Privacy Policy
Last updated: 18 April 2026
1. Who we are
Vecktor ("we", "us") is a non-custodial crypto trading tool operated from India. This policy explains what we collect, why, and your rights under India's Digital Personal Data Protection Act, 2023 (DPDP Act). For the purposes of the DPDP Act, Vecktor is the Data Fiduciary.
2. What we collect
| Data | Purpose | Storage |
|---|---|---|
| Email address, display name | Account, login, notifications | Supabase (Mumbai) |
| Exchange API key + secret | Executing orders you request | Encrypted (AES-256-GCM) |
| Backtest configs & results | Show your own history | Postgres |
| Bot configs + execution logs | Run + monitor your bots, audit trail | Postgres |
| TradingView webhook secrets | Authenticate incoming TV alerts | Postgres |
| Server logs (IP, route, timing) | Debugging, rate limiting, abuse detection | Retained 30 days |
| Error reports (Sentry) | Crash + error diagnostics | User ID scrubbed to UUID only |
We do not collect your exchange password, KYC documents, bank details, or payment instruments. Exchange KYC stays with your exchange.
3. How your API keys are protected
- Keys are encrypted with AES-256-GCM before being written to the database
- The encryption key is stored in the backend's environment, never in the database or in client-side code
- Decryption happens only in the backend process, in memory, per request
- Keys are never transmitted to the frontend after you save them
- You can revoke a stored key at any time from Settings; revoking deletes the encrypted blob
4. How we use your data
- Provide backtesting, strategy execution, monitoring, and trade history
- Place orders on your connected exchange account, on your explicit instruction
- Send you notifications about fills, kill-switch trips, and critical account events
- Detect abuse, enforce rate limits, and prevent fraud
- Improve the product via aggregated, non-identifying analytics
We do not use your trade data to train machine-learning models or sell insights to third parties.
5. Who we share it with
- Delta Exchange India — we send order instructions, authenticated by your own API key. They see you as their customer; they do not know you are using Vecktor beyond the affiliate referral attribution.
- Supabase — authentication provider (Mumbai region). They hold your email + session tokens.
- Anthropic (Claude API) — only the natural-language prompts you enter into the AI strategy builder are sent. No API keys or trade data.
- Resend — transactional email provider for notifications you opt into.
- Sentry — error telemetry. We send user UUID (no email) plus a scrubbed stack trace.
We do not sell or rent your data. We disclose data to authorities only when compelled by valid legal process under Indian law.
6. Your rights (DPDP Act)
Under the DPDP Act, 2023 you have the right to:
- Access — request a copy of your personal data
- Correct — fix inaccurate data
- Erase — delete your account and data (some anonymised operational logs may be retained for up to 90 days to prevent abuse)
- Withdraw consent for any processing you previously authorised
- Grievance — raise a concern to our Grievance Officer below
- Nominate — designate another individual to exercise your rights in case of your death or incapacity
Email privacy@vecktor.in to exercise any of these rights. We respond within 30 days.
7. Data retention
Account data is retained for as long as your account is active. On account deletion: API keys are erased immediately; trade logs are retained in anonymised form for 7 years to satisfy financial record-keeping obligations. Error logs and server logs are pruned after 30 days.
8. Cookies & tracking
We use a single session cookie to keep you logged in (set by Supabase). We do not use third-party advertising cookies or cross-site tracking. We may add privacy-respecting analytics (self-hosted Plausible or similar) — if we do, we will update this policy.
9. Security
We use HTTPS everywhere, row-level security on the database (so you can only see your own rows), encryption at rest for sensitive fields, rate limiting, and server-side JWT verification. Despite reasonable measures, no system is perfectly secure — if you suspect a compromise, email us immediately at security@vecktor.in.
10. Children
Vecktor is not intended for anyone under 18. We do not knowingly collect data from minors. If we learn we have collected data from a minor, we will delete it.
11. Changes to this policy
We may update this policy as the product evolves. Material changes will be notified by email and a prominent in-app notice. Continued use after the notice window constitutes acceptance.
12. Grievance Officer
In accordance with the DPDP Act, 2023 and IT Rules:
Name: Karan P.
Email: grievance@vecktor.in
We acknowledge grievances within 48 hours and resolve within 15 days.