Privacy Policy 

Effective Date: 20-Sep-2025  
Last Updated  : 30-Oct-2025  
Jurisdiction  : Sawantwadi, Sindhudurg, Maharashtra, India

This Privacy Policy (“Policy”) explains how MindStocs (“Company”, “we”, “our”, “us”) collects, processes, stores, secures, and discloses personal data of individuals (“User”, “you”, “your”) who access or use the Company’s dashboards, software, algorithms, APIs, websites, projects, and related digital services (“Services”).

MindStocs currently operates as a sole proprietorship under Indian law and functions strictly as a technology and software service provider. The Company does not:
(a) accept or manage User funds,
(b) pool capital or handle deposits,
(c) provide investment advice, portfolio management, or financial advisory services,
(d) offer any regulated product under SEBI, RBI, IRDAI, or any financial authority.

All Services are limited to software access only.

If the Company converts to any other legal structure (e.g., Private Limited, LLP), this Policy shall be updated and Users will be notified in accordance with Clause 22 (Policy Updates).

This Policy is drafted in accordance with:
• The Digital Personal Data Protection Act, 2023
• The Information Technology Act, 2000 and IT Rules, 2011
• The Consumer Protection (E-Commerce) Rules, 2020
• The Prevention of Money Laundering Act, 2002 (only if KYC/AML applies)
• Applicable regulatory cybersecurity guidelines issued in India

This Policy forms an integral part of the Company’s Terms & Conditions and Refund Policy. In case of any conflict, the stricter provision shall apply in favour of the User, subject to Indian law.

By accessing or using the Services, you:
(a) confirm that you have read and understood this Policy,
(b) consent to the lawful processing of your personal data for service, security, and compliance purposes,
(c) agree that certain data may be retained even after account closure, where required by law.

If you do not agree with this Policy, you must immediately discontinue use of the Services.


1. Definitions & Interpretation


1.1 **“Personal Data”** means any information that identifies, or can reasonably be used to identify, a natural person, as defined under the Digital Personal Data Protection Act, 2023 (“DPDP Act”).

1.2 **“Sensitive Personal Data”** includes, but is not limited to: Aadhaar numbers (where lawfully permissible and only in masked/UIDAI-compliant format), Permanent Account Number (PAN), bank account details, broker statements, financial transaction records, biometric identifiers, and other categories of data requiring enhanced protection under applicable laws. The Company shall not store or retain **unmasked Aadhaar numbers**, full biometric data, payment card CVV, UPI PINs, or other highly sensitive credentials in raw form.

1.3 **“Anonymised Data”** means data that has been irreversibly de-identified in such a way that an individual cannot be re-identified, whether directly or indirectly.

1.4 **“Pseudonymisation”** means the processing of data in such a manner that it cannot be attributed to a specific person without the use of additional information, provided that such additional information is stored separately and protected by appropriate technical and organisational measures.

1.5 **“Processing”** means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

1.6 **“DPDP Act”** refers to the Digital Personal Data Protection Act, 2023, together with its rules, notifications, and any amendments from time to time.

1.7 **“Data Fiduciary”** (also referred to in this Policy as “Company”, “we”, “us”) means the entity that determines the purpose and means of Processing Personal Data in accordance with the DPDP Act. MindStocs acts as the Data Fiduciary for the processing described in this Policy.

1.8 **“DPA”** means a Data Processing Agreement entered into between the Company and any third-party service provider or processor handling Personal Data on the Company’s behalf.

1.9 **“ROPA”** refers to Records of Processing Activities maintained by the Company as required under the DPDP Act and other applicable regulations.

1.10 **“Consent”** means any freely given, specific, informed, and unambiguous indication of the User’s wishes, by a clear affirmative action, signifying agreement to the processing of their Personal Data.

1.11 **“Personal Data Breach”** means a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.12 **Interpretation:** Headings are provided for convenience only and shall not affect the interpretation of this Policy. Words in singular include the plural, and vice versa. References to “laws” include applicable rules, regulations, notifications, circulars, and judicial pronouncements.

1.13 **“Data Principal”** means the individual to whom the Personal Data relates (i.e., the User) and includes the parent or lawful guardian of a child and the lawful guardian of a person with disability, as applicable under the DPDP Act.


2. Data Fiduciary & Contact Information  


2.1 **Data Fiduciary:** The Data Fiduciary responsible for processing User data is **MindStocs**, operating as a duly established sole-proprietorship entity under Indian law and through any authorised subsidiaries or operational units.

2.2 **Data Processor:** For certain activities, MindStocs may engage third parties as **Data Processors** (e.g., payment gateways, hosting providers, KYC vendors). These entities act strictly under the Company’s documented instructions and Data Processing Agreements (DPAs).

2.3 **Registered Office:**  
MindStocs  
1452 Majgoan Tambalgothan,  
Sawantwadi, Sindhudurg, Maharashtra – 416510, India  
*(Users should verify this address exclusively from the official MindStocs website to avoid fraudulent correspondence.)*

2.4 **Privacy / Grievance Contact:**  
Email: **privacy@mindstocs.com**  
This serves as the designated contact point for grievances under the Information Technology Act 2000, the DPDP Act 2023, and the Consumer Protection (E-Commerce) Rules 2020.

2.5 **Support / Refunds:**  
Email: **support@mindstocs.com**  
This contact is provided exclusively for queries related to account access, subscription support, and refund requests under the Company’s Refund Policy.

2.6 **Grievance Officer:**  
**Name:** Jackson A Fernandes  
**Email:** privacy@mindstocs.com  
**Tel:** +91 9021008698  

2.7 **Response & Resolution Timelines (SLA):**  
- Acknowledgement of any grievance or complaint shall be provided within **48 hours** of receipt.  
- The Company will aim to provide a substantive resolution or update within **30 days**, in accordance with statutory requirements.

2.8 **Data Protection Officer (DPO):**  
At present, the Company’s internal compliance team handles grievance redressal and data-protection responsibilities.  
A formally appointed **Data Protection Officer** (“DPO”) will be designated and notified to the **Data Protection Board of India** *if and when* MindStocs is classified as a **Significant Data Fiduciary** under Section 10 of the DPDP Act.  
The DPO’s name and contact details will be published on the official website upon such designation.

2.9 **Jurisdiction for Escalation:**  
If a grievance remains unresolved, Users retain the right to escalate complaints to:  
(a) The **Data Protection Board of India**,  
(b) Relevant statutory regulators such as the **RBI** or **SEBI** (for financial-compliance queries), and  
(c) **Consumer Courts** under the Consumer Protection Act 2019.  
For international Users, escalation will remain subject to **Indian law**, unless mandatory local consumer or privacy protections apply.


3. Scope & Compliance  


3.1 **Scope of Policy:**  
This Policy applies to all processing of Personal Data undertaken in connection with:  
(a) the Company’s website, dashboards, indicators, algorithms, Expert Advisors (EAs), and APIs;  
(b) participation in Projects and Service Packages (including Service Access Fees, billing, and subscription records);  
(c) use of ancillary services such as VPS, hosting, and integrations;  
(d) all communications, grievance redressal, refunds, and support interactions.


3.2 **Regulatory Framework:**  
This Policy is implemented in compliance with:  
(a) the **Digital Personal Data Protection Act, 2023**;  
(b) the **Information Technology Act, 2000** and **IT (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011**;  
(c) the **Consumer Protection (E-Commerce) Rules, 2020**;  
(d) the **Prevention of Money Laundering Act, 2002** and FIU-IND reporting obligations (only where KYC/AML checks apply); and  
(e) applicable guidelines issued by the **Reserve Bank of India (RBI)**, **Securities and Exchange Board of India (SEBI)**, and **CERT-In** on cybersecurity and data handling.  

**Clarification:** MindStocs is **not** a “Reporting Entity” under the Prevention of Money Laundering Act, 2002. Any references to FIU-IND apply only to the obligations of **RBI-regulated payment gateways** and their **banking partners**, not to MindStocs.  
For the definitive commercial and regulatory disclaimer governing MindStocs' operations, Users should refer to the **Terms & Conditions — Final Consolidated Disclaimer (Clause 52).**  

3.3 **Nature of Services – No Registration with Regulators:**  
MindStocs is a **software and technology service provider**. It is **not registered with SEBI** as an investment adviser, research analyst, portfolio manager, or stock broker, nor with the **RBI** as a regulated entity.  
- Service Access Fees are strictly payments for access to digital tools, dashboards, and Projects.  
- Nothing in this Policy or in the Terms & Conditions constitutes investment advice, portfolio management, trade execution, solicitation, deposit-taking, or a collective investment scheme.  
- Users remain fully responsible for their own trading and financial decisions.  

3.4 **International Users:**  
While Services may be accessed from outside India, this Policy is governed by **Indian law**. Users located abroad are solely responsible for ensuring compliance with their local data protection, privacy, and financial regulations.  

3.5 **Consistency with Terms & Conditions:**  
This Privacy Policy forms an integral part of, and must be read with, the Company’s **Terms & Conditions** and **Refund Policy**.  
In the event of any conflict, the stricter or more protective clause shall prevail in favour of User rights and regulatory compliance.  
For avoidance of doubt, the **Final Consolidated Disclaimer (Clause 52)** in the Terms & Conditions shall override any inconsistent language in this Privacy Policy, Refund Policy, Shipping Policy, or marketing materials.


4. Categories of Data Collected  


4.1 User-Provided Data  
We may collect the following information directly from Users for account creation, subscription, support, or compliance purposes:  
(a) Basic identifiers: full name, email address, mobile number, postal address, and date of birth.  
(b) Identity & verification: PAN and other KYC documents (Aadhaar only in masked form where legally required).  
(c) Financial information: bank account details (solely for refund processing where applicable) and Service Access Fee payment records.  
(d) Communications: support tickets, grievance logs, emails, and other correspondence.  
(e) Referral Data: referral code, referral tracking logs, and attribution metrics. No financial commission, payout, or incentive is offered.

⚠️ Aadhaar: If Users upload Aadhaar for address proof or KYC, the Aadhaar number must be **masked/redacted**. The Company does not store unmasked Aadhaar, biometric identifiers, CVV, UPI PIN, or other highly sensitive credentials.

4.2 Automatically Collected Data  
When Users access or interact with the Services, the following data may be collected automatically:  
(a) Technical identifiers: IP address, device details, browser/OS information.  
(b) Session metadata: cookies, timestamps, navigation patterns, and usage logs.  
(c) API telemetry: execution logs and error reports only when the User voluntarily links a broker API.

Automatically collected data may be used in anonymised or aggregated form for analytics, optimisation, and cybersecurity enhancement.

4.3 Third-Party Data Sources  
(a) Payment gateways (e.g., Razorpay) for transaction confirmations.  
(b) Broker/exchange systems only when the User explicitly enables API linking.  
(c) Certified KYC vendors providing verification outputs.

⚠️ API-linked trade data remains the **User’s property**. The Company does not exercise control over, manage, or influence User trading activity.

4.4 Payment Data  
(a) The Company does **not** store or process card numbers, CVV, UPI PINs, or raw payment credentials.  
(b) All payments are processed exclusively via **PCI-DSS compliant RBI-regulated gateways**.  
(c) Only masked or tokenised identifiers are retained for reconciliation or refund purposes.

4.5 Cookies & Tracking  
For details on cookie-based data collection, see Clause 27 (Cookies & Tracking Technologies).

 
5. Purpose & Legal Basis  


5.1 Purposes of Processing  
MindStocs processes Personal Data strictly for lawful and defined purposes, including:  
(a) Account creation, authentication, and user management.  
(b) Processing of payments, invoicing, refunds, and subscription renewals.  
(c) Compliance with applicable tax, billing, and statutory reporting requirements (e.g., GST/TDS where legally mandated).  
(d) Customer support, technical assistance, grievance handling, and dispute resolution.  
(e) Cybersecurity, fraud prevention, risk monitoring, and abuse detection.  
(f) System performance diagnostics, analytics, and product enhancement (using anonymised or aggregated data where possible).  
(g) Mandatory disclosures to regulators, courts, or authorities where required under Indian law.  
(h) Optional marketing or product update communication **only where explicit opt-in consent is provided by the User**.  
(i) Verification of user identity or eligibility for account-related actions, only where legally necessary.

⚖️ Lawful Purpose & Data Minimisation  
All Personal Data processed by the Company is limited to what is necessary, proportionate, and reasonably expected in the normal course of providing software services.

5.2 Legal Bases for Processing  
Processing is carried out on the following lawful grounds:  
(a) **Contractual necessity** – to provide access to software, dashboards, APIs, and related services.  
(b) **Legal obligation** – to comply with Indian laws including the DPDP Act 2023, IT Act 2000, GST/TDS rules, and applicable CERT-In directives.  
(c) **Legitimate interest** – including fraud prevention, service optimisation, platform security, error logging, and account integrity, documented through internal Legitimate Interest Assessments (LIA).  
(d) **Consent** – used only for optional features such as marketing, referral attribution visibility, or beta-feature activation.

5.3 Exclusions  
Personal Data is **not** processed for:  
(a) Investment advisory, brokerage, research analysis, or portfolio management.  
(b) Solicitation, pooling, or management of User funds.  
(c) Return-based schemes, profit-sharing models, or capital-linked programs.  
(d) Any activity requiring registration with SEBI, RBI, IRDAI, or FIU-IND.

5.4 Consent Records & Withdrawal  
(a) The Company maintains timestamped logs of all User consents and withdrawals.  
(b) Consent withdrawal does not affect the lawfulness of prior processing.  
(c) Core service access is not conditioned upon marketing consent.  
(d) Consent withdrawal may be requested at any time via **privacy@mindstocs.com**.

5.5 Alignment with User Rights  
All processing of Personal Data shall remain consistent with the Data Principal rights set out in Clause 14 of this Policy.


6. Use, Disclosure & Mandatory Reporting  


6.1 Permitted Recipients  
Personal Data may be shared on a strictly need-to-know basis with:  
(a) Payment gateways and banking partners for subscription processing, refunds, and reconciliation.  
(b) Certified KYC vendors, only where verification is legally required.  
(c) Cloud hosting, email, and infrastructure providers operating under written Data Processing Agreements (DPAs).  
(d) Independent auditors or legal advisors for compliance verification, dispute resolution, or statutory audits.  
(e) Courts, law enforcement agencies, or regulators when disclosure is compelled under applicable law.

6.2 Mandatory Disclosures  
The Company may disclose Personal Data only when required by:  
(a) Court orders, tribunal directives, or duly issued summons,  
(b) Statutory or regulatory notices from competent Indian authorities,  
(c) Valid written directions from enforcement bodies such as CERT-In, Income Tax Department, or Consumer Commissions,  
(d) Foreign authorities **only through Government of India-approved channels** (e.g., MLAT requests), subject to Indian law.

6.3 AML / PMLA Position  
(a) MindStocs is **not** a “Reporting Entity” under the Prevention of Money Laundering Act, 2002.  
(b) All AML/KYC compliance and Suspicious Transaction Reports (STR) obligations rest solely with RBI-regulated payment gateways and their banking partners.  
(c) MindStocs does not perform STR filing, account monitoring, or AML screening beyond identity validation where legally required.  
(d) The Company will cooperate with payment gateways and authorities **only upon receipt of a valid written order**.

6.4 Purpose Limitation  
Disclosures are made only for lawful, proportionate, and clearly defined purposes such as:  
- Fulfilment of contractual obligations,  
- Statutory compliance,  
- Verified dispute handling,  
- Cybersecurity or fraud prevention.  
No Personal Data is disclosed for resale, advertising, or user profiling.

6.5 Logging of Disclosures  
All external disclosures of Personal Data, including those made to regulators or enforcement agencies, are recorded in the Company’s Records of Processing Activities (ROPA) with time, purpose, and authority details.

6.6 User Notification  
Users will be informed of any regulator or law-enforcement disclosure **where legally permissible**. Notification may be deferred or withheld if:  
(a) prohibited by law, or  
(b) it may prejudice an active investigation or national-security process.

6.7 No Commercial Sharing  
The Company does not sell, rent, trade, or commercially exploit Personal Data.  
All sharing is strictly controlled, contract-bound, and auditable.


7. Identity Verification & Aadhaar Compliance  


7.1 General Verification  
MindStocs may request valid identity or address proof only where required for:  
(a) account authentication or fraud prevention,  
(b) statutory compliance (e.g., GST/TDS invoice requirements),  
(c) verification of refund eligibility, or  
(d) dispute resolution and legal documentation.  

Accepted documents include:  
- Passport  
- Voter ID  
- Driving Licence  
- Utility Bill  
- Bank Statement  
- PAN (for tax-linked invoices)

7.2 Aadhaar Handling  
(a) MindStocs does not require Aadhaar for normal onboarding.  
(b) Aadhaar may be requested only where expressly mandated by law or a competent authority.  
(c) If a User voluntarily uploads Aadhaar, the User must ensure the number is **masked** (only last 4 digits visible).  
(d) MindStocs does not collect, store, or process:  
    - full Aadhaar number,  
    - e-Aadhaar PDF with unmasked ID,  
    - biometric identifiers, or  
    - online/API-based Aadhaar e-verification.  
(e) Only offline, masked XML-based verification may be used if legally required.  
(f) Aadhaar will never be used for profiling, marketing, creditworthiness, or product eligibility decisions.

7.3 User Responsibility  
(a) Users must upload Aadhaar only in masked form.  
(b) If an unmasked Aadhaar is uploaded, MindStocs will delete it on detection and request a compliant version.  
(c) MindStocs is not liable for any exposure resulting from a User’s failure to mask Aadhaar, except where retention is legally mandated.

7.4 Retention & Deletion  
(a) Identity documents are retained only for the duration required for compliance, invoice validity, or legal defence.  
(b) Once no longer required, documents are deleted or permanently redacted in accordance with Clause 14 (Right to Erasure).  
(c) No Aadhaar data is retained beyond statutory necessity.

7.5 Audit & Safeguards  
(a) Any Aadhaar processing is logged in the Company’s Records of Processing Activities (ROPA).  
(b) Internal audits confirm no unmasked Aadhaar or biometric data is stored.  
(c) Any Aadhaar-related breach will be reported under Clause 16 (Breach Notification & Incident Response).

7.6 Legal Compliance  
This Aadhaar handling framework ensures compliance with:  
- Digital Personal Data Protection Act, 2023,  
- Aadhaar Act, 2016 & UIDAI Regulations,  
- Supreme Court judgment in K.S. Puttaswamy (2018),  
- UIDAI restriction on private sector online authentication.


8. Data Retention  


8.0 Purpose Limitation & Storage Minimisation  
MindStocs retains Personal Data only for as long as necessary to fulfil the lawful purpose for which it was collected, or to meet statutory, tax, audit, cybersecurity, or dispute-resolution obligations.  
No data is retained beyond its lawful, contractual, or operational necessity, in compliance with Section 9(1)(c) of the Digital Personal Data Protection Act, 2023.

8.1 Minimum Retention Periods  
MindStocs retains User data strictly as required under Indian law:  
(a) KYC Records – 10 years (PMLA, RBI/FIU-IND, where applicable).  
(b) GST Invoices & TDS Records – 8 years (GST & Income Tax Acts).  
(c) Active Account Data – Duration of service + 7 years (audit, tax, and dispute defence).  
(d) Logs, Telemetry & Error Reports – 6 months to 3 years (security, debugging, and operational continuity).  
(e) Financial Transaction Records – 8 years (statutory audit and tax compliance).  
(f) Technical API Logs & Configuration Metadata – retained while the account is active, then deleted or anonymised after legal retention ends.  

8.2 User Deletion Requests  
(a) Users may request deletion of Personal Data under the Digital Personal Data Protection Act, 2023.  
(b) Deletion may be lawfully denied where retention is required by Indian tax, regulatory, or law-enforcement obligations.  
(c) A written response will be issued within 30 days, stating approval or lawful grounds for refusal.

8.3 Secure Disposal  
(a) After expiry of the retention period, Personal Data will be securely deleted, anonymised, or archived using industry-accepted sanitisation methods.  
(b) Deletion applies to both primary storage and backups within 90 days, subject to technical feasibility.  
(c) Anonymised Data may continue to be used for analytics, research, or service optimisation without identifying any User.

8.4 Regulatory & Forensic Overrides  
(a) Records will be retained beyond normal timelines where a dispute, tax inquiry, arbitration, or regulator-directed investigation is ongoing.  
(b) Competent authorities such as FIU-IND, SEBI, Income Tax, GST, CERT-In, or law-enforcement may require extended retention; MindStocs shall comply with such lawful requests.

8.5 Retention Logging & Audit Trail  
All retention, archival, and deletion actions are logged in the Company’s Records of Processing Activities (ROPA).  
Retention logs are periodically reviewed by internal compliance teams or external auditors for statutory alignment.

8.6 User Acknowledgement  
By using the Services, Users acknowledge that certain records (e.g., tax, KYC, and legally mandated financial logs) **must** be retained for statutory periods and cannot be erased on demand.  
All non-mandatory data will be deleted once lawful obligations are fulfilled.


9. Data Accuracy, Minimisation & User Obligations  


9.1 User Accuracy Obligations  
(a) Users must provide true, complete, and verifiably authentic information as required under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), including Sections 9(1)(a)–(c).  
(b) Users must promptly update the Company regarding any change in contact details, documents, banking information, or tax details.  
(c) Failure to maintain accurate data may result in suspension, restricted access, or permanent account blacklisting.

9.2 Principle of Data Minimisation  
(a) The Company collects and processes only data strictly required for:  
   - Provision of software and account access,  
   - Statutory and tax compliance (e.g., KYC, GST),  
   - Fraud prevention, cybersecurity, and system integrity.  
(b) Optional or non-essential data is collected only with explicit consent, which may be withdrawn without affecting access to core Services.  
(c) Data processing is reviewed periodically to ensure compliance with the storage-limitation and minimisation duties under the DPDP Act.

9.3 Fraudulent or Misleading Data  
(a) Submission of false, fabricated, forged, or misleading information may result in:  
   - Suspension or termination of Services,  
   - Refusal of refunds where legally justified,  
   - Permanent blacklisting, and  
   - Reporting to competent authorities.  
(b) The Company may report verified fraud to FIU-IND, SEBI, RBI, Income Tax, or law-enforcement bodies where legally required.

9.4 Audit & Verification Rights  
(a) The Company may perform random or risk-based verification of User-submitted information.  
(b) Such verification may include cross-checks with regulators, payment processors, banks, or KYC vendors.  
(c) Users must cooperate with verification requests; refusal or non-cooperation may result in temporary or permanent restriction of access.

9.5 User Responsibility  
Users acknowledge that providing incorrect, incomplete, or misleading information may:  
- Prevent or delay access to Services,  
- Lead to suspension or blacklisting,  
- Trigger regulatory reporting,  
- Result in penalties under applicable Indian laws (including DPDP Act, IT Act, PMLA, Consumer Protection Act).

9.6 Correction & Review Rights  
(a) Users may request correction or updating of inaccurate Personal Data held by the Company.  
(b) Upon successful verification, corrections will be completed within 15 business days unless restricted by law.  
(c) All correction requests and actions are logged in the Company’s Records of Processing Activities (ROPA).


10. Security Controls, User Responsibilities & Audits  


10.1 **Company Security Controls**  
(a) All data transmissions are secured using **TLS/HTTPS encryption**.  
(b) Sensitive Personal Data is encrypted **at rest** using AES-256 or equivalent standards. Encryption keys are stored and rotated securely under certified key management protocols.  
(c) **Role-based access controls (RBAC)** restrict internal access strictly to authorised personnel with signed confidentiality undertakings.  
(d) Continuous **security logging, monitoring, and anomaly detection** are maintained for access, configuration changes, and system activities.  
(e) The Company conducts periodic **vulnerability assessments and penetration tests (VAPT)**, applying critical patches without undue delay.  
(f) Security practices align with **CERT-In Directions (2022)**, **RBI cybersecurity circulars**, and global standards such as **ISO/IEC 27001** and **SOC 2 Type II** frameworks where applicable.  

10.2 **Audits & Assessments**  
(a) Independent third-party security audits may be commissioned periodically for systems handling Personal Data or financial data.  
(b) Audit reports are reviewed internally by the Compliance Officer. Summary findings may be shared with Users or regulators upon lawful request.  
(c) The Company maintains documented **Records of Processing Activities (ROPA)** and internal audit logs for accountability and regulatory inspection.  

10.3 **Incident Response & Breach Notification**  
(a) The Company maintains an **Incident Response Plan (IRP)** addressing detection, containment, recovery, and forensic investigation.  
(b) Breaches reportable under Indian law will be notified as follows:  
   - To **CERT-In** within **6 hours** of detection or awareness, as per CERT-In Directions (2022).  
   - To the **Data Protection Board of India** within **72 hours**, as required under the **DPDP Act, 2023**.  
(c) Affected Users will be notified where required under law, detailing:  
   - The nature and extent of the breach,  
   - Likely impact and affected data categories,  
   - Mitigation and remedial steps taken, and  
   - Recommended precautions for Users.  
(d) All breach records, incident reports, and regulator communications will be logged and preserved for a minimum of 12 months.  

10.4 **User Responsibilities**  
(a) Users must:  
   - Maintain secure login credentials and devices,  
   - Protect broker API keys and trading accounts,  
   - Use strong passwords and update them periodically,  
   - Enable two-factor authentication (2FA) where available.  
(b) The Company shall not be liable for unauthorised access, loss, or misuse arising from User negligence, device compromise, or insecure API handling, except where liability cannot be excluded by law.  

10.5 **Shared Responsibility Principle**  
Security responsibilities are shared between the Company and the User as follows:  
- The **Company** secures servers, databases, and transmission channels.  
- The **User** secures endpoints, login credentials, and connected broker or exchange APIs.  
This shared responsibility model ensures complete protection across the full transaction chain.  

10.6 **Vulnerability Disclosure**  
(a) Security researchers may responsibly disclose suspected vulnerabilities to **security@mindstocs.com**.  
(b) The Company shall acknowledge valid reports and remediate confirmed vulnerabilities promptly.  
(c) Researchers acting in good faith shall not face legal or penal action, provided they do not exploit, access, or publicly disclose issues before remediation.  

10.7 **Periodic Review & Continuous Improvement**  
(a) The Company’s Information Security and Compliance Teams conduct quarterly reviews of technical and organisational controls.  
(b) Security procedures are updated in response to new regulatory guidance, threat intelligence, or post-incident reviews.  
(c) Annual policy audits are performed to ensure continuous alignment with CERT-In, DPDP Act, and global security standards.  

10.8 **Retention of Security Logs**  
(a) Security and audit logs (including access, system, and event logs) are retained for a minimum of **180 days** in compliance with **CERT-In Directions (2022)**.  
(b) Logs are maintained in **tamper-proof and time-stamped formats** and may be retained longer where required for forensic, audit, or regulatory purposes.  
(c) Access to these logs is strictly restricted to authorised compliance personnel and external auditors, as necessary.


11. Automated Processing, DPIA & Profiling  


11.1 Automated Processing for Service Integrity  
The Company uses automated systems solely for operational security, compliance integrity, and platform stability, including:  
(a) Fraud detection and prevention (e.g., duplicate accounts, suspicious access patterns, bot activity),  
(b) Risk-based verification of User identity and documentation,  
(c) Abuse monitoring, API misuse detection, and account integrity checks,  
(d) System diagnostics, performance telemetry, and error-pattern detection for service optimisation.  

11.2 Transparency of Automated Decisions  
Where an automated rule or system-generated flag may materially affect a User’s access to Services (e.g., temporary account suspension for risk review), the User will be informed of:  
(a) The fact that an automated process was involved,  
(b) The general logic or policy basis (as permitted by law), and  
(c) Their right to request manual review under Clause 11.5.  

11.3 Data Protection Impact Assessments (DPIA)  
(a) High-risk or large-scale automated processing undergoes a documented **Data Protection Impact Assessment (DPIA)** before deployment.  
(b) DPIA reports form part of the Company’s Records of Processing Activities (ROPA).  
(c) DPIAs are shared with regulators or auditors only when legally mandated.  

11.4 Exclusions: No Commercial Profiling  
The Company does **not** use automated processing for:  
(a) Targeted behavioural advertising or marketing segmentation,  
(b) Credit scoring, lending, or insurance risk assessments,  
(c) Investment recommendations, algorithmic trading advice, or portfolio classification,  
(d) Any form of financial suitability or wealth profiling.  

11.5 User Right to Human Review  
(a) Users may request **manual review** of any automated decision that materially affects access to Services.  
(b) Such requests will be acknowledged within 48 hours and responded to within 15 business days.  
(c) A written explanation will be provided along with corrective action where applicable.  

11.6 Regulatory Clarification  
Automated risk-screening or identity checks performed by the Company are **internal controls only**.  
(a) MindStocs does **not** perform regulated AML/KYC screening or STR reporting.  
(b) All statutory AML/KYC obligations remain the responsibility of RBI-regulated payment intermediaries and their banking partners.  
(c) MindStocs cooperates with such entities only when legally required via written order.  

11.7 Algorithmic Accountability & Auditability  
(a) All material automated rules and algorithms are version-controlled and internally approved before deployment.  
(b) Logs of automated inputs, outputs, and triggers are retained for a minimum of one (1) year for audit, incident response, and dispute resolution.  
(c) Automated systems are periodically reviewed for fairness, accuracy, and compliance with the DPDP Act 2023.  


12. Cross-Border Transfers & Safeguards  


12.1 **Primary Data Storage**  
All primary collection, processing, and storage of Personal Data are performed on servers physically located within India.  
Cross-border transfers are permitted only in exceptional cases where required for service functionality, analytics, or sub-processor operations, and are governed strictly by the safeguards in this Clause.  

12.2 **Limited Cross-Border Transfers**  
Where cross-border transfers are unavoidable (e.g., hosting, analytics, or global integrations), such transfers shall:  
(a) **Be Lawful** – comply with the **Digital Personal Data Protection Act, 2023 (Section 16)**, **RBI/SEBI data handling guidelines**, and any **Central Government notifications specifying restricted jurisdictions**;  
(b) **Be Contractually Safeguarded** – take place under a written **Data Processing Agreement (DPA)** incorporating India-equivalent data protection, retention, and breach notification obligations; and  
(c) **Be Consent-Based** – where required by law, the User’s **specific and informed consent** will be obtained prior to any such transfer.  
Where cross-border processing is used, MindStocs continues to apply Indian law as the primary legal framework and will seek fresh consent whenever the scope or purpose of processing materially changes.  

12.3 **Sensitive Data Restrictions**  
The following categories of data shall **never be transferred or processed outside India**:  
(a) Aadhaar numbers, biometric identifiers, or UIDAI-linked information;  
(b) UPI PINs, payment card details, or raw financial credentials;  
(c) KYC/AML records or PAN-linked datasets, which shall be processed only through Indian servers or certified domestic vendors in compliance with RBI and FIU-IND standards.  

12.4 **Foreign Processor Obligations**  
Any foreign sub-processor engaged by MindStocs must:  
(a) Maintain contractual commitments equivalent to Indian data protection law;  
(b) Implement technical and organisational measures for confidentiality, encryption, and breach response;  
(c) Return or permanently delete all Personal Data upon service termination or completion; and  
(d) Cooperate in good faith with lawful audit or compliance verification requests from MindStocs or Indian authorities.  

12.5 **Transparency for Users**  
A summary of jurisdictions and processor categories involved in any cross-border data transfer shall be published in **Annexure A – Sub-Processor List** and updated periodically.  
Users may request the most recent version by contacting **privacy@mindstocs.com**.  

12.6 **Alignment with International Standards**  
For Users located in jurisdictions with stricter cross-border data transfer requirements (e.g., EU/UK), MindStocs may implement **Standard Contractual Clauses (SCCs)**, **Binding Corporate Rules (BCRs)**, or equivalent contractual mechanisms to enable lawful processing consistent with their national data protection frameworks.  

12.7 **Compliance Updates & Data Localization Priority**  
(a) MindStocs follows an **India-first data localization policy**, prioritising domestic storage and processing wherever technically and operationally feasible.  
(b) Upon any future notification by the **Government of India** specifying restricted jurisdictions under Section 16 of the DPDP Act, MindStocs will immediately:  
   - Cease or reroute transfers to affected countries, and  
   - Notify Users of any material impact on service continuity.  
(c) The Company shall review all cross-border data flows at least annually to ensure continued compliance with Indian law and applicable foreign data protection regimes.


13. Sub-Processors & Vendor Management  


13.1 Use of Sub-Processors  
The Company may engage third-party service providers (“Sub-Processors”) for limited and defined functions, including:  
(a) payment processing and billing infrastructure,  
(b) identity and document verification services (where applicable),  
(c) cloud hosting, database, and server security,  
(d) email, SMS, and notification delivery systems,  
(e) analytics, telemetry, and performance monitoring tools,  
(f) compliance, audit, and forensic support (when legally required).  

13.2 Vendor Due Diligence  
Each Sub-Processor is subject to a documented due-diligence and risk assessment that evaluates:  
(a) information-security controls and certifications,  
(b) compliance with the DPDP Act 2023, IT Act 2000, and CERT-In directives,  
(c) data-protection maturity, availability, and incident-response capability,  
(d) financial and operational reliability.  

13.3 Data Processing Agreements (DPA)  
All Sub-Processors are contractually bound by written DPAs requiring:  
(a) confidentiality and restricted data-access,  
(b) processing only under Company instructions,  
(c) implementation of technical and organisational safeguards equivalent to MindStocs,  
(d) prompt breach notification and cooperation with incident response,  
(e) verified deletion, destruction, or return of Personal Data upon termination,  
(f) prohibition on onward transfer without written consent.  
A current list of approved Sub-Processors is maintained in **Annexure A**.  

13.4 Accountability to Users  
MindStocs remains the Data Fiduciary and retains full responsibility for lawful and secure processing, even when data is handled by an authorised Sub-Processor.  

13.5 Transparency & Change Notifications  
(a) A functional-category list of active Sub-Processors (e.g., “payment gateway”, “hosting provider”) is published in Annexure A.  
(b) Users will be notified before any material change involving core payment, hosting, or identity vendors, unless law requires immediate action.  

13.6 User Acknowledgement  
By continuing to use the Services, the User consents to lawful processing by authorised Sub-Processors engaged under this clause.  
Independent services voluntarily connected by the User—such as broker platforms, VPS providers, or exchanges—are **not** Sub-Processors of MindStocs and are governed by their respective policies.  

13.7 Ongoing Monitoring & Review  
(a) Sub-Processors are reviewed at least once every 12 months for continued compliance.  
(b) High-risk vendors (e.g., hosting or payment partners) may be subject to ad-hoc audits or third-party attestations.  
(c) Vendors that fail required standards may be suspended or replaced; Users will be notified where such change impacts service continuity.  


14. User Rights & Exercise Procedure  


14.1 Data Principal Rights  
Subject to the Digital Personal Data Protection Act, 2023 (“DPDP Act”), Users (“Data Principals”) are entitled to the following rights:  
(a) Access – to receive a summary of Personal Data being processed, including purpose, categories, and third-party recipients.  
(b) Correction – to rectify incomplete, inaccurate, or outdated Personal Data.  
(c) Erasure – to request deletion of Personal Data no longer necessary for lawful purposes, subject to statutory retention obligations.  
(d) Portability – to obtain eligible Personal Data in a structured, machine-readable format (CSV/JSON/XML), where technically feasible.  
(e) Processing Restriction – to object where processing exceeds the lawful purpose or is based solely on legitimate interest.  
(f) Consent Withdrawal – to revoke consent for optional or marketing-related processing at any time without affecting prior lawful use.  
(g) Nomination – to appoint a nominee to exercise privacy rights in the event of death or incapacity.  
(h) Grievance Redressal – to escalate unresolved complaints through the procedure defined under Clause 2.7.  

14.2 Procedure to Exercise Rights  
(a) Requests must be submitted via email to privacy@mindstocs.com from the registered email ID.  
(b) Secondary identity verification (e.g., last 4 digits of PAN or recent transaction reference) may be required.  
(c) The Company may request additional verification to prevent unauthorised access.  
(d) Requests made by a nominee or authorised agent must include a valid authorisation letter or power of attorney with ID proof.  

14.3 Response Timelines  
(a) Acknowledgement within 48 hours.  
(b) Final response or status within 30 calendar days.  
(c) Extensions, if required due to technical or third-party dependency, will be communicated within the initial 30-day window.  
(d) Consent withdrawals related to marketing or optional services shall be executed within 5 business days.  

14.4 Valid Grounds for Refusal  
A request may be lawfully denied, delayed, or partially fulfilled where:  
(a) Statutory retention is required under tax, audit, accounting, or regulatory laws,  
(b) Disclosure would compromise investigations, litigation, or enforcement activity,  
(c) The request is manifestly unfounded, repetitive, abusive, or technically infeasible.  
Any refusal will include a written explanation citing the applicable legal basis.  

14.5 Fees for Excessive Requests  
The first valid request under each right is processed free of charge.  
A reasonable administrative fee may apply for repetitive, abusive, or disproportionate requests, in line with Section 12(7) of the DPDP Act.  

14.6 Request Logging & Audit  
(a) All access, correction, erasure, and portability requests are recorded in a Rights Request Register.  
(b) Records are retained for seven (7) years or the applicable statutory limitation period.  
(c) These records may be produced before the Data Protection Board of India (DPB) or competent legal authorities upon lawful demand.  

14.7 Escalation Path  
Unresolved issues may be escalated to:  
(a) The Data Protection Board of India (DPB),  
(b) Consumer Courts under the Consumer Protection Act 2019,  
(c) Any other statutory authority with lawful jurisdiction.  


15. No Financial Handling, No Restoration Fund, No Claim Processing


15.1 The Company does not manage, store, review, process, audit, or validate any trading capital, profit, loss, broker balance, or financial performance of Users.

15.2 The Platform does not operate any Restoration Fund, reimbursement program, payout mechanism, loss-coverage scheme, or claim-based settlement process of any kind.

15.3 The Company does not collect or request broker statements, portfolio screenshots, MT4/MT5 account history, or trade logs for the purpose of financial assessment, profit validation, or compensation.

15.4 All trading activity and financial consequences — including profit, loss, slippage, brokerage charges, and execution quality — remain solely between the User and their chosen broker.

15.5 No user shall have any right, entitlement, or legal claim for reimbursement, recovery, loss-sharing, or post-trade compensation from the Company under any circumstances.

15.6 Any clause in older versions of the Privacy Policy or Terms relating to “Restoration Fund”, “Claim Review”, “Compensation”, or “Forensic Audit” is withdrawn and no longer applicable.


16. Breach Notification & Incident Response  


16.1 **Regulatory Reporting**  
In the event of a confirmed or suspected Personal Data breach, MindStocs shall notify:  
(a) **CERT-In** within six (6) hours of detection, where the incident meets the thresholds under the CERT-In Directions (2022);  
(b) The **Data Protection Board of India** within seventy-two (72) hours of becoming aware of any breach that is likely to cause **significant harm** under the **Digital Personal Data Protection Act, 2023**; and  
(c) Other competent regulators (including RBI, SEBI, and Income Tax authorities) where the breach involves regulated financial or tax-sensitive data.

Note: MindStocs is not a Reporting Entity under the Prevention of Money Laundering Act, 2002 and therefore has no obligation to notify FIU-IND. Any notification duties rest solely with the payment gateway or its banking partners.

16.2 **User Notification**  
(a) Affected Users shall be notified **without undue delay** where the breach is reasonably likely to cause material or reputational harm.  
(b) Such notifications shall include:  
   - The nature, scope, and time of the breach;  
   - Categories of Personal Data affected;  
   - Likely consequences;  
   - Containment and mitigation measures taken;  
   - Recommended User actions (e.g., password reset, API key revocation); and  
   - Dedicated contact details for support or clarifications.  

16.3 **Incident Response Plan (IRP) & Testing**  
(a) The Company maintains a formal **Incident Response Plan (IRP)** covering:  
   - Detection and triage;  
   - Containment and isolation of affected systems;  
   - Forensic investigation and detailed logging;  
   - Evidence preservation and integrity verification;  
   - Coordination with hosting providers, Sub-Processors, and auditors; and  
   - Timely remediation and regulator reporting.  
(b) The IRP shall be **tested at least annually** through internal or third-party simulations, with corrective actions tracked to closure.  

16.4 **Root-Cause Analysis & Post-Incident Review**  
(a) Following closure of each notifiable incident, a formal **Root-Cause Analysis (RCA)** and **Post-Incident Review (PIR)** shall be conducted to document causes, lessons learned, and preventive actions.  
(b) The RCA/PIR report shall be retained for **a minimum of seven (7) years** or until completion of all regulatory audits, whichever is longer.  
(c) Material findings may be shared with CERT-In or the Data Protection Board of India upon lawful request.  

16.5 **Third-Party Breaches**  
Where a breach originates from a Sub-Processor or external service (e.g., payment gateway, hosting provider), MindStocs shall:  
(a) Require immediate written notification from the Sub-Processor;  
(b) Notify affected Users if their Personal Data is directly impacted; and  
(c) Coordinate in good faith with regulators, affected parties, and Sub-Processors to ensure timely containment and reporting.  

16.6 **Data-Preservation for Forensics**  
All system, application, and security logs relevant to a reportable incident shall be preserved for **not less than 180 days** from the date of incident detection, in compliance with the **CERT-In Directions (2022)** and other applicable law.  

16.7 **No Waiver of Rights**  
Nothing in this Clause limits or waives the User’s statutory right to seek redress, lodge complaints with regulators, or claim remedies for data breaches under applicable Indian law.


17. Children & Minors  


17.1 **Age Restriction**  
MindStocs Services are intended exclusively for individuals aged **18 years and above**, in full compliance with Section 9 of the **Digital Personal Data Protection Act, 2023 (DPDP Act)** and allied IT Rules.  

17.2 **Prohibition on Minor Accounts**  
(a) The Company does not knowingly collect or process Personal Data of individuals under the age of 18.  
(b) If the Company becomes aware that an account or data belongs to a minor, such account shall be **immediately suspended or terminated**, and all associated data shall be securely deleted, except where retention is legally mandated (e.g., for fraud investigation, regulatory compliance, or law enforcement purposes).  

17.3 **Age Verification Methods**  
(a) The Company employs **self-declaration** at the time of registration and may request supporting **KYC documents** such as PAN, voter ID, or passport for age verification, where legally required.  
(b) Verification logs shall be recorded and retained for audit and compliance evidence in accordance with Clause 8 (Data Retention).  

17.4 **Parental Consent (Exceptional Circumstances)**  
(a) MindStocs does not knowingly provide Services to minors.  
(b) In the event that the Company lawfully offers an educational or research-related product requiring access by minors, **verifiable parental or guardian consent** shall be obtained prior to activation.  
(c) Such consent shall require:  
   - A government-issued ID of the parent/guardian, and  
   - A signed or digitally verified consent form authorising the child’s use of the Service.  
(d) Parental consent records shall be securely retained for **a minimum of seven (7) years** or until the child attains the age of majority, whichever is longer.  

17.5 **Parental Responsibility**  
Parents or legal guardians who become aware that a minor has accessed the Services without proper consent must promptly contact **privacy@mindstocs.com** to request suspension and deletion of the account.  

17.6 **Prohibition on Tracking or Profiling of Minors**  
In accordance with Section 9(2) of the DPDP Act, MindStocs shall not:  
(a) Process or profile any data of children for advertising or behavioural tracking;  
(b) Undertake any targeted or personalised marketing based on minor data; or  
(c) Transfer or share such data with third parties except as required by law.  

17.7 **No Child-Specific Marketing**  
MindStocs does not market, promote, or distribute services aimed at children or minors and does not knowingly use children’s data for advertising, profiling, or analytics.  

17.8 **Compliance Statement**  
This Clause satisfies the Company’s obligations under the **Digital Personal Data Protection Act, 2023**, **Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011**, and the **Supreme Court of India (Aadhaar & Privacy) Judgments (2017–2018)** regarding protection of minors’ personal information.


18. Marketing & User Consent

18.1 Opt-In Requirement  
MindStocs shall send marketing, promotional, or educational communications (including newsletters, offers, referral information, and product updates) only where the User has explicitly opted in through email confirmation, web consent settings, or platform-based consent forms, in accordance with Section 7 of the Digital Personal Data Protection Act, 2023 (DPDP Act).

18.2 Granular Consent  
Where feasible, Users shall be provided with granular selection options (e.g., newsletters, software updates, promotional offers), enabling selective opt-in or opt-out for specific communication categories.

18.3 Right to Withdraw Consent  
Users may withdraw their marketing consent at any time by:  
(a) clicking the “unsubscribe” link in emails,  
(b) modifying communication preferences in their dashboard, or  
(c) emailing privacy@mindstocs.com from their registered email ID.

18.4 Effect of Withdrawal  
Withdrawal of marketing consent will immediately stop all non-transactional communications. Such withdrawal will not:  
(a) affect access to paid Services, or  
(b) stop essential operational messages (policy updates, billing, OTP, alerts, or compliance notices).

18.5 Third-Party Processors  
Any third-party vendor used for marketing (email, SMS, CRM platforms) acts strictly as a Data Processor under a written Data Processing Agreement (DPA), ensuring confidentiality, lawful processing, and compliance with this Policy and the DPDP Act.

18.6 Cross-Border Tools  
If international marketing tools or cloud services are used, all transfers shall comply with Clause 12 (Cross-Border Transfers), including contractual safeguards and consent (where applicable).

18.7 Mandatory Service Notices  
System alerts, policy updates, security warnings, and billing confirmations are service notifications, not marketing. These will continue regardless of marketing consent status because they are required for contract performance and regulatory compliance.

18.8 Mandatory Marketing Disclaimer  
All marketing and promotional communications, irrespective of channel, shall prominently include the following disclaimer verbatim:

"MindStocs provides software access only and is not registered with SEBI, RBI, IRDAI, or any financial regulator. The Company does not offer investment advice, profit guarantees, capital protection, payouts, deposits, or any regulated financial product. All trading activity is fully at the User’s own risk. No employee, reseller, or third party is authorised to promise returns, fixed income, or guaranteed profits on behalf of the Company."

(a) This disclaimer must appear clearly in all communication channels including banners, brochures, ads, social media, WhatsApp, presentations, sales calls, and emails.  
(b) The use of terms such as “guaranteed”, “fixed returns”, “assured profits”, “double income”, “risk-free earnings”, or similar expressions is strictly prohibited.  
(c) All marketing content must remain consistent with the Final Consolidated Disclaimer (Clause 52, Terms & Conditions).

18.9 Consent Records & Audit Trail  
(a) The Company shall maintain verifiable logs of all marketing opt-ins, opt-outs, timestamps, source of consent, and withdrawn consents.  
(b) Such records shall be securely retained for a minimum of 7 years or until withdrawn, whichever is later.  
(c) Annual audits shall be conducted to ensure compliance with the DPDP Act, Consumer Advertising Rules, and SEBI/RBI anti-misleading norms.


19. Refunds & Data Retention


19.1 Non-Refundable Services  
All payments made for MindStocs Services are strictly non-refundable once the software access has been activated, except where:  
(a) the Company fails to activate access within seven (7) Business Days (excluding weekends and holidays) of receiving all required user details;  
(b) a verified permanent technical failure prevents service delivery; or  
(c) a refund is expressly required under the Consumer Protection Act, 2019 or any other mandatory Indian law.

No refund shall be issued for reasons related to market performance, trading results, profit expectations, user dissatisfaction, or withdrawal of interest after activation, as MindStocs provides software access only and does not offer investment, advisory, or return-based services.

19.2 Refund Method & Timeline  
(a) Approved refunds will be processed only to the original payment method used for the transaction.  
(b) Refunds are executed exclusively via RBI-regulated PCI-DSS compliant gateways (e.g., Razorpay).  
(c) Standard processing time is 7–14 Business Days, subject to banking and gateway settlement cycles.  
(d) Refunds may be delayed if additional verification or fraud review is required.

19.3 Anti-Fraud Verification  
(a) The Company may conduct KYC, payment traceability, and AML checks prior to refund approval.  
(b) Refunds suspected to involve unauthorised or fraudulent transactions may be withheld, reversed, or reported to competent authorities including FIU-IND, RBI, or law enforcement.

19.4 Refund Exclusions  
Refunds shall not apply to:  
(a) activated or partially used subscriptions;  
(b) expired billing cycles or renewed plans;  
(c) user error, negligence, or failure to follow instructions;  
(d) performance-based complaints or market losses;  
(e) violations of the Terms & Conditions or misuse of Services.

19.5 Data Retention for Financial Compliance  
(a) All transaction logs, invoices, payment confirmations, and refund records shall be retained for a minimum of seven (7) years in compliance with Income Tax, GST, and audit laws.  
(b) Financial identifiers such as PAN, masked bank details, or payment reference IDs shall be maintained in encrypted or tokenised form.  
(c) Refund-related data shall not be used for marketing, profiling, or analytics.  
(d) Secure deletion or archival shall occur after expiry of the statutory retention period, as per Clause 8 (Data Retention).

19.6 Dispute Redressal  
Refund-related grievances shall follow the escalation structure in Clause 2 (Grievance Redressal).  
If unresolved, Users may escalate to:  
(a) Razorpay or issuing bank,  
(b) Consumer Courts under the Consumer Protection Act, 2019, or  
(c) the RBI Ombudsman Scheme for Digital Transactions (2021).

19.7 Audit & Regulatory Access  
Refund logs and related compliance records may be disclosed to regulators, auditors, or statutory authorities upon lawful written request. The Company shall maintain full audit trails for a minimum of seven (7) years.


20. Shipping & Delivery of Services


20.1 Nature of Services  
MindStocs provides exclusively digital products and services, including but not limited to algorithmic trading software, dashboards, APIs, indicators, VPS access, and other related digital tools. No physical goods are shipped or delivered. All Services are rendered electronically through secure digital channels.  
MindStocs provides software access only and does not offer investment, advisory, profit-sharing, capital handling, or any regulated financial product.

20.2 Service Activation Timelines  
(a) Standard Activation: Access credentials or licenses are typically provisioned within 24–48 hours of confirmed payment through RBI-regulated, PCI-DSS compliant gateways (e.g., Razorpay).  
(b) Compliance Delays: Where KYC or verification checks are required, activation may take additional time. Users will be notified via their registered email.  
(c) Delivery Definition: Digital delivery is deemed complete once login credentials, activation keys, or platform access permissions are issued to the User’s registered email or dashboard.

20.3 Proof of Delivery & Audit Trail  
(a) System-generated logs maintained by MindStocs — including timestamped payment confirmations, license issuance, login records, or API token generation — shall constitute conclusive proof of service delivery.  
(b) All timestamps follow Indian Standard Time (IST).  
(c) Users may request delivery proof within 15 days of purchase.

20.4 Non-Delivery or Access Issues  
(a) If access credentials are not received within the defined timeline, Users must email support@mindstocs.com with payment proof.  
(b) The Company will investigate and respond within seven (7) Business Days (excluding weekends and holidays).  
(c) If the issue cannot be rectified due to technical or regulatory constraints, the Company’s sole liability is limited to refund processing under Clause 19.

20.5 Exclusions & Third-Party Dependencies  
MindStocs is not liable for delays or failures caused by:  
(a) payment gateway or banking delays,  
(b) internet/DNS/hosting outages,  
(c) broker, API, or exchange downtime,  
(d) user device or email configuration issues, or  
(e) failures of third-party services not controlled by the Company.  
The Company may assist but holds no liability for external disruptions.

20.6 Technical Force Majeure  
Temporary delays due to maintenance, cyberattacks, hosting failures, or external system outages do not constitute breach of contract. The Company will attempt to restore services and notify Users where feasible.

20.7 Acknowledgement  
By subscribing, Users acknowledge that:  
(a) delivery is purely digital and complete upon access issuance,  
(b) delays outside MindStocs’ control do not equal non-performance, and  
(c) all delivery-related disputes are governed by Clause 40 (Governing Law & Dispute Resolution) of the Terms & Conditions.


21. Grievance Redressal & Escalation


21.1 Grievance Officer  
In compliance with the Information Technology Act, 2000, the Consumer Protection (E-Commerce) Rules, 2020, and the Digital Personal Data Protection Act, 2023, MindStocs has appointed the following officer for grievance redressal and regulatory liaison:

Name / Designation: Head – Compliance & Grievance Cell (Acting Grievance Officer)  
Email: privacy@mindstocs.com  
Phone: +91 9021008698  
Address: 1452 Majgoan Tambalgothan, Sawantwadi, Sindhudurg, Maharashtra – 416510  
Working Hours: Monday to Saturday, 10:00 AM – 6:00 PM IST

This Clause 21 serves as the Master Grievance Clause governing all complaints related to MindStocs software, dashboards, APIs, subscriptions, refunds, and data privacy matters.

21.2 Modes of Submission  
Grievances may be lodged via:  
(a) Email to privacy@mindstocs.com  
(b) Support ticket or in-app/web form  
(c) Physical postal submission to the above address

21.3 Acknowledgement & Resolution Timelines  
(a) Acknowledgement within 48 hours  
(b) Resolution or status update within 30 days  
(c) Extensions permitted for complex cases with written justification

21.4 Escalation Pathways  
If unresolved, Users may escalate to:  
(a) Data Protection Board of India – privacy and DPDP matters  
(b) Consumer Courts – disputes under the Consumer Protection Act, 2019  
(c) Razorpay and thereafter the RBI Ombudsman Scheme – payment disputes

21.5 Regulatory Scope Clarification  
MindStocs operates solely as a software and technology service provider.  
MindStocs provides software access only and is not registered with SEBI, RBI, IRDAI, MCA, or FIU-IND.  
Only grievances directly related to MindStocs’ software, digital services, or data processing will be handled under this policy.

21.6 User Cooperation  
Users must provide accurate details, including transaction IDs and supporting documents, to enable investigation.

21.7 Record-Keeping & Audit  
All grievance records are logged, timestamped, and retained for a minimum of seven (7) years for audit and regulatory inspection.

21.8 Good Faith Resolution Obligation  
Both parties agree to attempt internal resolution in good faith before proceeding to arbitration or litigation as per Clause 40 of the Terms & Conditions.


22. Policy Updates


22.1 Notification of Changes  
The Company reserves the right to amend, update, or revise this Privacy Policy at any time to reflect:
(a) changes in applicable laws or regulatory guidance;  
(b) enhancements in data protection or cybersecurity standards; or  
(c) modifications in operational or business practices.

(a) Material Changes:  
Material revisions that alter how Personal Data is collected, used, or shared will be notified to all registered Users via:  
   • Email to the registered address, and  
   • Prominent notice on the official MindStocs Platform.

(b) Notice Period:  
Where feasible, Users will receive at least seven (7) days’ prior notice before material changes take effect, except where immediate updates are required by law, regulator instruction, or urgent cybersecurity reasons.

(c) Immediate Effect:  
In cases of regulatory mandate or urgent data security updates, changes shall take immediate effect upon publication, with retrospective notification provided within a reasonable period.

(d) The revised Effective Date will always be displayed at the top of this Policy, and all prior versions will be archived internally.

22.2 Renewed Consent Requirement  
If an update introduces a new category of Personal Data processing, modifies the lawful basis, or adds new marketing purposes, the Company shall:  
(a) seek fresh, explicit consent from affected Users; and  
(b) document such consent in accordance with Clause 5.4 (Consent Records).

22.3 Archival of Previous Versions  
(a) Historical versions of this Policy shall be retained internally for a minimum of seven (7) years for audit and regulatory reference.  
(b) Upon written request, Users may obtain a copy of the version that applied at the time of their original transaction or subscription.

22.4 Binding Effect  
(a) Continued use of any MindStocs Service after publication of an updated Policy constitutes acknowledgment and acceptance of the revised terms.  
(b) All disputes relating to such updates shall be governed by Clause 40 (Governing Law & Dispute Resolution).  
(c) MindStocs provides software access only and is not registered with SEBI, RBI, IRDAI, or any financial regulator. Policy updates do not convert the Service into an investment, advisory, or regulated product.


23. Contact & Escalation


23.1 Privacy & Grievance Matters  
For all privacy-related inquiries, grievances, or exercise of rights under the Digital Personal Data Protection Act, 2023, Users may contact the designated privacy team:

Email: privacy@mindstocs.com  
Phone: +91 9021008698  
Address: 1452 Majgoan Tambalgothan, Sawantwadi, Sindhudurg, Maharashtra – 416510  
Working Hours: Monday–Saturday, 10:00 AM – 6:00 PM IST  

All communications must be sent from the User’s registered email ID and should include relevant identifiers (e.g., transaction reference, registered contact number) for verification.

23.2 General Support, Technical Assistance & Refunds  
For service-related queries, access issues, or refund requests, Users may contact:  
Email: support@mindstocs.com  

All refund and technical requests will be handled in accordance with Clause 19 (Refunds & Data Retention) and Clause 20 (Shipping & Delivery of Services).

23.3 Escalation Mechanisms  
If the User does not receive a satisfactory response within the timelines specified under Clause 21 (Grievance Redressal), escalation may be made as follows:  
(a) Data Protection Matters – Data Protection Board of India, after exhausting internal process.  
(b) Consumer / Service Matters – Consumer Dispute Redressal Commissions under the Consumer Protection Act, 2019.  
(c) Payment-Related Issues – Razorpay grievance process, then RBI Ombudsman Scheme for Digital Transactions (2021).

23.4 Exclusions  
(a) MindStocs operates solely as a software and technology service provider.  
(b) MindStocs is not registered with SEBI, RBI, IRDAI, or FIU-IND. The Company does not offer investment advice, portfolio management, deposits, capital protection, or any regulated financial product.

23.5 Official Communication Channels  
(a) Users must rely only on communication channels hosted under verified Company domains (e.g., @mindstocs.com, www.mindstocs.com).  
(b) The Company is not responsible for communications sent through unauthorised WhatsApp numbers, Telegram groups, or social media accounts.  
(c) Suspected phishing or impersonation attempts must be reported to security@mindstocs.com.

23.6 Response Expectation Disclaimer  
All grievance and escalation responses are dependent on receipt of complete, verifiable information from the User. Incomplete or unverifiable submissions may delay timelines under Clause 21.3 until verification is completed.


24. Regulatory Compliance Declarations


24.1 Digital Personal Data Protection Act (DPDP), 2023  
This Privacy Policy is structured in full compliance with the Digital Personal Data Protection Act, 2023, including lawful purpose, consent, minimisation, retention, breach notification, user rights, and grievance redressal obligations. MindStocs maintains internal Records of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIA) for high-risk processing, accessible to regulators upon lawful request.

24.2 Information Technology Act, 2000 & IT Rules, 2011  
MindStocs implements “reasonable security practices” under Rule 8 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including encryption, access control, periodic security testing, and incident response. A statutory grievance mechanism is maintained in compliance with Rule 5(9).

24.3 Consumer Protection (E-Commerce) Rules, 2020  
MindStocs maintains transparent, pre-disclosed policies covering refunds, digital delivery, pricing, and grievance handling in accordance with the Consumer Protection (E-Commerce) Rules, 2020.

24.4 CERT-In Cybersecurity Directions, 2022  
The Company complies with CERT-In Directions, 2022, including:  
(a) 180-day log retention for all network and application systems,  
(b) breach reporting within six (6) hours,  
(c) cooperation with CERT-In investigations, and  
(d) maintaining an incident response plan and audit trail.

24.5 RBI Compliance via Regulated Payment Gateways  
All payments for MindStocs Services are processed exclusively through RBI-regulated Payment System Operators (e.g., Razorpay) under the Payment and Settlement Systems Act, 2007.  
(a) MindStocs does not store or process card numbers, CVV, UPI PINs, or similar credentials.  
(b) Razorpay and its banking partners are responsible for KYC/AML screening and Suspicious Transaction Report (STR) filings with FIU-IND.  
(c) Gateway compliance certificates are reviewed annually.

24.6 Regulatory Exclusions & Scope Clarification  
MindStocs operates solely as a software and technology service provider. It is not registered with SEBI, RBI, IRDAI, or FIU-IND.  
MindStocs provides no investment advice, portfolio management, capital protection, deposits, insurance, or any regulated financial product. All trading activity is at the User’s own risk.

24.7 Audit Readiness & Documentation  
MindStocs maintains audit-ready documentation including:  
(a) Records of Processing Activities (ROPA),  
(b) Data Protection Impact Assessments (DPIA),  
(c) Vendor Risk Assessments for all Sub-Processors,  
(d) Cybersecurity audit logs retained for a minimum of seven (7) years.

24.8 Voluntary Regulatory Cooperation  
Although not a regulated financial intermediary, MindStocs cooperates in good faith with competent Indian authorities such as CERT-In, FIU-IND, RBI, or Consumer Protection Councils when provided with lawful written requests.


25. Acknowledgement & User Consent


25.1 User Declaration  
By accessing or using any MindStocs Service, the User expressly acknowledges and agrees that:  
(a) They have read, understood, and accepted this Privacy Policy in its entirety.  
(b) They voluntarily consent to the lawful processing of their Personal Data for service delivery, payment reconciliation, GST/TDS compliance, statutory record-keeping, fraud prevention, and security monitoring purposes.  
(c) They understand and accept that MindStocs is a software and technology service provider only, not a regulated financial intermediary, and does not provide investment advice, portfolio management, deposit-taking, or guaranteed returns.  
(d) They acknowledge and agree that certain records—such as invoices, tax data, and payment logs—may be retained for legally mandated periods even after account closure or termination of Services.  
(e) They understand that optional or value-added features (e.g., newsletters, marketing updates, third-party integrations) are enabled only through separate, explicit consent, which may be withdrawn at any time without affecting core Service access.  
(f) Where the Data Principal is deceased or legally incapacitated, consent or withdrawal may be exercised by a lawful nominee or representative in accordance with applicable law.

25.2 Consent Standards  
Consent obtained under this Policy complies with Section 6 of the Digital Personal Data Protection Act, 2023, and must be:  
(a) Free, specific, informed, unconditional, and unambiguous;  
(b) Given through a clear affirmative action, such as clicking “I Agree” or selecting an on-screen checkbox;  
(c) Documented in verifiable consent logs showing when, how, and for what purpose consent or withdrawal occurred; and  
(d) Retrievable and auditable for inspection by the Data Protection Board of India or any competent authority upon lawful request.

25.3 Consent Withdrawal  
(a) Users may withdraw consent directly from their account dashboard (where enabled) or by emailing privacy@mindstocs.com from their registered address.  
(b) All withdrawals are logged and acknowledged automatically.  
(c) Withdrawal does not affect the legality of prior processing.  
(d) Withdrawal does not override statutory retention requirements for tax, accounting, or dispute-related records.  
(e) Valid withdrawals will be implemented within seven (7) business days.  
(f) Certain optional features or integrations may become unavailable after withdrawal.

25.4 Binding Effect  
(a) Continued access to or use of MindStocs Services after publication or update constitutes binding acceptance of this Policy and its lawful amendments under Clause 22 (Policy Updates).  
(b) Refusal or non-acceptance of this Policy may limit or terminate Service access in accordance with the Terms & Conditions.  
(c) This acknowledgement is a legally valid electronic record under Section 65-B of the Indian Evidence Act, 1872, and the Information Technology Act, 2000.


26. Annexures & Documentation  


26.1 Annexure A – Sub-Processor List  
A current list of authorised third-party service providers (“Sub-Processors”) — including payment gateways, cloud hosting providers, communication platforms, and security vendors — is maintained on the official MindStocs website.  
• The list is reviewed and updated quarterly or upon any material change.  
• Material changes (such as addition or replacement of a Sub-Processor) will be notified to Users at least seven (7) days in advance, unless urgent continuity or security requirements require immediate deployment.  
• Archived versions of Annexure A are retained internally for a minimum of seven (7) years for audit and regulatory inspection.

26.2 Annexure B – Data Processing Agreement (DPA) Template  
MindStocs maintains a standard Data Processing Agreement (DPA) governing confidentiality, data-handling standards, and compliance obligations for all Sub-Processors.  
• A regulator-ready version may be furnished upon lawful written request.  
• A redacted summary may be shared with Users upon verified written request, subject to confidentiality controls.  
• No Sub-Processor is permitted to access Personal Data until the DPA is fully executed.

26.3 Annexure C – Breach Notification Templates & Procedures  
Standardised templates for regulatory and User notifications in the event of a data breach are maintained in accordance with the CERT-In Directions (2022) and the DPDP Act (2023).  
• Templates include regulator alerts, User communication formats, and post-incident reporting structures.  
• These may be shared with competent authorities without delay upon lawful request.  
• Where a breach is notifiable, a summary disclosure may be issued to Users without exposing sensitive technical or security details.

26.4 Annexure D – User Rights Request Forms  
Standardised forms for exercising Data Principal rights (access, correction, erasure, portability, consent withdrawal) are available:  
(a) on the official website, or  
(b) upon request via privacy@mindstocs.com.  
Each request is logged with a unique reference ID and retained in accordance with statutory retention obligations.

26.5 Annexure E – Service Usage & Account Records  
Summaries of User account activity (including subscription history, support logs, and system-generated platform access records) are maintained strictly for compliance, audit, and dispute-resolution purposes.  
• These records are not used for advertising, profiling, or commercial resale.  
• Access is restricted to authorised compliance and security personnel.  
• Disclosure to regulators or lawful authorities may occur only upon written legal mandate.

26.6 Periodic Review, Version Control & Confidentiality  
(a) All Annexures undergo periodic review at least once every twelve (12) months to ensure accuracy and legal compliance.  
(b) Each revision is version-controlled with a revision ID and effective date.  
(c) Certain Annexures (e.g., audit templates, internal security matrices) may contain proprietary or confidential information and will only be shared under lawful regulatory compulsion.  
(d) The latest publicly accessible Annexures are published on the Company’s official website or made available upon written request to the Data Protection Officer.


27. Cookies & Tracking Technologies  


27.1 **Essential Cookies**  
MindStocs uses essential cookies that are strictly necessary for the operation of its digital services, including:  
(a) Authentication and login sessions;  
(b) Load balancing and performance optimisation;  
(c) Security verification, bot prevention, and fraud detection.  
These essential cookies are mandatory for platform functionality and cannot be disabled by the User.  

27.2 **Security & Monitoring Cookies**  
For system integrity, cybersecurity compliance, and fraud prevention, certain cookies and tracking tools are used to:  
(a) Monitor suspicious logins, device fingerprints, and API activity;  
(b) Detect anomalies, credential stuffing, and session hijacking attempts;  
(c) Log device/browser metadata for audit and incident-response purposes.  
Such data is processed under **legitimate interest and statutory cybersecurity obligations**, and remains pseudonymised, access-controlled, and time-bound.  

27.3 **Analytics & Performance Cookies**  
Analytics and performance cookies are deployed **only upon explicit, informed User consent** via the on-screen cookie banner or preference dashboard.  
- These cookies collect aggregated, anonymised usage metrics to improve dashboard performance and user experience.  
- No personally identifiable information is collected unless voluntarily submitted by the User (e.g., login events).  
- IP addresses and device identifiers are truncated or anonymised wherever technically feasible.  

27.4 **User Control**  
(a) Users may withdraw consent or modify cookie preferences at any time via:  
   - Browser or device settings; or  
   - The MindStocs cookie preference panel, where available.  
(b) Withdrawal does not affect lawful processing already completed but will immediately disable all non-essential cookies.  
(c) Essential cookies will remain active as they are required for contractual performance and platform security.  

27.5 **Retention of Cookie Data**  
Analytics and telemetry derived from cookies are retained for a maximum of **twelve (12) months**, unless longer retention is required for verified cybersecurity investigations.  
Upon expiry, such data is permanently **anonymised or securely deleted** in accordance with Clause 8 (Data Retention).  

27.6 **Data Location & Processing**  
All cookie-derived analytics and telemetry data are stored within **India-based or DPIIT-compliant cloud infrastructure**.  
Where cross-border processing is required (e.g., international analytics tools), transfers shall be governed by a **Data Processing Agreement (DPA)** and safeguards under Clause 12 (Cross-Border Transfers).  

27.7 **No Advertising or Behavioural Tracking Cookies**  
MindStocs does **not** use advertising, behavioural targeting, remarketing, or third-party ad network cookies.  
Cookie data is never sold, leased, monetised, or shared with advertisers or data brokers.  

27.8 **Consent Records & Audit Logs**  
(a) All cookie consent actions (grant, withdrawal, modification) are **timestamped, encrypted, and logged** for regulatory audit under Section 10 of the DPDP Act.  
(b) These records are retained for **seven (7) years** or until completion of lawful audits.  
(c) Anonymised summaries of consent logs may be disclosed to competent authorities upon lawful written request.  

27.9 **Cookie Banner & Preference Management**  
MindStocs displays a compliant cookie banner providing clear options to:  
- Accept all cookies,  
- Reject non-essential cookies, or  
- Customise preferences.  
Users may withdraw consent **with equal ease** through the same interface or by contacting **privacy@mindstocs.com**.  


28. Breach Liability of Third-Party Processors  


28.1 **Allocation of Risk**  
Where a Personal Data breach or security incident originates from third-party service providers (including but not limited to payment gateways, brokers, hosting/cloud vendors, certified KYC vendors, or forensic auditors), **primary liability** for such breach shall rest solely with the respective processor, in line with its contractual, statutory, and regulatory obligations.  
All such processors operate under a written **Data Processing Agreement (DPA)** imposing strict breach notification, security, indemnity, and compliance obligations pursuant to the **Digital Personal Data Protection Act, 2023** and **CERT-In Directions, 2022**.  

28.2 **Company Responsibility**  
MindStocs remains accountable as the Data Fiduciary for conducting due diligence and enforcing contractual safeguards.  
However, MindStocs shall not be held liable for any third-party processor’s **independent act of negligence, misconduct, data leak, fraud, or regulatory non-compliance**, provided:  
(a) reasonable due diligence was conducted before appointment, and  
(b) no known compliance deficiency was wilfully ignored.  
MindStocs’ liability is restricted only to failure of due diligence or deliberate negligence in vendor oversight.  

28.3 **Indemnity & Right of Recovery**  
Each processor shall **indemnify and hold MindStocs harmless** against all penalties, damages, investigations, claims, or remediation costs arising from the processor’s breach or non-compliance.  
MindStocs reserves full legal and contractual rights to **seek recovery, compulsory audit, suspension, or termination** of the responsible processor.  

28.4 **Regulatory Cooperation & Documentation**  
(a) MindStocs will cooperate with regulators, affected Users, and the responsible processor to ensure timely mitigation, evidence preservation, and statutory reporting.  
(b) All breach-related logs, notices, reports, and correspondence shall be retained for **seven (7) years** for audit and inspection, in accordance with Clause 10 (Security Controls) and CERT-In requirements.  

28.5 **User Notification**  
If a processor-originated breach materially affects Users, MindStocs shall notify affected Users **promptly after receiving verified information** from the processor.  
The notification shall specify:  
(a) identity or category of the responsible processor,  
(b) type and scope of impacted data,  
(c) containment and corrective actions, and  
(d) the extent of MindStocs’ and the processor’s respective responsibilities.  

28.6 **No Waiver of Statutory Obligations**  
This Clause does not exempt MindStocs from statutory duties under the DPDP Act.  
MindStocs remains responsible for:  
- due diligence before onboarding processors,  
- enforcing DPA safeguards,  
- breach reporting to CERT-In and the Data Protection Board (where applicable), and  
- ensuring lawful cooperation with regulators.  


29. Force Majeure – Data & Service Risks Beyond Control  


29.1 **Events Beyond Control**  
MindStocs shall not be liable for any delay, interruption, suspension, or failure in data processing, security, or service delivery arising from circumstances beyond its reasonable control, including but not limited to:  
(a) Natural disasters (fire, flood, earthquake, cyclone, pandemic, epidemic),  
(b) Power grid failure, data centre outage, large-scale ISP or DNS failure,  
(c) Cyberattacks, ransomware, zero-day exploits, data corruption, or distributed denial-of-service (DDoS) events,  
(d) Strikes, labour disruption, or industrial shutdown,  
(e) Third-party platform failures (payment gateways, brokers, cloud providers, API networks),  
(f) Government orders, judicial injunctions, embargoes, or law-enforcement seizure,  
(g) Legislative, export-control, or policy changes affecting cross-border data, encryption, financial transactions, or hosting infrastructure.  

29.2 **Mitigation Efforts**  
Upon invocation of force majeure, MindStocs shall undertake commercially reasonable actions to:  
(a) contain and limit impact,  
(b) preserve confidentiality, integrity, and availability of data,  
(c) activate Business Continuity & Disaster Recovery (BCDR) protocols,  
(d) restore affected systems in priority order based on user risk and regulatory impact.  

29.3 **Impact on Data Processing**  
During a force majeure event, certain processing functions (account access, refunds, API sync, audit logs, grievance turnaround, etc.) may be delayed or temporarily disabled.  
However, the following obligations remain fully enforceable:  
(a) secure storage and encryption of existing data,  
(b) statutory regulator disclosures,  
(c) breach notifications under the **DPDP Act, 2023** and **CERT-In Directions, 2022**.  

29.4 **User Notification**  
Where operationally feasible, affected Users will be notified through:  
- Platform-wide banner or dashboard alert,  
- Email or SMS to registered contact details.  
Messages will include disruption scope, expected restoration window, and any User-side recommended actions.  

29.5 **Regulatory Cooperation**  
If a force majeure event results in or overlaps with a data breach, financial system impact, or service outage of regulatory relevance, MindStocs shall:  
(a) notify CERT-In within the statutory 6-hour window (where applicable),  
(b) notify the Data Protection Board of India within 72 hours if “significant harm” is likely,  
(c) coordinate with SEBI, RBI, FIU-IND, or other competent authorities if required,  
(d) retain full incident logs, forensic artefacts, and correspondence for **seven (7) years**.  

29.6 **Duration of Suspension**  
Relief from performance applies **only for the duration of the force majeure condition** and solely to the extent performance is impossible or unlawful. Obligations resume automatically once conditions cease.  

29.7 **No Waiver of Law**  
Force majeure **does not suspend or waive** statutory duties relating to:  
- breach notification,  
- lawful regulator cooperation,  
- minimum security controls required under the DPDP Act, IT Act, or CERT-In.  

29.8 **Cross-Reference to Terms & Conditions**  
The master Force Majeure clause in **Clause 32 of the Terms & Conditions** applies **mutatis mutandis**.  
In case of conflict, the force majeure clause under the Terms & Conditions prevails.  


30. Limitation of Liability for Data & Privacy  


30.1 **Scope of Liability**  
Except where expressly mandated by applicable law, the maximum aggregate liability of MindStocs for any proven data breach, privacy violation, or failure of security safeguards shall not exceed the total **Service Access Fees actually paid by the User in the twelve (12) months** preceding the event giving rise to the claim.  
This limitation applies to all causes of action — contract, tort (including negligence), statutory breach, or otherwise.

30.2 **Exclusions from Liability**  
MindStocs shall not be liable for:  
(a) Losses caused by User negligence, including insecure devices, shared credentials, phishing, or unauthorised disclosure of API or broker keys;  
(b) Incidents, outages, or breaches occurring at independent third-party platforms (brokers, exchanges, cloud/VPS providers, payment gateways) outside the Company’s direct control;  
(c) Indirect, incidental, punitive, exemplary, consequential, or speculative losses, including lost profits, business interruption, missed trades, or opportunity costs;  
(d) Lawful disclosures made pursuant to court order, regulator direction, or statutory requirement under Indian law;  
(e) Delays, failures, or interruptions attributable to force majeure events under Clause 29.

30.3 **Non-Excludable Liability (Mandatory Carve-Outs)**  
Nothing in this Clause limits or excludes liability where such exclusion is prohibited by law, including:  
(a) Fraud, wilful misconduct, or gross negligence of the Company;  
(b) Death or personal injury caused by proven Company negligence;  
(c) Statutory compensation expressly required under the **DPDP Act, 2023**, or **Section 43A of the Information Technology Act, 2000**;  
(d) Failure to implement “reasonable security practices” as required under Rule 8 of the IT (SPDI) Rules, 2011.

30.4 **Third-Party Processor Breaches**  
Where a breach originates from a third-party processor, MindStocs’ liability shall be limited strictly to cases where it:  
(a) failed to perform reasonable due diligence before onboarding the processor, or  
(b) knowingly ignored documented compliance deficiencies.  
If contractual, technical, and organisational safeguards were fully implemented, no further liability shall arise.

30.5 **User Responsibility**  
Users retain full responsibility for:  
(a) all trading and financial decisions made using the software,  
(b) securing their own API keys, broker credentials, and devices,  
(c) meeting their own legal, tax, and regulatory obligations.  
No claim may be made against MindStocs for trading losses, tax liabilities, or market exposure.

30.6 **Per-Claim Cap Clarification**  
The liability cap in Clause 30.1 applies **per individual User, per incident**.  
Liability shall not be aggregated across:  
- multiple Users,  
- multiple Services, or  
- multiple events or financial years.  
The total exposure to all Users collectively shall not exceed the total value of Service Access Fees received in the relevant financial year.

30.7 **Compliance Defence**  
MindStocs shall not be liable where it demonstrates that:  
(a) reasonable security measures and statutory safeguards were in place,  
(b) processing was lawful, necessary, and proportionate under the DPDP Act,  
(c) the event arose from factors beyond the Company’s direct operational control.  
Documented audit reports, DPIA outputs, or third-party certifications shall constitute a valid legal defence.


31. Audit, Records & Compliance Documentation  


31.1 **Regulatory Record-Keeping**  
MindStocs maintains complete and auditable records of transactions, KYC submissions, access logs, grievance trails, and data-processing activities in compliance with:  
(a) the **Digital Personal Data Protection Act, 2023**,  
(b) the **Information Technology Act, 2000** and IT (SPDI) Rules, 2011,  
(c) the **Consumer Protection Act, 2019** and **E-Commerce Rules, 2020**, and  
(d) the **Income Tax Act**, **GST Act**, and other applicable financial/tax regulations.  

31.2 **Records of Processing Activities (ROPA)**  
The Company maintains a statutory **ROPA register** containing:  
- Categories of Personal Data processed,  
- Purpose and lawful basis per activity,  
- Retention and deletion schedules,  
- Sub-Processors and transfer jurisdictions,  
- Applicable safeguards and security controls.  
ROPA shall be made available to competent authorities only upon lawful written request.

31.3 **Data Protection Impact Assessments (DPIA)**  
DPIAs are conducted for high-risk or automated processing as required under Section 10 of the DPDP Act, 2023.  
Each DPIA documents:  
- Risk identification,  
- Mitigation controls,  
- Residual risk acceptance,  
- Review frequency.  
Summaries may be shared with regulators or auditors when legally required.

31.4 **Audit Rights & Regulatory Access**  
Regulators may request access to records only through a valid written order, notice, or statutory direction.  
MindStocs shall:  
(a) Verify jurisdiction and scope,  
(b) Disclose only minimum necessary data, and  
(c) Log the request and disclosure in ROPA and the audit register.

31.5 **Confidentiality & Controlled Access**  
All regulatory, audit, or forensic disclosures:  
(a) Occur under strict confidentiality controls and NDAs,  
(b) Do not constitute public disclosure, and  
(c) Are limited to authorised personnel on a documented need-to-know basis.

31.6 **Audit Readiness & Traceability**  
(a) Logs, records, and evidence trails are maintained in an **audit-ready state** at all times.  
(b) All access, modification, or disclosure events are traceable through **chain-of-custody logs**.  
(c) Internal compliance audits are conducted **at least annually** with remediation tracking.

31.7 **Independent Audits**  
Independent third-party audits may be commissioned to validate:  
- Data-protection compliance,  
- Cybersecurity controls (e.g., ISO/IEC 27001 equivalent),  
- Financial integrity for tax or Restoration Fund verification.  
Regulators may be provided executive summaries upon lawful request.

31.8 **Forensic Review & Fraud Control**  
For Restoration disputes, fraud suspicions, or regulator-ordered inquiries, MindStocs may appoint certified forensic experts or legal advisors.  
(a) Data shared is minimum-necessary, encrypted, and logged,  
(b) All actions are recorded in the **forensic access register** maintained under ROPA.

31.9 **Retention & Secure Disposal**  
Records are retained only for the legally mandated duration (typically **7–10 years** for tax, audit, or regulatory purposes).  
After expiry:  
(a) records are securely deleted, anonymised, or archived, and  
(b) destruction logs are maintained for audit verification.

31.10 **Regulatory Cooperation & Legal Defence**  
MindStocs cooperates fully with lawful investigations, while reserving the right to:  
(a) seek clarification or challenge overbroad or extrajudicial demands, and  
(b) protect confidential, proprietary, or commercially sensitive information.  
All cooperation remains subject to due process under Indian law.


32. Severability & Interpretation  


32.1 **Severability**  
If any provision of this Privacy Policy is declared unlawful, void, or unenforceable by a court, tribunal, or competent authority, that provision shall be severed to the minimum extent required.  
All remaining provisions shall continue in full force and effect.  
Severance shall not relieve either party of statutory, regulatory, or data-protection obligations that remain independently enforceable under Indian law.

32.2 **Headings & Formatting**  
Headings, numbering, bold text, or structure are provided for reference only and do not affect the meaning, scope, or legal interpretation of any clause.

32.3 **Policy Hierarchy & Conflicts**  
This Privacy Policy shall be read together with the:  
(a) **Terms & Conditions**,  
(b) **Refund Policy**,  
(c) **Shipping & Delivery Policy**, and  
(d) Applicable **Annexures**.  

In the event of inconsistency:  
(i) The more protective clause for the User shall prevail, unless contrary to law;  
(ii) Statutory, regulatory, or judicial interpretations (e.g., Data Protection Board of India, SEBI, RBI, CERT-In) override internal policy language;  
(iii) Residual ambiguity shall be resolved under **Clause 40 (Dispute Resolution)** of the Terms & Conditions.

32.4 **Interpretive Authority**  
Unless a statutory mandate dictates otherwise, the Company’s reasonable and good-faith interpretation of this Policy governs operational application, provided such interpretation does not conflict with applicable law.

32.5 **Interdependence of Clauses**  
Each clause is independent but operates cumulatively.  
Invalidity of one clause does not invalidate associated provisions relating to:  
- User rights,  
- Regulatory compliance,  
- Mandatory security or retention requirements.

32.6 **Language & Controlling Version**  
The legally binding version of this Policy is the **English version**.  
Translations are provided only for convenience. In case of conflict, the English version prevails for all legal, regulatory, and enforcement purposes.


33. Business Transfers  

33.1 **Business Transfers & Successors**  
If MindStocs undergoes a merger, acquisition, restructuring, insolvency, or sale of assets (in whole or in part), all User Personal Data and related records may be transferred to the successor or acquiring entity, provided that such entity:  
(a) assumes all rights, duties, and obligations under this Privacy Policy and the Terms & Conditions; and  
(b) continues to process all Personal Data in accordance with applicable law and valid User consents.

33.2 **User Notification & Consent Continuity**  
(a) Users shall be notified of any material business transfer through email and/or an official Platform notice where required under the **Digital Personal Data Protection Act, 2023 (DPDP Act)**.  
(b) If the successor proposes any new or altered purposes of processing, categories of data use, or consent conditions, fresh **explicit consent** shall be obtained prior to implementation.  
(c) Users retain the right to withdraw such consent or request deletion of non-essential data in accordance with **Clause 14 (User Rights & Exercise Procedure)**, subject to lawful retention obligations.

33.3 **Regulatory & Legal Compliance**  
All transfers shall comply with:  
(a) Applicable provisions of the **Companies Act, 2013** and filings with the **Ministry of Corporate Affairs (MCA)**;  
(b) Any disclosure or approval requirements imposed by sectoral regulators (**RBI**, **SEBI**, or the **Data Protection Board of India (DPB)**), where relevant; and  
(c) Cross-border transfer safeguards under **Clause 12 (Cross-Border Transfers)** when data is moved outside India.

33.4 **Notification to the Data Protection Board**  
If a transfer results in a material change of control, purpose, or fiduciary structure, MindStocs shall notify the **DPB** within statutory timelines prescribed under the **DPDP Act 2023** or rules made thereunder.

33.5 **Binding Obligations on Successors**  
Any successor, assignee, or acquiring entity shall be **legally bound** to:  
(a) honour all existing User consents, rights, and protections;  
(b) maintain equivalent or stronger data-protection and retention standards; and  
(c) observe all commitments contained in the MindStocs **Terms & Conditions**, including governing law and dispute-resolution provisions.

33.6 **Jurisdiction Continuity**  
All transferred obligations and rights shall remain governed by Indian law and the **Dispute Resolution** mechanism in **Clause 40** of the Terms & Conditions, regardless of the successor’s place of incorporation or principal operations.


34. Third-Party Services & Links  


34.1 **Third-Party Integrations**  
MindStocs Services may integrate with or rely on independent third-party platforms and service providers, including but not limited to:  
(a) Payment gateways (e.g., Razorpay),  
(b) Broker APIs and trading exchanges (linked voluntarily by the User),  
(c) Certified KYC and identity verification vendors,  
(d) Hosting and cloud infrastructure providers, and  
(e) Email, SMS, or notification delivery providers.  

34.2 **Independent Privacy Practices**  
Each third-party provider operates under its own privacy policy, security framework, and regulatory supervision.  
MindStocs ensures contractual safeguards through **Data Processing Agreements (DPAs)** where such entities act as data processors or sub-processors.  
However, MindStocs is **not responsible or liable** for any independent processing, misuse, or breach occurring outside its direct control or contractual scope.  

34.3 **Due Diligence & Risk Classification**  
(a) All third-party providers are subject to documented **vendor due-diligence** and **risk classification** (low, medium, or high) based on sensitivity of processed data.  
(b) Periodic compliance audits or certifications (e.g., ISO 27001, PCI-DSS) are obtained and reviewed to ensure continued adequacy.  
(c) Vendors failing to maintain equivalent safeguards may be suspended or replaced.  

34.4 **User Discretion & Consent**  
(a) By voluntarily enabling any third-party integration, Users acknowledge and consent to the processing of their data by that provider for the stated purpose.  
(b) Users are advised to review the third party’s own privacy policy and terms before activation.  
(c) **Consent for optional integrations** (e.g., analytics tools, broker APIs) is obtained through clear opt-in mechanisms and may be withdrawn anytime without affecting core service access.  

34.5 **Cross-Border Processing**  
If any third-party provider transfers or stores data outside India, such transfers shall comply with **Clause 12 (Cross-Border Transfers & Safeguards)**, including contractual and consent-based protections equivalent to Indian law.  

34.6 **Broker API Disclaimer**  
Users linking broker APIs or trading accounts acknowledge that:  
(a) Execution, margining, and trade data are governed solely by the broker’s regulatory framework;  
(b) MindStocs has **no discretionary access** to or control over execution outcomes; and  
(c) MindStocs bears no liability for broker-side outages, mis-executions, or losses arising from broker or exchange systems.  

34.7 **Breach Notification by Third Parties**  
All third-party processors engaged by MindStocs are contractually obligated to:  
(a) Notify MindStocs of any confirmed or suspected breach within **24 hours** of discovery; and  
(b) Cooperate fully in containment, investigation, and notification to regulators or affected Users under **Clause 16 (Breach Notification & Incident Response)**.  

34.8 **External Links & Third-Party Websites**  
The Platform may contain external links or references to third-party websites or resources not operated by MindStocs.  
Accessing such links is entirely at the User’s discretion.  
MindStocs disclaims all responsibility for their content, data practices, or security standards.  
Users are advised to exercise caution and review the external site’s privacy policy before interaction.  

34.9 **Accountability Limitation**  
MindStocs’ responsibility under the **DPDP Act, 2023** is limited to conducting due-diligence, maintaining DPAs, and ensuring equivalent safeguards for processors within its control.  
MindStocs shall not be held liable for independent or unauthorised acts, omissions, or data breaches by third-party service providers beyond its contractual and legal oversight.

34.10 **Ownership of Broker Data**  
All broker-linked trade data, positions, execution logs, and account information accessed through User-authorised API connections remain the exclusive property of the User. MindStocs processes such data solely for dashboard display, analytics, and automation as per User instruction, without exercising discretionary control or taking investment decisions.


35. Risk Disclosure & No Guarantee  


35.1  Market Risk Disclaimer  
Use of MindStocs Services (including algorithmic software, dashboards, APIs, indicators, VPS, and Project participation) involves substantial market and financial risk.  
Users expressly acknowledge that:  
(a) Trading in equities, derivatives, forex, or commodities is inherently risky and may lead to partial or total loss of capital;  
(b) Algorithmic or logic-based tools cannot predict or eliminate market volatility;  
(c) Historical, backtested, or simulated results do not guarantee future performance; and  
(d) All MindStocs tools are provided strictly for software, educational, and research purposes, not as investment advice, solicitation, or portfolio management.  

35.2  No Guarantee of Returns  
(a) MindStocs does not offer guaranteed, fixed, or assured returns under any circumstances.  
(b) Service Access Fees represent payments solely for access to digital tools, dashboards, and related software services.  
(c) MindStocs Services are not deposits, securities, insurance products, or collective investment schemes under SEBI, RBI, or IRDAI regulation.  
(d) No employee, affiliate, or marketing representative is authorised to promise profits, capital protection, or assured income on behalf of the Company.  

35.3  Restoration Fund Clarification  
(a) The Restoration Fund is a conditional, discretionary, and non-statutory mechanism subject to availability of segregated funds and eligibility verification.  
(b) It does not constitute a capital guarantee, insurance policy, fiduciary obligation, or investor-protection scheme.  
(c) Restoration Fund processing, eligibility, and calculation are governed exclusively by Clauses 17 and 27 of the Terms & Conditions.  
(d) Any communication or presentation of Restoration Fund benefits shall be accompanied by the mandatory disclaimer required under Clause 44.2 of the Terms & Conditions.  

35.4  User Responsibility  
Users remain solely responsible for:  
(a) All trading and investment decisions taken using or alongside MindStocs tools;  
(b) Configuration and security of broker APIs, funds, and margin levels;  
(c) Compliance with personal tax, TDS, and GST obligations; and  
(d) Independent evaluation of risk before committing funds.  
MindStocs disclaims liability for trading losses, execution errors, reliance on illustrations, or decisions based on marketing materials.  
Losses caused by slippage, latency, broker outages, API errors, automation failure, or execution variance are fully at the User’s risk.  

35.5  Illustrations, Charts & Marketing Demonstrations  
All examples, charts, performance figures, or case studies shown through the Platform, marketing materials, webinars, or social media are purely illustrative and educational.  
They are not forecasts or assurances of profitability.  
Every such illustration must prominently carry the mandatory disclaimer in Clause 44.2 of the Terms & Conditions.  

35.6  Independent Advice  
Users are strongly advised to obtain professional financial, tax, and legal advice before using any MindStocs product or making trading decisions.  
Participation in MindStocs Services constitutes full acknowledgment of these risks.  

35.7  No Inducement or Solicitation  
Nothing in the Platform, marketing communication, or Restoration Fund documentation shall be construed as an invitation, inducement, or solicitation to invest, deposit, or trade in securities or financial products regulated by SEBI, RBI, or IRDAI.  
MindStocs operates solely as a technology and software solutions provider.  

35.8  Slippage, Automation & Execution Failure Waiver  
The User expressly acknowledges and agrees that all trading losses, missed profits, or execution differences arising from slippage, spread widening, latency, delayed order routing, exchange throttling, margin freeze, RMS square-off, broker-side rejection, internet or VPS interruption, API disconnection, server downtime, or automation malfunction — even where MindStocs software, logic, or systems are involved — are fully assumed by the User and shall not give rise to any refund, compensation, Restoration claim, or legal liability against the Company.  

35.9  Technology & Third-Party Dependency Disclaimer  
Trading automation depends on external broker APIs, exchanges, internet connectivity, hosting infrastructure, and third-party systems outside the control of MindStocs.  
MindStocs has no obligation to compensate for losses caused by third-party outages, rejected orders, regulatory halts, network failure, or brokerage-side technical issues.  



36. Account Closure & Data Handling


36.1 User-Initiated Closure  
Users may request permanent closure of their MindStocs account by emailing **support@mindstocs.com** from their registered email address. Secondary verification (e.g., PAN last four digits or OTP) is mandatory before processing.

36.2 Effect of Closure  
Upon confirmation of closure:  
(a) All access to dashboards, algorithms, APIs, VPS, indicators, Projects, and licenses is permanently disabled;  
(b) All active subscriptions terminate without refund, except where expressly permitted under Clause 19;  
(c) Pending Restoration claims (if already filed) will continue; no new claims will be accepted after closure;  
(d) Referral, commission, reseller, and affiliate privileges terminate immediately;  
(e) The account cannot be reactivated under any circumstances. A new account requires fresh registration and KYC.

36.3 Mandatory User Responsibilities  
(a) The User must manually disconnect all broker APIs, disable auto-trading, close open positions, and uninstall any synced automation before requesting closure.  
(b) MindStocs is not responsible for any orders, trades, losses, slippage, margin calls, or automation activity occurring after closure due to failure to disconnect brokerage systems.  
(c) Any continued broker-side activity is entirely at the User’s risk.

36.4 Post-Closure Data Retention  
Notwithstanding account closure, the Company will retain legally required records including:  
- KYC / AML data: 10 years  
- GST, TDS, and tax invoices: 8 years  
- Financial and accounting records: 7–10 years  
- Restoration and dispute logs: until final regulatory/audit closure  
Retention is compulsory under Indian law and not subject to deletion requests.

36.5 Deletion of Non-Essential Data  
All non-mandatory personal data (marketing consents, optional integrations, analytics logs, etc.) will be anonymised or deleted within **30 days** of closure, except where a longer period is required by law or regulator.

36.6 Rights Before Closure  
Before closure is final, Users may request:  
(a) A copy of their processed personal data; or  
(b) Machine-readable export (CSV/JSON/XML), if technically feasible.  
No portability or export is available after closure.

36.7 Consent & Acknowledgement  
By requesting closure, the User agrees that:  
(a) Statutory retention overrides the right to erasure;  
(b) No further refunds, claims, or compensations will be accepted post-closure;  
(c) Residual anonymised data may continue to be used for security, fraud analytics, and audit defence;  
(d) All liabilities arising from automation, API connections, or brokerage activity after closure rest solely with the User.

36.8 Closure Timeline  
A written confirmation of closure will be issued within **30 business days** of a verified request, along with a statement of any retained records under Clause 36.4.

36.9 Regulatory Overrides  
MindStocs may delay, restrict, or refuse full data deletion where records are required for:  
(a) FIU-IND, SEBI, RBI, GST, or Income Tax investigations;  
(b) Court orders, audits, or ongoing disputes;  
(c) Compliance with the Digital Personal Data Protection Act, 2023 and IT Act, 2000.  
Such overrides will be logged in the Company’s ROPA records.

36.10 Final Waiver  
By initiating account closure, the User irrevocably waives any future rights to:  
(a) Restoration Fund claims not already filed,  
(b) Refunds beyond the Refund Policy,  
(c) Access to historical dashboards, charts, logs, or software outputs,  
(d) Claims arising from automated or broker-linked trading after closure.  
This clause survives closure and remains legally binding.


37. International Use & Jurisdiction


37.1 Governing Law  
This Privacy Policy and all data processing activities are governed exclusively by the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and all applicable rules, notifications, and directions. MindStocs is an India-based entity, and all legal, technical, and compliance obligations operate under Indian jurisdiction only.

37.2 Foreign Users & Territorial Scope  
(a) Users outside India who access MindStocs Services do so voluntarily and expressly agree that their data will be processed solely under Indian law.  
(b) MindStocs does not undertake, represent, or guarantee compliance with foreign privacy laws such as GDPR, CCPA, PIPEDA, LGPD, POPIA, or any other non-Indian regime.  
(c) Foreign Users are solely responsible for ensuring that their use of the Services is lawful in their own jurisdiction, including tax, trading, and data regulations.  
(d) No User may claim extraterritorial rights, protections, or remedies under foreign laws against MindStocs.

37.3 Dispute Resolution  
All disputes relating to data processing, privacy, or cross-border usage shall be resolved strictly under Clause 42 (Dispute Resolution) of the Terms & Conditions:  
(a) Mandatory internal grievance handling first,  
(b) If unresolved, binding arbitration under the Arbitration & Conciliation Act, 1996,  
(c) Seat of arbitration: Sindhudurg, Maharashtra (or Goa, if mutually agreed),  
(d) Courts of Maharashtra, India, hold exclusive supervisory jurisdiction.

37.4 Conflict of Laws  
(a) In case of conflict between Indian law and any foreign statute or regulation, Indian law prevails absolutely.  
(b) No foreign regulatory, judicial, or administrative order is binding on MindStocs unless routed through Indian authorities under valid law.  
(c) No clause in this Policy shall be interpreted as recognition of any foreign jurisdiction.

37.5 Regulatory Cooperation (Limited)  
MindStocs may cooperate with foreign authorities only when:  
(a) Requests are received through Government of India channels (CERT-In, MeitY, RBI, SEBI, DPB, etc.),  
(b) There is an active MLAT, treaty, or sovereign legal basis,  
(c) Disclosure is lawful under Indian legislation.  
Such cooperation never constitutes submission to foreign enforcement or waiver of Indian jurisdictional protection.

37.6 No Extraterritorial Rights  
This Policy does not create or imply:  
(a) Any enforceable privacy or consumer rights under foreign laws,  
(b) Any acceptance of GDPR/CCPA jurisdiction,  
(c) Any obligation to appoint foreign representatives, DPOs, or maintain foreign compliance frameworks.

37.7 Cross-Border Processing Clarification  
Where foreign Users' data is processed or stored in India, it is done exclusively under Indian law. Cross-border transfer safeguards apply only where MindStocs exports data outside India under Clause 12, never where Users import their data into India by using the Platform.

37.8 Acceptance Condition  
Use of MindStocs Services from outside India constitutes:  
(a) Irrevocable submission to Indian law,  
(b) Waiver of foreign privacy law claims,  
(c) Acceptance that all disputes shall be resolved only in India.


38. Survival & Binding Effect


38.1 Post-Termination Survival  
The following obligations continue to apply even after account closure, Service expiry, or termination of the User relationship:  
(a) Statutory data retention and audit obligations,  
(b) Refund processing, chargeback handling, and accounting reconciliation,  
(c) Regulatory cooperation, breach reporting, and grievance response duties,  
(d) Arbitration, dispute resolution, and jurisdiction provisions under Clause 42 of the Terms & Conditions,  
(e) Confidentiality, indemnity, disclaimer, and limitation-of-liability clauses.

38.2 Survival of Lawful Consent  
Any consent lawfully obtained for processing of Personal Data—including retention of KYC, AML, GST/TDS, financial, and regulatory records—remains valid for the full statutory retention period as required by the Digital Personal Data Protection Act, 2023, regardless of account closure.

38.3 Continuing User Liabilities  
Termination does not release the User from:  
(a) Pending or unpaid Service Access Fees,  
(b) Liability arising from fraud, misuse, or breach of contractual obligations,  
(c) Participation in ongoing investigations, audits, disputes, or arbitration,  
(d) Legal or financial obligations triggered during active Service usage.

38.4 Regulatory & Legal Disclosures After Termination  
MindStocs may continue to retain, produce, or disclose User records to regulators, courts, tax authorities, or law-enforcement agencies even after termination, where required under law or valid written order.

38.5 No Extension of Commercial Benefits  
Survival of obligations shall not:  
(a) Extend or revive Restoration eligibility, refund rights, warranties, or promotional benefits,  
(b) Create any new commercial or contractual entitlement after closure,  
(c) Override statutory retention limits or regulatory restrictions.

38.6 Binding Effect  
This Privacy Policy continues to bind the User, their legal heirs, representatives, successors, and permitted assigns.  
Any future access, reinstatement, or renewed subscription automatically reactivates full acceptance of this Policy and all updates issued under Clause 22 (Policy Updates).


39. Entire Agreement & Precedence


39.1 Entire Agreement  
This Privacy Policy, together with the Terms & Conditions, Refund Policy, Shipping & Delivery Policy, Cookie Policy, Security Guidelines, and all officially issued Annexures or compliance addenda, constitutes the full and final agreement between the User and MindStocs on all matters relating to data protection, privacy, security, and processing.  
All previous drafts, proposals, emails, verbal explanations, advertisements, or informal assurances are fully superseded and have no legal effect.

39.2 Precedence in Case of Conflict  
If any inconsistency arises between multiple policies:  
(a) Terms & Conditions govern service eligibility, fees, platform rights, and Restoration rules;  
(b) This Privacy Policy governs data collection, processing, retention, and consent rights;  
(c) Refund Policy governs refund eligibility, timelines, and dispute handling;  
(d) Shipping & Delivery Policy governs activation, access provisioning, and proof of delivery;  
(e) Final Consolidated Disclaimer (Clause 52, T&C) governs all marketing, claims, ROI statements, and promotional language.  
The stricter clause in favour of regulatory compliance or user protection will prevail where legally required.

39.3 Regulatory Override  
Where any clause of this Policy is inconsistent with Indian law or regulator direction—including DPDP Act 2023, IT Act 2000, Consumer Protection Act 2019, RBI/SEBI/IRDAI circulars, or CERT-In Orders—the statutory requirement shall override the conflicting clause without affecting the enforceability of the remaining Policy.  
The clause shall be interpreted or amended only to the extent required for compliance while retaining original intent.

39.4 No Waiver  
Failure, delay, or selective enforcement by MindStocs shall not be construed as waiver of rights.  
No waiver, relaxation, or modification is valid unless issued in writing by an authorised Compliance Officer.

39.5 Binding Incorporation of Policy Updates  
All future amendments, annexures, regulatory add-ons, or compliance notifications issued by MindStocs are automatically incorporated into this Policy from their notified effective date under Clause 22 (Policy Updates).  
Continued use of the Services constitutes binding acceptance of such updates.

39.6 Non-Derogation  
Nothing in this clause limits statutory user rights, regulator audit powers, or MindStocs’ ability to enforce indemnity, limitation of liability, and survival clauses under Clauses 30, 31, 36, and 38.


40. Governing Law & Dispute Resolution


40.1 Governing Law  
This Privacy Policy is governed exclusively by the laws of India, including:  
(a) Digital Personal Data Protection Act, 2023,  
(b) Information Technology Act, 2000,  
(c) Consumer Protection Act, 2019, and  
(d) all applicable rules, notifications, and regulator directives issued thereunder.

40.2 Dispute Resolution Procedure  
(a) All contractual, service, or policy-related disputes shall follow the procedure in Clause 42 of the Terms & Conditions:  
   (i) Mandatory written notice and 30-day good-faith negotiation; then  
   (ii) Arbitration under the Arbitration and Conciliation Act, 1996, by a sole arbitrator appointed per the Terms & Conditions.  

(b) Seat and venue of arbitration: **Sindhudurg, Maharashtra, India**.  
Language: English.

(c) Arbitration applies only to **arbitrable contractual disputes**. It does **not** bar Users from:  
   - Filing statutory complaints before the Data Protection Board of India,  
   - Approaching Consumer Commissions under the Consumer Protection Act, 2019,  
   - Using RBI Ombudsman or other regulator-mandated forums.  

(d) Statutory rights that cannot be legally waived remain outside arbitration.

40.3 Jurisdiction  
Subject to Clause 40.2(c), the courts of **Sindhudurg, Maharashtra, India** shall have exclusive jurisdiction for:  
(a) Enforcement of arbitral awards,  
(b) Interim relief applications, and  
(c) Any non-arbitrable disputes arising from this Policy.

40.4 Cross-Border Users  
(a) Foreign Users agree that all processing is governed solely by Indian law.  
(b) No foreign privacy or consumer law (GDPR, CCPA, etc.) applies unless mandated by the Government of India or agreed in writing.  
(c) No provision shall be interpreted as acceptance of foreign court or regulator jurisdiction, except pursuant to a valid MLAT or Indian sovereign directive.

40.5 Finality  
Arbitral awards issued under this clause are final, binding, and enforceable under the Arbitration and Conciliation Act, 1996 and the Code of Civil Procedure, 1908, without prejudice to statutory remedies expressly preserved under Indian law.


41. Law Enforcement & Regulatory Cooperation


41.1 Legal Compliance  
MindStocs complies only with lawful, written, and verifiable requests issued under Indian law by:  
(a) Law enforcement agencies (police, cybercrime cells, investigation units),  
(b) Statutory regulators (SEBI, RBI, FIU-IND, MCA, CERT-In, Income Tax Dept.),  
(c) Courts, tribunals, or statutory commissions, and  
(d) Any other competent Indian authority empowered by law.  
Requests from foreign governments are processed **only through Government of India channels** (MLAT, diplomatic route, or authorised nodal agency).

41.2 Scope and Method of Disclosure  
(a) Disclosures are restricted strictly to the specific data requested.  
(b) Every disclosure is logged internally with: requesting authority, legal basis, data shared, date, and time.  
(c) All requests are legally vetted before compliance, unless an immediate order mandates urgent execution.  
(d) Full chain-of-custody records are maintained for forensic or user-identifiable data.

41.3 User Notification  
MindStocs will notify affected Users **after disclosure** where legally permitted.  
Notification may be withheld if:  
(i) prohibited by court order,  
(ii) disclosure may compromise investigations or national security, or  
(iii) the request relates to AML, fraud, or cybersecurity directives issued by regulators.

41.4 Mandatory Cooperation  
MindStocs will assist lawful authorities by:  
(a) Sharing audit logs, forensic records, or transactional data,  
(b) Implementing corrective or preventive controls ordered by regulators,  
(c) Supporting AML/KYC, cybersecurity, and data-protection investigations, and  
(d) Issuing required compliance confirmations or certificates.

41.5 No Voluntary Disclosure  
MindStocs will **not** voluntarily share User data with any regulator, government entity, or third party unless:  
(a) compelled by a valid Indian legal order,  
(b) necessary to prevent an imminent threat to life or security, or  
(c) required to stop verified fraud or cyber-attack, subject to post-facto legal review.

41.6 Protection Against Unlawful or Overbroad Requests  
MindStocs may:  
(a) Demand written proof of authority,  
(b) Decline overbroad or extrajudicial data demands,  
(c) Record all refusals or clarifications in its Regulatory Cooperation Register under Clause 31.

41.7 Foreign Authority Requests  
Any data demand from a foreign regulator, court, or government will be processed **only via Indian sovereign channels** (e.g., MHA, CERT-In, MEA).  
No direct submission to foreign jurisdictions is permitted unless expressly authorised under Indian law and Clause 12 on Cross-Border Transfers.
  

42. Broker API, VPS & Third-Party Execution Disclaimer


42.1 Independent Broker Relationship  
All order execution, margining, fund management, and trade settlements occur exclusively between the User and their selected broker, exchange, or financial institution. MindStocs has no control over execution, order routing, slippage, latency, or fund flows.

42.2 No Trade Execution Authority  
MindStocs does not place, trigger, modify, or cancel any trades on behalf of Users. All actions taken through broker APIs are executed solely under the User’s account permissions and risk settings.

42.3 Third-Party Dependency Disclaimer  
Platform performance may depend on the uptime, API reliability, and compliance policies of third-party brokers, VPS providers, hosting platforms, payment gateways, or network carriers.  
MindStocs is not liable for delays, outages, or execution failures originating from such entities.

42.4 Security Responsibility  
The User is solely responsible for the security of:  
(a) API keys and broker credentials,  
(b) VPS or hosted machine access,  
(c) enabling or disabling API trade permissions, and  
(d) revoking access in case of compromise.

42.5 No Capital Handling Statement  
MindStocs does not hold user brokerage funds, does not access wallets or bank accounts, and does not participate in capital flow of any kind.

42.6 Mandatory Statement  
MindStocs does not hold client capital, does not execute trades on behalf of users, and is not a SEBI or RBI regulated entity.


43. Reverse Engineering, Source Code & Decompilation Restriction


43.1 Prohibited Technical Actions  
The User shall not attempt to decompile, reverse engineer, disassemble, extract, decrypt, scrape, clone, or replicate any part of the MindStocs Platform, including executable files, APIs, logic modules, dashboards, or automation engines.

43.2 Anti-Circumvention & IP Breach  
Any attempt to bypass platform protections, licensing controls, authentication systems, or usage metering shall be treated as unauthorised access and IP violation, subject to civil and criminal action.

43.3 Proprietary Logic & Confidential Architecture  
Internal logic, data structures, algorithms, triggers, and workflow architecture remain proprietary and confidential under Clause 15 (Confidentiality) and applicable IP law.

43.4 Technical Protection Measures  
The Platform may use obfuscation, encryption, or license binding to prevent source code visibility and unauthorised redistribution.


44. Data Portability & Software IP Limitation


44.1 Users may request a copy of their personal data, trading logs, and configuration inputs, but not any internal system logic, source code, back-end workflow, or IP-protected software files.

44.2 Data portability applies only to user-owned datasets, not to proprietary platform structures, execution models, or indicators.

44.3 Exported data will be provided in machine-readable formats (CSV/JSON/XML) where feasible and legally permitted, subject to authentication and security checks.

44.4 Portability requests do not create any IP ownership, development rights, or derivative software entitlement for the User.


45. Telemetry, Diagnostic Logs & AI System Optimisation


45.1 MindStocs may collect anonymised telemetry and diagnostic performance data (e.g., error logs, load metrics, feature usage, crash traces) strictly for platform optimisation, security enhancement, and bug analysis.

45.2 No personal identifiers or broker balances are included in telemetry unless voluntarily submitted through a support request.

45.3 Such data may be processed using internal or third-party analytics tools under Data Processing Agreements (DPAs) with full encryption and access logging.

45.4 Telemetry does not include financial outcomes, trading performance, or strategy secrets unless explicitly provided by the User.


47. Class Action & Collective Claim Waiver (Privacy-Specific)


47.1 To the fullest extent permitted by law, the User agrees that all privacy-related claims shall be pursued only on an individual basis, not as a plaintiff, class member, or representative in any class, collective, joint, or public interest litigation.

47.2 No arbitrator or court shall consolidate multiple User claims or preside over any form of representative action.

47.3 This clause is consistent with Clause 71 (Class Action Waiver) of the Terms & Conditions and applies equally to all privacy, data, consent, retention, and platform usage disputes.

47.4 Any attempt to initiate, participate in, or solicit others for a class action, mass petition, or collective lawsuit against MindStocs shall be deemed a material breach of this Policy and the Terms & Conditions, and may result in immediate termination of Services, legal cost recovery, and defence action under applicable law.


48. Final Consolidated Disclaimer  


MindStocs is a technology and software service provider. It is **not registered with or regulated by SEBI, RBI, IRDAI, FIU-IND, or any other financial authority**. Nothing in this Privacy Policy, the Terms & Conditions, or any marketing material shall be construed as:  
(a) investment advice,  
(b) portfolio management,  
(c) solicitation or invitation to invest, or  
(d) a collective investment, insurance, or deposit-taking activity under Indian law.  

All Service Access Fees are payments made **solely for access to digital tools, dashboards, APIs, algorithms, and related software services**, and **not linked to trading outcomes, profits, or market performance**.  

The **Restoration Fund** is a **discretionary, conditional, and non-statutory benefit**, subject to eligibility, availability, and verification. It does not constitute an insurance product, guarantee, or capital protection scheme.  

Users remain fully responsible for:  
- their trading and financial decisions;  
- their own tax filings (GST, TDS, Income Tax, etc.); and  
- compliance with any applicable financial or data protection laws.  

MindStocs deducts or withholds taxes only where expressly mandated under Indian law.  

---

48.1 **Purpose of Policy**  
This Privacy Policy is informational and compliance-oriented. It explains how MindStocs collects, processes, and protects personal data but does **not** create any express or implied warranty, guarantee of profitability, uninterrupted operation, or risk-free usage.  

48.2 **Exclusions of Liability**  
(a) This Policy and related documents do not constitute investment, financial, tax, or legal advice.  
(b) The Company disclaims liability for any loss, damage, or claim arising out of:  
   - reliance on marketing, educational, or illustrative materials;  
   - failures or errors of third-party providers (e.g., brokers, exchanges, payment gateways, hosting vendors) not under its control;  
   - user negligence, such as insecure passwords, compromised devices, or improper API key management;  
   - force majeure events, as defined under the Terms & Conditions.  

48.3 **User Acknowledgement**  
By using the Services, the User acknowledges that:  
(a) they have read, understood, and accepted this Privacy Policy and all related terms;  
(b) they remain solely responsible for trading outcomes and decision-making; and  
(c) no algorithm, model, or software can assure profits or eliminate market risk.  

48.4 **Non-Solicitation & Representation Disclaimer**  
No communication, publication, or material issued by MindStocs shall be interpreted as an invitation, inducement, or recommendation to trade, invest, or deposit funds.  
MindStocs does not hold or manage client capital, does not pool investor funds, and does not issue securities or contracts of insurance.  

48.5 **Policy Updates & Interpretation**  
The Company may amend or update this Privacy Policy in accordance with Clause 22 (Policy Updates). Continued use of the Services after such updates constitutes binding acceptance.  
Interpretation of this Policy shall always favour compliance with prevailing Indian law and user protection.  

48.6 **Governing Law & Dispute Resolution**  
This Privacy Policy shall be governed by the laws of India. All disputes shall follow the dispute resolution framework specified in **Clause 40 of this Policy** and **Clause 71 of the Terms & Conditions**, including arbitration and applicable statutory redressal rights.  

48.7 **Precedence & Override**  
This Final Consolidated Disclaimer shall **override any inconsistent or conflicting language** found in:  
- this Privacy Policy,  
- the Terms & Conditions,  
- the Refund or Shipping Policies, or  
- any marketing, communication, or promotional material.  

The **Final Consolidated Disclaimer in Clause 71 of the Terms & Conditions** shall prevail as the definitive disclaimer governing all representations and communications made by MindStocs.