Namaa AI ← Back

Privacy Policy

Effective date: April 2026 • Version 1.0 • India DPDP 2023 · KSA PDPL · EU GDPR

1. Who we are

Namaa AI (“Namaa”, “we”, “us”) is a Shariah-screened algorithmic trading platform operated by Khair Labs, India. This policy explains what personal data we collect, why, how long we keep it, and the rights you have under the laws that apply to you. It applies to all users of the Namaa web dashboard, mobile application, advisor portal, and any related API.

Data Protection Officer: dpo@namaa.dev • General: privacy@namaa.dev

2. Data we collect

Account data: Name, email address, password hash (bcrypt).
Broker credentials: Zerodha Kite API key, encrypted access token, TOTP secret (AES-256 at rest). We never store plaintext passwords.
Trade data: All trades executed via the Platform — prices, quantities, P&L, strategy metadata.
AI reasoning trail: Prompts, responses, model identifiers, and prompt-version hashes for every AI call that approved or skipped a trade (see ai_reasoning_audit in our schema).
Consent records: Type, version, timestamp, IP address, and user-agent at the time of each legal acceptance — append-only, 7-year retention.
Usage logs: Agent cycle events, authentication events, errors.
Device / network: IP address, user-agent, app version.

3. Why we process it (lawful bases)

Purpose	Lawful basis
Operate your trading agent	Contract performance
Comply with broker and tax recordkeeping (SEBI / ITR)	Legal obligation
Shariah compliance scoring and audit	Contract + Legitimate interest
Security monitoring, fraud prevention	Legitimate interest
Product analytics (aggregated, non-identifying)	Legitimate interest
Marketing / product updates	Consent (opt-in only)

We do not sell your data. We do not use your trade data to inform any proprietary trading on our side.

4. Processors and sub-processors

Zerodha Kite Connect — executes orders under your own API credentials.
ORIS AI (Khair Labs) — trade reasoning and Shariah re-verification; receives symbol-level prompts and returns structured compliance outputs.
ThynkTax — trade-close events for tax computation (only when you enable the integration).
Backblaze B2 / AWS S3 / equivalent — encrypted, access-controlled backup storage. We encrypt backups with age before upload; the storage provider cannot read them.
Transactional email / SMS providers — used only for account and agent notifications you enable.
Law enforcement — only when compelled by court order or a competent authority in a jurisdiction applicable to you.

A current list of sub-processors is available on request to dpo@namaa.dev. We give 15 days notice before onboarding a new sub-processor that handles personal data.

5. Retention matrix

Category	Retention	Basis
Trade records	7 years	SEBI / ITR
AI reasoning audit (`ai_reasoning_audit`)	3 years	Shariah + regulatory defensibility
Consent records (`user_consents`)	7 years, append-only	DPDP / GDPR proof
Personal identifiers (name, email, phone)	Until deletion request + 30 day grace	All regimes
Broker credentials	Until deletion, purged within 30 days	All regimes
Operational logs	30 days	Ops
Security / audit logs	1 year	Security
Encrypted DB backups	1 year rolling	Ops
Audit cold-copy (regulatory)	7 years, immutable	SEBI / GDPR / DPDP / PDPL

On deletion, identifiers are purged but AI reasoning and trade rows are pseudonymised — your user_id is replaced with a one-way HMAC hash so rows remain for regulatory retention without identifying you.

6. Your rights by jurisdiction

6.1 India — Digital Personal Data Protection Act 2023 (DPDP)

Right to access a summary of personal data processed.
Right to correction and erasure — inaccurate data corrected; erasure subject to retention obligations above.
Right to nominate — you may designate another person to exercise your rights on your behalf in the event of death or incapacity.
Right to grievance redressal — our Grievance Officer is reachable at dpo@namaa.dev. We respond within 15 days.
CERT-In breach notification — significant breaches notified within 6 hours.

6.2 Kingdom of Saudi Arabia — Personal Data Protection Law (PDPL)

Right to be informed of the collection, use, and disclosure of your data.
Right to access, correct, and destroy your data subject to the retention schedule above.
Right to withdraw consent to optional processing at any time.
Cross-border transfers — your data may be processed in India and in our processors’ jurisdictions (see §4). We apply contractual safeguards equivalent to SDAIA standards. Where required, we will apply for specific approval from the Saudi Data & AI Authority.
Complaints — to us at dpo@namaa.dev, or to SDAIA directly.

6.3 European Economic Area / United Kingdom — GDPR / UK-GDPR

Access, rectification, erasure, restriction, portability, and objection (Articles 15–21).
Automated decision-making — our trade approvals include automated reasoning. You may request human review and the logic summary by emailing our DPO.
International transfers — when we transfer personal data outside the EEA, we rely on Standard Contractual Clauses or equivalent safeguards.
Lodge a complaint with your national supervisory authority (or the ICO for UK users).
Representative — EU users may contact our EU representative at the DPO address above until a dedicated representative is appointed.

7. Exercising your rights

Two self-service flows are available from your account settings:

Export — /api/me/export (or Settings → Export my data) returns a JSON bundle of your personal data, trades, consents, and AI reasoning audit rows. Rate-limited to once per day.
Delete — /api/me/delete-request (or Settings → Delete my account) queues your account for deletion. A 30-day grace period lets you cancel. After grace: identifiers are hard-deleted, trade and audit rows are pseudonymised and retained for the regulatory window.

For any other request (correction, objection, restriction), email dpo@namaa.dev from the address on your account. We respond within 15 days (GDPR: 30 days / DPDP: 15 days / PDPL: 30 days).

8. Security

All sensitive credentials are AES-256 encrypted at rest. Passwords are bcrypt-hashed. Backups are encrypted with age before leaving the server; the storage provider cannot decrypt them. Database uses WAL with restricted file-system access. Penetration testing precedes major releases.

9. Cookies

One HttpOnly session cookie (namaa_token) for authentication. No third-party tracking cookies. The mobile app stores the session token in the OS secure keystore (Keychain on iOS, Keystore on Android).

10. Children

The Platform is not intended for users under 18. We do not knowingly process data from minors. Under DPDP, consent for anyone under 18 requires verifiable parental consent — we do not offer such a flow, which effectively excludes users under 18.

11. Changes to this policy

Material changes bump the policy version. When that happens, your next login surfaces the new version for re-acceptance. Prior versions are retained in our policy_versions table with content hashes so you can inspect exactly what you agreed to on a given date.

12. Contact

Data Protection Officer: dpo@namaa.dev
General: privacy@namaa.dev