Privacy Policy
Effective: 2 June 2026 · Version 1.0.0
This Privacy Policy explains how OptionLab Pro ("we", "us", "our"), operated by TRIPLEPRO CONSULTING PRIVATE LIMITED ("Company"), collects, uses, and protects information when you use our platform at optionlabpro.com. By using OptionLab Pro, you agree to this Policy. The Company is the Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act"). This Policy is also governed by the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Data Fiduciary
TRIPLEPRO CONSULTING PRIVATE LIMITED
D-92, Ground Floor, Milan Apartment, Pitampura,
New Delhi - 110034, North West Delhi, Delhi, India
GSTIN: 07AANCT1397D1Z4 · PAN: AANCT1397D
Grievance Officer / DPO: Rahul Vijj, Director — supportoptionlabpro@gmail.com
1. Information We Collect
1.1 Account Information
- Google account email address (used as your account identifier)
- Name as provided by Google OAuth (display only)
- Account creation date and last login timestamp
- Subscription plan and payment status
1.2 Consent Records
When you accept our Terms of Service or Risk Disclosure, we record: the TOS version accepted, timestamp, a one-way SHA-256 hash of your IP address (never the raw IP), and a hash of your browser User-Agent string. This is an append-only audit log — individual entries are never deleted.
1.3 Usage and Analytics
- Login events (timestamp + hashed IP)
- Trial and plan activation events
- Geographic region derived from IP via third-party geo-lookup (country, city, region — IP itself is not stored in plaintext)
1.4 Payment Information
Payments are processed by Razorpay. We receive only the Razorpay Order ID and Payment ID to verify transactions — we never handle, store, or have access to your card number, CVV, or bank account details. Razorpay's own Privacy Policy governs data processed on their platform.
1.5 Broker API Credentials (Elite Tier)
We never store your broker credentials on our servers. When you enter API keys or login credentials in the Broker Vault, they are encrypted with AES-256-GCM using a key derived from your personal vault PIN (PBKDF2-SHA256, 260,000 iterations) and stored only in your browser's local storage. If you enable the optional cloud vault sync, credentials are transmitted over TLS and stored in our database in Fernet-encrypted form — they are never stored or logged in plaintext.
1.6 Referral Codes
If you use a referral code at signup, we record it on your account profile to credit the referrer.
2. How We Use Your Information
| Purpose | Lawful Basis (IT Rules 2011) |
|---|---|
| Account creation and authentication | Contractual necessity |
| Subscription management and billing | Contractual necessity |
| Consent and legal compliance records | Legal obligation |
| Security, fraud prevention, abuse detection | Legitimate interests |
| Service improvement and debugging | Legitimate interests |
| Responding to your support queries | Contractual necessity / consent |
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3. Data Retention
Under DPDP Act §8(7), we retain personal data only as long as necessary for the purpose for which it was collected, unless a longer period is required by another law. Where statutory retention (GST, income tax, SEBI) exceeds DPDP minimisation, the statutory floor applies.
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account records | Duration of subscription + 30-day grace window after deletion request | Contractual + DPDP §8(7) |
| Account deletion audit log (hashed PII only) | 3 years from deletion | DPDP audit retention |
| Consent records (TOS acceptance log) | 7 years | Indian contract law |
| Payment transaction records (Razorpay IDs) | 8 years | GST §36 + income tax |
| GST invoices | 8 years | GST §36 CGST Act |
| Broker order audit records | 8 years | SEBI broker recordkeeping |
| Login / event logs | 180 days, then anonymised | Legitimate interest |
| Broker vault credentials (encrypted) | Deleted on account purge or vault clear | DPDP §8(7) |
| Fraud-detection signals + device fingerprints | 30 days rolling | Legitimate interest |
30-day grace window: When you request account deletion, your account enters a 30-day cool-off period. During this window you can sign back in and cancel the request. After 30 days, your personal data is hard-deleted by an automated nightly process. An audit row carrying only one-way hashes (SHA-256) of your phone and email survives for 3 years to prove the deletion was honoured. Records subject to statutory retention (invoices, payment audit, order audit) are retained per their respective retention windows even after personal-data purge.
4. Data Sharing and Disclosure
We share your data only in these limited circumstances:
- Razorpay — payment processing (Order ID, Payment ID). Razorpay is PCI-DSS compliant.
- Google OAuth — identity verification at login. We receive your email and name; no further Google data is accessed.
- ip-api.com — geo-lookup for hashed IP addresses (country/city for analytics). Only the hashed IP is ever sent.
- Cloud infrastructure providers (Google Cloud Platform) — data is stored in Mumbai region servers where feasible.
- Law enforcement or regulatory authorities — only when required by a valid legal order, court directive, or SEBI/RBI requirement under Indian law.
5. Your Rights as a Data Principal (DPDP Act §11–14)
Under the Digital Personal Data Protection Act 2023, you have the following statutory rights regarding your personal data:
- Right to access information (§11) — request a summary of the personal data we hold about you, the purposes of processing, and identities of data processors.
- Right to correction and erasure (§12) — request correction of inaccurate or incomplete data, or erasure of personal data not subject to statutory retention.
- Right to grievance redressal (§13) — file a complaint with our Grievance Officer (see Section 9 below). If unresolved, escalate to the Data Protection Board of India.
- Right to nominate (§14) — nominate another person to exercise your rights in the event of your death or incapacity. To register a nomination, email the Grievance Officer with the nominee's name and contact details.
- Right to withdraw consent — withdraw consent at any time via /account in the app. Withdrawal triggers the 30-day soft-delete flow (Section 3). Withdrawal does not affect the lawfulness of processing before withdrawal.
How to exercise these rights: Most rights can be exercised in-app at /account. For requests that require human review (access, correction, nomination), email supportoptionlabpro@gmail.com with subject "DPDP Rights Request — [your registered email]". We respond within 30 days. Requests relating to financial records subject to statutory retention may be partially declined where retention is mandated by law (we will explain which records are affected and the legal basis).
Data Protection Board escalation: If we do not resolve your complaint to your satisfaction within 30 days, you may escalate to the Data Protection Board of India under DPDP §27. Procedure and forms will be published on the Board's official website (dpb.gov.in upon establishment).
6. Security
- All data in transit is protected by TLS 1.2+
- Passwords are hashed with PBKDF2-SHA256 (260,000 iterations) and salted — never stored in plaintext
- Vault credentials are Fernet-encrypted at rest (AES-128-CBC + HMAC-SHA256)
- IP addresses are one-way hashed (SHA-256) before storage — they cannot be reversed
- Session tokens use HMAC-SHA256 with secret rotation support
- Authentication uses stateless signed tokens; no session cookies containing credentials
- Access to production systems is restricted to authorised personnel with MFA
Breach notification: No security system is impenetrable. In the event of a personal-data breach affecting your data, we will notify the Data Protection Board of India within the timeline required by DPDP §8(6) (within 72 hours), notify CERT-In within 6 hours where the breach also constitutes a "cyber incident" under the CERT-In Directive of April 2022, and notify you without undue delay where the breach is likely to cause you significant harm. Our internal breach response runbook (governing detection, containment, notification, and post-mortem) is documented and reviewed annually.
7. Cookies and Tracking
OptionLab Pro does not use third-party advertising cookies or tracking pixels. We use:
- Session token — first-party Bearer token stored in your browser's localStorage to maintain logged-in state. Strictly necessary; cannot be disabled while you are signed in.
- optionlabpro_cookie_consent — first-party cookie recording your acknowledgment of this Cookie & Privacy notice. 1-year max-age, SameSite=Lax, Secure in production.
No cross-site tracking is performed. We do not use Google Analytics, Meta Pixel, or similar advertising platforms. If we add analytics in the future, this section will be updated and you will be prompted for granular consent before any new cookies are set.
8. Children's Privacy (DPDP §9)
OptionLab Pro is not directed at persons under the age of 18. Under DPDP §9, processing of personal data of children (under 18) requires verifiable consent from a parent or lawful guardian. We do not knowingly process children's data. If you believe we have inadvertently collected such data, contact our Grievance Officer (see Section 9 below) immediately and we will delete it without delay.
9. Grievance Officer & Data Protection Officer
In accordance with the DPDP Act 2023 §10 and §13, and the IT Act 2000 and rules made thereunder, the Company designates the following contact:
Name: Rahul Vijj
Designation: Director, TRIPLEPRO CONSULTING PRIVATE LIMITED
Role: Grievance Officer (DPDP §13) and Data Protection Officer (DPDP §10)
Email: supportoptionlabpro@gmail.com
Postal address: D-92, Ground Floor, Milan Apartment, Pitampura, New Delhi - 110034, India
Response time: Within 30 days of receipt
For DPDP rights requests use subject "DPDP Rights Request — [your registered email]". For grievances use "Grievance — [your registered email]". For breach reports use "Security: [your registered email]".
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Effective" date at the top of this page and, where appropriate, by sending an email notification to registered users. Continued use of the platform after the updated effective date constitutes acceptance of the revised policy.
11. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of India. Any disputes arising under this Policy shall be subject to the exclusive jurisdiction of the competent courts in Delhi, India, where the Company's registered office is located.
OptionLab Pro is a software platform and market analysis tool. It is not a SEBI-registered Investment Adviser. Nothing on this platform constitutes investment advice, a recommendation to buy or sell securities, or an offer of securities. All trading decisions are made solely by you.