Privacy Policy

    Last updated: June 7, 2026

    WickLog ("Data Fiduciary", "we", "us", "our") operates the WickLog web application at https://wicklog.in ("Service"). This Privacy Policy describes how we collect, use, process, disclose, and protect personal data in compliance with:

    • Digital Personal Data Protection Act, 2023 ("DPDP Act")
    • Information Technology Act, 2000 ("IT Act") and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
    • IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
    • Reserve Bank of India guidelines on payment data security (applicable to Razorpay-processed transactions)

    By using the Service, you ("Data Principal") provide free, specific, informed, unconditional, and unambiguous consent to the collection and processing of your personal data as described in this Policy. You may withdraw consent at any time as provided in Section 10.

    1. Data Fiduciary Details

    FieldDetails
    Entity NameWickLog
    Service URLhttps://wicklog.in
    Contact Emailsachin@wicklog.in
    Grievance OfficerSachin Kumar Sharma
    Grievance Emailsachin@wicklog.in
    Registered AddressArithang, Gangtok, Sikkim -737101

    2. Personal Data We Collect

    WickLog collects personal data across the following categories:

    2.1 Account and Identity Data (Personally Identifiable Information)

    Collected at sign-in via Google OAuth:

    • Email address
    • Display name / full name
    • Profile picture URL

    We do not collect or store your Google account password.

    2.2 Financial and Trading Data

    Constitutes Sensitive Personal Data or Information (SPDI) under SPDI Rules, 2011:

    • Trade records: instrument symbol, entry/exit price, quantity, trade type (LONG/SHORT/F&O), trade date, P&L in INR
    • Open and closed position status
    • Strategy classifications (Breakout, Scalping, Swing, Positional, Options, BTST, etc.)
    • Portfolio-level and per-symbol P&L aggregations
    • Trading goals (target profit, current progress)

    2.3 Broker API Credentials

    Constitutes Sensitive Personal Data or Information (SPDI) under SPDI Rules, 2011:

    • API keys and access tokens for connected broker accounts (Zerodha Kite, Dhan, Groww)
    • Refresh tokens and token expiry timestamps
    • Broker connection status and last sync timestamps

    Security Note: All broker API credentials are encrypted at rest using AES-256-GCM before being stored in the database. They are decrypted only in memory at the time of a sync operation and are never transmitted in plaintext.

    2.4 Payment and Subscription Data

    • Subscription plan status (Free / Pro) and expiry date
    • Razorpay transaction IDs and payment verification status
    • Ticker Credit balance and credit transaction history

    WickLog does not store payment card numbers, CVVs, or net banking credentials. All card data is processed and tokenised exclusively by Razorpay in compliance with PCI DSS and applicable RBI guidelines.

    2.5 AI Interaction Data (Ticker AI)

    • Chat conversation history with Ticker AI
    • Trade data transmitted to Google Gemini API (trade records, P&L, statistics)
    • AI-generated responses stored against your account

    2.6 Journal and User-Generated Content

    • Rich-text journal entry content (title, body text, mood)
    • Trade-level notes and analysis text
    • User feedback, bug reports, and support messages

    2.7 Technical and Usage Data

    Automatically collected:

    • Browser session tokens (managed via Supabase, stored in browser localStorage)
    • Sidebar state preference (stored in a browser cookie)
    • Google Analytics 4 usage data: pages visited, session duration, device type, browser, OS, approximate geographic location (country/city), and referral sources

    3. Purposes of Processing and Legal Basis

    PurposeLegal Basis (DPDP Act 2023)
    Account creation and authenticationConsent; Performance of contract
    Providing trade journaling and analytics featuresPerformance of contract
    Broker trade sync via Zerodha Kite / Dhan APIsConsent
    Operating Ticker AI (data sent to Google Gemini)Consent (given at time of feature use)
    Processing subscription payments via RazorpayPerformance of contract; Legal obligation
    Sending transactional notificationsPerformance of contract
    Usage analytics via Google Analytics 4Legitimate interest (improving the Service)
    Fraud detection and security monitoringLegitimate interest; Legal obligation
    Compliance with applicable Indian lawLegal obligation

    We do not use your personal data for advertising profiling, behavioural targeting, or sale to third parties.

    4. Third-Party Data Processors

    We engage the following Data Processors to operate the Service:

    ProcessorRoleData Categories SharedPolicy
    Supabase Inc.Database, authentication, file storageAll categoriessupabase.com/privacy
    Razorpay Software Pvt. Ltd.Payment processingSubscription and payment datarazorpay.com/privacy
    Google LLC (Gemini API)AI analysis — Ticker AITrade records, P&L, chat messagespolicies.google.com/privacy
    Google LLC (Analytics 4)Usage analyticsAnonymised usage datapolicies.google.com/privacy
    Google LLC (OAuth)AuthenticationEmail, name, profile picturepolicies.google.com/privacy
    Zerodha Broking Ltd. (Kite Connect)Trade data syncEncrypted API credentialszerodha.com/privacy-policy
    Moneylicious Securities Pvt. Ltd. (Dhan)Trade data syncEncrypted API credentialsdhan.co/privacy-policy
    Vercel Inc.Application hostingNetwork request metadatavercel.com/legal/privacy-policy

    Ticker AI Data Sharing: When you use Ticker AI, your trade data is transmitted to Google's Gemini API. You may opt out simply by not using the Ticker AI feature. Disabling Ticker AI does not affect any other Service functionality.

    All processors are engaged under data processing agreements that require them to implement appropriate security measures and process data only as instructed.

    5. Data Security

    We implement the following technical and organisational security measures in accordance with Section 43A of the IT Act and the SPDI Rules, 2011:

    MeasureImplementation
    SPDI encryption at restBroker API credentials: AES-256-GCM
    Encryption in transitHTTPS/TLS 1.2+ for all data transmission
    Database access controlRow-Level Security (RLS) — each user accesses only their own data
    Authentication securitySupabase JWT-based auth with short-lived access tokens and refresh rotation
    No card storagePayment card data never stored on WickLog systems
    XSS protectionUser-generated content sanitised using DOMPurify before rendering

    Despite these measures, no electronic transmission or storage method is completely secure. WickLog cannot guarantee absolute security. In the event of a data breach materially affecting your personal data, we will notify you promptly as required by applicable Indian law.

    6. Data Retention

    Data CategoryRetention Period
    Account information (email, name, avatar)Until account deletion
    Trade records and journal entriesUntil account deletion
    Broker API credentialsUntil broker disconnection or account deletion
    AI chat conversation historyUntil account deletion or user-initiated deletion
    Feedback and support communications3 years from submission
    Payment and transaction records7 years (as required under applicable financial and tax regulations)
    Google Analytics usage data26 months (Google Analytics default retention)

    Upon account deletion initiated from the Settings page, personal data (except payment records retained by law) will be permanently deleted within 30 days. Anonymised, aggregated, and non-personal statistical data may be retained indefinitely for product improvement purposes.

    7. Your Rights as Data Principal

    Under the Digital Personal Data Protection Act, 2023, you have the following statutory rights:

    7.1 Right to Access Information (Section 11, DPDP Act) You have the right to obtain a summary of the personal data we process about you, the purposes of processing, and the identities of all processors and recipients.

    7.2 Right to Correction and Erasure (Section 12, DPDP Act) You have the right to correct inaccurate or misleading personal data. You may also request erasure of personal data that is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent. You can delete your account directly from the Settings page, which initiates erasure within 30 days.

    7.3 Right to Grievance Redressal (Section 13, DPDP Act) You have the right to have your grievances addressed by our Grievance Officer within the timeframes prescribed under applicable law. See Section 12 (Grievance Officer) of this Policy.

    7.4 Right to Nominate (Section 14, DPDP Act) You have the right to nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.

    7.5 Right to Withdraw Consent Where processing is based on your consent, you may withdraw it at any time by contacting us or by deleting your account. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

    7.6 Additional Rights (IT Act / SPDI Rules) Under the SPDI Rules, 2011, you have the right to review the personal data you have provided and to withdraw consent for its processing (subject to legal and contractual obligations).

    To exercise any of the above rights, submit a written request to sachin@wicklog.in. We will respond within 30 days of receipt. Identity verification may be required before processing your request.

    8. Cookies and Tracking Technologies

    We use cookies and browser storage technologies as described in our Cookie Policy, which is incorporated into and forms part of this Privacy Policy. You may manage cookie preferences through your browser settings; however, disabling essential cookies will impair Service functionality.

    9. Cross-Border Data Transfers

    WickLog is based in India. Some of our third-party processors (Supabase, Google LLC, Vercel) may process or store your data outside India, including in the United States and European Economic Area. Where such transfers occur:

    • We rely on applicable contractual safeguards (Standard Contractual Clauses where required)
    • Transfers to processors in countries with adequate data protection laws are permitted under the DPDP Act 2023 as notified by the Central Government

    10. Withdrawal of Consent and Account Deletion

    You may withdraw consent for data processing at any time by:

    1. Navigating to Settings → Account → Delete Account within the Service
    2. Emailing a deletion request to sachin@wicklog.in

    Upon receipt of a valid deletion request, we will delete all your personal data (save for data subject to mandatory legal retention) within 30 days. Withdrawal of consent will result in loss of access to the Service, as data processing is necessary to provide the Service.

    11. Children's Privacy

    The Service is not directed at, and WickLog does not knowingly collect personal data from, individuals under 18 years of age. If we become aware that a minor has provided personal data, we will promptly delete such data. If you believe a minor has registered an account, please contact sachin@wicklog.in.

    12. Grievance Officer

    In accordance with Rule 5A of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Section 43A of the IT Act, 2000, and Section 13 of the DPDP Act, 2023, WickLog has appointed a Grievance Officer whose details are as follows:

    Name: Sachin Kumar Sharma Designation: Grievance Officer Organisation: WickLog Email: sachin@wicklog.in Address: Arithang, Gangtok, Sikkim -737101

    How to File a Grievance: Submit your complaint in writing via email to the above address, including:

    • Your full name and registered email address
    • A clear description of the grievance and the data or conduct concerned
    • Any supporting documentation

    Response Timeline:

    • Acknowledgement: Within 24 hours of receipt
    • Resolution: Within 15 (fifteen) days of receipt of the complaint

    If you are not satisfied with the Grievance Officer's resolution, you may escalate your complaint to the Data Protection Board of India once constituted under the DPDP Act, 2023, or seek other remedies available under applicable Indian law.

    13. Changes to This Privacy Policy

    We may update this Policy periodically to reflect changes in law, our data practices, or the Service. Material changes will be communicated via:

    • Email notification to your registered email address
    • Prominent in-app notice

    Material changes will take effect no earlier than 14 days after notification. Continued use of the Service after the effective date constitutes acceptance of the updated Policy. The "Last Updated" date at the top of this page reflects the date of the most recent revision.

    14. Contact Us

    For any privacy-related questions, data access requests, or concerns not addressed by the Grievance Officer process:

    Email: sachin@wicklog.in Website: https://wicklog.in