Privacy Policy

Last updated: 28 May 2026

1. Who we are

Calsify (calsify.in) is a portfolio analytics tool for Indian equity investors. We help you analyse holdings, model risk, plan rebalances, and identify tax-loss harvesting opportunities. This policy explains what data we collect, why we collect it, and what choices you have over it.

2. Using Calsify as a guest

You can use Calsify without creating an account. In guest mode, your portfolio data — holdings, lots, and any analysis results — is cached only in your own browser's local storage. We do not store this data on our servers. Clearing your browser's storage for calsify.in permanently removes it. Analyses you run in guest mode are not linked to any persistent identity.

3. Data we collect when you create an account

  • Account data — your email address and display name, collected via Supabase Auth when you sign up. If you sign up with Google, we also receive your Google profile email and name from Google's OAuth response.
  • Portfolio data — holdings you choose to save, including lot-level purchase quantity, price, and date. Stored in our database only when you explicitly save a portfolio.
  • Broker integration tokens — if you connect Zerodha Kite, the short-lived access token for that day's session is cached for the duration of your session so we can fetch live holdings. We do not store your broker password — Kite uses an OAuth-style consent flow.
  • Google account — if you connect Google Sheets, we store OAuth credentials (access token and refresh token) in our Supabase database so we can sync your holdings to a Sheet you own. We request only the drive.file scope, which limits access to files Calsify itself creates. We never read, modify, or delete other files in your Google Drive.
  • Payment data — if you subscribe to a paid plan, your payment is processed by Razorpay. We store only your subscription tier and expiry date; we never see or store card or bank details.
  • Product analytics — if you accept cookies, we collect anonymised page views, key product events (e.g. logged in, ran analysis), and unhandled error reports via PostHog and Vercel Analytics. You can decline the cookie banner and Calsify works fully without any analytics collection.
  • Bug reports — if you submit a bug or feedback report through the in-app widget, we record the description you wrote, the page path you were on, and (only if you opt in) a screenshot you choose to attach.
  • Usage logs — standard server logs (request path, timestamp, HTTP status) for debugging and rate-limit enforcement. We do not log email addresses or portfolio contents in application logs.

4. How we use your data

  • To provide portfolio analysis, lot tracking, rebalancing, and tax-harvesting features.
  • To authenticate you securely across sessions and devices.
  • To send transactional emails — signup confirmation, password reset, and important account notices — via Resend.
  • To sync your holdings to your Google Sheet (only when you have connected Google Sheets).
  • To process subscription payments via Razorpay.
  • To understand aggregate usage patterns and fix bugs (analytics, only with your consent).
  • We do not sell your data to third parties.
  • We do not use your data for advertising.
  • We do not use your portfolio or holdings data to train any machine learning model.

5. Google user data

Calsify's use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We only create and write to the single Google Sheet we create on your behalf.
  • We never share your Google data with any third party.
  • You can disconnect Google at any time from your Profile page. This immediately deletes your stored OAuth tokens from our database.

6. Third-party services we use

  • Supabase — authentication and primary database, hosted on AWS. Privacy policy.
  • Vercel — application hosting, plus optional Vercel Analytics for anonymised page views (only active if you accept cookies). Privacy policy.
  • PostHog — product analytics and unhandled-error capture (only active if you accept cookies). Session recording is disabled. Privacy policy.
  • Resend — transactional email delivery (signup confirmation, password reset). Resend processes your email address only for the purpose of delivering these messages. Privacy policy.
  • Razorpay — payment processing for paid plans. Razorpay handles card and bank details directly; we never see or store them. Privacy policy.
  • Google APIs — Google Sheets and Drive, only when you connect your Google account.
  • Zerodha Kite Connect — only when you choose to import live holdings from Zerodha. Kite handles your broker authentication directly; we never see your broker password.

7. Cookies & tracking

We use two categories of cookies and browser storage:

  • Essential cookies and storage — set by Supabase to manage your login session, and by Calsify to store your theme preference, cookie choice, and guest portfolio cache. These are required for the app to function and are not subject to consent.
  • Analytics cookies — set by Vercel Analytics and PostHog to measure aggregate page views, key product events, and unhandled errors. These are only set after you explicitly accept via the cookie banner. If you decline or never respond, we do not collect any analytics. PostHog session replay is disabled, so we never record your screen.

You can change your cookie preference at any time by clearing your browser's local storage for calsify.in — the banner will reappear on your next visit.

8. Data storage and security

  • All traffic between your browser and Calsify is encrypted in transit over HTTPS. Strict-Transport-Security is enforced.
  • Account data, saved portfolios, and stored OAuth credentials live in Supabase (hosted on AWS) with access controls that restrict each row to its owning user.
  • Authentication uses Supabase's PKCE flow. Password reset links expire within an hour and can only be used once.
  • Backend API endpoints that touch user-specific data verify the requesting user's identity on every request. Background analysis jobs are scoped to the user who created them.
  • Rate limiting is applied to authentication and analysis endpoints to prevent abuse.

9. Data retention and deletion

You can delete individual saved portfolios at any time from the Profile page. You can permanently delete your entire account — including all saved portfolios, reports, and any connected Google or Razorpay records — from the Danger Zone section of your Profile page. Account deletion is immediate and irreversible. Server logs are retained for up to 30 days for debugging and security, then automatically purged.

10. Your rights

In line with India's Digital Personal Data Protection (DPDP) Act, you have the right to access, correct, export, or delete your personal data at any time. Most of these rights are exercisable directly in the app. For anything else, contact us at the email below.

11. Children

Calsify is intended for users who are at least 18 years old. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.

12. Updates to this policy

We may update this policy from time to time as the product evolves. The “Last updated” date at the top reflects the most recent change. Material changes will be communicated by email to account holders.

13. Contact

Questions about this policy or your data? Email us at support.calsify@gmail.com.

Not investment advice · Privacy
Portfolios
Analyse
Rebalance
Reports