    Security & Privacy

    Last updated: March 29, 2026

    drishti.money is built for investors who take their money seriously — and so do we. This page explains exactly how we protect your account, your credentials, and your portfolio data.

    Zerodha OAuth — Read-Only Access

    We connect to your Zerodha account using Kite Connect OAuth, the official API from Zerodha. This means:

    • We never see your Kite username, password, PIN, or TOTP.
    • Access is strictly read-only — we can fetch holdings and trades, but cannot place, modify, or cancel any orders.
    • You can revoke our access anytime from Kite → My Profile → Apps. The moment you do, our access stops immediately.

    No Credential Storage

    Broker passwords, PINs, and TOTP codes never touch our servers. The only thing we store is a short-lived OAuth access token provided by Zerodha, which is encrypted at rest and rotated regularly.

    Data Encryption

    • In transit: All traffic to and from drishti.money uses TLS 1.2+ (HTTPS). No unencrypted connections are accepted.
    • At rest: Access tokens and sensitive fields are encrypted at rest using AES-256. Databases sit inside a private network not reachable from the public internet.

    Server Location

    All application servers and databases are hosted on AWS in the Mumbai (ap-south-1) region so your data stays inside India.

    Data Retention

    • Portfolio data is retained only while your account is active, so that we can show you history and trends.
    • When you delete your account, all personal data and broker-linked data are removed from active systems within 30 days.
    • You can request deletion at any time by emailing privacy@drishti.money.

    Third Parties

    We rely on a small number of vetted providers to run the service:

    • Zerodha Kite Connect — broker API for holdings and trades.
    • AWS (ap-south-1) — hosting and databases.
    • OpenAI / Anthropic — large language models that power concall summaries. Only public concall transcripts and anonymized portfolio snippets are shared; raw credentials or PII are never sent.

    Reporting a Security Issue

    If you believe you've found a security vulnerability, please email security@drishti.money. We take all reports seriously and will respond within 72 hours.

    Related

    See our Privacy Policy for details on what we collect and why, and our Terms & Conditions for the legal framework.