Privacy Policy
Effective date: 18 March 2026
This Privacy Policy explains how Cruxd (“we,” “us,” “our”) collects, uses, stores, and protects your personal data. This policy is drafted in compliance with the Information Technology Act, 2000; the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021; and the Digital Personal Data Protection Act, 2023 (“DPDP Act”).
1. Data We Collect
1.1 Information You Provide
- Account data: email address, display name, and password (stored as a one-way hash; we never store your plain-text password).
- Forecast data: your predictions, positions, and market activity within the platform.
1.2 Information Collected Automatically
- IP address: collected for rate limiting and abuse prevention only. We do not use IP addresses for tracking or profiling.
- Session tokens: stored as HTTP-only cookies for authentication. Tokens are hashed with SHA-256 before storage.
- Usage data: pages visited and actions taken within the platform (forecasts placed, markets viewed). This data is aggregated and not linked to external identifiers.
1.3 Data We Do NOT Collect
- We do not collect financial information, bank details, or payment data of any kind.
- We do not collect Aadhaar numbers, PAN numbers, or government-issued IDs.
- We do not use third-party trackers, advertising pixels, or analytics services that share data with third parties.
2. Purpose of Data Collection
We collect and process your data for the following lawful purposes:
| Data | Purpose | Legal basis (DPDP Act) |
|---|---|---|
| Email, display name | Account creation, authentication, communication | Consent (at registration) |
| Password hash | Secure authentication | Consent (at registration) |
| IP address | Rate limiting, abuse prevention | Legitimate use (platform security) |
| Forecast activity | Platform functionality, leaderboards | Consent (by using the service) |
3. Data Storage & Security
- Data is stored in encrypted databases hosted on secure cloud infrastructure.
- Passwords are hashed using bcrypt with a cost factor of 10.
- Session tokens are hashed with SHA-256 before storage; raw tokens are never persisted.
- All communication between your browser and our servers uses HTTPS/TLS encryption.
- We implement rate limiting on authentication endpoints to prevent brute-force attacks.
- Access to the database is restricted to authorized administrators only.
4. Data Retention
- Account data: retained as long as your account is active, and deleted within 30 days of an account deletion request.
- Session tokens: automatically expire after 30 days and are purged from the database.
- Email verification tokens: expire after 24 hours.
- Password reset tokens: expire after 2 hours.
- Rate limit records: stale records are automatically cleaned up.
5. Your Rights Under the DPDP Act, 2023
As a Data Principal, you have the following rights:
- Right to Access: You may request a summary of the personal data we hold about you.
- Right to Correction: You may request correction of inaccurate or incomplete personal data.
- Right to Erasure: You may request deletion of your account and all associated personal data.
- Right to Withdraw Consent: You may withdraw consent at any time by deleting your account. Note that withdrawing consent may prevent you from using the platform.
- Right to Grievance Redressal: You may raise a complaint with our Grievance Officer (see Section 9).
- Right to Nominate: You may nominate another person to exercise your data rights in case of death or incapacity, as provided under the DPDP Act.
6. Data Sharing
We do not sell, rent, or share your personal data with any third party, except:
- Email delivery: We use a transactional email service to send verification and password reset emails. Only your email address is shared with the email provider for this purpose.
- Legal obligations: We may disclose data if required by law, court order, or government authority.
7. Cookies & Local Storage
- Session cookie: An HTTP-only, secure cookie is used for authentication. It contains a random token (not your personal data) and expires after 30 days.
- Theme preference: Your light/dark mode choice is stored in browser localStorage. This is not transmitted to our servers.
- We do not use advertising cookies, analytics cookies, or third-party cookies.
8. Children's Privacy
Cruxd is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that a user is under 18, we will delete their account and associated data promptly.
9. Grievance Officer
In compliance with Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and Section 8(10) of the DPDP Act, 2023, the designated Grievance Officer / Data Protection Officer can be contacted at: grievance@cruxd.in.
- Grievances will be acknowledged within 24 hours of receipt.
- Resolution will be provided within 15 days of acknowledgment.
- If unsatisfied with the resolution, you may approach the Data Protection Board of India as established under the DPDP Act.
10. Cross-Border Data Transfer
Our servers may be located outside India. By using Cruxd, you consent to the transfer of your data to servers in jurisdictions permitted under the DPDP Act. We ensure that adequate security measures are maintained regardless of server location.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-platform notice. Continued use of Cruxd after changes take effect constitutes acceptance of the updated policy.
12. Contact
For privacy-related inquiries, data access requests, or to exercise any of your rights, contact us at: hello@cruxd.in.