MindStocs Privacy Policy
Effective Date: 20-Sep-2025
Last Updated: 30-Sep-2025
Jurisdiction: Sindhudurg, Maharashtra, India
This Privacy Policy (“Policy”) governs how MindStocs and its subsidiaries (“Company”, “we”, “our”, “us”) collect, process, store, disclose, and protect personal data of users (“User”, “you”, “your”) in connection with dashboards, software, algorithms, APIs, websites, projects, and related digital services (“Services”).
MindStocs is currently operated as a sole proprietorship under Indian law and functions solely as a technology service provider. If and when MindStocs converts to another corporate form (for example, Private Limited or LLP), this Policy will be updated and Users will be notified in accordance with Clause 22 (Policy Updates).
The Company does not accept public deposits, manage pooled funds, or provide investment advice, portfolio management, or any regulated financial services under the Securities and Exchange Board of India (SEBI) or Reserve Bank of India (RBI). All Services are strictly limited to access to software, dashboards, and related digital tools.
This Policy is prepared in accordance with:
• The Digital Personal Data Protection Act, 2023
• The Information Technology Act, 2000 and IT Rules, 2011
• The Consumer Protection (E-Commerce) Rules, 2020
• The Prevention of Money Laundering Act, 2002 (where KYC/AML screening applies)
• Applicable RBI, SEBI, and sectoral cybersecurity guidelines
This Policy forms an integral part of the Company’s Terms & Conditions and Refund Policy. It must be read in conjunction with them. In the event of conflict, the stricter provision shall apply to protect User rights and ensure regulatory compliance.
By accessing or using our Services, you:
(a) Acknowledge that you have read and understood this Policy,
(b) Consent to the lawful processing of your data for service delivery, compliance, and security purposes,
(c) Accept that data processing shall continue in accordance with this Policy even after termination of services, where retention is mandated by law.
If you do not agree, you must immediately stop using the Services.
1. Definitions & Interpretation
1.1 **“Personal Data”** means any information that identifies, or can reasonably be used to identify, a natural person, as defined under the Digital Personal Data Protection Act, 2023 (“DPDP Act”).
1.2 **“Sensitive Personal Data”** includes, but is not limited to: Aadhaar numbers (where lawfully permissible and only in masked/UIDAI-compliant format), Permanent Account Number (PAN), bank account details, broker statements, financial transaction records, biometric identifiers, and other categories of data requiring enhanced protection under applicable laws. The Company shall not store or retain **unmasked Aadhaar numbers**, full biometric data, payment card CVV, UPI PINs, or other highly sensitive credentials in raw form.
1.3 **“Anonymised Data”** means data that has been irreversibly de-identified in such a way that an individual cannot be re-identified, whether directly or indirectly.
1.4 **“Pseudonymisation”** means the processing of data in a manner that it cannot be attributed to a specific person without the use of additional information, provided that such additional information is stored separately and protected by appropriate technical and organisational measures.
1.5 **“Processing”** means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
1.6 **“DPDP Act”** refers to the Digital Personal Data Protection Act, 2023, together with its rules, notifications, and any amendments from time to time.
1.7 **“Data Fiduciary”** (also referred to in this Policy as “Company”, “we”, “us”) means the entity that determines the purpose and means of Processing Personal Data in accordance with the DPDP Act. MindStocs acts as the Data Fiduciary for the processing described in this Policy.
1.8 **“DPA”** means a Data Processing Agreement entered into between the Company and any third-party service provider or processor handling Personal Data on the Company’s behalf.
1.9 **“ROPA”** refers to Records of Processing Activities maintained by the Company as required under the DPDP Act and other applicable regulations.
1.10 **“Consent”** means any freely given, specific, informed, and unambiguous indication of the User’s wishes, by a clear affirmative action, signifying agreement to the processing of their Personal Data.
1.11 **“Personal Data Breach”** means a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.12 **Interpretation:** Headings are provided for convenience only and shall not affect the interpretation of this Policy. Words in singular include the plural, and vice versa. References to “laws” include applicable rules, regulations, notifications, circulars, and judicial pronouncements.
1.13 **“Data Principal”** means the individual to whom the Personal Data relates (i.e., the User) and includes the parent or lawful guardian of a child and the lawful guardian of a person with disability, as applicable under the DPDP Act.
2. Data Fiduciary & Contact Information
2.1 **Data Fiduciary:** The Data Fiduciary responsible for processing User data is **MindStocs**, operating as a duly established sole-proprietorship entity under Indian law and through any authorised subsidiaries or operational units.
2.2 **Data Processor:** For certain activities, MindStocs may engage third parties as **Data Processors** (e.g., payment gateways, hosting providers, KYC vendors). These entities act strictly under the Company’s documented instructions and Data Processing Agreements (DPAs).
2.3 **Registered Office:**
MindStocs
1452 Majgoan Tambalgothan,
Sawantwadi, Sindhudurg, Maharashtra – 416510, India
*(Users should verify this address exclusively from the official MindStocs website to avoid fraudulent correspondence.)*
2.4 **Privacy / Grievance Contact:**
Email: **privacy@mindstocs.com**
This serves as the designated contact point for grievances under the Information Technology Act 2000, the DPDP Act 2023, and the Consumer Protection (E-Commerce) Rules 2020.
2.5 **Support / Refunds:**
Email: **support@mindstocs.com**
This contact is provided exclusively for queries related to account access, subscription support, and refund requests under the Company’s Refund Policy.
2.6 **Grievance Officer:**
**Name:** Jackson A Fernandes
**Email:** privacy@mindstocs.com
**Tel:** +91 9021008698
2.7 **Response & Resolution Timelines (SLA):**
- Acknowledgement of any grievance or complaint shall be provided within **48 hours** of receipt.
- The Company will aim to provide a substantive resolution or update within **30 days**, in accordance with statutory requirements.
2.8 **Data Protection Officer (DPO):**
At present, the Company’s internal compliance team handles grievance redressal and data-protection responsibilities.
A formally appointed **Data Protection Officer** (“DPO”) will be designated and notified to the **Data Protection Board of India** *if and when* MindStocs is classified as a **Significant Data Fiduciary** under Section 10 of the DPDP Act.
The DPO’s name and contact details will be published on the official website upon such designation.
2.9 **Jurisdiction for Escalation:**
If a grievance remains unresolved, Users retain the right to escalate complaints to:
(a) The **Data Protection Board of India**,
(b) Relevant statutory regulators such as the **RBI** or **SEBI** (for financial-compliance queries), and
(c) **Consumer Courts** under the Consumer Protection Act 2019.
For international Users, escalation will remain subject to **Indian law**, unless mandatory local consumer or privacy protections apply.
3. Scope & Compliance
3.1 **Scope of Policy:**
This Policy applies to all processing of Personal Data undertaken in connection with:
(a) the Company’s website, dashboards, indicators, algorithms, Expert Advisors (EAs), and APIs;
(b) participation in Projects and Service Packages (including Service Access Fees, withdrawals, or Restoration claims);
(c) use of ancillary services such as VPS, hosting, and integrations; and
(d) all communications, grievance redressal, refunds, and support interactions.
3.2 **Regulatory Framework:**
This Policy is implemented in compliance with:
(a) the **Digital Personal Data Protection Act, 2023**;
(b) the **Information Technology Act, 2000** and **IT (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011**;
(c) the **Consumer Protection (E-Commerce) Rules, 2020**;
(d) the **Prevention of Money Laundering Act, 2002** and FIU-IND reporting obligations (only where KYC/AML checks apply); and
(e) applicable guidelines issued by the **Reserve Bank of India (RBI)**, **Securities and Exchange Board of India (SEBI)**, and **CERT-In** on cybersecurity and data handling.
**Clarification:** MindStocs is **not** a “Reporting Entity” under the Prevention of Money Laundering Act, 2002. Any references to FIU-IND apply only to the obligations of **RBI-regulated payment gateways** and their **banking partners**, not to MindStocs.
For the definitive commercial and regulatory disclaimer governing MindStocs' operations, Users should refer to the **Terms & Conditions — Final Consolidated Disclaimer (Clause 52).**
3.3 **Nature of Services – No Registration with Regulators:**
MindStocs is a **software and technology service provider**. It is **not registered with SEBI** as an investment adviser, research analyst, portfolio manager, or stock broker, nor with the **RBI** as a regulated entity.
- Service Access Fees are strictly payments for access to digital tools, dashboards, and Projects.
- Nothing in this Policy or in the Terms & Conditions constitutes investment advice, portfolio management, trade execution, solicitation, deposit-taking, or a collective investment scheme.
- Users remain fully responsible for their own trading and financial decisions.
3.4 **International Users:**
While Services may be accessed from outside India, this Policy is governed by **Indian law**. Users located abroad are solely responsible for ensuring compliance with their local data protection, privacy, and financial regulations.
3.5 **Consistency with Terms & Conditions:**
This Privacy Policy forms an integral part of, and must be read with, the Company’s **Terms & Conditions** and **Refund Policy**.
In the event of any conflict, the stricter or more protective clause shall prevail in favour of User rights and regulatory compliance.
For avoidance of doubt, the **Final Consolidated Disclaimer (Clause 52)** in the Terms & Conditions shall override any inconsistent language in this Privacy Policy, Refund Policy, Shipping Policy, or marketing materials.
4. Categories of Data Collected
4.1 **User-Provided Data**
We may collect the following information directly from Users for account creation, subscription, support, or compliance purposes:
(a) Basic identifiers: full name, email address, mobile number, postal address, and date of birth.
(b) Identity & verification: PAN, Aadhaar (only where lawfully required for KYC/AML or tax compliance), and other KYC documents.
(c) Financial information: bank account details, broker statements, and Service Access Fee payment records.
(d) Communications: support tickets, grievance logs, emails, and other correspondence.
(e) Referral & Commission Data: referral codes/IDs, referred user links, commission accrual and payout logs, and anti-abuse flags.
⚠️ **Aadhaar:** If Users voluntarily upload Aadhaar for address proof, they must ensure the Aadhaar number is **masked/redacted**. The Company does not store unmasked Aadhaar numbers or biometric data.
The Company does **not collect or store any biometric identifiers**, including facial scans, fingerprints, or voice samples, under any circumstance.
**Upon user request or end of statutory retention, masked identifiers (e.g., PAN, bank details, Aadhaar fragments) shall be fully deleted as per Clause 14.**
4.2 **Automatically Collected Data**
When Users access or interact with our Services, the following information may be automatically collected:
(a) Technical identifiers: IP address, device and browser/OS details.
(b) Session data: cookies, timestamps, navigation patterns, and usage logs.
(c) API/trade data: broker-linked API logs, execution records, telemetry, and error logs (only where Users link their broker API).
Automatically collected data may also be used in **aggregated or anonymised form** for service optimisation, system analytics, and cybersecurity enhancement, without identifying individual Users.
4.3 **Third-Party Data Sources**
We may receive additional information from:
(a) Payment processors (e.g., Razorpay), including transaction confirmations;
(b) Brokers/exchanges, where the User explicitly consents through API linking; and
(c) Certified KYC vendors providing identity verification outputs.
⚠️ **Clarification:** Any API-linked trade or broker data remains the **User’s property**; MindStocs processes it only for integration and service delivery, without exercising discretionary control or making trading decisions.
4.4 **Payment Data**
(a) MindStocs does **not** store or process card numbers (the card’s primary account number, not to be confused with the Income Tax PAN), CVV, UPI PINs, or raw payment credentials.
(b) All transactions are routed through **PCI-DSS compliant payment gateways** (e.g., Razorpay).
(c) For refunds and reconciliation, only masked or tokenised payment identifiers may be retained — never raw credentials.
4.5 **Cross-Reference to Cookies Policy**
For data collected via cookies, pixels, or tracking technologies, see Clause **27 (Cookies & Tracking Technologies)**.
5. Purpose & Legal Basis
5.1 **Purposes of Processing**
MindStocs processes Personal Data strictly for lawful and defined purposes, including:
(a) Account creation, authentication, and user management.
(b) Processing payments, refunds, and subscription renewals.
(c) Compliance with **KYC/AML obligations** under the PMLA, RBI guidelines, and tax rules.
(d) GST/TDS reporting and other statutory filings.
(e) Restoration Fund verification, claims assessment, forensic reviews, and audit requirements.
(f) Customer support, grievance redressal, and dispute resolution.
(g) Cybersecurity, fraud prevention, risk management, and abuse monitoring.
(h) Service performance, analytics, and product improvement (using anonymised or aggregated data where possible).
(i) Mandatory disclosures to regulators (RBI, SEBI, FIU-IND, Income Tax) and courts of law.
(j) Marketing and promotional communications **only where the User has given explicit consent**.
(k) Users remain solely responsible for their own GST, TDS, and income-tax computation and reporting on any profits or gains. MindStocs deducts or withholds GST/TDS only where expressly mandated by Indian law.
⚖️ **Lawful Purpose and Data Minimisation:**
All Personal Data is collected and processed only for lawful purposes that are necessary, proportionate, and reasonably expected in the context of the User’s relationship with MindStocs.
Data collection is limited to what is strictly required for the purposes listed above.
5.2 **Legal Bases for Processing**
Processing is carried out on the following lawful grounds:
(a) **Contractual necessity** – to deliver Services as per the Terms & Conditions.
(b) **Legal obligation** – to comply with Indian laws, including the IT Act 2000, DPDP Act 2023, PMLA 2002, GST laws, and RBI/SEBI directives.
(c) **Legitimate interest** – documented in internal **Legitimate Interest Assessments (LIA)**, including fraud prevention, platform security, debugging, incident response, and service improvement, balanced against User rights.
(d) **Consent** – obtained via clear, informed opt-in (e.g., marketing emails, optional API integrations, or participation in beta features).
5.3 **Exclusions**
Personal Data is **not processed** for:
(a) Providing investment advice, stock tips, or portfolio management.
(b) Soliciting or pooling User funds.
(c) Any financial activity requiring registration with SEBI, RBI, or IRDAI.
5.4 **Consent Records and Withdrawal**
(a) The Company maintains verifiable records of user consents (opt-ins/withdrawals) for marketing and optional integrations.
(b) Consent records are retained for the duration of the **legal retention period** or until withdrawal, whichever is longer.
(c) Users may withdraw consent at any time by contacting **privacy@mindstocs.com**; withdrawal does not affect prior lawful processing.
(d) Such records are stored securely and may be produced to regulators or the Data Protection Board of India upon lawful request.
5.5 **Alignment with User Rights**
Processing purposes and legal bases shall always be interpreted in harmony with the **rights of Data Principals** set out in Clause 14 of this Policy.
6. Use, Disclosure & Mandatory Reporting
6.1 **Permitted Recipients**
Personal Data may be shared on a strictly need-to-know basis with:
(a) Payment processors and banks (e.g., Razorpay) for subscription fees, refunds, and reconciliations.
(b) Certified KYC/AML vendors for verification purposes.
(c) Cloud and hosting providers engaged under written Data Processing Agreements (DPA).
(d) Independent auditors, forensic reviewers, or legal experts for Restoration Fund claims or disputes.
(e) Escrow trustees and custodians of the Restoration Fund.
(f) Law enforcement agencies, courts, tribunals, and regulators, where legally mandated.
6.2 **Mandatory Disclosures**
The Company may disclose Personal Data when compelled by:
(a) Court orders or tribunal directions,
(b) Regulatory notices or inspection orders,
(c) Lawful requests from SEBI, RBI, FIU-IND, MCA, Income Tax authorities, or other competent government agencies, or
(d) Foreign regulators, **only if legally permitted under Indian law** and subject to contractual or consent-based safeguards.
6.3 **AML / PMLA Position**
Based on current law and our business model, **MindStocs is not a “Reporting Entity”** under the Prevention of Money Laundering Act, 2002. MindStocs does not file Suspicious Transaction Reports (STRs), maintain AML registers, or undertake any PMLA reporting obligations.
All KYC/AML screening and STR filings rest exclusively with RBI-regulated payment gateways and their banking partners.
(a) All payment transactions are routed exclusively through **PCI-DSS compliant payment gateways** (e.g., Razorpay).
(b) Razorpay and its banking partners are responsible for **KYC/AML checks** and for filing Suspicious Transaction Reports (STRs) with FIU-IND, where applicable.
(c) MindStocs will cooperate in good faith with Razorpay, banks, and competent authorities **only upon receipt of a lawful written order** from a competent authority.
6.4 **Purpose Limitation**
All disclosures of Personal Data are made strictly for lawful and legitimate purposes, including compliance with Indian laws, resolution of verified disputes, or performance of contractual obligations. No data is disclosed or shared for commercial exploitation or profiling.
6.5 **Restoration Fund Disclosures**
(a) For transparency, Restoration Fund **summary balances** may be disclosed to Subscribers on request.
(b) **Detailed disclosures** (fund statements, transaction logs) may be made only to regulators, auditors, or escrow trustees where legally mandated.
(c) Such disclosures are **informational only** and do not create fiduciary, trustee, or capital guarantee obligations beyond the Terms & Conditions (see Clauses 15, 19, and 27 of the Terms & Conditions).
6.6 **Logging of Disclosures**
All disclosures of Personal Data (including regulator, law enforcement, or forensic requests) shall be **logged and retained** in the Company’s Records of Processing Activities (ROPA).
6.7 **User Notification**
Where legally permissible, Users will be notified if their data has been disclosed to regulators, courts, or law enforcement. Notification may be withheld if prohibited by law or if it would prejudice an active investigation.
6.8 **No Unauthorised Sharing**
Personal Data is never sold, leased, or shared with advertisers or unrelated third parties for commercial gain. All disclosures are logged and subject to audit trails.
7. Identity Verification & Aadhaar Compliance
7.1 **General Verification**
MindStocs may request valid identity and address proof for lawful KYC/AML purposes, Restoration verification, or refund validation. Accepted documents include:
- Passport
- Voter ID
- Driving Licence
- Utility Bills
- Bank Statements
7.2 **Aadhaar Handling**
(a) MindStocs does **not require Aadhaar** for onboarding. Aadhaar may only be requested if **explicitly mandated by law or regulator**.
(b) If a User voluntarily uploads Aadhaar for address verification, the following apply:
- Aadhaar number must be **masked/blurred** by the User before submission (only the last four digits visible).
- MindStocs will **not store, retain, or process any raw Aadhaar numbers or biometric identifiers**.
- MindStocs performs **only offline Aadhaar verification** (e.g., masked XML or secure eKYC file), never online or API-based authentication.
- MindStocs will not use Aadhaar for profiling, marketing, financial suitability assessments, or any non-statutory purpose.
- Upon user request or end of statutory retention, masked identifiers (e.g., PAN, bank details, Aadhaar fragments) shall be fully deleted as per the erasure rights procedure in Clause 14.
7.3 **User Responsibility**
(a) The User is responsible for ensuring Aadhaar details are properly masked before submission.
(b) If an unmasked Aadhaar is uploaded in error, MindStocs will **delete it immediately** upon detection or notification.
(c) Users acknowledge that MindStocs disclaims liability for any harm arising from unmasked uploads, except where mandatory legal retention applies.
7.4 **Temporary Use & Retention**
(a) Identity/address documents (including Aadhaar, where submitted) will be used **only for verification**.
(b) Retention will continue only while the User has an active account, or as required for:
- Statutory record-keeping (e.g., Income Tax, GST, FIU-IND);
- Ongoing disputes or Restoration claims.
(c) Once no longer required, documents will be securely **deleted, anonymised, or redacted**.
7.5 **Audit & Safeguards**
(a) Aadhaar-related processing (where unavoidable) will be logged in the Company’s **Records of Processing Activities (ROPA)**.
(b) Periodic audits will ensure no raw Aadhaar is stored beyond legal necessity.
(c) Any confirmed Aadhaar-related data breach will be reported in line with Clause 16 (Breach Notification & Incident Response).
7.6 **Legal Compliance Note**
This approach ensures compliance with:
- **Digital Personal Data Protection Act, 2023**,
- **Aadhaar Act, 2016 & UIDAI Regulations, 2021**,
- **Supreme Court Aadhaar Judgment (K.S. Puttaswamy v. Union of India, 2018)** limiting private sector use, and
- **UIDAI’s prohibition on online/API-based Aadhaar authentication by private entities.**
8. Data Retention
8.0 **Purpose Limitation & Storage Minimisation**
MindStocs retains Personal Data only for as long as necessary to fulfil the lawful purpose for which it was collected or to meet regulatory, tax, audit, or dispute-resolution obligations.
No data is retained beyond its lawful, contractual, or operational necessity, in compliance with Section 9(1)(c) of the Digital Personal Data Protection Act, 2023.
8.1 **Minimum Retention Periods**
MindStocs retains User data strictly as required under Indian law:
(a) **KYC Records** – 10 years (PMLA, RBI/FIU-IND).
(b) **GST Invoices & TDS Records** – 8 years (GST & Income Tax Acts).
(c) **Active Account Data** – Duration of service + 7 years (audit and dispute support).
(d) **Logs, Telemetry & Error Reports** – 6 months to 3 years (for security and operational purposes).
(e) **Financial Transaction Records** – 8 years (tax and audit obligations).
(f) **Restoration Fund Records** – Until claim settlement or regulatory closure.
(g) **Financial Metadata (e.g., balances, trade logs)** – minimum 7 years to satisfy audit, tax, and IT Act record-keeping requirements.
8.2 **User Deletion Requests**
(a) Users may request deletion of their Personal Data under the **Digital Personal Data Protection Act, 2023**.
(b) Deletion requests may be lawfully refused where retention is required by regulatory, tax, or law enforcement obligations.
(c) The Company shall issue a written response within 30 days of such request, stating the reasons for refusal and the applicable legal basis for continued retention.
8.3 **Secure Disposal**
(a) Upon expiry of the retention period, Personal Data will be securely **deleted, anonymised, or archived** using industry-standard sanitisation methods.
(b) Deletion extends to all primary storage and backups **within 90 days** of the request or completion of the statutory retention period, subject to technical feasibility.
(c) **Anonymised Data** may continue to be used for research, analytics, or product improvement, provided it contains no personally identifiable information.
8.4 **Regulatory & Forensic Overrides**
(a) Where a dispute, tax proceeding, regulatory inquiry, or Restoration claim is pending, relevant records shall be retained until lawful closure.
(b) FIU-IND, SEBI, Income Tax, GST, or other competent authorities may require extended retention; MindStocs shall comply with such lawful directions.
8.5 **Retention Logging & Audit Trail**
All data retention, deletion, and archival activities are logged in the Company’s **Records of Processing Activities (ROPA)** to ensure auditability and traceability.
Retention and deletion logs are periodically reviewed by internal compliance teams or external auditors for adherence to statutory timelines.
8.6 **User Acknowledgement**
By using the Services, Users acknowledge that certain records (e.g., tax, KYC, and financial logs) must be retained for statutory periods and cannot be erased upon demand.
MindStocs will delete all other non-essential data once lawful obligations are fulfilled.
9. Data Accuracy, Minimisation & User Obligations
9.1 **User Accuracy Obligations**
(a) Users must provide **true, complete, and verifiably authentic information** as required under the **Digital Personal Data Protection Act, 2023** (“DPDP Act”), specifically Sections 9(1)(a)–(c).
(b) Users must promptly update the Company with changes in contact details, KYC documents, banking information, or tax details.
(c) Failure to maintain data accuracy may result in suspension, temporary service denial, or permanent account blacklisting.
9.2 **Principle of Data Minimisation**
(a) The Company collects and processes only data strictly necessary for:
- Service delivery and account maintenance,
- Legal and regulatory compliance (e.g., KYC, GST, AML), and
- Fraud prevention and cybersecurity.
(b) Non-essential or optional data is collected only with explicit and informed consent, which Users may withdraw at any time without affecting access to core Services.
(c) All data collection and processing activities are reviewed periodically to ensure compliance with the **storage limitation and minimisation obligations** under the DPDP Act.
9.3 **Fraudulent or Misleading Data**
(a) Submission of fraudulent, fabricated, or misleading information may result in:
- Suspension or termination of Services,
- Denial of Restoration claims or refunds,
- Permanent blacklisting, and
- Reporting to relevant regulatory or enforcement agencies.
(b) The Company reserves the right to report verified fraud or misrepresentation to **FIU-IND, SEBI, RBI, Income Tax Department, or law enforcement authorities**, as required by law.
9.4 **Audit & Verification Rights**
(a) The Company may conduct random or risk-based verification of User-submitted information to ensure compliance and authenticity.
(b) Such verification may include cross-checks with **regulators, payment processors, or financial institutions**.
(c) Users must cooperate promptly with any verification request; failure to do so may result in restricted or suspended access to Services.
9.5 **User Responsibility**
Users acknowledge that providing inaccurate or misleading information may:
- Restrict or suspend access to Services,
- Delay or deny refunds, withdrawals, or Restoration claims,
- Trigger regulatory reporting to statutory bodies, and
- Expose the User to penalties under the **PMLA, DPDP Act, Information Technology Act, or Consumer Protection Act**.
9.6 **Correction & Review Rights**
(a) Users have the right to request correction, completion, or updating of inaccurate Personal Data held by the Company.
(b) Upon verification, the Company shall correct or update such information within a reasonable period, not exceeding **15 business days**, unless restricted by law.
(c) All correction requests and actions taken are logged in the Company’s **Records of Processing Activities (ROPA)** for audit and accountability.
10. Security Controls, User Responsibilities & Audits
10.1 **Company Security Controls**
(a) All data transmissions are secured using **TLS/HTTPS encryption**.
(b) Sensitive Personal Data is encrypted **at rest** using AES-256 or equivalent standards. Encryption keys are stored and rotated securely under certified key management protocols.
(c) **Role-based access controls (RBAC)** restrict internal access strictly to authorised personnel with signed confidentiality undertakings.
(d) Continuous **security logging, monitoring, and anomaly detection** are maintained for access, configuration changes, and system activities.
(e) The Company conducts periodic **vulnerability assessments and penetration tests (VAPT)**, applying critical patches without undue delay.
(f) Security practices align with **CERT-In Directions (2022)**, **RBI cybersecurity circulars**, and global standards such as **ISO/IEC 27001** and **SOC 2 Type II** frameworks where applicable.
10.2 **Audits & Assessments**
(a) Independent third-party security audits may be commissioned periodically for systems handling Personal Data or financial data.
(b) Audit reports are reviewed internally by the Compliance Officer. Summary findings may be shared with Users or regulators upon lawful request.
(c) The Company maintains documented **Records of Processing Activities (ROPA)** and internal audit logs for accountability and regulatory inspection.
10.3 **Incident Response & Breach Notification**
(a) The Company maintains an **Incident Response Plan (IRP)** addressing detection, containment, recovery, and forensic investigation.
(b) Breaches reportable under Indian law will be notified as follows:
- To **CERT-In** within **6 hours** of detection or awareness, as per CERT-In Directions (2022).
- To the **Data Protection Board of India** within **72 hours**, as required under the **DPDP Act, 2023**.
(c) Affected Users will be notified where required under law, detailing:
- The nature and extent of the breach,
- Likely impact and affected data categories,
- Mitigation and remedial steps taken, and
- Recommended precautions for Users.
(d) All breach records, incident reports, and regulator communications will be logged and preserved for a minimum of 12 months.
10.4 **User Responsibilities**
(a) Users must:
- Maintain secure login credentials and devices,
- Protect broker API keys and trading accounts,
- Use strong passwords and update them periodically,
- Enable two-factor authentication (2FA) where available.
(b) The Company shall not be liable for unauthorised access, loss, or misuse arising from User negligence, device compromise, or insecure API handling, except where liability cannot be excluded by law.
10.5 **Shared Responsibility Principle**
Security responsibilities are shared between the Company and the User as follows:
- The **Company** secures servers, databases, and transmission channels.
- The **User** secures endpoints, login credentials, and connected broker or exchange APIs.
This shared responsibility model ensures complete protection across the full transaction chain.
10.6 **Vulnerability Disclosure**
(a) Security researchers may responsibly disclose suspected vulnerabilities to **security@mindstocs.com**.
(b) The Company shall acknowledge valid reports and remediate confirmed vulnerabilities promptly.
(c) Researchers acting in good faith shall not face legal or penal action, provided they do not exploit, access, or publicly disclose issues before remediation.
10.7 **Periodic Review & Continuous Improvement**
(a) The Company’s Information Security and Compliance Teams conduct quarterly reviews of technical and organisational controls.
(b) Security procedures are updated in response to new regulatory guidance, threat intelligence, or post-incident reviews.
(c) Annual policy audits are performed to ensure continuous alignment with CERT-In, DPDP Act, and global security standards.
10.8 **Retention of Security Logs**
(a) Security and audit logs (including access, system, and event logs) are retained for a minimum of **180 days** in compliance with **CERT-In Directions (2022)**.
(b) Logs are maintained in **tamper-proof and time-stamped formats** and may be retained longer where required for forensic, audit, or regulatory purposes.
(c) Access to these logs is strictly restricted to authorised compliance personnel and external auditors, as necessary.
11. Automated Processing, DPIA & Profiling
11.1 **Automated Processing for Service Integrity**
The Company uses automated systems solely to ensure operational and compliance integrity, including:
(a) **Fraud detection and prevention** (e.g., duplicate accounts, suspicious access, or bot activity),
(b) **Anti-Money Laundering (AML) screening** in cooperation with payment gateways and certified KYC vendors,
(c) **Restoration Fund eligibility and verification** checks, involving algorithmic comparison of broker statements and logs, subject always to human verification before final approval.
11.2 **Transparency of Automated Decisions**
Where any automated process or rule-based system may materially affect a User’s rights (e.g., account suspension, Restoration claim rejection), the User will be informed of:
(a) The fact that an automated process was used,
(b) The key parameters or logic applied (to the extent law permits), and
(c) The User’s right to request manual review under Clause 11.5.
11.3 **Data Protection Impact Assessments (DPIA)**
(a) High-risk automated or large-scale data processing activities undergo a **Data Protection Impact Assessment (DPIA)** prior to deployment.
(b) Each DPIA documents the risk assessment, mitigation measures, and residual risk acceptance, forming part of the Company’s **Records of Processing Activities (ROPA)**.
(c) DPIAs may be shared with regulators or auditors **only when legally required or formally requested** under applicable law.
11.4 **Exclusions: No Commercial Profiling**
The Company does **not** engage in automated profiling or decision-making for:
(a) Targeted advertising or marketing segmentation,
(b) Credit scoring, lending, or insurance risk assessment, or
(c) Investment recommendations, research, or portfolio classification.
11.5 **User Rights to Human Review**
(a) Users have the right to request a **manual, human review** of any automated decision that significantly affects their access to Services or financial position.
(b) The Company shall respond to such requests **within 15 business days**, following the grievance redressal timelines in Clause 2.6.
(c) Upon review, the User will receive a written explanation and, if justified, correction or reconsideration of the automated outcome.
11.6 **Scope Limitation & Regulatory Clarification**
MindStocs’ automated verification and screening processes are **supplementary controls** designed for internal integrity only.
Regulatory obligations for AML/KYC verification, transaction monitoring, and STR filing remain the sole responsibility of **RBI-regulated intermediaries**, such as payment gateways (e.g., Razorpay) and their partner banks.
MindStocs cooperates with such entities **only upon lawful written request** and does not perform any regulated AML/KYC activity independently.
11.7 **Algorithmic Accountability & Auditability**
(a) The Company maintains version-controlled documentation of key automated decision rules and algorithms that materially impact Users.
(b) All algorithmic changes are subject to **internal approval, validation testing, and compliance review** prior to deployment.
(c) Logs of automated processes, input data, and output decisions are retained for a minimum of **one (1) year** for audit and dispute resolution purposes.
(d) Independent audits of algorithmic fairness, accuracy, and bias detection may be conducted periodically, and reports may be shared with regulators where legally required.
12. Cross-Border Transfers & Safeguards
12.1 **Primary Data Storage**
All primary collection, processing, and storage of Personal Data are performed on servers physically located within India.
Cross-border transfers are permitted only in exceptional cases where required for service functionality, analytics, or sub-processor operations, and are governed strictly by the safeguards in this Clause.
12.2 **Limited Cross-Border Transfers**
Where cross-border transfers are unavoidable (e.g., hosting, analytics, or global integrations), such transfers shall:
(a) **Be Lawful** – comply with the **Digital Personal Data Protection Act, 2023 (Section 16)**, **RBI/SEBI data handling guidelines**, and any **Central Government notifications specifying restricted jurisdictions**;
(b) **Be Contractually Safeguarded** – take place under a written **Data Processing Agreement (DPA)** incorporating India-equivalent data protection, retention, and breach notification obligations; and
(c) **Be Consent-Based** – where required by law, the User’s **specific and informed consent** will be obtained prior to any such transfer.
Where cross-border processing is used, MindStocs continues to apply Indian law as the primary legal framework and will seek fresh consent whenever the scope or purpose of processing materially changes.
12.3 **Sensitive Data Restrictions**
The following categories of data shall **never be transferred or processed outside India**:
(a) Aadhaar numbers, biometric identifiers, or UIDAI-linked information;
(b) UPI PINs, payment card details, or raw financial credentials;
(c) KYC/AML records or PAN-linked datasets, which shall be processed only through Indian servers or certified domestic vendors in compliance with RBI and FIU-IND standards.
12.4 **Foreign Processor Obligations**
Any foreign sub-processor engaged by MindStocs must:
(a) Maintain contractual commitments equivalent to Indian data protection law;
(b) Implement technical and organisational measures for confidentiality, encryption, and breach response;
(c) Return or permanently delete all Personal Data upon service termination or completion; and
(d) Cooperate in good faith with lawful audit or compliance verification requests from MindStocs or Indian authorities.
12.5 **Transparency for Users**
A summary of jurisdictions and processor categories involved in any cross-border data transfer shall be published in **Annexure A – Sub-Processor List** and updated periodically.
Users may request the most recent version by contacting **privacy@mindstocs.com**.
12.6 **Alignment with International Standards**
For Users located in jurisdictions with stricter cross-border data transfer requirements (e.g., EU/UK), MindStocs may implement **Standard Contractual Clauses (SCCs)**, **Binding Corporate Rules (BCRs)**, or equivalent contractual mechanisms to enable lawful processing consistent with their national data protection frameworks.
12.7 **Compliance Updates & Data Localization Priority**
(a) MindStocs follows an **India-first data localization policy**, prioritising domestic storage and processing wherever technically and operationally feasible.
(b) Upon any future notification by the **Government of India** specifying restricted jurisdictions under Section 16 of the DPDP Act, MindStocs will immediately:
- Cease or reroute transfers to affected countries, and
- Notify Users of any material impact on service continuity.
(c) The Company shall review all cross-border data flows at least annually to ensure continued compliance with Indian law and applicable foreign data protection regimes.
13. Sub-Processors & Vendor Management
13.1 **Use of Sub-Processors**
The Company engages third-party service providers (“Sub-Processors”) for specific operational functions such as payment processing, KYC verification, hosting, communication, auditing, analytics, and forensic services.
13.2 **Vendor Due Diligence**
Before onboarding, each Sub-Processor undergoes a documented due-diligence and risk-assessment process evaluating:
(a) information-security maturity,
(b) regulatory compliance (DPDP Act 2023, IT Act 2000, CERT-In 2022 Directions),
(c) financial and operational stability, and
(d) contractual readiness to meet MindStocs’ security and privacy requirements.
13.3 **Data Processing Agreements (DPAs)**
All Sub-Processors are bound by written DPAs requiring:
(a) strict confidentiality and restricted access;
(b) compliance with the **DPDP Act 2023**, **IT (SPDI) Rules 2011**, and sector-specific regulations;
(c) equivalent technical and organisational safeguards as applied by MindStocs;
(d) immediate breach or incident notification; and
(e) secure deletion or verified return of all Personal Data at contract termination, including confirmation of destruction where applicable.
The current list of approved Sub-Processors is maintained in **Annexure A**.
13.4 **Responsibility to Users**
MindStocs remains **fully accountable** to Users for lawful and secure processing, even where operations are performed by authorised Sub-Processors.
13.5 **Transparency & Notification**
(a) A summary list of active Sub-Processors (by functional category and jurisdiction) is published in **Annexure A** and updated periodically.
(b) Users will be notified of any material changes—such as addition or replacement of core payment, hosting, or KYC vendors—within a reasonable period or as otherwise required by law.
13.6 **User Acknowledgement**
By using the Services, Users consent to processing by authorised Sub-Processors operating under these safeguards.
Independent brokers, VPS providers, or exchanges directly connected by the User remain outside MindStocs’ control and are governed by their own privacy and security policies.
13.7 **Ongoing Monitoring & Annual Review**
(a) Sub-Processors are reviewed at least **annually** for continued compliance with contractual, technical, and legal obligations.
(b) High-risk vendors (e.g., payment or hosting partners) may be subject to ad-hoc audits or third-party security attestations.
(c) Any vendor failing to maintain required standards will be suspended or replaced, and Users notified if service continuity may be affected.
14. User Rights & Exercise Procedure
14.1 **Data Principal Rights**
Users (“Data Principals”) have the following rights under the **Digital Personal Data Protection Act, 2023 (DPDP Act)**:
(a) **Access** – to obtain a copy of their Personal Data being processed, along with a summary of purposes, categories, and third-party recipients.
(b) **Correction** – to rectify inaccurate, incomplete, or outdated data.
(c) **Erasure** – to request deletion of Personal Data that is no longer necessary, subject to legal retention requirements.
(d) **Portability** – to receive Personal Data in a structured, machine-readable format (JSON/XML/CSV), applicable only to automated processing and where technically feasible.
(e) **Restriction** – to restrict or object to processing based on legitimate interest or where processing exceeds the stated purpose.
(f) **Consent Withdrawal** – to withdraw consent for non-essential or marketing processing at any time, without affecting lawful prior processing.
(g) **Nomination** – to nominate another individual to exercise these rights in the event of the User’s death or incapacity.
(h) **Grievance Redressal** – to raise complaints or appeal unsatisfactory responses through the procedures in Clause 2.7.
14.2 **Procedure to Exercise Rights**
(a) All requests must be submitted in writing via email to **privacy@mindstocs.com** from the User’s registered email ID.
(b) The request must include secondary identity verification details, such as the last four digits of the User’s PAN or recent payment reference.
(c) The Company may request additional verification to prevent fraudulent or unauthorised access before processing the request.
(d) Requests made through agents or nominees must include a signed authorisation letter or power of attorney, along with verified ID proof.
14.3 **Timelines for Response**
(a) Acknowledgement within **48 hours** of receiving the request.
(b) Substantive response or outcome within **30 calendar days**.
(c) Extensions are permitted only if delays arise due to dependency on third parties or complex verification; such extensions will be notified within the initial 30-day period with reasons and an estimated timeline.
(d) **Consent withdrawals** shall be executed within **5 business days** from receipt of the request.
14.4 **Refusal & Legal Grounds**
The Company may deny, delay, or partially fulfil a request in the following situations:
(a) Where legal retention requirements under tax, audit, or financial laws apply;
(b) Where disclosure would prejudice investigations, litigation, or regulatory proceedings;
(c) Where the request is manifestly unfounded, repetitive, abusive, or technically infeasible.
All refusals shall be **reasoned in writing**, specifying the relevant legal or regulatory provision relied upon.
14.5 **Fees for Repetitive Requests**
One valid exercise of each right shall be processed free of cost.
For repetitive or excessive requests, the Company may charge a **reasonable administrative fee**, consistent with Section 12(7) of the DPDP Act.
14.6 **Record of Requests**
(a) The Company shall maintain a **Rights Request Register** documenting all access, correction, erasure, and portability requests, their verification status, and final outcome.
(b) Such records shall be retained for **seven (7) years** or the statutory limitation period for audits, whichever is longer.
(c) These records shall be made available to the **Data Protection Board of India (DPB)** or other competent regulators upon lawful request.
14.7 **Escalation & Appeals**
If the User is unsatisfied with the Company’s response, they may escalate to:
(a) The **Data Protection Board of India (DPB)** under the DPDP Act;
(b) **Consumer Courts** under the Consumer Protection Act, 2019; or
(c) Other competent regulators such as **RBI** or **SEBI**, depending on the nature of the grievance.
15. Restoration Fund & Forensic Data Handling
15.1 **Purpose of Use**
Personal Data and supporting documents submitted for Restoration or refund claims (including broker statements, trade logs, KYC records, and financial reports) shall be processed strictly for:
(a) Verification of eligibility under the Terms & Conditions, using predefined and objective criteria;
(b) Independent forensic or audit review, where deemed necessary for validation or dispute resolution;
(c) Reporting to regulators, trustees, auditors, or escrow agents, where lawfully required; and
(d) Dispute resolution, including arbitration, tribunal, or judicial proceedings where claims are contested.
15.2 **Independent Auditors & Confidentiality**
(a) The Company may appoint independent auditors, forensic experts, or legal advisors to review Restoration claims and validate financial data.
(b) All such third parties shall operate under formal **Data Processing Agreements (DPAs)** mandating: confidentiality, purpose limitation, secure processing, and data minimisation.
(c) Detailed access logs shall be maintained for all third-party or internal reviews, including date, purpose, and authorised personnel.
(d) All claim-related files and documents shall be encrypted **both at rest and in transit** using industry-standard cryptographic protocols.
(e) The Restoration Fund’s record-keeping and audit mechanisms shall undergo **independent annual audits**. Any escrow or trustee arrangements, where applicable, are **operational only** and do not establish fiduciary, trustee, guarantee, insurance, or investor-protection obligations of any nature.
15.3 **Transparency & Non-Public Disclosure**
(a) Individual claim-related data such as broker account details, financial statements, or logs shall never be disclosed to other Users or unauthorised personnel.
(b) The Company may, for transparency purposes, publish anonymised or **aggregate summaries** (e.g., Restoration Fund balance, number of claims processed, audit verification summaries) without identifying any individual User.
(c) Full disclosures may be made only to regulators, auditors, trustees, or escrow agents under a **lawful written directive** or statutory notice.
15.4 **Data Retention for Claims**
All Restoration and refund claim data shall be retained and disposed of in accordance with Clause 8 (Data Retention). Data will be securely deleted or anonymised once no longer required for legal, regulatory, audit, or dispute-related purposes.
15.5 **Chain of Custody & Evidence Preservation**
(a) All digital and physical claim records (including logs, trade data, and supporting evidence) shall be maintained under a secure **chain of custody** ensuring integrity, non-repudiation, and audit traceability.
(b) Hash-based integrity checks (e.g., SHA-256 or equivalent) may be used to preserve authenticity of digital documents submitted for verification or arbitration.
(c) Where required under law or by arbitration tribunals, the Company shall provide verified extracts or certified digital copies as admissible evidence under the **Indian Evidence Act, 1872** and the **Information Technology Act, 2000**.
15.6 **Regulatory Cooperation & Legal Disclosure**
In accordance with Section 17 of the **Digital Personal Data Protection Act, 2023**, the Company may disclose Restoration-related data to competent authorities, regulators, or courts, when required by lawful process, without further consent from the User.
Such disclosure will be limited to the minimum information necessary for the stated purpose and logged for accountability.
16. Breach Notification & Incident Response
16.1 **Regulatory Reporting**
In the event of a confirmed or suspected Personal Data breach, MindStocs shall notify:
(a) **CERT-In** within six (6) hours of detection, where the incident meets the thresholds under the CERT-In Directions (2022);
(b) The **Data Protection Board of India** within seventy-two (72) hours of becoming aware of any breach that is likely to cause **significant harm** under the **Digital Personal Data Protection Act, 2023**; and
(c) Other competent regulators (including **RBI**, **SEBI**, **FIU-IND**, and **Income Tax authorities**) where the breach involves regulated financial or tax-sensitive data.
16.2 **User Notification**
(a) Affected Users shall be notified **without undue delay** where the breach is reasonably likely to cause material or reputational harm.
(b) Such notifications shall include:
- The nature, scope, and time of the breach;
- Categories of Personal Data affected;
- Likely consequences;
- Containment and mitigation measures taken;
- Recommended User actions (e.g., password reset, API key revocation); and
- Dedicated contact details for support or clarifications.
16.3 **Incident Response Plan (IRP) & Testing**
(a) The Company maintains a formal **Incident Response Plan (IRP)** covering:
- Detection and triage;
- Containment and isolation of affected systems;
- Forensic investigation and detailed logging;
- Evidence preservation and integrity verification;
- Coordination with hosting providers, Sub-Processors, and auditors; and
- Timely remediation and regulator reporting.
(b) The IRP shall be **tested at least annually** through internal or third-party simulations, with corrective actions tracked to closure.
16.4 **Root-Cause Analysis & Post-Incident Review**
(a) Following closure of each notifiable incident, a formal **Root-Cause Analysis (RCA)** and **Post-Incident Review (PIR)** shall be conducted to document causes, lessons learned, and preventive actions.
(b) The RCA/PIR report shall be retained for **a minimum of seven (7) years** or until completion of all regulatory audits, whichever is longer.
(c) Material findings may be shared with CERT-In or the Data Protection Board of India upon lawful request.
16.5 **Third-Party Breaches**
Where a breach originates from a Sub-Processor or external service (e.g., payment gateway, hosting provider), MindStocs shall:
(a) Require immediate written notification from the Sub-Processor;
(b) Notify affected Users if their Personal Data is directly impacted; and
(c) Coordinate in good faith with regulators, affected parties, and Sub-Processors to ensure timely containment and reporting.
16.6 **Data-Preservation for Forensics**
All system, application, and security logs relevant to a reportable incident shall be preserved for **not less than 180 days** from the date of incident detection, in compliance with the **CERT-In Directions (2022)** and other applicable law.
16.7 **No Waiver of Rights**
Nothing in this Clause limits or waives the User’s statutory right to seek redress, lodge complaints with regulators, or claim remedies for data breaches under applicable Indian law.
17. Children & Minors
17.1 **Age Restriction**
MindStocs Services are intended exclusively for individuals aged **18 years and above**, in full compliance with Section 9 of the **Digital Personal Data Protection Act, 2023 (DPDP Act)** and allied IT Rules.
17.2 **Prohibition on Minor Accounts**
(a) The Company does not knowingly collect or process Personal Data of individuals under the age of 18.
(b) If the Company becomes aware that an account or data belongs to a minor, such account shall be **immediately suspended or terminated**, and all associated data shall be securely deleted, except where retention is legally mandated (e.g., for fraud investigation, regulatory compliance, or law enforcement purposes).
17.3 **Age Verification Methods**
(a) The Company employs **self-declaration** at the time of registration and may request supporting **KYC documents** such as PAN, voter ID, or passport for age verification, where legally required.
(b) Verification logs shall be recorded and retained for audit and compliance evidence in accordance with Clause 8 (Data Retention).
17.4 **Parental Consent (Exceptional Circumstances)**
(a) MindStocs does not knowingly provide Services to minors.
(b) In the event that the Company lawfully offers an educational or research-related product requiring access by minors, **verifiable parental or guardian consent** shall be obtained prior to activation.
(c) Such consent shall require:
- A government-issued ID of the parent/guardian, and
- A signed or digitally verified consent form authorising the child’s use of the Service.
(d) Parental consent records shall be securely retained for **a minimum of seven (7) years** or until the child attains the age of majority, whichever is longer.
17.5 **Parental Responsibility**
Parents or legal guardians who become aware that a minor has accessed the Services without proper consent must promptly contact **privacy@mindstocs.com** to request suspension and deletion of the account.
17.6 **Prohibition on Tracking or Profiling of Minors**
In accordance with Section 9(2) of the DPDP Act, MindStocs shall not:
(a) Process or profile any data of children for advertising or behavioural tracking;
(b) Undertake any targeted or personalised marketing based on minor data; or
(c) Transfer or share such data with third parties except as required by law.
17.7 **No Child-Specific Marketing**
MindStocs does not market, promote, or distribute services aimed at children or minors and does not knowingly use children’s data for advertising, profiling, or analytics.
17.8 **Compliance Statement**
This Clause satisfies the Company’s obligations under the **Digital Personal Data Protection Act, 2023**, **Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011**, and the **Supreme Court of India (Aadhaar & Privacy) Judgments (2017–2018)** regarding protection of minors’ personal information.
18. Marketing & User Consent
18.1 **Opt-In Requirement**
MindStocs shall send marketing, promotional, or educational communications (including newsletters, offers, referral program information, and product updates) **only where the User has explicitly opted in** through email confirmation, website consent settings, or platform-based consent forms, in accordance with Section 7 of the **Digital Personal Data Protection Act, 2023 (DPDP Act)**.
18.2 **Granular Consent**
Where feasible, Users shall be provided with **granular consent options** (e.g., newsletters, software updates, or promotional offers) enabling selective opt-in or opt-out for specific communication categories.
18.3 **Right to Withdraw Consent**
Users may withdraw their marketing consent at any time by:
(a) Clicking the “unsubscribe” link provided in each marketing email;
(b) Updating communication preferences in their account dashboard; or
(c) Contacting **privacy@mindstocs.com** from their registered email address.
18.4 **Effect of Withdrawal**
Withdrawal of marketing consent will **immediately stop all non-transactional communications**. Such withdrawal will not:
(a) Affect the User’s access to or use of paid Services; or
(b) Affect data processing necessary for compliance, fraud detection, security alerts, or essential service notifications.
18.5 **Third-Party Processors**
Any third-party vendors used for marketing delivery (e.g., email, SMS, or CRM platforms) act solely as **Data Processors** under written **Data Processing Agreements (DPAs)** ensuring confidentiality, lawful processing, and compliance with this Privacy Policy and the DPDP Act.
18.6 **Cross-Border Tools**
If the Company engages international communication platforms or cloud-based processors, all cross-border transfers shall comply with **Clause 12 (Cross-Border Transfers)**, including written safeguards and explicit User consent where applicable.
18.7 **Mandatory Service Notices**
Essential transactional communications — such as policy updates, billing confirmations, OTPs, and system alerts — are **service notices**, not marketing communications. These will continue to be sent regardless of marketing consent status, as they are necessary for contract performance and compliance.
18.8 **Mandatory Marketing Disclaimers**
All marketing and promotional communications, irrespective of channel, shall prominently include the following disclaimer verbatim:
> **Disclaimer:** “MindStocs does not provide guaranteed returns. Service Access Fees are payments for software and related services only. The Restoration Fund is discretionary and conditional, subject to eligibility and Fund availability. This is not a deposit, investment scheme, insurance product, or financial product regulated by SEBI, RBI, or IRDAI.”
(a) This disclaimer must appear clearly and legibly in all marketing channels, including but not limited to: website banners, brochures, advertisements, social media posts, presentations, WhatsApp or email campaigns, and verbal sales communications.
(b) The use of terms such as “guaranteed”, “fixed returns”, “assured profits”, or any similar expression suggesting assured income is **strictly prohibited**.
(c) All marketing content must also comply with the mandatory language prescribed in **Clause 44.2** of the **Terms & Conditions (Final Consolidated Disclaimer, Clause 52)** to ensure uniformity and compliance across platforms.
18.9 **Consent Records & Audit Trail**
(a) The Company shall maintain verifiable **records of all marketing opt-ins and withdrawals**, including timestamps, consent mode (web, email, or form), and communication category.
(b) Such records shall be retained securely for at least **seven (7) years** or until withdrawal of consent, whichever is later, and may be produced to regulators or auditors upon lawful request.
(c) The Company shall conduct **annual audits** of marketing consent and unsubscribe processes to ensure compliance with DPDP Act requirements and advertising transparency norms.
19. Refunds & Data Retention
19.1 **General Refund Policy**
Payments made for MindStocs Services are **non-refundable**, except as explicitly permitted under:
(a) the Terms & Conditions;
(b) this Privacy Policy; or
(c) as expressly required under the **Consumer Protection Act, 2019**.
Refunds may only be considered where:
(i) a permanent technical failure prevents service delivery;
(ii) a valid **Restoration claim** is approved under Clause 15 of this Policy and the Terms & Conditions; or
(iii) cancellation is requested **before activation** of the Service.
No refund shall be due merely because of market performance, strategy results, or user dissatisfaction with returns, as MindStocs does not provide investment advisory services.
19.2 **Refund Processing**
(a) Refunds, where applicable, will be processed **only to the original payment method** used for the transaction.
(b) All refunds shall be executed exclusively via **RBI-regulated, PCI-DSS compliant gateways** (e.g., Razorpay).
(c) Standard refund timelines are **7–14 business days**, subject to banking and gateway settlement cycles.
(d) Refunds may be delayed where additional verification or regulator reporting is required.
19.3 **Refund Verification & Anti-Fraud Review**
(a) Before initiating any refund, the Company may perform internal verification, including KYC validation, payment traceability, and AML screening.
(b) Refunds suspected to involve fraudulent or unauthorised transactions may be withheld, reversed, or reported to the **FIU-IND**, **RBI**, or other competent authorities.
(c) MindStocs reserves the right to recover service fees, taxes, or administrative charges incurred in processing any refund.
19.4 **Refund Exclusions**
Refunds shall **not** be issued for:
(a) Activated or partially used services, licenses, or subscriptions;
(b) Expired billing cycles or subscription renewals already in use;
(c) Misuse, violation of Terms & Conditions, or fraudulent activity;
(d) Performance-based dissatisfaction or loss arising from market volatility;
except where expressly required under applicable law.
19.5 **Data Retention During Refunds**
(a) All transaction records, invoices, KYC documents, refund logs, and payment confirmations shall be retained for a **minimum of seven (7) years**, in line with Income Tax, GST, and audit obligations.
(b) Where a refund or dispute is pending, related financial and communication records shall be retained until the dispute is fully resolved or the statutory retention period expires, whichever is later.
(c) Refund-related data shall be securely archived and **masked or tokenised** wherever feasible; such data shall **not be used for marketing, profiling, or analytics**.
(d) Personal identifiers (PAN, Aadhaar fragments, bank details) shall be retained in encrypted or redacted form in accordance with Clause 8 (Data Retention) and Clause 10 (Security Controls).
19.6 **Dispute Handling**
(a) Refund-related grievances shall be handled under the **Grievance Redressal Mechanism (Clause 21)**.
(b) If unresolved, Users may escalate complaints to:
• Razorpay (regulated Payment System Operator),
• Their issuing bank,
• The **Consumer Courts** under the **Consumer Protection Act, 2019**, or
• The **Reserve Bank – Integrated Ombudsman Scheme, 2021** (which subsumed the earlier Ombudsman Scheme for Digital Transactions).
(c) All refund disputes shall be governed by the **Dispute Resolution and Governing Law** provisions in Clause 40.
19.7 **Record Preservation for Regulatory Audit**
Refund and transaction logs, including AML/KYC verification trails, shall be retained and auditable for **seven (7) years** post-processing, and may be furnished to regulators or auditors upon lawful request.
20. Shipping & Delivery of Services
20.1 **Nature of Services**
MindStocs provides exclusively **digital products and services**, including but not limited to algorithmic trading software, dashboards, APIs, indicators, VPS access, and Project participation features. No physical goods are shipped or delivered. All Services are rendered electronically through secure digital channels.
20.2 **Service Activation Timelines**
(a) **Standard Activation:** Access credentials or licenses are typically provisioned within **24–48 hours** of confirmed payment through RBI-regulated, PCI-DSS compliant gateways (e.g., Razorpay).
(b) **Compliance Delays:** Where KYC, AML, or verification checks are required, activation may take additional time. Users will be notified via their registered email address.
(c) **Delivery Definition:** Digital delivery shall be deemed complete once login credentials, activation keys, or platform access permissions are issued to the User’s registered email or account dashboard.
20.3 **Proof of Delivery & Audit Trail**
(a) System-generated logs maintained by MindStocs, including timestamped payment confirmations, license issuance records, login records, and API token issuance records (event metadata only, never the token secrets themselves), shall constitute **conclusive proof of service delivery**.
(b) All timestamps shall be based on **Indian Standard Time (IST)**.
(c) Users may request a copy of such delivery verification within **15 days** of purchase for their records.
20.4 **Non-Delivery or Access Issues**
(a) If access credentials are not received within the expected timeframe, Users must contact **support@mindstocs.com** with proof of payment.
(b) The Company shall investigate and respond within **seven (7) working days** of receiving a complete and verifiable request.
(c) If the issue cannot be rectified due to technical or regulatory constraints, the Company’s sole obligation shall be limited to processing a refund under **Clause 19 (Refunds & Data Retention)**.
20.5 **Exclusions & Third-Party Dependencies**
MindStocs shall not be liable for non-delivery, delays, or interruptions caused by:
(a) Payment gateway or banking system delays;
(b) Internet, DNS, or hosting service outages;
(c) Broker, exchange, or API downtime;
(d) User-side device, network, or email configuration errors; or
(e) Third-party software or service disruptions beyond the Company’s reasonable control.
In such cases, MindStocs will extend reasonable support to coordinate with third parties, but bears no liability for their operational failures.
20.6 **Technical Force Majeure**
Temporary service delays or downtime caused by scheduled maintenance, DDoS attacks, third-party platform failures, or other technical disruptions beyond MindStocs’ reasonable control shall not constitute a breach of contract. The Company shall use reasonable efforts to restore services promptly and notify Users through official communication channels.
20.7 **Acknowledgement**
By purchasing or subscribing to any MindStocs Service, Users expressly acknowledge that:
(a) All deliveries are **digital** and deemed complete once login credentials or access permissions are provided;
(b) Delays arising from factors outside MindStocs’ direct operational control do not amount to non-performance; and
(c) All disputes relating to delivery or access shall be governed by **Clause 40 (Governing Law & Dispute Resolution)** of the Terms & Conditions.
21. Grievance Redressal & Escalation
21.1 **Grievance Officer**
In compliance with the Information Technology Act, 2000, the Consumer Protection (E-Commerce) Rules, 2020, and the Digital Personal Data Protection Act, 2023, MindStocs has appointed the following officer for grievance redressal and regulatory liaison:
- **Name / Designation:** Head – Compliance & Grievance Cell (Acting Grievance Officer)
- **Email:** privacy@mindstocs.com
- **Phone:** +91 9021008698
- **Address:** 1452 Majgoan Tambalgothan, Sawantwadi, Sindhudurg, Maharashtra – 416510
- **Working Hours:** Monday to Saturday, 10:00 AM – 6:00 PM IST
This Clause 21 serves as the **Master Grievance Clause** governing all complaints related to MindStocs Services, including dashboards, APIs, subscriptions, Projects, Restoration claims, refunds, and data privacy matters.
Any other grievance contact details in this Policy are deemed references to this Clause.
21.2 **Modes of Submission**
Users may lodge grievances through any of the following authorised channels:
(a) Email to **privacy@mindstocs.com**;
(b) In-app or website-based “Support” form; or
(c) Physical submission by post to the address listed above.
All grievances must include relevant identifiers (e.g., transaction ID, registered email, and brief issue summary) for prompt resolution.
21.3 **Acknowledgement & Resolution Timelines**
(a) All grievances shall be **acknowledged within forty-eight (48) hours** of receipt.
(b) A substantive **resolution or status update** shall be provided within **thirty (30) days**, unless extended for complex issues with written justification.
(c) Users will be informed if additional time is required, along with reasons for such extension.
21.4 **Escalation Pathways**
If a grievance remains unresolved after the internal resolution period, the User may escalate the matter to:
(a) **Data Protection Board of India** – for data privacy or DPDP-related complaints;
(b) **Consumer Dispute Redressal Commissions (District, State, or National)** – for service or refund disputes under the **Consumer Protection Act, 2019**;
(c) **Razorpay’s Grievance Redressal Mechanism**, and thereafter the **Reserve Bank – Integrated Ombudsman Scheme, 2021** (which subsumed the earlier Ombudsman Scheme for Digital Transactions) – for payment-related disputes.
Users are encouraged to first exhaust the Company’s internal grievance mechanism in good faith before approaching external regulators or initiating arbitration.
21.5 **Regulatory Scope Clarification**
MindStocs operates solely as a software and technology service provider. It is **not registered** with SEBI, RBI, MCA, IRDAI, or FIU-IND as a regulated intermediary. Accordingly, only grievances directly related to MindStocs’ software, digital services, or data processing will be addressed under this mechanism.
21.6 **User Cooperation**
Users shall cooperate by providing accurate and complete information, including payment references, transaction IDs, and supporting documentation. Failure to do so may delay or prevent resolution.
21.7 **Record-Keeping & Audit**
All grievances, communications, and resolutions are logged, timestamped, and archived for a **minimum of seven (7) years** for audit and regulatory inspection purposes under Clause 31 (Records Retention).
21.8 **Good Faith Resolution Obligation**
Both the User and MindStocs agree to attempt resolution in **good faith** through this grievance mechanism before pursuing arbitration or litigation as outlined under **Clause 40 (Dispute Resolution)** of the Terms & Conditions.
22. Policy Updates
22.1 **Notification of Changes**
The Company reserves the right to amend, update, or revise this Privacy Policy at any time to reflect:
• changes in applicable laws or regulatory guidance;
• enhancements in data protection or cybersecurity standards; or
• modifications in operational or business practices.
(a) **Material Changes:**
Material revisions that alter how Personal Data is collected, used, or shared will be notified to all registered Users via:
• Email communication to the registered address, and
• Prominent display of a notice on the official MindStocs Platform.
(b) **Notice Period:**
Where feasible, Users will receive at least **seven (7) days’ prior notice** before material changes take effect, except where immediate updates are required by law, regulator instruction, or urgent cybersecurity reasons.
(c) **Immediate Effect:**
In cases of regulatory mandate or urgent data security updates, changes shall take **immediate effect** upon publication, with retrospective notification provided within a reasonable period.
(d) The revised **Effective Date** will always be displayed at the top of this Policy, and all prior versions will be archived internally.
22.2 **Renewed Consent Requirement**
If an update introduces any new category of Personal Data processing, modifies the lawful basis (e.g., from legitimate interest to consent), or adds new marketing purposes, the Company shall:
(a) seek **fresh, explicit consent** from affected Users before processing begins; and
(b) document such consent in accordance with Clause 5.4 (Consent Records) of this Policy.
22.3 **Archival of Previous Versions**
(a) Historical versions of this Policy shall be retained internally for **audit and regulatory reference** for a minimum period of **seven (7) years**.
(b) Upon written request, Users may obtain a copy of the version that was effective at the time of their original transaction or subscription.
22.4 **Binding Effect**
(a) Continued use of any MindStocs Service after publication of an updated Policy constitutes acknowledgment and acceptance of the revised terms.
(b) All disputes arising from or relating to such updates shall be governed by **Clause 40 (Governing Law & Dispute Resolution)** of this Policy and **Clause 43 (Amendments)** of the Terms & Conditions.
23. Contact & Escalation
23.1 **Privacy & Grievance Matters**
For all privacy-related inquiries, grievances, or exercise of rights under the **Digital Personal Data Protection Act, 2023**, Users may contact the designated privacy team:
- **Email:** privacy@mindstocs.com
- **Phone:** +91 9021008698
- **Address:** 1452 Majgoan Tambalgothan, Sawantwadi, Sindhudurg, Maharashtra – 416510
- **Working Hours:** Monday–Saturday, 10:00 AM – 6:00 PM IST
All communications must be sent from the User’s registered email ID and should include relevant identifiers (e.g., transaction reference, registered contact number) for verification.
23.2 **General Support, Technical Assistance & Refunds**
For service-related queries, access issues, or refund requests, Users may contact:
- **Email:** support@mindstocs.com
All refund and technical requests will be handled in accordance with **Clause 19 (Refunds & Data Retention)** and **Clause 20 (Shipping & Delivery of Services)** of this Policy.
23.3 **Escalation Mechanisms**
If the User does not receive a satisfactory response within the timelines specified under **Clause 21 (Grievance Redressal)**, escalation may be made as follows:
(a) **Data Protection Matters** – Escalate to the **Data Protection Board of India**, provided the internal grievance process has first been exhausted.
(b) **Consumer / Service Matters** – Escalate to the **Consumer Dispute Redressal Commissions** established under the **Consumer Protection Act, 2019**.
(c) **Payment-Related Issues** – Escalate via **Razorpay’s grievance redressal mechanism** (RBI-regulated Payment System Operator). If unresolved, approach the **Reserve Bank – Integrated Ombudsman Scheme, 2021** (which subsumed the earlier Ombudsman Scheme for Digital Transactions).
23.4 **Exclusions**
MindStocs operates solely as a **software and technology service provider**. It is **not registered with SEBI, RBI, IRDAI, or FIU-IND** as a regulated financial intermediary. Accordingly, complaints relating to **investment advice, portfolio management, or deposit-taking** fall outside the Company’s operational and regulatory scope.
23.5 **Official Communication Channels**
(a) Users are strongly advised to rely only on official communication channels hosted under the Company’s verified domain names — e.g., **@mindstocs.com** or the secure website **https://www.mindstocs.com**.
(b) The Company disclaims all responsibility for communications or solicitations made through **unauthorised emails, WhatsApp numbers, or social media handles** not listed on its official platform.
(c) Users encountering suspected phishing or impersonation attempts should immediately report the same to **security@mindstocs.com**.
23.6 **Response Expectation Disclaimer**
All grievance and escalation responses are contingent upon receipt of complete, verifiable information from the User. Incomplete or unverifiable submissions may extend the response timeline under **Clause 21.3** until verification is complete.
24. Regulatory Compliance Declarations
24.1 **Digital Personal Data Protection Act (DPDP), 2023**
This Privacy Policy has been structured in full compliance with the **Digital Personal Data Protection Act, 2023**, including principles of lawful processing, consent, purpose limitation, minimisation, retention, breach notification, user rights, and grievance redressal. MindStocs maintains internal Records of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIA) for high-risk processing, accessible to regulators upon lawful request.
24.2 **Information Technology Act, 2000 & IT Rules, 2011**
MindStocs implements “reasonable security practices” as prescribed under Rule 8 of the **IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011**, including encryption, controlled access, periodic vulnerability testing, and incident reporting. The Company also maintains a grievance redressal mechanism as required under Rule 5(9).
24.3 **Consumer Protection (E-Commerce) Rules, 2020**
MindStocs maintains transparent, pre-disclosed policies covering refunds, digital delivery, pricing, and grievance redressal in line with the **Consumer Protection (E-Commerce) Rules, 2020**. Users are provided clear information on refund timelines, redressal officers, and dispute escalation rights.
24.4 **CERT-In Compliance (Cybersecurity Directions, 2022)**
The Company complies with **CERT-In Directions, 2022**, including:
(a) 180-day log retention for all network and application systems,
(b) timely breach reporting within six (6) hours of detection,
(c) cooperation with CERT-In investigations, and
(d) maintaining internal incident response documentation.
MindStocs conducts periodic third-party security audits to verify CERT-In adherence.
24.5 **RBI Compliance via Regulated Payment Gateways**
All payment processing for MindStocs Services is handled exclusively through **RBI-regulated payment system operators**, such as **Razorpay**, in compliance with the **Payment and Settlement Systems Act, 2007**.
(a) MindStocs does not store or process any card numbers, CVV, UPI PINs, or similar credentials.
(b) Razorpay and its banking partners are responsible for **KYC/AML screening** and **Suspicious Transaction Report (STR)** filings with **FIU-IND**.
(c) MindStocs verifies the compliance certificates of its payment processors **annually** and cooperates with regulators upon lawful request.
24.6 **Regulatory Exclusions & Scope Clarification**
MindStocs operates purely as a **software and technology service provider**. It is **not registered with SEBI, RBI, IRDAI, or FIU-IND** as a regulated entity and does not:
(a) provide investment advice, portfolio management, or research analysis;
(b) manage, pool, or invest User funds;
(c) solicit deposits or engage in public fund-raising; or
(d) offer insurance, mutual fund, or collective investment products.
All references to Restoration or Service Packages relate solely to conditional service features as described in the Terms & Conditions.
24.7 **Audit Readiness & Documentation**
MindStocs maintains audit-ready documentation including:
(a) **Records of Processing Activities (ROPA)** under the DPDP Act,
(b) **Data Protection Impact Assessments (DPIA)** for automated or high-risk processing,
(c) **Vendor Risk Assessments** for all third-party processors, and
(d) **Cybersecurity Audit Logs** retained for a minimum of seven (7) years.
24.8 **Voluntary Regulatory Cooperation**
While MindStocs is not a regulated financial intermediary, it voluntarily cooperates in good faith with competent Indian authorities such as **CERT-In**, **FIU-IND**, **RBI**, or **Consumer Protection Councils**, to support data security, financial integrity, and consumer transparency, provided lawful written requests are received.
25. Acknowledgement & User Consent
25.1 **User Declaration**
By accessing or using any MindStocs Service, the User expressly acknowledges and agrees that:
(a) They have read, understood, and accepted this Privacy Policy in its entirety.
(b) They voluntarily consent to the lawful processing of their Personal Data for legitimate, contractual, and statutory purposes, including but not limited to KYC/AML verification, payment reconciliation, GST/TDS/tax reporting, and fraud or cybersecurity monitoring.
(c) They understand and accept that MindStocs is a **software and technology service provider only**, not a regulated financial intermediary, and does **not** provide investment advice, portfolio management, deposit-taking, or guaranteed returns.
(d) They acknowledge and agree that certain records—such as KYC, transactional, and tax data—may be **retained for the legally mandated period** even after account closure or termination of Services.
(e) They understand that optional or value-added features (e.g., newsletters, marketing updates, third-party integrations) are enabled only through **separate, explicit consent**, which may be withdrawn at any time without affecting core Service access.
(f) Where the Data Principal is a minor, deceased, or incapacitated, any consent or withdrawal thereof shall be provided or exercised by a **lawful parent, guardian, or nominated representative** under Sections 9 (children) and 14 (right to nominate) of the DPDP Act.
25.2 **Consent Standards**
Consent obtained under this Policy complies with Section 6 of the **Digital Personal Data Protection Act, 2023**, and must be:
(a) **Free, specific, informed, unconditional, and unambiguous**;
(b) Given through a **clear affirmative action**, such as clicking “I Agree” or selecting an on-screen checkbox;
(c) **Documented in verifiable consent logs** maintained by MindStocs showing when, how, and for what purpose the consent or withdrawal was recorded; and
(d) **Retrievable and auditable** for inspection by the Data Protection Board of India or any competent authority upon lawful request.
25.3 **Consent Withdrawal**
(a) Users may manage or withdraw consents directly from their account dashboard (where available) or by sending an email request to **privacy@mindstocs.com** from their registered address.
(b) All consent-withdrawal requests are **acknowledged automatically** and logged for compliance tracking.
(c) Withdrawal shall not affect the legality of processing performed prior to the withdrawal date.
(d) Withdrawal does not override statutory retention obligations relating to KYC, AML, GST, or dispute-resolution data.
(e) Valid withdrawal requests will be fully implemented within **seven (7) business days** of receipt.
(f) Certain optional functionalities or integrations may become unavailable once consent is withdrawn.
25.4 **Binding Effect**
(a) Continued access to or use of MindStocs Services after publication or update constitutes binding acceptance of this Policy and its lawful amendments under **Clause 22 (Policy Updates)**.
(b) Refusal or non-acceptance of this Policy may limit or terminate Service access in accordance with the **Terms & Conditions**.
(c) This acknowledgement operates as a **legally valid electronic record** under Section 65-B of the Indian Evidence Act, 1872 (now Section 63 of the Bharatiya Sakshya Adhiniyam, 2023) and the Information Technology Act, 2000.
26. Annexures & Documentation
26.1 **Annexure A – Sub-Processor List**
A current and authoritative list of authorised third-party service providers (“Sub-Processors”) — including payment gateways, hosting/cloud providers, certified KYC vendors, and forensic auditors — is maintained on the Company’s official website.
- The list is reviewed and updated **quarterly** or upon any material change.
- **Material changes** (e.g., addition or replacement of a Sub-Processor) will be notified to Users via email or platform notices at least **7 days prior** to activation, unless urgent operational continuity requires immediate action.
- Archived versions of Annexure A are retained internally for at least **7 years** for audit and regulatory inspection.
26.2 **Annexure B – Data Processing Agreement (DPA) Template**
MindStocs maintains a standard **Data Processing Agreement (DPA)** governing confidentiality, security, and compliance obligations of all vendors and Sub-Processors.
- The DPA template may be shared with regulators or auditors **upon lawful written request**.
- A redacted summary version may be shared with Users upon verified written request for transparency.
- All vendors are contractually bound by this DPA before handling any Personal Data.
26.3 **Annexure C – Breach Notification Templates & Procedures**
Standardised templates for regulatory and User breach notifications are maintained internally in compliance with the **CERT-In Directions (2022)** and **DPDP Act (2023)**.
- Templates cover regulator alerts, User notices, and post-incident reports.
- These will be furnished to competent authorities **without delay** upon lawful request.
- When a notifiable breach occurs, a **summary report** may be published for Users, without revealing confidential or sensitive technical details.
26.4 **Annexure D – User Rights Request Forms**
Standardised forms for exercising Data Principal rights (access, correction, deletion, portability, and consent withdrawal) are available:
(a) on the official Company website; or
(b) upon request via **privacy@mindstocs.com**.
Each submission is logged with a unique reference number and retained for statutory record-keeping and regulatory inspection.
26.5 **Annexure E – Project Participation Records**
Summaries of Project-related data (including Service Access Fees, Restoration claims, and usage logs) are maintained **strictly for compliance, audit, and regulatory purposes**.
- These records are confidential and are **never used for marketing, profiling, or commercial resale**.
- Access is limited to authorised compliance personnel and independent auditors.
- Disclosure to regulators or statutory authorities is made only upon lawful written request.
26.6 **Periodic Review, Version Control & Confidentiality**
(a) All Annexures are subject to periodic review, at least once every **12 months**, to ensure accuracy and ongoing compliance with law.
(b) Each version is assigned a **revision ID and effective date** for traceability and internal audit.
(c) Certain Annexures (e.g., DPA templates, audit checklists) may contain confidential or proprietary frameworks and will be shared externally only upon lawful regulatory request.
(d) The most recent public versions of non-confidential Annexures are published on the Company’s website or available through the Data Protection Officer upon written request.
27. Cookies & Tracking Technologies
27.1 **Essential Cookies**
MindStocs uses essential cookies that are strictly necessary for the operation of its digital services, including:
(a) Authentication and login sessions;
(b) Load balancing and performance optimisation;
(c) Security verification, bot prevention, and fraud detection.
These essential cookies are mandatory for platform functionality and cannot be disabled by the User.
27.2 **Security & Monitoring Cookies**
For system integrity and cybersecurity compliance (including CERT-In Directions, 2022), certain cookies and tracking tools are used to:
(a) Monitor suspicious logins and API activity,
(b) Detect anomalies and session hijacking attempts, and
(c) Log device/browser metadata for security audits.
Such data is pseudonymised and processed under legitimate interest, with strict retention and access controls.
27.3 **Analytics & Performance Cookies**
Analytics and performance cookies are deployed **only upon explicit, informed consent** obtained via the on-screen cookie banner or preferences dashboard.
- These cookies collect aggregated, anonymised usage metrics to improve speed, navigation, and performance.
- No personal identifiers are collected unless voluntarily provided (e.g., via login).
- IP addresses and device IDs are truncated or anonymised wherever technically feasible.
27.4 **User Control**
(a) Users can withdraw consent or manage cookie preferences at any time via:
- The browser or mobile device settings; or
- The MindStocs cookie preferences dashboard.
(b) Consent withdrawal will not affect prior lawful processing but will immediately disable further non-essential tracking.
(c) Essential cookies will remain active for core functionality.
27.5 **Retention of Cookie Data**
Analytics and tracking data derived from cookies are retained for a maximum period of **12 months**, unless required for legitimate cybersecurity investigations.
Upon expiry, such data is **anonymised or securely deleted** in accordance with Clause 8 (Data Retention).
27.6 **Data Localization & Storage**
All cookie-derived analytics and telemetry data are stored within **India-based or RBI-approved data centres**, unless anonymised prior to transfer for third-party analytics.
Any cross-border analytics vendor (if used) shall be governed by a Data Processing Agreement (DPA) with equivalent data protection safeguards under Clause 12 (Cross-Border Transfers).
27.7 **No Third-Party Advertising Cookies**
MindStocs does **not** use advertising, behavioural targeting, or retargeting cookies.
Cookie data is never sold, leased, or shared with advertising networks, brokers, or unrelated third parties.
27.8 **Consent Logs & Compliance Auditing**
(a) All cookie consent preferences (grant, withdrawal, modification) are **time-stamped and logged** for regulatory audit, consistent with the Data Fiduciary’s burden of proving that consent was given under Section 6 of the DPDP Act.
(b) These consent records are retained for **seven (7) years** or until lawful audit completion.
(c) MindStocs may provide anonymised summaries of consent logs to regulators upon lawful request.
27.9 **Cookie Banner & Preference Management**
MindStocs displays a **cookie banner** upon first access, providing clear options to:
- Accept all cookies,
- Reject non-essential cookies, or
- Customise preferences.
Consent can be withdrawn **with equal ease** using the same interface or by contacting **privacy@mindstocs.com**.
28. Breach Liability of Third-Party Processors
28.1 **Allocation of Risk**
Where a Personal Data breach or security incident originates from third-party service providers (including but not limited to payment gateways, brokers, hosting/cloud vendors, or certified KYC vendors), primary liability for such breach shall rest solely with the respective processor in accordance with their contractual, statutory, and regulatory obligations.
Each third-party processor engaged by MindStocs operates under a written **Data Processing Agreement (DPA)** that imposes equivalent data protection, breach notification, and indemnity obligations consistent with the Digital Personal Data Protection Act, 2023 and CERT-In Directions, 2022.
28.2 **Company Responsibility**
MindStocs, as the Data Fiduciary, remains accountable for ensuring that reasonable technical and organisational safeguards are contractually imposed and periodically verified.
However, MindStocs shall not be held liable for a processor’s **independent act of negligence, omission, or misconduct** once all due diligence, monitoring, and contractual safeguards have been duly implemented.
MindStocs’ liability shall be limited strictly to cases where:
(a) it failed to conduct reasonable due diligence before appointing the processor; or
(b) it wilfully ignored known deficiencies in the processor’s compliance practices.
28.3 **Indemnity & Recourse**
Each processor shall indemnify and hold MindStocs harmless against all losses, penalties, regulatory fines, claims, or liabilities arising from such processor’s non-compliance, negligence, or security failure.
MindStocs reserves the right to recover damages, regulatory penalties, or remediation costs directly from the responsible processor in accordance with their DPA or applicable law.
28.4 **Regulatory Cooperation & Audit Trail**
(a) MindStocs will cooperate in good faith with regulators, affected Users, and the involved processor to ensure timely mitigation and regulatory reporting.
(b) A comprehensive audit trail, including breach notification logs, communications, and processor reports, will be maintained for a minimum of **seven (7) years** in accordance with Clause 10.11 (Security Logs) and CERT-In Directions, 2022.
(c) Such records will be shared with competent authorities upon lawful request or during a Data Protection Board inquiry.
28.5 **User Notification**
Where a third-party breach materially impacts Users, MindStocs shall notify affected Users as soon as reasonably practicable after receiving confirmed details from the processor.
The notification shall clearly:
(a) identify the source processor responsible,
(b) describe the nature and scope of the breach,
(c) outline mitigation measures taken, and
(d) clarify the limits of MindStocs’ own responsibility.
28.6 **No Waiver of Statutory Obligations**
Nothing in this Clause shall be construed as exempting MindStocs from its statutory responsibilities under the DPDP Act, 2023. MindStocs remains obligated to ensure due diligence, contractual safeguards, and regulatory cooperation in all cases.
29. Force Majeure – Data & Service Risks Beyond Control
29.1 **Events Beyond Control**
MindStocs shall not be liable for any delay, interruption, or failure in processing, protecting, or delivering Services arising from circumstances beyond its reasonable control, including but not limited to:
(a) Natural disasters (fire, floods, earthquakes, storms, pandemics, or epidemics),
(b) Power grid failures, server or data centre outages, or widespread network interruptions,
(c) Cyberattacks, ransomware, malware infections, data corruption, or denial-of-service (DoS) incidents,
(d) Strikes, labour disputes, or industrial shutdowns,
(e) Third-party outages (brokers, payment gateways, hosting/cloud providers, or API networks),
(f) Governmental orders, judicial injunctions, or regulatory restrictions, and
(g) Legislative or policy changes affecting data transfers, retention, or financial processing.
29.2 **Obligation to Mitigate**
Upon occurrence of any force majeure event, MindStocs shall take all reasonable and proportionate steps to:
(a) Contain and mitigate the impact;
(b) Preserve the integrity and confidentiality of data;
(c) Restore Services and affected systems as soon as reasonably practicable; and
(d) Maintain backup and continuity operations in line with its internal **Business Continuity and Disaster Recovery (BCDR)** framework.
29.3 **Impact on Data Processing**
During a force majeure event, certain data processing or access operations may be delayed, restricted, or temporarily suspended.
However, statutory obligations concerning:
(a) secure storage and encryption,
(b) lawful disclosure to regulators or law enforcement, and
(c) breach notification under the **DPDP Act, 2023** and **CERT-In Directions, 2022**,
shall continue to apply without exception.
29.4 **Notification to Users**
Where feasible, Users shall be notified of prolonged outages or disruptions via:
- Email, SMS, or
- System-wide platform announcements.
Notifications will include estimated restoration timelines and mitigation guidance.
29.5 **Regulatory Cooperation & Reporting**
If a force majeure event results in or coincides with a data breach or systemic financial disruption, MindStocs shall:
(a) Notify CERT-In and the Data Protection Board of India in accordance with legal timelines;
(b) Cooperate with SEBI, RBI, or other competent authorities; and
(c) Retain full incident logs, forensics, and response documentation for a minimum of **seven (7) years** for audit and compliance verification.
29.6 **Duration and Limitation of Relief**
The suspension or relaxation of obligations under this Clause shall apply **only for the duration of the force majeure event** and only to the extent that performance is rendered impossible. All obligations shall automatically resume once normal operations are restored.
29.7 **No Waiver of Statutory Obligations**
Force majeure shall not excuse or postpone statutory obligations relating to **data breach notifications, regulator reporting, or lawful cooperation** under applicable law.
29.8 **Cross-Reference to Terms & Conditions**
The consolidated **Force Majeure Clause (Clause 32)** in the Company’s Terms & Conditions applies **mutatis mutandis** to this Policy. In case of inconsistency, the consolidated clause in the Terms & Conditions shall prevail.
30. Limitation of Liability for Data & Privacy
30.1 **Scope of Liability**
Except where expressly required by law, the aggregate liability of MindStocs for any proven data protection breach, privacy violation, or failure of security safeguards shall not exceed the total subscription or Service Access Fees paid by the User in the twelve (12) months immediately preceding the event giving rise to the claim.
This limitation applies to all claims arising from data processing, service delivery, or contractual breach, whether in tort, contract, or otherwise.
30.2 **Exclusions from Liability**
The Company shall not be liable for:
(a) Losses arising from User negligence, including weak or shared passwords, insecure devices, phishing, or mishandling of API credentials;
(b) Failures, outages, or breaches at independent third-party service providers (brokers, exchanges, payment gateways, cloud/VPS providers) beyond the Company’s direct control;
(c) Indirect, incidental, consequential, or special damages including trading losses, opportunity costs, or loss of profits;
(d) Lawful disclosures made in compliance with valid court orders, regulator directions, or statutory obligations under Indian law; or
(e) Delays or service interruptions caused by force majeure events under Clause 29.
30.3 **Mandatory Carve-Outs**
Nothing in this Clause limits or excludes liability where prohibited by law, including:
(a) Fraud, gross negligence, or wilful misconduct of the Company or its officers;
(b) Death or personal injury caused by proven negligence;
(c) Statutory compensation expressly mandated under the **Digital Personal Data Protection Act, 2023**, the **Information Technology Act, 2000 (Section 43A)**, or other non-excludable legislation;
(d) Breaches where the Company failed to maintain “reasonable security practices and procedures” as defined under Rule 8 of the IT (Reasonable Security Practices and Procedures) Rules, 2011.
30.4 **Proportional Responsibility for Third-Party Breaches**
In cases involving third-party data processors (e.g., payment gateways or hosting vendors), MindStocs’ liability shall be **limited to the extent of its verified negligence** in:
(a) failing to exercise due diligence during processor selection, or
(b) ignoring known compliance deficiencies.
Where MindStocs has implemented all reasonable technical, organisational, and contractual safeguards (including Data Processing Agreements), no further liability shall arise.
30.5 **User Responsibility**
Users remain solely responsible for:
(a) Trading and investment decisions made using the Services,
(b) Security and configuration of their broker or exchange API connections, and
(c) Compliance with applicable tax, financial, and regulatory obligations.
30.6 **Per-Claim Cap Clarification**
The liability limitation under Clause 30.1 applies **per individual User claim** and shall not be aggregated across Users, Services, or time periods.
The total liability for all Users collectively shall in no event exceed the total value of Service Access Fees received in the relevant financial year.
30.7 **Compliance Defence**
MindStocs shall not be deemed in breach or liable for damages where it demonstrates that:
(a) All required **reasonable security practices** were implemented;
(b) Data processing was lawful, proportionate, and in compliance with the DPDP Act, 2023; and
(c) The event arose from factors beyond its direct operational control.
Proof of such compliance, including system audit reports or third-party certifications, shall constitute a complete defence under applicable law.
31. Audit, Records & Compliance Documentation
31.1 **Regulatory Record-Keeping**
MindStocs maintains comprehensive records of transactions, KYC submissions, user interactions, access logs, and grievance resolutions in compliance with:
(a) the **Digital Personal Data Protection Act, 2023**,
(b) the **Information Technology Act, 2000** and **IT (Reasonable Security Practices and Procedures) Rules, 2011**,
(c) the **Consumer Protection Act, 2019** and **E-Commerce Rules, 2020**, and
(d) the **Income Tax Act**, **GST Act**, and other applicable financial/tax regulations.
31.2 **Records of Processing Activities (ROPA)**
The Company maintains detailed **Records of Processing Activities (ROPA)** that document:
- Categories of Personal Data processed,
- Purpose and legal basis of each processing activity,
- Retention periods and deletion timelines,
- Details of processors, recipients, and cross-border transfers, and
- Technical and organisational safeguards in place.
These records shall be produced to competent authorities upon receipt of a lawful written request or notice.
31.3 **Data Protection Impact Assessments (DPIA)**
For high-risk or automated processing activities, MindStocs conducts **Data Protection Impact Assessments (DPIAs)** in accordance with Section 10 of the DPDP Act, 2023.
DPIAs identify potential risks, evaluate mitigation measures, and are reviewed periodically as part of the Company’s governance framework.
Summaries may be disclosed to regulators or auditors upon lawful request.
31.4 **Audit Rights & Regulatory Access**
Competent authorities may request access to compliance records or audit reports strictly through a lawful written order, notice, or directive.
MindStocs shall:
(a) Verify the authenticity and scope of the request;
(b) Disclose only the minimum data required to satisfy the order; and
(c) Maintain full documentation of the disclosure, including date, purpose, and authority involved.
31.5 **Confidentiality & Controlled Access**
Disclosures to regulators, auditors, or forensic experts are made under strict confidentiality controls.
All such disclosures are:
(a) Logged in the Company’s **ROPA and audit registers**,
(b) Limited to authorised personnel under Non-Disclosure Agreements (NDAs), and
(c) Not considered public disclosures of User data.
31.6 **Audit Readiness & Traceability**
(a) All records, event logs, and system audit trails are maintained in an **audit-ready state**.
(b) Logs shall include full **chain-of-custody** documentation for any access, modification, or disclosure of User data.
(c) The Company conducts periodic internal audits (at least annually) and remediation reviews to ensure sustained compliance.
31.7 **Independent Audits**
Independent third-party auditors may be appointed to validate compliance with:
- Data protection requirements,
- Security standards (e.g., ISO/IEC 27001 or equivalent), and
- Financial reporting obligations.
Summaries of key findings may be shared with regulators or, where appropriate, disclosed to Users for transparency.
31.8 **Forensic Review & Fraud Prevention**
In cases involving Restoration Fund claims, disputes, or suspected fraud, MindStocs may engage certified forensic experts or legal advisors under strict confidentiality obligations.
(a) Data shared for such investigations shall be minimised to what is necessary and encrypted during transmission and storage.
(b) All access and transfer activities shall be recorded in the **forensic access register** maintained under ROPA.
31.9 **Duration of Retention & Secure Disposal**
Records are retained only for the duration mandated by applicable law, typically between **7 and 10 years** for financial and audit purposes.
Upon expiry, such records shall be:
(a) Securely deleted, anonymised, or archived using industry-standard methods, and
(b) Verified through documented deletion logs for audit assurance.
31.10 **Regulatory Cooperation & Legal Defence**
MindStocs shall fully cooperate with competent regulators, courts, and law enforcement agencies during lawful investigations, while also retaining the right to:
(a) Challenge or seek clarification on overly broad or extrajudicial data requests, and
(b) Protect proprietary, confidential, and commercially sensitive information.
Such cooperation shall always occur in accordance with due process and Indian law.
32. Severability & Interpretation
32.1 **Severability**
If any provision of this Privacy Policy is held by a court, tribunal, or competent regulatory authority to be unlawful, void, or unenforceable, that specific provision shall be deemed severed to the minimum extent necessary.
The remaining provisions shall continue to be valid, binding, and enforceable.
Such severance shall not affect the validity of any statutory, regulatory, or data protection obligations that remain independently enforceable under applicable law.
32.2 **Headings & Numbering**
Headings, numbering, bold text, or formatting are provided solely for convenience and reference. They do not affect the construction, scope, or interpretation of the substantive provisions of this Policy.
32.3 **Hierarchy & Consistency**
This Privacy Policy must be read in conjunction with the Company’s:
- **Terms & Conditions**,
- **Refund Policy**,
- **Shipping Policy**, and
- **Annexures** (as updated from time to time).
In the event of inconsistency:
(a) The stricter or more protective clause for the User shall prevail, to the extent permitted by law;
(b) Regulatory or statutory interpretations (e.g., by SEBI, RBI, or the Data Protection Board of India) shall override internal interpretations to ensure compliance; and
(c) Any remaining interpretive ambiguity shall be resolved under **Clause 40 (Dispute Resolution)** of the Terms & Conditions.
32.4 **Interpretive Authority**
Unless overridden by a statutory mandate, the Company’s reasonable and good-faith interpretation of this Policy shall prevail in determining its scope, purpose, and application.
This includes clarifications issued for operational or compliance consistency, provided such interpretation does not contravene applicable law.
32.5 **Interdependence of Clauses**
Each clause of this Policy operates independently but in harmony with others.
Invalidity of one clause shall not affect the validity or enforceability of interrelated clauses, particularly those concerning:
- Data protection obligations,
- User rights, and
- Regulatory compliance duties.
32.6 **Language & Controlling Version**
The governing and legally binding version of this Privacy Policy is the **English version**.
Any translations or local language versions are provided solely for convenience. In case of discrepancy, the English version shall prevail in all legal and interpretive contexts.
33. Business Transfers
33.1 **Business Transfers & Successors**
If MindStocs undergoes a merger, acquisition, restructuring, reorganisation, insolvency, or sale of assets (in whole or in part), all User Personal Data and related records may be transferred to the successor or acquiring entity, provided that such entity:
(a) assumes all rights, duties, and obligations under this Privacy Policy and the Terms & Conditions; and
(b) continues to process Personal Data only in accordance with applicable laws and existing consents.
33.2 **User Notification & Consent Continuity**
(a) Where required under the **Digital Personal Data Protection Act, 2023**, Users shall be notified of any such transfer via email and/or a prominent notice on the Platform.
(b) If the successor entity intends to alter processing purposes, introduce new categories of data use, or modify consent terms, fresh **explicit consent** shall be obtained from Users before implementing such changes.
(c) Users retain the right to withdraw consent or request deletion of optional data under Clause 14, subject to legal and statutory retention obligations.
33.3 **Regulatory & Legal Compliance**
All business transfers shall comply with:
(a) Applicable corporate laws and notifications under the **Companies Act, 2013** and **Ministry of Corporate Affairs (MCA)**,
(b) Relevant filings or disclosures required by financial sector regulators (**SEBI**, **RBI**, or **DPB**) where applicable, and
(c) Cross-border data transfer requirements under Clause 12 of this Privacy Policy, where data is moved to non-Indian jurisdictions.
33.4 **Data Protection Board Notification (If Applicable)**
Where the transfer materially alters the control, purpose, or fiduciary structure of data processing, MindStocs shall notify the **Data Protection Board of India (DPB)** within the timelines prescribed under the DPDP Act or any rules issued thereunder.
33.5 **Binding Obligation on Successors**
The successor or acquirer shall be **legally bound** to honour all existing:
(a) User consents and rights under this Privacy Policy;
(b) Data protection and retention obligations under applicable law; and
(c) Commitments made in the MindStocs Terms & Conditions, including dispute resolution and governing law provisions.
33.6 **Jurisdiction Continuity**
All transferred rights and obligations shall remain subject to the same governing law and dispute resolution mechanism defined in **Clause 40 (Dispute Resolution)** of the Terms & Conditions, irrespective of the successor’s place of incorporation or operation.
34. Third-Party Services & Links
34.1 **Third-Party Integrations**
MindStocs Services may integrate with or rely on independent third-party platforms and service providers, including but not limited to:
(a) Payment gateways (e.g., Razorpay),
(b) Broker APIs and trading exchanges (linked voluntarily by the User),
(c) Certified KYC and identity verification vendors,
(d) Hosting and cloud infrastructure providers, and
(e) Email, SMS, or notification delivery providers.
34.2 **Independent Privacy Practices**
Each third-party provider operates under its own privacy policy, security framework, and regulatory supervision.
MindStocs ensures contractual safeguards through **Data Processing Agreements (DPAs)** where such entities act as data processors or sub-processors.
However, MindStocs is **not responsible or liable** for any independent processing, misuse, or breach occurring outside its direct control or contractual scope.
34.3 **Due Diligence & Risk Classification**
(a) All third-party providers are subject to documented **vendor due-diligence** and **risk classification** (low, medium, or high) based on sensitivity of processed data.
(b) Periodic compliance audits or certifications (e.g., ISO 27001, PCI-DSS) are obtained and reviewed to ensure continued adequacy.
(c) Vendors failing to maintain equivalent safeguards may be suspended or replaced.
34.4 **User Discretion & Consent**
(a) By voluntarily enabling any third-party integration, Users acknowledge and consent to the processing of their data by that provider for the stated purpose.
(b) Users are advised to review the third party’s own privacy policy and terms before activation.
(c) **Consent for optional integrations** (e.g., analytics tools, broker APIs) is obtained through clear opt-in mechanisms and may be withdrawn anytime without affecting core service access.
34.5 **Cross-Border Processing**
If any third-party provider transfers or stores data outside India, such transfers shall comply with **Clause 12 (Cross-Border Transfers & Safeguards)**, including contractual and consent-based protections equivalent to Indian law.
34.6 **Broker API Disclaimer**
Users linking broker APIs or trading accounts acknowledge that:
(a) Execution, margining, and trade data are governed solely by the broker’s regulatory framework;
(b) MindStocs has **no discretionary access** to or control over execution outcomes; and
(c) MindStocs bears no liability for broker-side outages, mis-executions, or losses arising from broker or exchange systems.
34.7 **Breach Notification by Third Parties**
All third-party processors engaged by MindStocs are contractually obligated to:
(a) Notify MindStocs of any confirmed or suspected breach within **24 hours** of discovery; and
(b) Cooperate fully in containment, investigation, and notification to regulators or affected Users under **Clause 16 (Breach Notification & Incident Response)**.
34.8 **External Links & Third-Party Websites**
The Platform may contain external links or references to third-party websites or resources not operated by MindStocs.
Accessing such links is entirely at the User’s discretion.
MindStocs disclaims all responsibility for their content, data practices, or security standards.
Users are advised to exercise caution and review the external site’s privacy policy before interaction.
34.9 **Accountability Limitation**
MindStocs’ responsibility under the **DPDP Act, 2023** is limited to conducting due diligence, maintaining DPAs, and ensuring equivalent safeguards for processors within its control.
MindStocs shall not be held liable for independent or unauthorised acts, omissions, or data breaches by third-party service providers beyond its contractual and legal oversight.
35. Risk Disclosure & No Guarantee
35.1 **Market Risk Disclaimer**
Use of MindStocs Services (including algorithmic software, dashboards, APIs, indicators, VPS, and Project participation) involves substantial market and financial risk.
Users expressly acknowledge that:
(a) Trading in equities, derivatives, forex, or commodities is inherently risky and may lead to partial or total loss of capital;
(b) Algorithmic or logic-based tools cannot predict or eliminate market volatility;
(c) Historical, backtested, or simulated results do not guarantee future performance; and
(d) All MindStocs tools are provided strictly for **software, educational, and research purposes**, not as investment advice, solicitation, or portfolio management.
35.2 **No Guarantee of Returns**
(a) MindStocs does **not** offer guaranteed, fixed, or assured returns under any circumstances.
(b) Service Access Fees represent payments solely for access to digital tools, dashboards, and related software services.
(c) MindStocs Services are **not deposits, securities, insurance products, or collective investment schemes** under SEBI, RBI, or IRDAI regulation.
(d) No employee, affiliate, or marketing representative is authorised to make any promise or verbal assurance of profit or capital protection on behalf of the Company.
35.3 **Restoration Fund Clarification**
(a) The Restoration Fund is a **conditional, discretionary, and non-statutory** mechanism subject to availability of segregated funds and eligibility verification.
(b) It does not constitute a capital guarantee, insurance policy, fiduciary obligation, or investor-protection scheme.
(c) Restoration Fund processing, eligibility, and calculation are governed exclusively by Clauses 17 and 27 of the Terms & Conditions.
(d) Any communication or presentation of Restoration Fund benefits shall be accompanied by the mandatory disclaimer required under **Clause 44.2** of the Terms & Conditions.
35.4 **User Responsibility**
Users remain solely responsible for:
(a) All trading and investment decisions taken using or alongside MindStocs tools;
(b) Compliance with personal tax, TDS, and GST obligations; and
(c) Independent evaluation of risk before committing funds.
MindStocs disclaims liability for trading losses, execution errors, reliance on indicative illustrations, or decisions based on marketing materials.
35.5 **Illustrations, Charts & Marketing Demonstrations**
All examples, charts, performance figures, or case studies shown through the Platform, marketing materials, webinars, or social media are **purely illustrative and educational**.
They are not forecasts or assurances of profitability.
Every such illustration must prominently carry the mandatory disclaimer in **Clause 44.2** of the Terms & Conditions.
35.6 **Independent Advice**
Users are strongly advised to obtain professional **financial, tax, and legal advice** before using any MindStocs product or making trading decisions.
Participation in MindStocs Services constitutes acknowledgement of full understanding of these risks.
35.7 **No Inducement or Solicitation**
Nothing in the Platform, marketing communication, or Restoration Fund documentation shall be construed as an invitation, inducement, or solicitation to invest, deposit, or trade in securities or financial products regulated by SEBI, RBI, or IRDAI.
MindStocs operates solely as a technology and software solutions provider.
36. Account Closure & Data Handling
36.1 **User-Initiated Closure**
Users may request closure of their MindStocs account at any time by submitting a written request from their registered email ID to **support@mindstocs.com**.
Such requests shall be authenticated through secondary verification (e.g., PAN last four digits or registered mobile OTP) before processing.
36.2 **Effect of Closure**
Upon account closure:
(a) Access to dashboards, APIs, Projects, and Services will be permanently disabled;
(b) All active subscriptions shall terminate in accordance with the Refund Policy (Clause 19);
(c) Restoration claims, if any, must be filed prior to closure; pending claims will continue to be processed to completion;
(d) No new Restoration or refund requests will be accepted after closure confirmation.
36.3 **Data Retention Post-Closure**
Notwithstanding closure, the Company shall retain records for the legally mandated periods required under Indian law, including:
- KYC/AML records: **10 years** (PMLA, FIU-IND guidelines),
- GST/TDS and tax records: **8 years**,
- Financial transaction and accounting records: **7–10 years**,
- Grievance, dispute, and Restoration claim logs: until final resolution or audit closure.
All such retention is for compliance, taxation, and audit purposes only and not for commercial use.
36.4 **Deletion of Residual Data**
All non-essential or voluntarily provided personal data (e.g., marketing preferences, optional API integrations, analytics logs) shall be securely **deleted or anonymised within 30 days** of closure, unless a longer retention period is mandated by law or regulators.
Deletion completion will be logged in the Company’s **Records of Processing Activities (ROPA)** for audit verification.
36.5 **User Rights Prior to Closure**
Before account closure is finalised, Users may request:
(a) A copy of their personal data processed by the Company, and/or
(b) Portability of data in a **machine-readable format (CSV/JSON/XML)**, where technically feasible and subject to legal limits under Clause 14.
Such requests must be made **before closure confirmation**, as post-closure records are restricted to regulatory retention only.
36.6 **User Consent & Acknowledgement on Closure**
By initiating account closure, the User expressly acknowledges and agrees that:
(a) Statutorily required data will continue to be retained for the mandated period;
(b) Immediate full deletion may not be possible if ongoing disputes, investigations, audits, or tax proceedings exist; and
(c) Certain anonymised residual data may continue to be used for analytics, risk monitoring, and security improvement, provided it is **irreversibly de-identified**.
36.7 **Confirmation & SLA**
MindStocs will issue a written or email confirmation of closure within **30 business days** of receiving a complete and verified request, indicating whether any residual retention is ongoing under Clause 36.3.
36.8 **Regulatory Overrides**
MindStocs may delay or lawfully refuse full data deletion where required by regulators, courts, or enforcement authorities for compliance or investigation purposes, in accordance with the **Digital Personal Data Protection Act, 2023**, **IT Act, 2000**, and related notifications.
Such instances shall be recorded in ROPA and disclosed to the User upon closure confirmation.
37. International Use & Jurisdiction
37.1 **Primary Application & Governing Law**
This Privacy Policy and all related data processing activities are governed exclusively by the laws of India, including the **Digital Personal Data Protection Act, 2023**, the **Information Technology Act, 2000**, and their corresponding rules, directions, and notifications.
MindStocs operates as an Indian entity, and all processing, storage, and dispute mechanisms are anchored within Indian jurisdiction.
37.2 **Cross-Border Users**
(a) Users located outside India may access or use MindStocs Services voluntarily. Such access shall be deemed acceptance that data processing is conducted solely under Indian law.
(b) Users are individually responsible for ensuring compliance with their local data protection, tax, and financial laws.
(c) MindStocs does **not** undertake compliance obligations under **GDPR, CCPA, PIPEDA**, or any other non-Indian privacy regimes unless explicitly agreed in writing or mandated by the Government of India.
(d) Data of foreign Users is processed exclusively under this Policy and the Indian legal framework; no dual or extraterritorial interpretation shall apply.
37.3 **Dispute Resolution Alignment**
Any dispute, claim, or question relating to this Privacy Policy or cross-border processing shall be resolved as per **Clause 42 (Dispute Resolution)** of the Terms & Conditions:
(a) Initial amicable resolution through internal grievance redressal, followed by
(b) Arbitration seated at **Sindhudurg, Maharashtra**, or **Goa** (if mutually agreed), in accordance with the **Arbitration and Conciliation Act, 1996**.
Indian courts shall have exclusive supervisory jurisdiction over arbitral proceedings.
37.4 **Conflict of Laws & Precedence**
(a) Where there is a conflict between a foreign privacy requirement and Indian law, Indian law shall prevail.
(b) The only exception applies to **mandatory, non-derogable local consumer or privacy rights** that cannot be waived by contract and that do not conflict with Indian public policy.
(c) Nothing in this Policy shall be interpreted as conferring recognition of, or submission to, any foreign jurisdiction, court, or regulatory authority.
37.5 **Regulatory Cooperation (Limited Scope)**
(a) MindStocs may cooperate with foreign regulators or authorities **only pursuant to valid Mutual Legal Assistance Treaties (MLATs)**, inter-governmental requests, or directions routed through Indian authorities such as **CERT-In, MeitY, SEBI, RBI, or the Data Protection Board of India**.
(b) Any such cooperation shall not constitute submission to foreign jurisdiction or waiver of sovereign protection under Indian law.
37.6 **No Extraterritorial Effect**
This Privacy Policy does not extend any rights, claims, or causes of action under foreign data protection or consumer laws to non-Indian Users. All rights, obligations, and remedies are governed solely by the laws and forums of India.
38. Survival & Binding Effect
38.1 **Post-Termination Survival**
The following obligations shall survive termination of a User’s account or cessation of Services:
(a) statutory data retention and audit duties;
(b) refund processing and accounting reconciliations;
(c) regulatory cooperation, breach notification, and grievance redressal;
(d) dispute resolution and arbitration rights under Clause 42 of the Terms & Conditions; and
(e) confidentiality, indemnity, and limitation-of-liability provisions, to the extent applicable.
38.2 **User Consent Survival**
Any consent lawfully provided by the User for processing of Personal Data (including retention of KYC, GST/TDS, and financial records) shall remain valid for the duration of the statutory or regulatory retention period, even after termination of Services, in accordance with the **Digital Personal Data Protection Act, 2023**.
38.3 **Outstanding Liabilities**
Termination of Services does not discharge the User from:
(a) payment of outstanding Service Access Fees;
(b) liabilities for fraud, misuse, or violation of this Policy or the Terms & Conditions;
(c) participation in ongoing investigations, audits, or arbitration; and
(d) obligations arising from acts or omissions during the period of Service usage.
38.4 **Regulatory Disclosures After Termination**
MindStocs may continue to disclose, produce, or retain User records for regulators, courts, tax authorities, or law-enforcement agencies as required by applicable law, even after account closure or termination.
38.5 **Limits on Survival**
The survival of obligations under this Clause shall not extend or revive any commercial promises, warranties, or discretionary benefits (including Restoration or refunds) beyond their contractual or statutory validity period.
38.6 **Binding Nature**
This Privacy Policy shall remain binding upon the User, their legal heirs, representatives, successors, and permitted assigns. Continued use of any residual or renewed Service constitutes acceptance of this Policy and all future amendments notified under Clause 22 (Policy Updates).
39. Entire Agreement & Precedence
39.1 **Entire Agreement**
This Privacy Policy, together with the **Terms & Conditions**, **Refund Policy**, **Shipping Policy**, **Cookie Policy**, **Security Guidelines**, and any duly published Annexures or addenda issued by MindStocs, constitutes the **entire and exclusive agreement** between the User and the Company with respect to data protection, privacy, and related operational matters.
All prior drafts, statements, or informal representations on these subjects are superseded in full.
39.2 **Precedence in Case of Conflict**
In the event of inconsistency between policies:
(a) **Service access, fees, and operational rights** shall be governed by the Terms & Conditions;
(b) **Data protection, consent, and user rights** shall be governed by this Privacy Policy;
(c) **Refunds, cancellations, and billing disputes** shall be governed by the Refund Policy;
(d) **Digital delivery and activation timelines** shall be governed by the Shipping & Delivery Policy; and
(e) **Marketing or promotional claims** shall be interpreted strictly in accordance with the **Final Consolidated Disclaimer (Clause 52)** of the Terms & Conditions.
39.3 **Regulatory Override & Interpretation**
Where any provision of this Privacy Policy conflicts with applicable Indian law — including the **Digital Personal Data Protection Act, 2023**, **Information Technology Act, 2000**, **Consumer Protection Act, 2019**, or sectoral regulations issued by **RBI**, **SEBI**, or **CERT-In** — the statutory or regulatory requirement shall prevail.
Such a conflict shall not invalidate the remainder of this Policy, and the affected clause shall be interpreted or amended to conform to the prevailing law while preserving the intent of the original provision.
39.4 **No Waiver**
Failure or delay by the Company to enforce any provision of this Privacy Policy shall not constitute a waiver of that provision or the Company’s rights to enforce it subsequently.
Any waiver, modification, or relaxation must be expressly documented and approved in writing by the Company’s authorised compliance officer.
39.5 **Binding Incorporation of Updates**
All duly published **policy updates, annexures, or compliance notices** form an integral part of this Privacy Policy and are binding upon Users from their notified effective date, subject to the communication and acceptance procedures described in Clause 22 (Policy Updates).
40. Governing Law & Dispute Resolution
40.1 **Governing Law**
This Privacy Policy shall be governed by and construed in strict accordance with the laws of India, including but not limited to:
(a) the **Digital Personal Data Protection Act, 2023**,
(b) the **Information Technology Act, 2000**,
(c) the **Consumer Protection Act, 2019**, and
(d) all applicable subordinate rules, directions, and regulatory circulars issued thereunder.
40.2 **Dispute Resolution Mechanism**
(a) All disputes, controversies, or claims arising out of or in connection with this Privacy Policy—other than those involving non-arbitrable statutory rights—shall follow the procedure specified in **Clause 42 of the Terms & Conditions**, namely:
(i) **Amicable resolution** through written notice and good-faith negotiation within 30 days; failing which,
(ii) **Arbitration** under the **Arbitration and Conciliation Act, 1996**, conducted by a sole arbitrator appointed in accordance with the Terms & Conditions.
(b) The seat and venue of arbitration shall be **Sindhudurg, Maharashtra, India** (or Goa, if mutually agreed in writing). Proceedings shall be conducted in English.
(c) Nothing in this clause restricts Users from approaching:
- the **Data Protection Board of India (DPB)** for privacy or data protection grievances,
- **Consumer Dispute Redressal Commissions** under the Consumer Protection Act, 2019, or
- **Regulatory Ombudsman Schemes** (e.g., RBI Ombudsman for Digital Transactions),
for any **non-arbitrable statutory rights** which cannot be waived under Indian law.
(d) Arbitration shall apply only to contractual or service-related disputes and not to regulatory enforcement, statutory proceedings, or complaints before competent authorities.
40.3 **Jurisdiction**
Subject to Clause 40.2(c), the courts at **Sindhudurg, Maharashtra, India**, shall have exclusive jurisdiction over all disputes arising from or related to this Privacy Policy, including any interim or enforcement proceedings arising out of arbitration.
40.4 **Cross-Border Users**
(a) For Users located outside India, this Privacy Policy and all processing activities shall remain subject exclusively to Indian law.
(b) Mandatory local consumer or privacy protections applicable in the User’s jurisdiction shall not be excluded where such rights cannot legally be waived.
(c) No part of this Policy shall be interpreted as conferring or accepting jurisdiction of any foreign court, regulator, or tribunal, unless required by a valid **Mutual Legal Assistance Treaty (MLAT)**, government notification, or international cooperation framework recognised by the Government of India.
40.5 **Finality & Binding Nature**
Arbitral awards or final judgments rendered pursuant to this clause shall be binding and enforceable in accordance with the **Arbitration and Conciliation Act, 1996** and the **Code of Civil Procedure, 1908**, without prejudice to any non-arbitrable statutory remedies preserved under Indian law.
41. Law Enforcement & Regulatory Cooperation
41.1 **Legal Compliance**
MindStocs shall comply with all lawful directions, summons, or inspection orders issued under due process by:
(a) Law enforcement agencies (including police, cybercrime cells, and investigative authorities);
(b) Regulatory bodies such as **SEBI**, **RBI**, **FIU-IND**, **MCA**, **CERT-In**, and **Income Tax authorities**;
(c) Courts, tribunals, arbitral tribunals, or statutory commissions; and
(d) Any other competent Indian government authority authorised under law.
Requests from **foreign authorities** shall be entertained only through the **Government of India’s designated channels** under applicable Mutual Legal Assistance Treaties (MLATs) or diplomatic arrangements.
41.2 **Scope and Manner of Disclosures**
(a) Disclosures shall be limited strictly to the specific categories of Personal Data or records requested under lawful authority.
(b) Each disclosure shall be **internally logged** with details of: the requesting authority, legal basis, scope of disclosure, and date/time of release.
(c) All requests shall undergo prior compliance and legal review by the Company’s authorised officer, except where immediate disclosure is mandated by emergency or court order.
(d) A **chain-of-custody record** shall be maintained for all disclosures involving forensic, transactional, or user-identifiable data.
41.3 **User Notification**
Where permitted by law, MindStocs shall notify the affected User(s) of such disclosure within a reasonable time after fulfilling the lawful request.
Notification may be withheld if:
(a) expressly prohibited by court or statutory order;
(b) reasonably likely to prejudice ongoing investigations or national security; or
(c) the disclosure involves counter-fraud, AML, or cybersecurity operations directed by competent regulators.
41.4 **Regulatory Cooperation and Assistance**
MindStocs will cooperate in good faith with competent regulators and enforcement bodies, including:
(a) providing records, forensic reports, and audit logs necessary for compliance verification or fraud investigation;
(b) implementing corrective or remedial measures mandated by such authorities;
(c) supporting investigations relating to AML/KYC compliance, cybersecurity, or data protection breaches; and
(d) furnishing compliance certifications or confirmation of cooperation when legally requested.
41.5 **No Voluntary or Extrajudicial Disclosure**
MindStocs shall not voluntarily or proactively share any User Personal Data with regulators, government bodies, or private third parties unless:
(a) compelled by lawful written order or notice under Indian law;
(b) necessary to protect life, safety, or critical infrastructure from imminent harm; or
(c) required to prevent or mitigate verified fraud or cybersecurity incidents, subject to post-facto legal validation.
41.6 **Safeguard Against Unlawful Requests**
MindStocs reserves the right to:
(a) request documentary proof of authority or jurisdiction from any requesting agency;
(b) decline or seek clarification for overbroad, extrajudicial, or unverifiable requests; and
(c) record such refusals or clarifications in its **Regulatory Cooperation Register**, maintained under Clause 31 (Audit, Records & Compliance Documentation).
41.7 **Regulatory Cooperation Beyond India**
Any request or directive originating from foreign regulators, courts, or governments will be processed exclusively through formal channels recognised by the **Government of India**, such as the **Ministry of Home Affairs** or **CERT-In International Coordination Wing**, and only where consistent with Indian law and data export restrictions under Clause 12 (Cross-Border Transfers & Safeguards).
42. Final Consolidated Disclaimer
MindStocs is a technology and software service provider. It is **not registered with or regulated by SEBI, RBI, IRDAI, FIU-IND, or any other financial authority**. Nothing in this Privacy Policy, the Terms & Conditions, or any marketing material shall be construed as:
(a) investment advice,
(b) portfolio management,
(c) solicitation or invitation to invest, or
(d) a collective investment, insurance, or deposit-taking activity under Indian law.
All Service Access Fees are payments made **solely for access to digital tools, dashboards, APIs, algorithms, and related software services**, and **not linked to trading outcomes, profits, or market performance**.
The **Restoration Fund** is a **discretionary, conditional, and non-statutory benefit**, subject to eligibility, availability, and verification. It does not constitute an insurance product, guarantee, or capital protection scheme.
Users remain fully responsible for:
- their trading and financial decisions;
- their own tax filings (GST, TDS, Income Tax, etc.); and
- compliance with any applicable financial or data protection laws.
MindStocs deducts or withholds taxes only where expressly mandated under Indian law.
---
42.1 **Purpose of Policy**
This Privacy Policy is informational and compliance-oriented. It explains how MindStocs collects, processes, and protects personal data but does **not** create any express or implied warranty, guarantee of profitability, uninterrupted operation, or risk-free usage.
42.2 **Exclusions of Liability**
(a) This Policy and related documents do not constitute investment, financial, tax, or legal advice.
(b) The Company disclaims liability for any loss, damage, or claim arising out of:
- reliance on marketing, educational, or illustrative materials;
- failures or errors of third-party providers (e.g., brokers, exchanges, payment gateways, or hosting vendors) not under its control;
- user negligence, such as insecure passwords, compromised devices, or improper API key management;
- force majeure events, as defined under the Terms & Conditions.
42.3 **User Acknowledgement**
By using the Services, the User acknowledges that:
(a) they have read, understood, and accepted this Privacy Policy and all related terms;
(b) they remain solely responsible for trading outcomes and decision-making; and
(c) no algorithm, model, or software can assure profits or eliminate market risk.
42.4 **Non-Solicitation & Representation Disclaimer**
No communication, publication, or material issued by MindStocs shall be interpreted as an invitation, inducement, or recommendation to trade, invest, or deposit funds.
MindStocs does not hold or manage client capital, does not pool investor funds, and does not issue securities or contracts of insurance.
42.5 **Policy Updates & Interpretation**
The Company may amend or update this Privacy Policy in accordance with Clause 22 (Policy Updates). Continued use of the Services after such updates constitutes binding acceptance.
Interpretation of this Policy shall always favour compliance with prevailing Indian law and user protection.
42.6 **Governing Law & Dispute Resolution**
This Privacy Policy shall be governed by the laws of India. All disputes shall follow the dispute resolution framework specified in **Clause 40 of this Policy** and **Clause 42 of the Terms & Conditions**, including arbitration and applicable statutory redressal rights.
42.7 **Precedence & Override**
This Final Consolidated Disclaimer shall **override any inconsistent or conflicting language** found in:
- this Privacy Policy,
- the Terms & Conditions,
- the Refund or Shipping Policies, or
- any marketing, communication, or promotional material.
The **Final Consolidated Disclaimer in Clause 52 of the Terms & Conditions** shall prevail as the definitive disclaimer governing all representations and communications made by MindStocs.