Privacy Policy – CopyTrade.in

Effective Date: August 20, 2025 | Last Updated: August 20, 2025

This Privacy Policy explains how CopyTrade.in ("CopyTrade.in", the "Platform", "we", "us", or "our") collects, uses, discloses, stores, and protects information when you access or use our services. We are a technical software platform that automates trade replication between broker accounts. We do not provide investment advice or brokerage services.

By creating an account or using the Platform, you acknowledge that you have read and understood this Policy and agree to its terms. If you do not agree, please do not use the Platform.

1) Key Definitions

  • Personal Data (PD): Any information relating to an identified or identifiable natural person. Examples: name, email, phone, IP address.
  • Sensitive Personal Data (SPD): Categories defined by law (e.g., financial account numbers, identity documents). We avoid collecting SPD except where strictly necessary for billing/compliance.
  • Non‑Personal Data (NPD): Data that cannot reasonably identify an individual (e.g., aggregated latency metrics).
  • Processing: Any operation performed on data (collection, storage, use, disclosure, deletion).
  • Controller / Data Fiduciary: The entity determining purposes and means of processing (CopyTrade.in for Platform data).
  • Processor / Data Processor: A vendor processing data on our behalf (e.g., cloud hosting).
  • Broker: Your third‑party brokerage service that you connect to the Platform.
  • Master / Child Account: Account roles configured by you on the Platform for trade replication.

2) Scope & Applicable Law

Primary governing framework: Digital Personal Data Protection Act, 2023 (India) and its rules/notifications as they come into force.

Where applicable (e.g., you are an EU/UK resident), we align with GDPR/UK GDPR principles. If you are a California resident, we honor CCPA/CPRA rights as described in Section 14.

In any conflict, the provision offering stricter protection to the individual will apply, unless prohibited by law.

3) What We Collect (by Category)

A) Account & Identity Data

Name, email, phone number (optional), organization (optional).

Login credentials (hashed passwords), multi‑factor tokens (if enabled).

B) Broker Integration Data

Broker API keys or OAuth tokens (tokenized, encrypted at rest).

Broker account identifiers (masked where feasible).

Mapping data between Master and Child accounts.

Configuration values: copy factor, risk limits, allowed instruments, maximum order size.

C) Trading Activity & Telemetry

Replication events: symbol, side, quantity, price (as provided by broker), order type, time‑in‑force, status, broker order ID, timestamps.

Execution diagnostics: latency, slippage estimates, rejection codes, retry counts.

System logs: API call outcomes, throttling/back‑off events, error traces (sanitized).

We do not store your broker passwords.

D) Device & Usage Data

IP address, user‑agent, device type, OS, browser, locale/timezone.

Session metadata: login/out times, feature usage, navigation events, crash reports.

E) Billing & Commercial Data

Plan tier, invoices, payment status, trial eligibility.

Payment card data is handled by a PCI‑DSS compliant processor; we do not store full card numbers or CVV.

F) Support & Communications

Emails, tickets, chat transcripts, call notes.

Feedback, surveys, beta program responses.

G) Cookies, Local Storage & SDKs

Strictly Necessary Cookies: session/authentication, CSRF protection.

Functional Cookies: preference, language.

Analytics (privacy‑respecting): performance metrics, no advertising identifiers.

Local storage for short‑lived UI state.

We do not use third‑party advertising cookies.

We do not knowingly collect data from children under 18 (see Section 13).

4) Why We Process Data (Purposes) & Legal Bases

| Purpose | Examples | Legal Basis (India/GDPR) |
|---|---|---|
| Account creation & authentication | Sign‑up, login, password reset, MFA | Contract performance / Legitimate interests |
| Broker integration & trade replication | Store tokens, map accounts, execute replication | Contract performance |
| Security & abuse prevention | Anomaly detection, rate limiting, audit trails | Legitimate interests / Legal obligation |
| Platform performance | Telemetry, error diagnostics, capacity planning | Legitimate interests |
| Billing & collections | Invoicing, receipts, fraud checks | Contract performance / Legal obligation |
| Customer support | Responding to tickets, onboarding | Contract performance / Legitimate interests |
| Compliance & dispute handling | Responding to lawful requests, audits | Legal obligation |
| Product improvement | Aggregated analytics, A/B tests (without PD where feasible) | Legitimate interests / Consent (where required) |

We do not sell personal data.

5) How We Use Data (Processing Details)

Trade Replication: We read events from your configured Master account and submit corresponding orders to Child accounts according to your settings. We log request/response metadata for diagnostics and auditability.

Order Enrichment: We may add technical fields (e.g., internal correlation IDs, timestamps) to ensure traceability across systems.

Error Handling & Retries: On transient broker/API failures, we may retry requests with exponential back‑off (within your configured safeguards).

Anonymization & Aggregation: We aggregate telemetry to improve reliability and capacity planning. Aggregates contain no directly identifying information.

Automations/Alerts: If you enable alerts (e.g., replication failures), we process your email/notification preferences to deliver them.

6) Data Sharing & Disclosures (Who Sees What)

We disclose data only as needed:

Processors / Sub‑Processors (acting on our behalf):

  • Cloud infrastructure & database hosting.
  • Email delivery & customer support tools.
  • Payments & invoicing.
  • Observability (logs, metrics, error tracking) with data minimization.

We bind vendors to confidentiality and data protection obligations by contract. A current list of subprocessors is available on request (see Appendix B template).

Regulatory & Legal:

  • Lawful requests by authorities, court orders, or to comply with applicable law.
  • To investigate, prevent, or act against suspected fraud, security incidents, or violations of our Terms.

Corporate Events:

In a merger, acquisition, reorganization, or asset sale, data may transfer to the successor, subject to this Policy’s protections.

We do not disclose your data to third parties for their independent marketing.

7) Security Measures (Technical & Organizational)

We employ a layered security program:

  • Encryption: TLS 1.2+ in transit; AES‑256 at rest for databases, secrets, and broker tokens.
  • Key Management: Keys stored in managed KMS/HSM; strict rotation schedules; least‑privilege access.
  • Access Controls: Role‑based access control (RBAC), SSO for admin tools, mandatory MFA for privileged personnel.
  • Network Security: VPC isolation, security groups, WAF, DDoS protections, IP allow‑listing for critical paths.
  • Application Security: OWASP‑guided SDLC, code review, dependency scanning, secret scanning, CI/CD signing.
  • Logging & Monitoring: Centralized, tamper‑evident logs; anomaly detection; rate‑limit alerts.
  • Vulnerability Management: Regular scanning, patch SLAs, third‑party penetration tests (at least annually).
  • Business Continuity/DR: Daily encrypted backups; tested restores; target RPO ≤ 24h, RTO ≤ 24h.
  • Personnel & Vendors: Background checks where lawful; security training; vendor risk assessments.

No system is perfectly secure; see Section 11 (User Responsibilities) and Section 12 (Incidents).

8) International Transfers & Data Residency

Primary storage is intended to be in India or nearby regions with reliable latency.

If cross‑border transfers are necessary (e.g., global cloud services), we use contractual safeguards and transfer only to jurisdictions permitted by Indian law and with adequate protections (or equivalent safeguards under GDPR, where applicable).

You consent to such transfers by using the Platform.

9) Data Retention (By Data Type)

| Data Type | Examples | Default Retention |
|---|---|---|
| Account & Identity | Name, email, hashed password | Life of account + 12 months |
| Broker Tokens & Mappings | OAuth tokens, API keys (encrypted) | Life of integration; deleted within 7 days of unlinking |
| Trade Replication Logs | Requests/responses, timestamps, status | 7 years (compliance/audit) |
| Telemetry & Diagnostics | Latency, error codes, performance | 12–24 months (aggregated thereafter) |
| Billing & Invoices | Invoice PDFs, payment status | 8 years (tax/compliance) |
| Support Records | Tickets, emails, attachments | 36 months (unless legal hold) |
| Backups | Encrypted database snapshots | Rolling window ≤ 90 days |

We may retain limited data longer if required by law or to resolve disputes/enforce agreements.

10) Your Privacy Choices & Controls

  • Access/Export: Request a copy of your Personal Data.
  • Correction: Update inaccurate or incomplete data.
  • Deletion: Request deletion; we will honor it unless retention is legally required (e.g., tax, audit logs).
  • Restriction/Objection: Where applicable law provides, you may restrict or object to certain processing.
  • Consent Withdrawal: You may revoke consents (e.g., analytics cookies, marketing) at any time.
  • Broker Unlink: You can revoke broker access via the Platform and/or your broker’s console.
  • Requests: [email protected] (see Appendix C for DSR workflow).

11) User Responsibilities (Critical)

  • Use strong, unique passwords and enable MFA.
  • Keep devices and browsers updated; use reputable antivirus/EDR.
  • Protect broker tokens/keys; rotate regularly.
  • Configure replication settings prudently (copy factor, max order size, allowed instruments).
  • Monitor your accounts; set alerts at your broker where available.
  • Immediately report suspected compromise or unauthorized activity to [email protected].

12) Incidents & Breach Notification

We operate an incident response plan with 24/7 monitoring.

Upon confirming a data breach likely to result in risk to individuals, we will notify affected users and relevant authorities as required by applicable law (e.g., GDPR’s 72‑hour rule).

Notifications will include the nature of the breach, likely consequences, and measures taken.

We will cooperate with brokers and processors as needed to mitigate risk.

13) Children’s Data

The Platform is not intended for individuals under 18.

We do not knowingly collect data from children. If we learn of such collection, we will delete it and may terminate the account.

14) Region‑Specific Disclosures

India (DPDP 2023): We act as a data fiduciary for Platform data. You have rights to access, correction, erasure, and grievance redressal, and to nominate a person to exercise rights in the event of incapacity or death. Cross‑border transfers will honor restrictions notified by the Government of India.

EU/UK (GDPR/UK GDPR): Lawful bases listed in Section 4 apply. You have rights of access, rectification, erasure, restriction, portability, and objection. You may lodge a complaint with your supervisory authority. Where required, we will appoint an EU/UK representative.

California (CCPA/CPRA): We do not “sell” personal information. California residents may request access, deletion, and to limit use of sensitive personal information.

15) Third‑Party Links & Brokers

The Platform may contain links to third‑party sites and dashboards (e.g., brokers, payment portals). Their privacy practices are governed by their own policies.

Broker connections are user‑initiated; you should review your broker’s privacy policy and API permissions.

We are not responsible for third‑party handling of your data.

16) Cookies & Similar Technologies (Detailed)

A) What We Set

  • Session Cookie: Maintains login state; expires on logout/session end.
  • CSRF Token: Protects against cross‑site request forgery; short‑lived.
  • Preference Cookie: Stores language/UX preferences; 6–12 months.
  • Analytics Cookie (1st‑party): Anonymous event counts and latency; 12 months.

B) Your Controls

You can manage cookies via our cookie banner (where shown) and your browser settings. Blocking necessary cookies may impair functionality.

17) Product Analytics & A/B Testing

We may run privacy‑respecting analytics (preferably self‑hosted or IP‑truncated) to understand feature performance.

A/B tests, if any, avoid processing directly identifying data where feasible.

You may opt out where required by law or by contacting [email protected].

18) Automated Decision‑Making & Profiling

We do not engage in decisions producing legal or similarly significant effects based solely on automated processing of your Personal Data.

We do not perform behavioral advertising profiling.

19) Data Protection Officer (DPO) / Grievance Officer

Until a dedicated DPO is appointed, please contact:

Privacy & Security Office – CopyTrade.in

Pune, Maharashtra, India

Email: [email protected]

Grievance Officer (India): Will be disclosed on the website footer when appointed; contact the above email in the interim.

20) Changes to this Policy

We may update this Policy to reflect operational, legal, or regulatory changes. We will post updates with a new “Last Updated” date and, where material, provide notice via email or in‑app. Continued use after changes constitutes acceptance.

Appendices

Appendix A: Data Flow Summary (Textual)

  • User sign‑up/login → Auth service verifies credentials → Session token issued.
  • Broker connect → User provides API key or completes OAuth → Token encrypted and stored.
  • Master event → Platform detects trade signal → Normalizes payload with correlation ID.
  • Child replication → Orders submitted to each Child broker per configuration → Responses logged.
  • Telemetry → Latency/slippage metrics recorded (aggregated).
  • Storage → Core data in primary DB; logs in append‑only store; backups encrypted.
  • Support → If user opens ticket, minimal context and relevant logs are accessed by authorized staff.

Appendix B: Sub‑Processor Register (Template)

We maintain an up‑to‑date list on request. Replace placeholders with your actual vendors.

| Vendor | Service | Data Categories | Location | Role |
|---|---|---|---|---|
| Cloud hosting provider | Compute, DB, storage | Account, broker tokens, logs | (India/Regional) | Processor |
| Email delivery | Transactional emails | Email, name | (Region) | Processor |
| Payment processor | Billing & cards | Billing identifiers | (Region) | Independent Controller/Processor |
| Observability | Logs/metrics/errors | Pseudonymous telemetry | (Region) | Processor |
| Support desk | Ticketing | Contact, ticket content | (Region) | Processor |

Appendix C: Data Subject Request (DSR) Workflow

  • Verify requester identity (email challenge + additional verification for sensitive requests).
  • Log request in DSR register with timestamp and category (access, correction, deletion, etc.).
  • Triage scope: systems involved, data categories, legal holds.
  • Fulfill within statutory timelines (e.g., 30 days GDPR baseline), or communicate extension.
  • Retain minimal audit proof of completion.

Appendix D: Security Controls (Expanded)

  • Secrets management: Central secret store, environment‑specific scoping, automatic rotation.
  • Database security: Row‑level access policies; query auditing; least‑privilege DB roles.
  • API security: Auth tokens with expiry; HMAC signing where applicable; strict CORS.
  • Build pipeline: Immutable artifacts, provenance attestations, dependency pinning.
  • Change management: Ticketed changes, peer review, staged rollouts, automatic rollback.
  • Endpoint security (staff): Full‑disk encryption, screen‑lock, device compliance, remote wipe.
  • Physical security: Data centers with multi‑factor entry, CCTV, SOC controls (via cloud provider).
  • Third‑party risk: Due diligence, DPAs, security questionnaires, breach clauses.

Appendix E: Retention Rationale & Exceptions

  • Regulatory needs: Tax, accounting, and audit obligations may require extended retention.
  • Dispute resolution: Data under legal hold is preserved until matter resolves.
  • Backups: Point‑in‑time recovery only; deletion requests applied prospectively; backups expire on schedule.

Appendix F: Cookie Table (Example)

| Cookie | Type | Purpose | Expiry |
|---|---|---|---|
| ct_session | Strictly necessary | Keeps you signed in | Session |
| ct_csrf | Strictly necessary | Prevents CSRF | 2 hours |
| ct_prefs | Functional | Language/theme | 6 months |
| ct_metrics | Analytics | Latency & feature usage | 12 months |

Appendix G: Contact & Escalation

Plain‑English Reminder

CopyTrade.in is a technical automation service. You control what is replicated, where, and how. We protect your data with care, keep logs for accountability, and give you practical controls. If something looks unclear, write to us—we’ll answer in plain language.