Privacy Policy
Last updated: 16 February 2026 · Effective immediately
1. Overview
Kaash (“the Platform”, “we”, “us”) is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why, and how we handle it. We comply with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and applicable Indian regulations.
Kaash is an educational platform for learning stock and mutual fund valuation. We do not facilitate financial transactions, buying/selling of securities, or investment advisory services.
Under DPDPA, Kaash acts as a Data Fiduciary (the entity that determines the purpose and means of processing your personal data). You, the user, are the Data Principal.
2. Data We Collect
2.1 Information You Provide
| Data | Purpose |
|---|---|
| Email address | Account creation, OTP authentication, communications |
| Phone number (optional) | Phone OTP authentication |
| Display name | Profile identification in the community |
| Age group | Age-appropriate content, DPDPA compliance |
| Onboarding answers | Investor persona assignment, personalized experience |
| Bio (optional) | Public profile display |
| Feedback submissions | Product improvement, bug reports |
2.2 Information Generated by Your Activity
| Data | Purpose |
|---|---|
| Valuation theses | Community learning, portfolio of research |
| Votes, comments, reactions | Social engagement, content quality signals |
| KPoints balance & game state | Gamification, leaderboard rankings |
| Quiz attempts & scores | Learning progress tracking |
| Squad membership | Community features |
2.3 Automatically Collected
| Data | Purpose |
|---|---|
| IP address | Rate limiting, abuse prevention |
| Browser/device info | PWA compatibility, bug diagnosis |
| Page views (PostHog) | Product analytics (only if you consent to optional cookies) |
3. Cookies & Local Storage
3.1 Essential (Always Active)
These are required for the Platform to function. You cannot opt out of essential cookies.
- Authentication cookies (httpOnly) — Secure session and refresh tokens to keep you logged in.
- Theme preference (localStorage) — Remembers your light/dark mode choice.
- Cookie consent flag (localStorage) — Stores whether you accepted or rejected optional cookies.
3.2 Optional Analytics (Consent Required)
These are only set if you click “Accept all” on the cookie banner.
- PostHog — Product analytics: page views, feature usage, funnel analysis. No personally identifiable information is included in events.
You can change your cookie preference at any time by clearing your browser's localStorage for this site, which will re-display the cookie consent banner on your next visit. Rejecting analytics cookies does not affect the functionality of the Platform — only optional usage analytics will be disabled.
4. How We Use Your Data
- Provide the service: Authentication, profile, thesis creation, gamification, squad features
- Personalization: Investor persona, age-appropriate content, engagement notifications
- Security: Rate limiting, abuse detection, content sanitization
- Product improvement: Aggregate analytics (with consent), feedback analysis
- Communications: Welcome email, OTP codes, feedback email alerts (to admins only)
We do NOT sell, rent, or trade your personal data to third parties. Ever.
4.1 Legal Basis for Processing (DPDPA)
| Processing Activity | Legal Basis |
|---|---|
| Account creation & authentication | Consent (DPDPA Section 6) |
| Service delivery (theses, gamification, squads) | Consent & contractual necessity (DPDPA Section 4) |
| Analytics (PostHog) | Explicit opt-in consent (DPDPA Section 6) |
| Security & abuse prevention | Legitimate use (DPDPA Section 7 — reasonable security) |
| Legal compliance (IT Act obligations) | Legal obligation (DPDPA Section 7) |
| Children's data (ages 16–17) | Verifiable parental consent (DPDPA Section 9) |
5. Third-Party Services & Cross-Border Data Transfer
| Service | Data Shared | Server Location | Purpose |
|---|---|---|---|
| Supabase | All user data | EU/US | Database, authentication, storage |
| Google OAuth | Email, name, avatar | US | Sign-in |
| Resend | Email address | US | OTP delivery, welcome emails |
| Cloudflare Turnstile | Browser fingerprint | Global CDN | Bot protection on feedback form |
| PostHog (opt-in) | Anonymous usage events | EU | Product analytics |
Cross-Border Data Transfer (DPDPA Section 16)
Your personal data may be transferred to and processed in countries outside India (including the US and EU) by the third-party services listed above. Such transfers are made only to countries or entities not restricted by the Central Government under DPDPA Section 16(1). Each third-party processor is contractually obligated to maintain appropriate data protection standards.
6. Data Retention
- Active accounts: Data retained as long as your account is active.
- Guest accounts: May be deleted after 30 days of inactivity.
- Deleted accounts: Personal data erased within 30 days. Published theses may be anonymized and retained for community benefit.
- Auth cookies: Session token expires in 24 hours; refresh token in 30 days.
- Analytics data: Anonymized and retained for up to 12 months.
7. Your Rights (Under DPDPA 2023)
As a Data Principal under DPDPA, you have the right to:
- Access: Request a summary of the personal data we process about you.
- Correction: Update or correct inaccurate personal data via your Profile page.
- Erasure: Request deletion of your account and personal data.
- Withdraw Consent: Withdraw consent for optional data processing (analytics) at any time.
- Grievance Redressal: Contact us for any privacy concerns; we will respond within 30 days.
- Nominate: Nominate another person to exercise your rights in case of death or incapacity.
To exercise these rights, use the in-app Feedback widget or email us at the address listed in the app settings. We will acknowledge your request within 48 hours and process it within 30 days.
If you are not satisfied with our response, you have the right to file a complaint with the Data Protection Board of India as established under DPDPA Section 18.
8. Children's Privacy (Ages 16–17)
Under DPDPA, individuals under 18 are classified as “children.” Kaash allows users aged 16 and above. For users aged 16–17:
- We process personal data only with verifiable parental or guardian consent as required under DPDPA Section 9.
- During registration, users aged 16–17 must confirm that a parent or guardian has consented to their use of the Platform.
- We do not engage in behavioral tracking, profiling, or targeted advertising of any user, including minors (DPDPA Section 9(2)).
- We do not process children's data in any manner likely to cause detrimental effect to their well-being (DPDPA Section 9(3)).
- Parents/guardians may request access to or deletion of their child's data at any time using the in-app Feedback widget.
9. Data Security
- All data is encrypted in transit (HTTPS/TLS) and at rest (Supabase encryption).
- Authentication cookies are marked httpOnly and Secure: page scripts cannot read them, so an XSS flaw cannot steal them, and they are only ever sent over HTTPS.
- User-generated content is sanitized to prevent injection attacks.
- API endpoints are rate-limited to prevent abuse.
- Row-Level Security (RLS) policies ensure users can only access their own data.
- Content Security Policy (CSP) headers restrict the sources from which the browser may load and execute scripts, blocking unauthorized script execution.
- We implement reasonable security practices and procedures as required under the SPDI Rules, 2011, and the IT Act, 2000.
9.1 Data Breach Notification (DPDPA Section 8(6))
In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals (users) without unreasonable delay, as required under DPDPA Section 8(6). Notification will include the nature of the breach, the data affected, and steps we are taking to mitigate the impact.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Platform (in-app notification). The “Last updated” date at the top indicates when the policy was last revised.
11. Governing Law
This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
12. Contact the Data Fiduciary
For any privacy-related inquiries, data access requests, or grievances, please use the in-app Feedback widget or email us at the address listed in the Platform settings.
- We will acknowledge your request within 48 hours.
- We will resolve your request within 30 days as required by DPDPA.
- If unresolved, you may escalate your complaint to the Data Protection Board of India (DPDPA Section 18).