1. About This Policy
This Privacy Policy (“Policy”) explains how Devesh Varshney, sole proprietor of TruePrice (“TruePrice”, “we”, “us”, “our”), a SEBI-registered Research Analyst operating the platform and services available at trueprice.pro (the “Platform”), collects, uses, stores, transfers, discloses, and otherwise processes your personal data when you visit the Platform, register an account, or use any of our services.
This Policy is published in compliance with:
- The Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”);
- The Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”);
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (as amended), including the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026;
- Directions issued by the Indian Computer Emergency Response Team (“CERT-In”) under Section 70B(6) of the Information Technology Act, 2000.
By accessing or using the Platform, you acknowledge that you have read and understood this Policy. Where your consent is the lawful basis for processing your personal data, you provide that consent by completing the consent action presented to you (for example, signing up, opting in to WhatsApp messages, or accepting cookies). You may withdraw your consent at any time as described in Section 13.
2. Who We Are & How To Contact Us
For the purposes of the DPDP Act, the Data Fiduciary in respect of your personal data is:
Devesh Varshney (sole proprietor of TruePrice)
SEBI-registered Research Analyst · Registration Number: Pending issuance
Place of business: Bengaluru, Karnataka, India
All correspondence (privacy, data requests, grievances, support): support@trueprice.pro
Our Data Protection Officer (“DPO”) and our Grievance Officer under the IT Rules, 2021 are identified in Section 17.
3. Personal Data We Collect
We collect only the personal data we need to operate the Platform, authenticate you, deliver our research and analytics services, comply with law, and secure the Platform against abuse.
3.1 Information you provide
- Account & identity data: Indian mobile number (mandatory and used as your primary identifier), country code, name, email address, password (hashed; never stored in plain text), and the authentication provider you choose (WhatsApp OTP, Google Sign-In, email/password, or email magic-link).
- Profile data: investment preferences, risk tolerance indicators, watchlists, notes, and any other information you voluntarily add to your profile or settings.
- Portfolio import data: if you use the Portfolio Sync feature, screenshots of your broker / demat statement that you upload to extract your holdings (ticker, quantity, average cost). We do not ask for, receive, or store your broker login credentials, demat account number, bank details, PAN, or any login session with your broker. We do not connect to any broker on your behalf.
- Payment data: when you purchase a subscription, credits, or any paid feature, payment instrument details (UPI VPA, card BIN, netbanking selection, wallet) are collected and processed directly by our payment aggregator, Cashfree Payments India Private Limited. We receive only the order ID, transaction status, partial payment metadata, and the GST-relevant invoice fields. Full card numbers, CVVs, UPI PINs, and netbanking passwords are never seen, collected, or stored by TruePrice.
- Communications data: messages you send to support, feedback, grievance submissions, and any correspondence with us.
3.2 Information collected automatically
- Device & technical data: IP address, user-agent, browser type and version, operating system, screen resolution, language, and time-zone.
- Usage & telemetry: pages visited, features used, search queries on the Platform, valuation parameters you input, click and scroll patterns, error events, and approximate latency.
- Authentication telemetry: OTP request and verification events, failed-login counters, session expiry, and rate-limit counters used to prevent abuse.
- Cookies and similar technologies: see our Cookie Policy.
- Server & security logs: request paths, response codes, OpenTelemetry traces, and security events. Logs are retained in India for at least 180 days as required under the CERT-In Directions dated 28 April 2022.
3.3 Information from third parties
- Authentication providers: if you sign in using Google, we receive your email address, Google account display name, profile photo (if any), and a unique Google identifier — only to the extent you authorise during the Google consent screen.
- Meta WhatsApp: we receive delivery and read receipts for OTP and (if you opt in) alert messages we send you via the official Meta WhatsApp Cloud API.
- Cashfree: we receive transaction status webhooks and reconciliation data tied to your order.
3.4 What we do not collect
We do not collect (a) Aadhaar numbers; (b) PAN numbers (except where you voluntarily share them in support correspondence); (c) bank account numbers; (d) broker login credentials of any kind; (e) sensitive personal data such as health, religion, biometric, or sexual orientation; or (f) location data more granular than the country level inferred from your IP.
4. Why We Process Your Personal Data
We process personal data only for the purposes set out below, and only on a lawful basis identified in the same row.
| Purpose | Lawful basis |
|---|
| Create and authenticate your account; secure sign-in | Performance of the contract you enter when you accept our Terms; consent |
| Deliver research, valuations, watchlist, portfolio, and other Services you request | Performance of the contract |
| Process payments and refunds via Cashfree | Performance of the contract; legal obligation (tax / record-keeping) |
| Send transactional messages (OTPs, payment receipts, account & security alerts) by WhatsApp / email | Performance of the contract |
| Send valuation alerts, marketing, and product updates | Your consent — withdrawable at any time |
| Improve the Platform, debug, monitor performance, prevent abuse | Legitimate purpose under the DPDP Act |
| Comply with SEBI, RBI, CERT-In, tax, and other legal obligations | Legal obligation |
| Detect and prevent fraud, security incidents, and platform abuse | Legitimate purpose; legal obligation |
We do not engage in solely-automated decision-making that produces legal or similarly significant effects on you. We do not sell your personal data. We do not use your portfolio holdings, watchlist contents, or research-consumption history for advertising targeting.
5. Third Parties & Sub-Processors
We engage carefully selected third-party service providers to operate the Platform. Each is bound by a written contract that requires them to process personal data only on our instructions, maintain reasonable security, and assist us in fulfilling our obligations under the DPDP Act. The current list of categories and named providers is set out below and will be updated when it changes.
Authentication & identity
- Meta Platforms, Inc. — WhatsApp Business / Cloud API. Sends OTPs and (if opted in) WhatsApp alerts to your registered number. We share your phone number and the OTP / template variables with Meta for delivery. Meta's handling of WhatsApp messages is governed by the WhatsApp Privacy Policy and the WhatsApp Business Messaging Policy.
- Google LLC — Firebase Authentication and Google Sign-In. Used for email/password, email-link, and Google sign-in. Firebase may process your email, name, IP, user-agent, phone number, and a Firebase identifier in the United States. See the Firebase Privacy & Security page and the Google Privacy Policy. Where Firebase processes Google account data, we use that data only for the purposes disclosed here, in line with the Google API Services User Data Policy, including its Limited Use requirements.
Payments
- Cashfree Payments India Private Limited. RBI-authorised Payment Aggregator. Processes UPI, cards, netbanking, and wallet transactions on our behalf. We share order ID, amount, currency (INR), customer name, email, and phone with Cashfree to enable the transaction; Cashfree alone collects card / UPI / banking credentials, which are never received or stored by TruePrice. Their practices are governed by the Cashfree Privacy Policy and Terms.
AI-assisted data extraction
- Anthropic, PBC — Claude API and OpenAI, L.L.C. — OpenAI API. We use these large-language-model services as tooling to extract and structure information from publicly available documents (annual reports, earnings call transcripts, exchange filings, regulatory disclosures), and to parse user-uploaded portfolio screenshots during Portfolio Sync. Both providers operate under commercial / enterprise terms under which inputs and outputs are not used to train their models. The valuation models themselves (DCF, Relative Valuation, SOTP, Reverse DCF) are rule-based and produce deterministic numeric outputs from the underlying financial data and your assumptions; the AI tooling is used only to ingest and structure source data.
Hosting, storage & infrastructure
- Google Cloud Platform (Cloud SQL / PostgreSQL, Cloud Run, Pub/Sub) — primary application hosting and database; data residency in India.
- Cloudflare, Inc. — Cloudflare R2 object storage and CDN for static assets and document storage.
- Vercel, Inc. — front-end edge delivery for the Next.js Platform.
Observability & security
- HyperDX — receives OpenTelemetry traces, metrics, and structured logs (no payment instrument data, no document content) used to debug, monitor, and secure the Platform.
Public market & financial data sources
- Yahoo Finance, the Federal Reserve Economic Data (FRED) service, and publicly published Damodaran data sets — used only to fetch public market-data inputs (prices, risk-free rate, equity risk premium, sector betas). No personal data flows to these sources.
- BSE, NSE, and Ministry of Corporate Affairs filings (publicly available) — used as the primary source of company financials.
Analytics & advertising (forward-looking)
We may, in future, deploy first- or third-party analytics and advertising technologies including Google Analytics 4, Google Tag Manager, Google Ads conversion tracking, and the Meta Pixel. Where we do, we will (i) update our Cookie Policy, (ii) request your prior consent for non-essential cookies via a consent banner, and (iii) honour your withdrawal of consent. Until such time, no marketing pixels are loaded on the Platform.
6. Disclosure To Authorities
We may disclose personal data to a court, regulator (including SEBI, the Reserve Bank of India, the Income-tax Department, and the Data Protection Board of India), CERT-In, law-enforcement agency, or other governmental authority where we are legally compelled to do so or where disclosure is necessary for the establishment, exercise, or defence of legal claims, the prevention of fraud, or the safety of users.
7. Cross-Border Transfers
TruePrice is operated from India and our primary servers are hosted in India. Some of our service providers (notably Meta, Google / Firebase, Anthropic, OpenAI, Cloudflare, Vercel, and HyperDX) may process personal data outside India in jurisdictions that include the United States and the European Economic Area, in line with their published terms.
Such transfers are made only to the extent strictly necessary to deliver the Platform, are subject to written contractual safeguards, and are permitted under the DPDP Act. We do not transfer personal data to any country or territory included in the “negative list” notified by the Central Government under Section 16 of the DPDP Act.
8. Cookies And Similar Technologies
We use a small number of strictly necessary cookies (authentication session, security, load balancing, CSRF protection) without which the Platform cannot function. We use preference cookies to remember your theme, watchlist defaults, and similar choices.
Where we deploy non-essential cookies for analytics or advertising in future, we will request your prior, granular, and withdrawable consent. Full details, including a vendor list, retention periods, and how to opt out, are set out in our Cookie Policy.
9. AI-Assisted Processing
TruePrice uses commercial large-language-model APIs from Anthropic and OpenAI strictly as a tool to extract structured data from publicly available documents (such as annual reports, earnings call transcripts, and exchange filings) and, in the Portfolio Sync flow, to read holdings tables from screenshots that you upload.
- The valuation models on the Platform (DCF, Relative Valuation, SOTP, Reverse DCF) are rule-based and deterministic. They are not generative; they produce a numerical output from clearly defined inputs and assumptions disclosed within each report.
- We use these AI providers under their commercial / enterprise terms, which contractually prohibit them from using our inputs or outputs to train their models.
- We do not send AI providers your authentication credentials, payment information, or any other data not strictly required for the extraction task at hand.
- AI-assisted output that is presented to you is reviewed by deterministic validation rules. Where the Platform displays content that is substantially generated using AI tooling, we identify it as such in the relevant section in line with the IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026.
10. Data Retention
- Account & profile data: retained for the life of your account. After account deletion, we erase or de-identify within 30 days, save where retention is required under law (e.g., books of accounts under the Income-tax Act).
- Portfolio screenshot uploads: the screenshot itself is processed and discarded; only the extracted holdings rows you confirm are retained, and only for the duration you keep the portfolio.
- Payment records: retained for 8 years from the end of the financial year of the transaction, as required under the Income-tax Act, 1961 and the books-of-account retention periods prescribed by applicable law.
- OTP and authentication telemetry: 5-minute OTP TTL; rate-limit counters auto-expire; failed-login records retained 90 days.
- System & security logs: retained for at least 180 days within India in line with the CERT-In Directions of 28 April 2022.
- Grievance records: retained for 5 years from resolution as required under the SEBI (Research Analysts) Regulations, 2014 and related circulars.
11. Data Security
We implement reasonable security practices and procedures aligned to the SPDI Rules and the DPDP Act, including:
- TLS 1.2+ encryption of data in transit;
- Encryption at rest for our managed databases and object storage;
- Hashing of passwords using salted, industry-standard one-way functions;
- Role-based access control, least-privilege principles, and audit logging;
- Token-based session management with sliding expiry and revocation;
- Rate-limiting, anomaly detection, and bot-mitigation on auth endpoints;
- Periodic vulnerability assessment and dependency patching.
No system can be made fully secure. Where a personal-data breach is likely to result in risk to your rights, we will notify you and the Data Protection Board of India in the form and within the timeframes prescribed under the DPDP Rules. Where the incident qualifies as a reportable cyber incident under Section 70B, we will report it to CERT-In within six hours of becoming aware of it.
12. Children's Data
The Platform is intended exclusively for individuals who are at least 18 years of age. We do not knowingly process personal data of children. If we become aware that we have collected personal data from a person under 18, we will delete it without delay and disable the associated account. If you believe we hold personal data about a minor, please write to support@trueprice.pro.
13. Your Rights
Subject to the conditions of the DPDP Act and the SPDI Rules, you have the following rights with respect to your personal data:
- Right to access: obtain a summary of your personal data being processed and the processing activities undertaken in respect of it.
- Right to correction and erasure: have inaccurate or incomplete personal data corrected or completed, and have personal data erased that is no longer necessary, subject to overriding legal retention obligations.
- Right to data portability: receive your personal data in a structured, commonly used, machine-readable format.
- Right to withdraw consent: withdraw your consent at any time, with effect from the date of withdrawal, without affecting the lawfulness of processing that occurred before withdrawal.
- Right to nominate: nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
- Right to grievance redressal: have your grievances addressed by us. If you are not satisfied, you may complain to the Data Protection Board of India.
- Right to opt out of marketing: opt out of any non-transactional marketing or alert messages at any time, by replying STOP / unsubscribing, or by writing to us.
To exercise any of these rights, write to support@trueprice.pro from your registered email or include your registered phone number for identity verification. We will respond within 30 days, or earlier where required by law. Where we are unable to act on a request, we will explain why.
14. Marketing Communications
We send transactional messages (OTPs, payment receipts, security alerts, grievance updates) without seeking separate consent because they are necessary to perform our contract with you. We send valuation alerts, product updates, and any other promotional communications only where you have opted in. You can withdraw that consent at any time from your account settings, by replying STOP / unsubscribing, or by writing to support@trueprice.pro.
15. CERT-In Cooperation
We comply with the CERT-In Directions dated 28 April 2022 issued under Section 70B(6) of the Information Technology Act, 2000. In particular, we synchronise system clocks to NIC / NPL time servers, retain ICT system logs within Indian jurisdiction for at least 180 days, and report specified cyber incidents to CERT-In within six hours of becoming aware.
16. Changes To This Policy
We may update this Policy from time to time. Material changes will be communicated through the Platform or via email / WhatsApp to your registered contact details. The “Last updated” date at the top of this page indicates when the Policy was last revised. Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy. Where new processing activities require fresh consent, we will request that consent before commencing the new activity.
17. Grievance Officer, DPO & Escalation
In accordance with Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and Section 8(9) of the DPDP Act, the following individual is designated as our Grievance Officer and acts as our Data Protection Officer (DPO):
Name: Devesh Varshney
Designation: Proprietor & Grievance Officer / DPO
Email: support@trueprice.pro — single channel for all privacy, data, grievance and support requests
Address: Bengaluru, Karnataka, India
Acknowledgement SLA: within 48 hours
Resolution SLA: within 30 days, in line with the IT Rules, 2021 and the SEBI (Research Analysts) Regulations, 2014
If you are not satisfied with our response, you may escalate to:
- The Data Protection Board of India for matters under the DPDP Act, once it becomes operational, via meity.gov.in.
- The SEBI SCORES portal at scores.sebi.gov.in for matters relating to research analyst services, and SEBI's Online Dispute Resolution platform at smartodr.in.
- The National Consumer Helpline at 1915 or consumerhelpline.gov.in for consumer grievances under the Consumer Protection (E-Commerce) Rules, 2020.
18. Contact Us
For any privacy-related question, data request, grievance, or general query, write to a single channel: support@trueprice.pro.