Privacy Policy
Last updated: June 1, 2025
1. Data We Collect
We collect: (a) Account data — name, email, phone number provided during registration. (b) Behaviour data — your responses to Behaviour Score assessments, habit logs, goal progress. (c) Financial data — transaction data you choose to connect or enter manually. (d) Device data — IP address, device type, browser, usage patterns collected automatically. (e) KYC data — PAN, Aadhaar, and bank details required for investment accounts only.
2. How We Use Your Data
Your data is used to: Calculate and update your Behaviour Score; personalise your AI Coach conversations; generate your financial plan; provide investment product access appropriate to your score; send relevant habit nudges and notifications; comply with SEBI reporting requirements. We do not use your data for advertising profiling or sell it to third parties.
3. Behaviour Score Data
Your Behaviour Score is calculated from your self-assessed dimensions and platform behaviour (habit streaks, consistency). This score is stored securely, used only within GullakX, and never shared externally. You can view your complete score history in your dashboard.
4. Data Sharing
We share your data with: (a) Supabase — our database and authentication provider (data stored in eu-west region with SOC 2 compliance). (b) SEBI-regulated investment partners — only KYC and investment instruction data, as required by regulation. (c) Resend — for transactional emails (email address only). We do not share data with advertisers, data brokers, or any party for commercial purposes.
5. Data Security
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). We use Row Level Security on all database tables — no employee can access your data without your explicit consent. We conduct annual security audits. In the event of a breach, we will notify affected users within 72 hours as required by CERT-In.
6. Your Rights
You have the right to: Access all data we hold about you (contact privacy@gullakx.com); Correct inaccurate data through your profile settings; Delete your account and all associated data (30-day process, investment account closure follows SEBI timelines); Port your Behaviour Score history in JSON format; Withdraw consent for specific data uses.
7. Cookies
We use cookies for: Authentication sessions (necessary, cannot be disabled); Analytics (optional, can be disabled in Settings). We do not use advertising cookies. We do not use third-party analytics services that sell your data.
8. Children's Privacy
GullakX Kids accounts for users under 18 are created under and controlled by a parent/guardian account. We do not independently collect personal data from users under 13. All children's data is visible to the linked parent account.
9. Data Retention
Active account data is retained while your account is active. Behaviour Score history is retained for 7 years for regulatory compliance. After account deletion, anonymous aggregate data may be retained for research purposes. KYC data follows SEBI-mandated retention periods.
10. Contact & Complaints
Data Protection Officer: privacy@gullakx.com. For privacy complaints, we respond within 30 days. Unresolved complaints can be escalated to India's Data Protection Board once the Digital Personal Data Protection Act is fully notified.