← Back to mcrux

Privacy Policy

Last updated: May 2026

1. Who We Are

mcrux (“we”, “us”, “our”) is an AI-powered portfolio analysis service for Indian retail investors, operated by its founders and reachable at info@mcrux.com. mcrux is currently pre-incorporation. This policy applies to the website mcrux.com and all associated services.

2. Data We Collect

Account information

When you sign in with Google, we receive your name, email address, and profile picture from Google. We do not collect passwords.

Portfolio data (CAS statements)

When you upload a Consolidated Account Statement (CAS) PDF, we extract and store your mutual fund holdings — fund names, ISIN codes, folios, units held, and current values. This is sensitive financial information and is treated accordingly. We do not collect your PAN number or any data that appears in the CAS beyond your mutual fund holdings.

Payment information

Payments are processed by Razorpay. We receive a confirmation of payment and your plan tier. We do not store card numbers, UPI IDs, or any payment instrument details.

Usage data

We may collect basic usage logs (pages visited, features used) to improve the product. We do not use third-party advertising trackers.

3. How We Use Your Data

  • To parse your CAS PDF and generate portfolio analysis reports
  • To send your portfolio data to an AI model (Anthropic Claude or Google Gemini) to produce the written analysis. Your data is sent as part of the AI prompt and is not used to train the model — both Anthropic and Google commit contractually that data submitted via their API is not used for model training.
  • To manage your account, subscription tier, and billing
  • To send transactional emails (welcome, payment confirmation, monthly digest for Pro subscribers)
  • To improve the accuracy and usefulness of our analysis

We do not sell your data to any third party. We do not use your portfolio data for advertising. We do not share your data with any financial institution, broker, AMC, or distributor.

4. Third-Party Services and Cross-Border Transfers

We use the following sub-processors to operate the service. Several are hosted outside India (marked USA). By using mcrux you consent to this cross-border transfer of your data, which we carry out under contractual safeguards with each provider.

ServicePurposeData shared
Supabase (USA)Database & authenticationAccount + portfolio data
Google OAuthSign-inName, email, profile picture
Anthropic Claude (USA)AI analysis generation (primary)Portfolio holdings (no PAN, no name)
Google Gemini (USA)AI analysis generation (fallback)Portfolio holdings (no PAN, no name)
Razorpay (India)Payment processingEmail, payment amount
Resend (USA)Transactional emailName, email
Railway (USA)API hostingRequest logs
Vercel (USA)Frontend hostingRequest logs

5. Data Retention

  • Your account and portfolio data is retained for as long as your account is active. We keep it so your historical analyses remain available to you over time.
  • If you request account deletion by emailing info@mcrux.com, we will permanently delete your personal data and portfolio holdings within 30 days of your request.
  • Payment records may be retained for up to 7 years as required by Indian accounting and tax laws, even after account deletion.
  • Aggregated, anonymised analytics data (not linked to your identity) may be retained indefinitely to improve the product.

6. Security

Portfolio data is stored in Supabase with row-level security — each user can only access their own data. API keys and secrets are stored as environment variables and never committed to source code. All traffic is encrypted via HTTPS/TLS. While we take reasonable measures to protect your data, no online system is completely secure. You transmit data to us at your own risk.

7. Your Rights

Under the Digital Personal Data Protection Act 2023 (DPDP Act), the Information Technology (Amendment) Act 2008, and applicable Indian privacy rules, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request erasure of your data (subject to our legal retention obligations)
  • Withdraw consent at any time by deleting your account or emailing us
  • Nominate a person to exercise these rights on your behalf in the event of your death or incapacity (right under DPDP Act 2023)
  • File a complaint with the Data Protection Board of India once constituted under the DPDP Act

To exercise any of these rights, email info@mcrux.com. We will respond within 30 days. You may also raise a complaint with our Grievance Officer (see Section 10 below).

8. Children

mcrux is not directed at anyone under 18 years of age. We do not knowingly collect data from minors.

9. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the website before the change takes effect. The “Last updated” date at the top will always reflect the current version. Continued use of the Service after the effective date of any change constitutes your acceptance of the revised policy.

10. Grievance Officer

As required under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Digital Personal Data Protection Act 2023, we have designated a Grievance Officer to address complaints related to the processing of your personal and financial data.

Name: Grievance Officer, mcrux

Email: info@mcrux.com

Response time: We will acknowledge your complaint within 48 hours and endeavour to resolve it within 30 days.

11. Contact

For any privacy-related questions or requests, contact us at info@mcrux.com.

Terms of UseHome