Privacy Policy
Last updated: 2026-06-22
This Privacy Policy (the "Policy") explains how FinShift Global ("FinShift", "we", "us", or "our"), the operator of the Equity Sentience platform (the "Platform"), collects, uses, stores, discloses, and protects personal data relating to natural persons (each, a "Data Principal") who access or use the Platform.
This Policy is published under the Information Technology Act 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the "SPDI Rules"), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (the "Intermediary Rules"), the Digital Personal Data Protection Act 2023 (the "DPDP Act"), and the Consumer Protection (E-Commerce) Rules 2020.
1. Data Fiduciary identity
1.1 For the purposes of the DPDP Act, FinShift Global is the Data Fiduciary in respect of the personal data collected through the Platform. FinShift Global is a partnership firm constituted under the Indian Partnership Act 1932, having its registered office at 13-248, Sitanagaram, Tadepalle Mandal, Guntur, Andhra Pradesh, 522503, India. FinShift determines the purpose and means of processing of personal data collected through the Platform.
1.2 You may write to FinShift at privacy@equitysentience.in on any matter relating to this Policy or the processing of your personal data.
2. Categories of personal data we collect
2.1 We collect the following categories of personal data:
- (a) Identification data. Name and email address submitted through the access-request form, and any optional context you provide in the "why" field of that form.
- (b) Account credentials. The username and password issued to you for dashboard access. Passwords are stored in hashed form using a one-way function and are never visible to FinShift personnel in plaintext.
- (c) Technical data. Standard server log information generated when you access the Platform, including IP address, browser type and version, operating system, referring page, pages visited, timestamps of requests, and response status codes.
- (d) Communications data. Any correspondence you send to FinShift, including the content of emails sent to our published contact addresses.
2.2 We do not collect Sensitive Personal Data or Information as defined in Rule 3 of the SPDI Rules, including passwords other than to the Platform, financial information (bank account, credit or debit card, payment instrument details), physical, physiological, or mental health condition, sexual orientation, medical records, biometric information, or any document of identity issued by a government authority.
3. Purposes for which we process personal data
3.1 We process your personal data for the following specified, explicit, and lawful purposes:
- (a) to evaluate and respond to your access request, and to grant or decline dashboard access;
- (b) to authenticate you on the dashboard and to maintain session continuity;
- (c) to operate, maintain, secure, and improve the Platform, including diagnosis of errors, capacity planning, and detection and prevention of fraud, abuse, and unauthorised access;
- (d) to communicate with you about the Platform, including service notices, security advisories, and responses to your queries;
- (e) to comply with applicable law, regulation, court order, or lawful direction of a competent authority, including directions of the Indian Computer Emergency Response Team ("CERT-In") under section 70B of the Information Technology Act 2000; and
- (f) to enforce these Terms, the Privacy Policy, and any other agreement between FinShift and you.
4. Lawful basis for processing
4.1 We process your personal data on one or more of the following lawful bases under the DPDP Act:
- (a) your free, specific, informed, unconditional, and unambiguous consent, given by an affirmative action such as submission of the access-request form or use of the dashboard after presentation of this Policy (section 6 of the DPDP Act);
- (b) the performance of any function under any law for the time being in force in India, or in the interest of sovereignty, integrity, security, or public order (section 7 of the DPDP Act);
- (c) the provision of any service or benefit to you, where such processing is necessary; and
- (d) the legitimate use of personal data as set out in section 7 of the DPDP Act.
5. Consent and withdrawal of consent
5.1 Where processing is based on your consent, you have the right to withdraw that consent at any time by writing to privacy@equitysentience.in. The withdrawal of consent shall not affect the lawfulness of processing carried out before the withdrawal.
5.2 Withdrawal of consent may require FinShift to suspend or terminate your access to the Platform where the processing is necessary for that access.
6. Disclosure to third parties
6.1 We do not sell your personal data. We do not share your personal data with marketers, advertisers, or data brokers.
6.2 We disclose your personal data only to the following categories of recipients, each of which is bound by contractual obligations to process the data solely for the purposes for which it is disclosed:
- (a) Hosting and infrastructure providers. Vercel Inc. hosts the marketing site and the dashboard front-end. Railway Corp. hosts the application server and the Postgres database in which personal data is stored.
- (b) Large language model provider. Anthropic, PBC processes inputs sent for inference. The inputs sent to Anthropic consist of publicly available market data, policy text, news headlines, and corporate filings. Personal data of Data Principals (name, email, access-request reason) is not transmitted to Anthropic.
- (c) Professional advisers. Our legal counsel, auditors, and other professional advisers, where disclosure is necessary for them to provide their services to FinShift.
- (d) Government and regulatory authorities. Where required by law, court order, or lawful direction of a competent authority, including SEBI, the Reserve Bank of India, CERT-In, the Ministry of Electronics and Information Technology, the income-tax authorities, and any law enforcement agency.
- (e) Successors. In the event of a merger, acquisition, reorganisation, or sale of all or part of FinShift's assets, personal data may be transferred to the successor entity, subject to that entity assuming the obligations of this Policy.
7. Cross-border transfer of personal data
7.1 Personal data collected through the Platform is stored in a Postgres database managed by Railway Corp. in a United States region (US-East). The marketing site and the dashboard front-end are served from the global edge network of Vercel Inc., which may cache static assets in regions outside India.
7.2 The transfer of personal data outside India is conducted in accordance with section 16 of the DPDP Act. FinShift will not transfer personal data to any country or territory notified by the Central Government as a country to which the transfer of personal data is restricted.
8. Retention of personal data
8.1 We retain personal data for only as long as is necessary for the purposes for which it was collected, or for such longer period as may be required to comply with applicable law.
- (a) Access-request data is retained for the duration of your access to the Platform, and for a period of one (1) year thereafter or such longer period as may be required by law.
- (b) Account credentials are retained for the duration of your access and deleted within thirty (30) days of termination of access.
- (c) Server logs are retained for a period of one hundred and eighty (180) days, in accordance with the directions issued by CERT-In on 28 April 2022 under section 70B(6) of the Information Technology Act 2000.
- (d) Communications data is retained for a period of three (3) years from the date of the communication, or for such longer period as may be required by law or for the establishment, exercise, or defence of legal claims.
9. Security
9.1 FinShift has implemented reasonable security practices and procedures in accordance with Rule 8 of the SPDI Rules and section 8(5) of the DPDP Act. These include:
- (a) transmission of all data between your browser and the Platform over HTTPS, with HTTP Strict Transport Security enabled;
- (b) storage of personal data in a database accessible only to authorised application processes, with encryption of backups at rest;
- (c) one-way hashing of all account credentials;
- (d) access control on administrative tooling, with least privilege applied to operational personnel;
- (e) periodic rotation of credentials, secrets, and API keys;
- (f) time synchronisation of all servers to a reliable network time source, in accordance with the CERT-In directions of 28 April 2022; and
- (g) logging and monitoring sufficient to detect and investigate security incidents.
9.2 No method of transmission or storage is wholly secure. While FinShift takes reasonable steps to protect personal data, FinShift does not warrant the absolute security of personal data transmitted to or stored on the Platform.
10. Personal data breach
10.1 In the event of a personal data breach, FinShift will notify the Data Protection Board of India and the affected Data Principals in such form and manner as may be prescribed under the DPDP Act.
10.2 FinShift will report cyber security incidents to CERT-In within six (6) hours of becoming aware of the incident, in accordance with the directions issued by CERT-In on 28 April 2022.
11. Rights of Data Principals
11.1 Under Chapter III of the DPDP Act, you have the following rights in respect of your personal data:
- (a) Right to access information. You have the right to obtain a summary of the personal data being processed by FinShift and the activities undertaken in respect of that data, and the identities of all Data Fiduciaries and Data Processors with whom that data has been shared (section 11 of the DPDP Act).
- (b) Right to correction and erasure. You have the right to seek correction of inaccurate or misleading personal data, completion of incomplete personal data, updating of personal data, and erasure of personal data that is no longer necessary for the purpose for which it was collected (section 12 of the DPDP Act).
- (c) Right of grievance redressal. You have the right to a readily available means of grievance redressal in respect of any act or omission of FinShift regarding the performance of its obligations under the DPDP Act (section 13).
- (d) Right to nominate. You have the right to nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity (section 14).
- (e) Right to withdraw consent. You have the right to withdraw your consent to processing at any time (section 6(4) of the DPDP Act).
11.2 To exercise any of the rights set out in clause 11.1, please write to privacy@equitysentience.in. FinShift will respond to your request within thirty (30) days. If you are not satisfied with the response, you may escalate the matter through the grievance mechanism set out at /grievance or, ultimately, to the Data Protection Board of India.
12. Personal data of children
12.1 The Platform is not intended for, and is not directed at, any individual under the age of eighteen (18) years. We do not knowingly collect personal data of any individual under the age of eighteen.
12.2 If we become aware that personal data of an individual under the age of eighteen has been collected without the verifiable consent of the parent or lawful guardian of that individual, we will delete the data without undue delay, in accordance with section 9 of the DPDP Act.
13. Cookies and similar technologies
13.1 The Platform uses only those cookies that are strictly necessary for the operation of the dashboard, including a session cookie set after successful authentication. The Platform does not use third-party analytics cookies, advertising cookies, or tracking pixels.
13.2 You may control or block cookies through the settings of your browser. Blocking the session cookie will prevent you from accessing the dashboard.
14. Grievance Officer
14.1 In accordance with Rule 5(9) of the SPDI Rules and Rule 3(2) of the Intermediary Rules, FinShift has designated a Grievance Officer. The contact details of the Grievance Officer and the procedure for filing a grievance are set out in the Grievance Redressal Policy at /grievance.
15. Changes to this Policy
15.1 FinShift may amend this Policy from time to time. The revised Policy will be posted on this page with an updated "Last updated" date. Where the amendment is material, FinShift will use reasonable efforts to notify Data Principals through the dashboard or by email.
16. Contact
For any question, request, or concern relating to this Policy or to the processing of your personal data, please write to FinShift Global at privacy@equitysentience.in.