Privacy Policy.

Last updated: 23 April 2026 · Effective from: 23 April 2026

This Privacy Policy explains how Trading Arc LLP ("Trading Arc", "we", "our") — acting as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") — processes personal data of visitors and members ("you", "Data Principal"). It applies to tradingarc.in, our subdomains, Telegram community, email newsletters and any related tool we offer.

1. What data we collect

We collect only the data we genuinely need to run our education platform:

• Identity & contact data: full name, email address, mobile number, city, and — for GST-invoice requests — company name and GSTIN;
• Account data: username, hashed password, login timestamps, plan type, device and browser metadata;
• Payment data: transaction ID, amount, plan, last four digits of the card, UPI handle masked. Full card numbers, CVV and bank credentials are never stored on our servers — they are handled directly by our PCI-DSS-compliant payment processors;
• Usage & analytics data: pages visited, time on page, referral source, clicks on study sheets and tools, rough approximate location derived from IP;
• Communications: emails, tickets and chat messages you send us, including attached screenshots you choose to share;
• Cookies: first-party cookies for login and preferences; third-party analytics cookies as described in section 4.

We do not knowingly collect or process sensitive categories of data (health, biometric, financial account credentials beyond transaction metadata, etc.).

2. How we use your data

We use personal data for specified, lawful purposes under the DPDP Act:

• To create and operate your Trading Arc account and grant access to paid content;
• To process subscription payments, issue invoices, and handle refunds;
• To send transactional messages — receipts, renewal reminders, security alerts, and service announcements;
• To send educational newsletters and product updates where you have opted in (you can unsubscribe at any time);
• To improve our website, learning content and tools through aggregated analytics;
• To prevent fraud, abuse, unauthorised scraping, and enforce our Terms of Service;
• To comply with legal obligations — tax, accounting, and responses to lawful requests from Indian authorities.

3. Third-party processors

We engage a small set of reputable Data Processors to help us deliver the service. Each is bound by a written data-processing agreement and processes data only on our instructions:

• Payments: Razorpay Software Pvt. Ltd. and Stripe India Pvt. Ltd. — for card, UPI, and net-banking transactions;
• Analytics: Google Analytics 4 (with IP anonymisation enabled) and self-hosted Plausible for privacy-lite usage metrics;
• Transactional email: SendGrid (Twilio Inc.) and Amazon SES for receipts and service emails;
• Customer support: Zoho Desk for ticketing and email threads;
• Hosting & CDN: AWS Mumbai region (ap-south-1) and Cloudflare for edge caching and DDoS protection;
• Messaging: Telegram FZ-LLC — only the Telegram handle you voluntarily share with us for community access.

A current list of sub-processors can be requested at any time by writing to our Data Protection Officer.

4. Cookies & tracking

We use a minimal set of cookies:

• Essential cookies (always on): session login, CSRF token, language preference;
• Analytics cookies (opt-in via cookie banner where required): Google Analytics _ga family;
• No advertising cookies. We do not run retargeting pixels, third-party ad networks, or social-media tracking beacons.

You can disable non-essential cookies at any time from our cookie preference centre or your browser settings.

5. Data retention

We retain personal data only as long as necessary for the purposes it was collected, or as required by Indian law:

• Active account data — for the duration of your subscription plus 24 months after cancellation;
• Invoices, payment and tax records — 8 years, as required by the CGST Act and the LLP Act, 2008;
• Support tickets — 36 months;
• Analytics logs — aggregated and de-identified after 14 months.

After the applicable period, data is securely deleted or irreversibly anonymised.

6. Your rights under the DPDP Act, 2023

As a Data Principal, you have the right to:

• Access a summary of the personal data we hold about you and the processing we carry out;
• Correction & completion of inaccurate or incomplete data;
• Erasure of data that is no longer necessary for the purpose it was collected, subject to legal retention requirements;
• Withdraw consent at any time for any processing based on consent (this will not affect the lawfulness of processing done before withdrawal);
• Grievance redressal — lodge a complaint with our Data Protection Officer, and escalate to the Data Protection Board of India if not resolved satisfactorily;
• Nominate an individual to exercise these rights on your behalf in the event of your death or incapacity.

To exercise any right, email our DPO using the contact details in section 11. We will acknowledge within 48 hours and respond within statutory timelines.

7. Data localisation commitment

We primarily store personal data of Indian Data Principals on servers located in India (AWS Mumbai, ap-south-1). Where a sub-processor operates outside India, transfers are made only to jurisdictions permitted by the Central Government under the DPDP Act and under contractual safeguards equivalent to Indian law.

8. Security measures

We take the security of your data seriously and maintain reasonable security safeguards including:

• TLS 1.3 encryption in transit for all connections;
• AES-256 encryption at rest for our primary databases and backups;
• Role-based access control, MFA for internal admins, and quarterly access reviews;
• Bcrypt password hashing — we cannot see your password;
• Continuous log monitoring and rate-limiting to deter scraping and credential-stuffing;
• Annual third-party vulnerability assessment and penetration test.

No system is 100% secure. In the unlikely event of a personal data breach that is likely to cause you harm, we will notify you and the Data Protection Board of India as required by law.

9. Children's data

Our services are intended exclusively for adults aged 18 and above. We do not knowingly collect personal data from children under 18. If you believe a minor has provided data to us, please contact our DPO immediately and we will delete it.

10. Changes to this policy

We may update this Privacy Policy periodically. Material changes will be communicated by email to active members and by updating the "Last updated" date at the top. Please review this page regularly.

11. Contact our Data Protection Officer

For any privacy query, data-rights request or complaint, please contact:

Data Protection Officer
Trading Arc LLP
Email: dpo@tradingarc.in
Postal: Bandra Kurla Complex, Mumbai 400 051, India

If your concern remains unresolved, you may escalate to our Grievance Officer or, thereafter, to the Data Protection Board of India.