Privacy Policy

HARSHIV SYMPOSIUM LLP · Effective: 2 June 2026 · DPDP Act 2023 compliant

Quick Read

We collect only what we need — account, payment (via Razorpay — we never see your card), license fingerprint, your Ask AVATARA queries and your journal entries. We don't sell data, don't run ad trackers, don't use Google Analytics. Sub-processors are listed below. You have DPDP Act rights to access, correct, delete and complain. Grievance Officer: [email protected].

01

Introduction & Scope

Harshiv Symposium LLP ("we", "us", "our") operates the AVATARA platform — including the AVATARA website, the Avatara Nakshatra desktop application, the Avatara Meridian desktop application, the APEX program and the free Academy modules (SHIELD, SPARK, VISION).

This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it and the rights you have under the Digital Personal Data Protection Act 2023 ("DPDP Act"), the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 ("IT Rules 2011").

For the purposes of the DPDP Act, Harshiv Symposium LLP is the Data Fiduciary. The user is the Data Principal.

02

What Data We Collect

Account data — full name, email address, hashed password, phone number (optional) and any role/plan assigned to your account.

Payment data — Razorpay payment IDs, order IDs, plan purchased, amount and timestamp. Card numbers, UPI IDs and bank details are NEVER stored by us; they are processed directly by Razorpay (RBI-licensed payment aggregator).

Software license data — Ed25519-signed license keys, machine fingerprints (a non-reversible hash derived from your device hardware identifiers used solely for license-binding enforcement), license activation/rebind history.

Usage data — pages visited, features used, Ask AVATARA search queries, course module progress, paper trading entries, journal entries.

Technical data — IP address, browser type, operating system, device type, time zone, session identifiers, cookie identifiers.

Communication data — emails you send us, support ticket history, grievance escalations.

We do NOT collect or store: Aadhaar numbers, PAN numbers, bank account numbers, financial portfolio positions (beyond what you voluntarily enter in your journal) or biometric data.

03

Why We Collect This Data (Lawful Basis)

Under the DPDP Act, we process personal data on the basis of your CONSENT (collected via account registration and product checkout) and where strictly necessary for LEGITIMATE USES (responding to support, complying with legal obligations, preventing fraud).

Specific purposes:

• To create and maintain your account, authenticate you and provide the services you paid for

• To process payments and issue invoices

• To generate, validate and revoke software licenses (machine binding requires a hashed device identifier)

• To answer Ask AVATARA queries by matching them against our own curated educational content (no external AI provider is used)

• To send transactional emails (license keys, payment receipts, trial expiry alerts, account notices)

• To send service updates and educational content (you can opt out anytime)

• To monitor abuse, fraud, scraping and Terms of Use violations

• To comply with tax, audit and legal obligations under Indian law

04

Third-Party Processors (Sub-Processors)

We share necessary data with the following third parties — each governed by their own privacy policy. By using AVATARA, you consent to your data being processed by them for the purposes listed below.

• Razorpay Software Pvt. Ltd. (India) — processes all payments. Receives your name, email, phone and payment instrument details directly (we never see card/UPI data).

• MongoDB Atlas (operated by MongoDB Inc., data hosted in Mumbai, India region) — primary database for account, license mirror, journal and transactional data.

• Vercel Inc. (United States) — hosts the frontend website. May log IP addresses and request metadata for serving the application.

• Microsoft Azure (Central India region) — hosts our backend API, License Server and license database.

• Cloudflare Inc. (United States) — DNS, CDN and email routing (forwarding domain emails to our team inbox).

• Resend (email delivery service) — transactional email delivery (license keys, trial emails, receipts).

• Zerodha Broking Ltd. (India) — only when you use Avatara Nakshatra, your Kite Connect OAuth token is stored LOCALLY on your machine, never sent to our servers. Nakshatra communicates with Zerodha's Kite Connect API directly from your device.

05

Cross-Border Data Transfer

Some of our sub-processors (Vercel, Cloudflare) are located outside India. The DPDP Act permits cross-border transfer to countries not specifically restricted by the Central Government. Where possible, we use sub-processors with India-region data centres (MongoDB Atlas Mumbai, Azure Central India) to keep data within Indian borders.

For transfers outside India, we rely on the sub-processor's standard contractual safeguards and their own DPDP/GDPR compliance posture.

06

Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected or as required by Indian law.

• Account data — retained while your account is active. Deleted within 30 days of account closure (subject to legal holds).

• Payment / invoice data — retained for 8 years as required by the Companies Act 2013 and Income Tax Act 1961.

• Ask AVATARA query logs — retained for 90 days for abuse monitoring, then anonymised or deleted.

• License activation logs — retained for the lifetime of the license + 12 months for audit.

• Email communications / grievance tickets — retained for 3 years.

• Server access logs — retained for 90 days.

07

Your Rights as a Data Principal (DPDP Act 2023)

Under the DPDP Act, you have the following rights with respect to your personal data:

• Right to access — request a copy of the personal data we hold about you

• Right to correction & erasure — request correction of inaccurate data or deletion of data no longer required

• Right to grievance redressal — contact our Grievance Officer (details below)

• Right to nominate — nominate another person to exercise rights on your behalf in case of death or incapacity

• Right to withdraw consent — withdraw consent for processing at any time (note: this may make the service unusable)

To exercise any of these rights, email [email protected] with subject "DPDP Request — [type]" along with proof of identity. We respond within 30 days.

08

Ask AVATARA Query Data

When you use Ask AVATARA, your question is matched against our own curated educational content; it is not sent to any external AI provider.

We log query metadata (matched/unmatched, response length) for abuse monitoring and to improve our content. After 90 days, query text is anonymised.

Do NOT submit any sensitive personal data, financial credentials or third-party personal data in your queries.

09

Security Measures

We implement reasonable security practices as required under Section 8(5) of the DPDP Act and the IT Rules 2011:

• Passwords stored using bcrypt with per-user salt

• HTTPS/TLS 1.2+ for all data in transit

• Database encryption at rest via MongoDB Atlas and Azure managed disk encryption

• Ed25519 asymmetric signing for license issuance (private key held in isolated storage)

• Role-based access control — only authorised partners and the Grievance Officer access production data

• Regular vulnerability monitoring and patching

• Encrypted off-site backups

No system can guarantee absolute security. In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals as required by the DPDP Act within the applicable timelines.

10

Children's Data

AVATARA is intended for users 18 years of age and older. The exception is SPARK (Kids Finance), which is designed for children aged 8-14 and operated under strict parental consent — parents/guardians create and control the child's account.

Consistent with the DPDP Act, we do not engage in behavioural tracking, targeted advertising or profiling of children. SPARK contains no third-party advertising and no AI features.

If you believe we have inadvertently collected personal data of a child under 18 outside the SPARK program without verifiable parental consent, contact [email protected] immediately for deletion.

11

Cookies & Local Storage

We use first-party cookies and browser localStorage for: authentication session tokens (JWT), CSRF protection, theme/UI preferences, paper-trading state.

We do NOT use third-party tracking cookies, advertising cookies or analytics tags that share data with marketing platforms. We do not use Google Analytics.

You can disable cookies in your browser, but the platform will not function correctly without authentication cookies.

12

Grievance Redressal

Per the IT Rules 2011 (Rule 5(9)) and DPDP Act Section 8(10), we have appointed a Grievance Officer:

Grievance Officer: Paresh R. Wagh (Designated Partner, Harshiv Symposium LLP)

Email: [email protected]

Acknowledgement: within 24 hours

Resolution: within 15 days for routine matters, 30 days for complex matters

If your grievance is not satisfactorily resolved, you may escalate to the Data Protection Board of India once it becomes operational under the DPDP Act or to the Adjudicating Officer under the IT Act 2000.

13

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to you via email and an in-app notice at least 7 days before they take effect. Continued use after the notice period constitutes acceptance.

14

Contact

For any privacy-related question, request or concern, contact [email protected]. For general support, [email protected]. For grievances, [email protected].

Harshiv Symposium LLP — Founder & Designated Partner: Paresh R. Wagh.

Grievance Officer — DPDP Act 2023 / IT Rules 2011

Paresh R. Wagh — Designated Partner, Harshiv Symposium LLP
Grievance email: [email protected]
Privacy queries: [email protected]
General support: [email protected]
Acknowledgement within 24 hours · Resolution within 15-30 days