Privacy Policy

Last updated: March 2025

1. What Information We Collect

We collect information you provide directly when you create an account or use the Stoxim platform. This falls into three categories:

Account data

When you register, we collect your full name, work email address, and optionally your company name. This information is used to create and manage your account.

API usage logs

Every request made using your API key is logged. Each log record includes the API endpoint called, the ISIN or company identifier queried, your IP address, the HTTP response code, and response time in milliseconds. These logs are retained for 90 days and are accessible from your dashboard.

Payment information

Subscription and billing are handled by Razorpay. We do not directly collect or store your card number, UPI handle, bank account details, or any other payment credentials. Razorpay processes this data under its own privacy policy. We do store transaction identifiers and subscription status returned by Razorpay for billing and support purposes.

2. How We Use Your Information

  • Service delivery: To authenticate you, validate your API key, enforce your plan's rate limits, and return financial data in response to your queries.
  • Billing and subscriptions: To process subscription charges via Razorpay, send invoices, and maintain GST-compliant billing records.
  • Transactional email: To send email verification links, password reset instructions, billing receipts, and service notifications via AWS SES.
  • Abuse prevention: To detect and block API abuse, scraping, or usage that violates our Terms of Service. IP addresses and usage patterns are analysed for this purpose.
  • Product improvement: Aggregated, anonymised usage data helps us prioritise new datasets, improve response times, and fix bugs. We do not sell individual usage data to third parties.

3. Data Storage and Transfer

Your account data, API keys, and usage logs are stored in a Neon PostgreSQL database located in the ap-southeast-1 (Singapore) region. Transactional emails are dispatched through AWS SES in the ap-south-1 (Mumbai, India) region. Static assets and XBRL archives are stored in AWS S3 in ap-south-1.

We are actively working toward full data residency within India and will notify registered users via email when this migration is complete.

By creating an account and using Stoxim, you acknowledge and consent to the transfer and processing of your personal data in Singapore and India as described above.

4. Third-Party Data Processors

We share your data with the following sub-processors only to the extent necessary to operate the service:

| Processor | Purpose | Region |
| --- | --- | --- |
| Razorpay | Payment processing, subscription billing | India |
| AWS SES | Transactional email delivery | ap-south-1 (Mumbai) |
| AWS S3 | XBRL archive storage | ap-south-1 (Mumbai) |
| Neon PostgreSQL | Primary database (accounts, logs, billing) | ap-southeast-1 (Singapore) |
| Upstash Redis | Rate limiting, session caching | ap-southeast-1 (Singapore) |
| Vercel | Dashboard hosting, CDN, analytics | Global edge |
| Sentry | Error tracking and performance monitoring | United States |

5. Your Rights Under DPDPA 2023

Under the Digital Personal Data Protection Act, 2023 (India), you have the following rights with respect to your personal data:

  • Right to access: Request a summary of the personal data we hold about you and how it is being used.
  • Right to correction: Ask us to correct inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data. You may initiate this from your account settings or by emailing our Grievance Officer. Deletion is subject to retention obligations described in Section 7.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Right to grievance redressal: Lodge a complaint with our Grievance Officer (see Section 6) or with the Data Protection Board of India once it is operational.

To exercise any of these rights, contact our Grievance Officer at privacy@stoxim.in. We will respond within 30 days as required by DPDPA Section 13.

6. Grievance Officer

In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer:

Name: [Grievance Officer Name]

Designation: Grievance Officer, Stoxim Technologies Pvt. Ltd.

Email: privacy@stoxim.in

Response time: Within 30 days of receipt of complaint (DPDPA s.13)

7. Data Retention

  • API usage logs: Retained for 90 days from the date of the request, after which they are automatically purged.
  • Billing records: Retained for 7 years to comply with GST record-keeping obligations under the Central Goods and Services Tax Act, 2017.
  • Account data: Retained until you submit a deletion request, plus an additional 30-day grace period to allow for account recovery. After that period, your data is irreversibly deleted.

8. Cookies

Stoxim uses a minimal set of cookies:

  • Session cookie (HttpOnly): A strictly necessary cookie used to maintain your authenticated session on the dashboard. This cookie cannot be accessed by JavaScript and is required for the service to function. It expires when you log out or after your session token expires (15 minutes for access tokens).
  • Vercel Analytics: First-party analytics provided by Vercel to measure page performance and visitor counts. No personally identifiable information is shared with third-party advertising networks.

We do not use any third-party advertising cookies or tracking pixels. You may disable non-essential cookies in your browser settings; this will not affect your ability to use the API.

9. Security

We apply the following technical and organisational measures to protect your data:

  • Data at rest is encrypted using AES-256.
  • Data in transit is protected using TLS 1.3.
  • Passwords are hashed using bcrypt with a per-user salt before storage. We never store plaintext passwords.
  • Webhook payloads are signed using HMAC-SHA256 so you can verify their authenticity.
  • JWT access tokens expire after 15 minutes, limiting exposure in the event of token leakage.
  • API keys are hashed in the database; the plaintext key is shown only once at creation time.

Despite these measures, no system is completely immune to attack. We encourage you to rotate your API keys regularly and to report any suspected security issues to privacy@stoxim.in.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. For material changes — such as changes to the categories of data we collect, our sub-processors, or your rights — we will notify you by email at least 30 days before the changes take effect. The date at the top of this page will always reflect the most recent update.

Your continued use of the Stoxim platform after the effective date of any changes constitutes your acceptance of the revised policy.

11. Contact

For any privacy-related questions or requests, please contact us at privacy@stoxim.in. We aim to respond to all inquiries within 5 business days.
