing payments, invoices, and refunds
• Communicating with you about your account, service updates, and alerts
• Responding to support requests and grievances
• Complying with regulatory reporting obligations to SEBI and other authorities
• Maintaining security and preventing fraud, unauthorized access, or misuse of the Platform
• Improving the Platform, analysing usage patterns, and developing new features (using aggregated, anonymised data where possible)

We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you.

We implement robust technical and organisational measures to protect your personal data:

• Encryption at rest: All personal data stored in our databases is encrypted using AES-256-GCM encryption
• PAN protection: PAN numbers are stored as irreversible HMAC hashes — the plaintext PAN is never stored in our database after KYC verification
• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
• Access controls: Strict role-based access controls ensure that only authorised personnel can access personal data, on a need-to-know basis
• Infrastructure security: Our Platform is hosted on enterprise-grade cloud infrastructure with DDoS protection, firewalls, and continuous monitoring
• Incident response: We maintain a data breach response plan and will notify affected individuals and the Data Protection Board of India as required by the DPDPA

We do not sell, rent, or trade your personal data. We may share your data only in the following circumstances:

• Regulatory authorities: SEBI, income tax authorities, or other government bodies when required by law or regulation
• Payment processors: To process your subscription payments and refunds (payment processors do not have access to your KYC documents or research data)
• Service providers: Cloud infrastructure and email delivery providers who process data on our behalf under strict contractual data protection obligations
• Legal proceedings: When required by court orders, legal process, or to protect the rights and safety of the Company or others

We do not transfer personal data outside India unless required by law or with your explicit consent, and only where adequate safeguards are in place as per the DPDPA.

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

• Right to access: You may request a summary of your personal data that we process and the processing activities associated with it.
• Right to correction: You may request correction of inaccurate or incomplete personal data. You may update your profile information directly through the Platform.
• Right to erasure: You may request deletion of your personal data. Please note that this right is subject to SEBI data retention requirements (see Section 7 below). Data required to be retained under law will be retained for the mandatory period even after an erasure request.
• Right to data portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format.
• Right to withdraw consent: You may withdraw consent for processing at any time. Withdrawal of consent does not affect the lawfulness of processing conducted before withdrawal and does not affect processing required under legal obligations.
• Right to grievance redressal: You may raise grievances regarding the processing of your personal data. If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.

To exercise any of these rights, contact us at support@mithrilresearch.in. We will respond to your request within 30 days.

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, and in compliance with applicable legal requirements:

• SEBI retention requirement: Under SEBI (Research Analysts) Regulations, KYC records, client agreements, research reports, and communication records must be maintained for a minimum of 5 years from the date of the transaction or the termination of the client relationship, whichever is later.
• Financial records: Payment and invoice records are retained for a minimum of 8 years as required under the Income Tax Act and GST regulations.
• Account data: If you cancel your Subscription, your account data is retained for the SEBI-mandated period and thereafter securely deleted or anonymised.
• Aggregated and anonymised data: Data that has been aggregated and anonymised (such that it cannot identify you) may be retained indefinitely for analytical purposes.

The Platform uses strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking technologies. Analytics, if any, use privacy-respecting, cookieless methods.

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete such data promptly, in accordance with the DPDPA.

We may update this Privacy Policy from time to time to reflect changes in our practices, regulatory requirements, or applicable law. Material changes will be communicated to you via email and/or a prominent notice on the Platform at least 30 days before they take effect. We encourage you to review this page periodically.

For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact:

Mithril Research LLP (Data Fiduciary)
SEBI Registration No.: INE000XXXXXX (pending)
Email: support@mithrilresearch.in

If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India as constituted under the DPDPA 2023.