Privacy Policy
1. Who we are
ftInvstr ("we", "us", "our") operates the website at ftinvstr.in and the associated mobile applications (together, the "Service"). The Service helps users research and track hypothetical investment strategies on Indian equities.
ftInvstr is an educational and analytical platform and does not provide investment advice, brokerage services, or securities recommendations.
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights under applicable Indian law — including the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000.
2. Data we collect
2.1 Information you give us
- Account details: name, email address, password (stored only as a salted hash — we never see your plain-text password).
- Profile preferences: notification preferences, capital amounts you choose to associate with tracked strategies (used only to compute personalised hypothetical P&L).
- Strategies you create: the expressions, configurations, and metadata you save in the Strategy Lab.
- Subscriptions: which strategies you follow (Track).
- Communications: anything you send us via email or support channels.
2.2 Information we collect automatically
- Usage data: pages visited, features used, click events, time spent — used to improve the product and surface usage patterns to admins.
- Device data: device type (mobile/desktop), browser or OS version, IP address (truncated for analytics), Firebase Cloud Messaging (FCM) token for push notifications (mobile app only).
- Cookies and similar technologies: session cookies (to keep you logged in), CSRF cookies (to protect form submissions), and analytics cookies (see Section 6).
2.3 What we do NOT collect
- We do not collect your PAN, Aadhaar, bank account details, or any financial credentials. We do not handle real money, do not execute trades, and do not integrate with any brokerage.
- We do not collect health, biometric, or other sensitive personal data as defined under the DPDP Act, except for optional biometric login on mobile (Touch ID / fingerprint) which is processed entirely on your device and never transmitted to us.
- We do not knowingly collect data from anyone under 18 (see Section 10).
3. How we use your data
We use the data we collect to:
- Operate, maintain, and personalise the Service (e.g., show you the strategies you Track, compute your personalised hypothetical P&L);
- Authenticate you and protect your account from abuse;
- Send you product-related communications you opted in to (daily P&L summaries, rebalance alerts, account notifications);
- Analyse usage patterns to improve features (aggregated and de-identified wherever possible);
- Detect, investigate, and prevent fraud, abuse, or security incidents;
- Comply with applicable laws and respond to lawful requests from authorities.
4. Legal bases for processing
Under the DPDP Act, we process your personal data on the following grounds:
- Your consent, freely given when you sign up and (separately) when you opt in to push notifications or marketing emails;
- Performance of our contract with you (i.e., delivering the Service you signed up for);
- Legitimate interests — for example, preventing fraud or improving the product — provided they don't override your rights;
- Compliance with legal obligations applicable to us.
5. Who we share data with
We share data only with service providers that help us run the Service. We do not sell or rent your personal data to advertisers.
- Cloud and infrastructure providers: hosting providers, database providers, CDN.
- Email delivery: transactional email service (account verification, daily summaries).
- Push notifications: Google Firebase Cloud Messaging (mobile app only).
- Analytics and crash reporting: aggregated and de-identified usage analytics, plus crash reporting (Sentry / Firebase Crashlytics).
- Authorities: where we are required by Indian law to disclose data, we will do so only to the extent strictly required and notify you where legally permissible.
All third-party processors are bound by contractual confidentiality and data-protection obligations. Where data is transferred outside India, we use providers that meet equivalent data-protection standards.
6. Cookies
We use only essential cookies (session, CSRF, authentication) plus a small set of analytics cookies. We do not use third-party advertising or tracking cookies. You can disable cookies in your browser settings, but parts of the Service may not work.
7. Data retention
- Account data: retained for as long as your account is active.
- Backtest results, strategies you saved, subscription history: retained while your account is active so you can return to them.
- Usage and analytics data: aggregated; raw event-level data retained for up to 24 months then deleted or fully anonymised.
- Server logs: 90 days, then deleted.
- If you delete your account, we delete or fully anonymise your personal data within 30 days, except where retention is required by law (e.g., financial / audit records).
8. Your rights
Under the DPDP Act and applicable Indian law, you have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or outdated data;
- Erase your account and associated personal data (subject to retention exceptions above);
- Withdraw consent for any processing based on consent — you can opt out of marketing emails or notifications at any time;
- Nominate a person to exercise these rights on your behalf in the event of your death or incapacity;
- File a grievance with us (see Section 12) and, if unsatisfied, with the Data Protection Board of India.
To exercise any of these rights, email us at the address in Section 12. We will respond within 30 days.
9. Security
We use industry-standard security measures: encryption in transit (TLS), password hashing, restricted internal access, and regular security reviews. No system is perfectly secure; we cannot guarantee absolute security. If we become aware of a personal data breach affecting you, we will notify you in accordance with Indian law.
10. Children's data
The Service is not intended for, and we do not knowingly collect data from, individuals under 18. If we learn that we have collected data from a person under 18 without parental consent, we will delete it. Parents and guardians may contact us at the address in Section 12.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes, we will notify you via email or an in-app notice at least 30 days before the change takes effect.
12. Contact us / Grievance officer
If you have questions about this policy or want to exercise any of your rights, contact us at:
- Email: help@ftinvstr.in
- Grievance Officer: as designated under the DPDP Act, contactable at the email above. We will acknowledge complaints within 7 days and resolve them within 30 days.