Privacy Policy
Last updated: June 16, 2026
1. Who We Are
The data controller for personal data processed via aktai.app and the Aktai platform for Research Analysts is AKTAI LTD, a private limited company registered in England & Wales, with registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.
“We”, “us”, and “our” in this policy refer to AKTAI LTD. For privacy enquiries, including data-subject requests under the UK GDPR or India's DPDP Act 2023, email [email protected].
Two roles. For the personal data of the Research Analyst who holds the account (your name, email, phone and SEBI registration details), we are the controller. For the client data you load into Aktai (your clients' names, contact details and portfolio holdings), you are the controller, or Data Fiduciary under the DPDP Act, and Aktai acts as your processor: we handle that data only on your instructions, to provide the Service to you. You are responsible for having a lawful basis and the necessary client consent to enter that data and to send notes to your clients.
Other brands. AKTAI LTD also operates Nakshara (nakshara.app), a consumer kundli-matching service. Personal data collected through Nakshara is covered by the separate Nakshara privacy policy, not this one. AKTAI LTD is the data controller and merchant of record for both brands, so card charges for Nakshara purchases may appear as “AKTAI LTD” on your statement.
1a. Lawful Basis for Processing (GDPR Art. 6)
For users in the UK or EU/EEA, we rely on the following Article 6 lawful bases. The specific basis depends on the processing activity:
- Performance of a contract (Art. 6(1)(b)): creating and managing your Aktai account, providing the filings dashboard and note drafting, delivering the notes you send, processing payments, providing customer support.
- Consent (Art. 6(1)(a)): sending marketing or product-update emails, loading analytics cookies (consent collected via the cookie banner with default-deny under Google Consent Mode v2), referring you to relevant content via location-aware personalisation. You can withdraw consent at any time without affecting prior processing (Art. 7(3)).
- Legitimate interests (Art. 6(1)(f)): product analytics in aggregate form, rate-limiting and abuse prevention, security monitoring, fraud detection on paid plans, internal record-keeping required under company law. We have completed a legitimate-interests assessment (LIA) for each of these and balanced them against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): retaining payment records and VAT-related data for the periods required by HMRC (UK) and equivalent tax authorities; responding to lawful regulator or court requests.
We do not process personal data for “vital interests” (Art. 6(1)(d)) or “public task” (Art. 6(1)(e)). We do not process any special-category data within the meaning of Art. 9.
1b. Your Rights (GDPR Art. 15–22, UK GDPR equivalent)
You can exercise any of the rights below at any time by emailing [email protected]. We will respond within 30 days (extendable to 90 days for complex requests, with notice). Free of charge unless the request is manifestly unfounded or excessive.
- Right of access (Art. 15): request a copy of the personal data we hold about you, together with information about how we use it.
- Right of rectification (Art. 16): ask us to correct inaccurate or incomplete data. Many account fields are self-service in the app.
- Right of erasure (Art. 17, “right to be forgotten”): request deletion of your account and associated data. See /data-deletion for the in-app flow. Hard-delete completes within 7 days after a cancellation window, by our automated nightly job.
- Right to restriction (Art. 18): ask us to pause processing while a dispute, accuracy check, or objection is resolved.
- Right to data portability (Art. 20): request a machine-readable export of the data you provided to us (account profile, your client list and the portfolio data you loaded, your research notes, and the Regulation 25 audit log). We deliver the export within 30 days.
- Right to object (Art. 21): object to processing based on our legitimate interests, including analytics and product improvement. We will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights regarding automated decision-making (Art. 22): we do not currently take any decisions about you that produce legal effects or similarly significantly affect you using solely automated means. See Section 6a for the AI used to draft notes from filings.
- Right to lodge a complaint: with the UK Information Commissioner's Office at ico.org.uk (lead authority for AKTAI LTD), or your local EU data protection authority if you are in the EU/EEA.
2. Data We Collect
Research Analyst account data you provide:
- Name, email address and phone number (to create and operate your account)
- SEBI registration details (to verify you are a registered Research Analyst)
- Practice or firm name and the team members you authorise
- Billing and invoicing details (card and UPI payments are processed by Stripe, or by Razorpay for Indian Research Analysts; we never store card details)
Client data you load into Aktai (you are the controller / Data Fiduciary; we process it for you):
- Your clients' names and the contact details you use to deliver notes (for example WhatsApp number or email)
- The portfolio holdings you record for each client, used to weight filings by exposure and route notes
- The research notes you draft, edit and send, and the audit record of each send
Information collected automatically:
- IP address and device information (for security, login records, and rate limiting)
- Pages visited and feature usage (aggregate, for product improvement)
- Note delivery and read status (to confirm a note reached a client)
What we do NOT collect:
- Your clients' bank or demat account credentials, or trading-account logins
- Payment-card numbers (handled by Stripe)
- Social media profiles or biometric data
3. How We Use Your Data
- To run your account, verify your SEBI registration, and provide the filings dashboard and note drafting
- To deliver the research notes you send, white-label, over WhatsApp and email
- To keep the SEBI Regulation 25 audit trail of notes you mark as sent
- To send product, billing and account-notification emails
- To process payments and manage your plan
- To improve the product, prevent abuse, and enforce our Terms of Service
- To comply with our legal obligations
We do not sell your data or your clients' data. We do not use it for advertising. We do not profile you for third-party commercial purposes.
White-label WhatsApp delivery, opt-in & opt-out
When you send a note over WhatsApp, it is delivered from your practice name through the official WhatsApp Business Cloud API using approved message templates. As the registered analyst, you are responsible for obtaining and recording each client's consent to be contacted before you add them. We log opt-in and opt-out events to support that record.
- A client can stop messages at any time by replying STOP. We suspend delivery to that recipient immediately and record the opt-out.
- Message frequency is controlled by you: one message per note you choose to send to that client.
- Message and data rates from the recipient's carrier may apply.
4. Sub-processors
We share data only with the sub-processors directly necessary to operate the platform. We have a written Data Processing Agreement (Art. 28 GDPR) in place with each sub-processor that processes personal data on our behalf. The list below is exhaustive at the date of this notice and is updated before any new sub-processor goes live.
Delivery channels
- Meta (WhatsApp Business Cloud API), processor, USA. The recipient's WhatsApp number and the note body, used solely to deliver the notes you choose to send, white-label, from your practice. A recipient can reply STOP to opt out instantly. Governed by WhatsApp's Privacy Policy.
- Resend, processor, USA. Email delivery for the notes you send and for transactional account email.
- Telegram, processor, UAE-licensed. Delivers the notes you send to a client's Telegram chat that the client has bound to your practice. Only the chat identifier and handle the client provided, plus the note body, are processed. Telegram offers no commercial Data Processing Agreement; its own privacy framework applies.
- Discord, processor, USA. Delivers notes to a Discord channel a client has connected. Only the channel or server identifier and the note body are processed. Transfers to the US rely on Standard Contractual Clauses and the UK International Data Transfer Agreement.
- Firebase Cloud Messaging (Google), processor, USA. Mobile push delivery to the iOS and Android apps: it processes the device push token, the alert body, and delivery status. Transfers to the US rely on the Google Cloud Data Processing Addendum and Standard Contractual Clauses.
Analytics and advertising
- Google (Analytics 4, Google Ads, Tag Manager), processor, USA. Aggregate site-usage analytics and measurement of whether an ad click led to a signup. These tags load only after you accept the relevant cookies (analytics and marketing are denied by default under Google Consent Mode v2) and stay off when your browser sends a Global Privacy Control signal. Transfers to the US rely on the EU-US Data Privacy Framework and Standard Contractual Clauses. See the Cookies Policy for the exact cookies.
Infrastructure
- Cloudflare, processor, USA + global edge. CDN, DDoS protection, bot management, and TLS termination. Sets strictly-necessary security cookies only; it is not used for cross-site tracking.
- Vultr, processor, India (Mumbai region). Application hosting (Node.js + queue workers), primary PostgreSQL database, and Redis queue infrastructure. Client data is stored at rest in India; named sub-processors listed on this page process data in transit under their DPAs.
- Railway, processor, USA. Residual hosting for the global news ingestion worker only; it processes public news content, not client personal data.
- Axiom, processor, USA. Anonymised application error monitoring and log analytics.
AI processing
Aktai uses Anthropic (Claude), processor, USA, to draft factual notes from filings. We send Anthropic only the filing or article text and the ticker symbols it mentions, never your clients' names, contact details, portfolio holdings, your account identifiers, or any other identifier that could connect a request to a specific person. Anthropic operates under contractual terms that prohibit training on Aktai's API data (Anthropic's Commercial Terms). If we add, remove, or swap an AI provider, we will update this section and email account holders 14 days in advance.
Payments
- Stripe, processor, USA. Subscription and one-off payments for customers billed outside India. Stripe receives your payment-card data directly; we never store it.
- Razorpay, processor, India. Subscription and fee payments for Indian Research Analysts billed in INR (card, UPI, and netbanking). Razorpay receives your payment details directly; we never store card data. Data is processed in India.
A summary of each sub-processor's purpose, region, and transfer mechanism is available on request: [email protected]. We notify registered users by email at least 14 days in advance of any new sub-processor that processes personal data.
5. Data Retention
- Account and client data, for the duration of your account. When you request deletion (in-app or by email), a 7-day grace window starts; you may cancel within that window. After it elapses an automated nightly job hard-deletes your account and the client data in it. Export anything you need to keep first.
- Research notes and Regulation 25 audit records, retained for 5 years to support your SEBI record-keeping, and exportable as a CSV at any time. You remain responsible for retaining your own copy of the records SEBI requires.
- Payment and tax records, 6 years after the end of the relevant financial year, as required of a UK company by HMRC and the Companies Act 2006
- Server logs, 30 days, then auto-deleted
6. Cookies and Tracking
We use the following cookies and similar technologies. The full list, with cookie names and lifetimes, is in our Cookies Policy.
- Authentication cookies, to keep you signed in to the web app (
aktai_access_token, about 1 hour;aktai_refresh_token, about 1 day). Both are HttpOnly and SameSite-scoped for CSRF protection. - Functional storage, browser session storage that caches your detected country and remembers notices you have dismissed.
- Google Tag Manager (GTM), loads on all pages and orchestrates the tags below. All analytics and advertising storage is denied by default via Google Consent Mode v2.
- Google Analytics 4, activated only if you accept analytics cookies.
- Google Ads, activated only if you accept marketing cookies. It measures whether an ad click led to a signup and carries the click identifier (gclid) from aktai.app to ra.aktai.app. We do not use it to build advertising profiles about you beyond this conversion measurement.
We do not use a Facebook/Meta Pixel or any advertising pixel other than the Google Ads tag described above. We do not sell your data. You can decline analytics and marketing cookies, change your choice at any time from the “Cookie settings” link in the footer, and the site will function identically. We honour the Global Privacy Control (GPC) signal: if your browser sends it, analytics and advertising stay off regardless of any banner choice.
6a. AI Processing and Automated Decisions
Aktai uses Anthropic Claude to draft factual research notes from the text of a filing or article, and to score how material an event is so it can be ranked on your dashboard. The model sees only the filing or article text and the tickers it mentions. It does not see your clients' names, contact details, or holdings.
No part of this makes an automated decision about a person. A draft is a suggestion to the registered analyst, never sent to anyone until you, a human, review, edit, and approve it. There is no “solely automated decision-making with legal or similarly significant effects” under GDPR Art. 22, and the DPDP Act equivalents do not arise, because:
- The output is a draft for your review, not a trade, recommendation, or any consequence that legally affects anyone.
- You decide what to keep, change, and send; nothing reaches a client without your approval.
- You can ask about any draft or ranking by emailing [email protected].
Aktai is software, not a financial adviser. A draft describes what a filing says, not what a stock will do. The view, the recommendation, and the responsibility for what you send are yours as the registered analyst.
7. Data Security
- TLS 1.3 encryption for all data in transit, AES-256 encryption at rest
- Bcrypt-hashed passwords (salt rounds: 12)
- Cookie-based JWT sessions with short expiry (1-hour access, 1-day refresh)
- Rate limiting on all API endpoints
- Login IP and device capture, and IP-based abuse prevention
- SHA-256 hashing of each sent note, so a tampered audit record is detectable
- Regular dependency security updates
In the event of a data breach that affects your personal data, we will notify you within 72 hours of becoming aware (as required by GDPR/DPDP Act).
8. International Data Transfers
Aktai serves users globally. Your data may be processed in countries outside your own. We ensure appropriate safeguards:
- EU users: Standard Contractual Clauses (SCCs) or adequacy decisions
- UK users: UK International Data Transfer Agreements (IDTAs)
- Indian users: compliance with DPDP Act cross-border transfer rules
9. Children's Privacy
Aktai is not directed at persons under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us and we will delete it immediately.
10. Changes to This Policy
We may update this policy. We will notify registered users of material changes by email with at least 14 days notice. The “Last updated” date reflects the most recent revision. Continued use after changes take effect constitutes acceptance.
11. Contact & Complaints
Data controller: AKTAI LTD, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
Data protection enquiries / data-subject requests: [email protected]
Response time: 30 days (Art. 12(3) GDPR), extendable by 60 days for complex requests with prior notice to you.
Cost: free of charge unless a request is manifestly unfounded or excessive, in which case we will either charge a reasonable administrative fee or refuse it (Art. 12(5)).
Supervisory authority: the lead authority for AKTAI LTD is the UK Information Commissioner's Office (ICO), ico.org.uk, tel +44 303 123 1113. If you are in the EU/EEA, you may also complain to your national data protection authority. If you are unsatisfied with our response you may escalate directly to either authority without going through us first.