Privacy Policy

This Privacy Policy explains how Intuition India OPC Private Limited (“we”, “us”) processes personal data of users of the InTuition Exchange platform. It applies in addition to, and forms part of, our Terms of Service. This Policy is published in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act).

1. Personal data we collect

Account data

• Name, email address, mobile number, password (stored as a salted hash).

KYC data

• Permanent Account Number (PAN) and PAN-card image.
• Aadhaar number (last four digits stored, full number used only for OTP verification through the official UIDAI flow), name, date of birth, gender, and address as returned by Aadhaar e-KYC.
• Live selfie / liveness video for face match.
• Verified bank account number, IFSC, and account holder name (collected through penny-drop validation).

Transaction data

• Deposits, withdrawals, orders, executed trades, wallet balances, on-chain transfers, payment-gateway references, TDS-deduction records.

Device, log, and usage data

• IP address, device identifier, operating system, browser, language, referrer URL, pages visited, timestamps, error logs.
• Cookies and similar technologies for authentication, security, and basic analytics. See section 7 below.

2. Why we process this data

• Account creation and login — to authenticate you and secure your account.
• KYC and AML/CFT compliance — to verify your identity, screen against sanctions and PEP lists, conduct ongoing due diligence, and file STRs / CTRs with FIU-IND under the Prevention of Money Laundering Act, 2002.
• Payment processing — to collect INR deposits and disburse INR withdrawals through our regulated payment partners.
• Tax compliance — to deduct tax at source under Section 194S of the Income-tax Act, 1961 and to issue TDS certificates.
• Service operation — to execute orders, maintain wallet balances, settle trades, and provide transaction history.
• Fraud and security — to detect and prevent unauthorised access, account takeover, market abuse, and money laundering.
• Service communications — to send transactional emails and SMS related to your account, security, and KYC status.
• Product improvement — aggregated, de-identified analytics to improve the Platform.

3. Legal basis

We process your personal data on the basis of (a) the contract you enter into with us when you accept our Terms of Service, (b) compliance with legal obligations under the PMLA, the Income-tax Act, FIU-IND directions, and the IT Act, and (c) where applicable, the consent you provide at the point of collection (for example, for Aadhaar e-KYC). You may withdraw consent at any time by writing to our Grievance Officer; withdrawal will not affect processing already carried out, and we may need to restrict or close your account if consent is withdrawn for a purpose that is essential for service provision.

4. Who we share data with

We share personal data only with the following categories of recipients:

• Payment partners — Razorpay Software Private Limited, for processing INR deposits and the bank account of record for INR withdrawals.
• KYC and identity-verification providers — Sandbox.co.in (Quicko Infosoft Private Limited) for PAN, Aadhaar, and bank verification.
• Communications providers — Twilio (SMS) and Zeptomail (email) for transactional notifications.
• Cloud hosting and infrastructure — providers under contract that store and process data on our behalf.
• Regulators and law enforcement — FIU-IND, the Income-tax Department, the Reserve Bank of India, courts, and law-enforcement agencies, where disclosure is required by law or in response to a valid legal request.
• Professional advisers — auditors, lawyers, and accountants under a duty of confidentiality.
• Successors — any acquirer in connection with a merger, acquisition, or sale of assets, subject to the same protections set out in this Policy.

We do not sell or rent personal data, and we do not share personal data with advertising networks for cross-context behavioural advertising.

5. Retention

We retain account, KYC, and transaction records for at least five years from the date of the relevant transaction or the closure of your account, whichever is later, as required by Section 12 of the Prevention of Money Laundering Act, 2002. Tax records are retained for the period prescribed under the Income-tax Act. Server logs and security records are retained for shorter periods consistent with our security policy. After the retention period expires, data is securely deleted or irreversibly anonymised.

6. Security

• Data in transit is protected with TLS.
• Sensitive fields (KYC numbers, hot-wallet keys) are encrypted at rest with AES-256-class algorithms.
• Access to production systems is role-based, logged, and limited to authorised personnel with a business need.
• We follow industry standards for vulnerability management, secret rotation, and security testing.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at help@intuitionexchange.com.

7. Cookies

We use a small number of cookies and similar technologies:

• Strictly necessary — session, CSRF, and login cookies required to operate the Platform.
• Preference — to remember your theme (light/dark) and locale.
• Analytics — aggregated traffic analytics; we do not use cookies for cross-site advertising.

You can clear cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in.

8. Your rights

Subject to applicable law (including the DPDP Act, 2023), you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate or incomplete data;
• request erasure of data we are no longer required to retain;
• withdraw consent for processing based on consent;
• nominate another individual to exercise your rights in the event of your death or incapacity;
• file a complaint with our Grievance Officer and, where unresolved, with the Data Protection Board of India.

Some rights are limited by our legal obligation to retain KYC and transaction records under the PMLA. To exercise your rights, write to help@intuitionexchange.com from your registered email address.

9. International transfers

We process and store data primarily in India. Where any sub-processor stores data outside India, we transfer data only to jurisdictions notified or otherwise permitted under the DPDP Act, 2023 and on the basis of contractual safeguards.

10. Children

The Platform is not intended for, and is not knowingly offered to, persons under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, write to us and we will delete it.

11. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent change. Material changes will be notified to you in the Platform or by email.

12. Contact and grievance