Effective June 18, 2026 · Last updated June 18, 2026
TL;DR. We collect the minimum needed to run the Service:
your email + auth credentials, your watchlist, payment metadata (handled by
Razorpay), and standard server logs. We do not sell your data. We do not run
ads. TickerMover is a Data Fiduciary under India's Digital Personal Data
Protection Act 2023.
1. Who we are (as a Data Fiduciary)
For the purposes of the Digital Personal Data Protection Act, 2023
(“DPDP Act”), TickerMover is the Data Fiduciary. The Data Protection
Officer can be contacted at support@tickermover.com.
2. What we collect
2.1 Information you provide directly
Email address — for account creation, password reset, and product updates.
Authentication credentials — password (hashed and salted by Supabase, never visible to us in plain text), or third-party OAuth tokens if you sign in via Google etc.
Watchlist — the tickers you save.
Subscription metadata — if you upgrade to a paid plan: subscription ID, plan, status (active/cancelled). Card details are handled directly by Razorpay; we never see or store full card numbers.
Optional profile fields — name, trading experience, primary goal — collected during onboarding to tailor what we show you. You can leave these blank.
Support correspondence — emails you send to us for assistance.
2.2 Information we collect automatically
Server logs — IP address, browser user-agent, page URL, timestamp, response code. Used for debugging, abuse prevention, and aggregate analytics. Retained 30–90 days then deleted.
Cookies — a session cookie (login state) and one preference cookie ("first-visit disclaimer dismissed"). We do not set advertising or cross-site tracking cookies.
Aggregate usage data — how many users hit which pages, used in anonymous form to improve the product.
2.3 Information we do NOT collect
Your trading account, brokerage credentials, or trade history. (We are not a broker; we have no way to access these.)
Bank account or full credit card numbers.
Physical address (unless required for a future invoiced enterprise plan, with your consent).
PAN, Aadhaar, or other government identifiers.
3. Why we collect it (Purpose & Legal Basis)
| What | Why | Legal basis (DPDP Act) |
|---|---|---|
| Email + password | Authenticate you; recover lost access | Necessary for the contract you have with us |
| Watchlist | Show you stocks you care about | Necessary for the contract |
| Server logs | Detect abuse, fix bugs, plan capacity | Legitimate use under DPDP Act §17 |
| Payment metadata | Process subscriptions; comply with tax | Legal obligation + contract |
| Product update emails | Tell you about new features | Your consent (you can opt out anytime) |
4. Who we share it with (Data Processors)
We use industry-standard third parties to run the Service. Each acts as a
Data Processor on our behalf and is contractually obligated to handle your data
only for the agreed purpose:
Supabase (database + auth) — stores your email, password hash, watchlist. Servers in Asia/Singapore.
Railway (hosting) — runs our application servers; sees IP addresses in logs.
Cloudflare (CDN + WAF) — sees IP and request metadata; provides DDoS protection.
Razorpay (payments) — receives payment info directly from you when you upgrade. They are a separately regulated Indian PCI-DSS compliant processor.
Resend (email delivery) — delivers transactional emails; sees your email and the message body.
Groq — processes text from public press releases through their language model. We do not send your personal data to Groq, only public earnings text.
Anthropic / OpenAI (optional, for editorial features) — same as above; only public market commentary, never your personal data.
We do not sell your personal data. We do not share it with
advertisers, data brokers, or third-party marketers.
5. Cross-border transfers
Some of our processors (Cloudflare, Resend, Groq, Anthropic) operate servers
outside India. Where this happens, transfers are made under standard contractual
clauses or equivalent safeguards as required by the DPDP Act.
6. How long we keep it
Account data: as long as your account is active, plus 90 days after deletion (to handle disputes).
Server logs: 30–90 days, then deleted.
Payment metadata: 8 years (required by Indian tax law for businesses with paid customers).
Email correspondence: 2 years from last reply, then archived.
7. Your rights under the DPDP Act
You have the following rights:
Access — ask us what data we hold about you.
Correction — ask us to fix inaccurate data.
Erasure — delete your account and all associated personal data (subject to retention obligations above for billing records).
Withdraw consent — opt out of product update emails anytime via the unsubscribe link.
Grievance redressal — if you are unhappy with how we handle your data, contact our Grievance Officer first; if unresolved, you may approach the Data Protection Board of India.
To exercise any of these rights, email
support@tickermover.com from the email associated with your
account. We will respond within 30 days as required by the DPDP Act.
8. Security
We use industry-standard practices: HTTPS everywhere, password hashing
(bcrypt via Supabase), database row-level security so users can only see their
own data, environment-isolated production credentials, and rate limiting on
authentication endpoints. No system is bullet-proof; if we discover a personal
data breach, we will notify affected users and the Data Protection Board within
the timelines required by the DPDP Act.
9. Children
The Service is not intended for users under 18. We do not knowingly collect
personal data from children. If you believe a child has provided us their
data, contact us and we will delete it.
10. Changes to this Policy
If we materially change this Policy (e.g. expand the categories of data we
collect, add new processors, change retention periods), we will notify
registered users by email at least 14 days before the change takes effect.