🛡 Your data, your control.
MFDTools.com is committed to protecting your privacy and personal data in line with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
1. Who we are (Data Fiduciary)
MFDTools.com is operated by DigiMutual Goals Pvt. Ltd. ("we", "us", "the Company"), the Data Fiduciary under the DPDP Act. Registered office: SCO-01, Near IndusInd Bank, Aastha Hospital Street, Chotala Road, Mandi Dabwali – 125104, District Sirsa, Haryana. AMFI ARN-332982.
Grievance Officer / Data Protection Officer: Deepak Singla — [email protected], +91 95412 23377.
2. What data we collect
2.1 From Customers (paying MFDs/advisors)
| Category | Examples | Source |
| --- | --- | --- |
| Identity | Firm name, founder name, professional credentials (ARN, COP, IRDAI etc.) | Self-provided |
| Contact | Email, mobile, office address | Self-provided |
| Authentication | Password hash (legacy SHA-256, being migrated to PBKDF2; see Section 8), Access PIN hash, session tokens | Derived from your inputs; raw passwords and PINs are never stored |
| Brand assets | Logo image, theme color preference, tagline | Self-uploaded |
| Transactional | Payment amount, tier, validity dates, license ID | Generated during purchase |
| Usage | Login times, IP-derived rate-limit data, audit log entries | Automatic when you use the Service |
2.2 From visitors of branded suites (your clients)
When end-clients use your branded calculator at mfdtools.com/c/yourfirm, we may temporarily process:
- Input values entered (SIP amount, tenure, etc.): kept only in browser memory unless the user explicitly saves them
- Generated PDF/Word files — created in browser, downloaded directly, NOT stored on our servers
- Access timestamps + PIN-unlock events (for audit log of MFD's suite)
3. Why we collect (Purpose & Legal Basis)
Under the DPDP Act, personal data may be processed only for a lawful purpose. Our purposes are:
- Provide the Service — generate branded suites, host them, enable login
- Process payments and manage subscriptions
- Authenticate users — verify password/PIN to prevent unauthorised access
- Security & fraud prevention — rate limiting, audit logs, anomaly detection
- Communication — renewal reminders, support responses, important Service updates
- Compliance — comply with applicable laws (AMFI, IT Act, DPDP Act), respond to lawful requests
- Service improvement — aggregate, anonymised analytics
Legal basis: Sec 7 DPDP Act ("certain legitimate uses": data you voluntarily provide to obtain the Service, and processing required by applicable law) for providing the Service, payments, authentication, security, communication and compliance; service-improvement analytics use aggregated, anonymised data only; your explicit consent (Sec 6 DPDP Act) for any marketing communications.
4. How we use cookies and similar tech
We use minimal cookies and browser storage:
- Essential (no consent needed): login session tokens (sessionStorage, cleared when the browser tab closes); PIN unlock tokens (localStorage, expire after 24h)
- Preference (consent banner): cookie consent record, language/theme preferences
- Analytics: We currently do NOT use third-party analytics (Google Analytics etc.). If we add any in future, we will request explicit opt-in first.
- Marketing: We do NOT use marketing cookies. We do NOT sell or share your data with advertisers.
5. Who we share data with
We share minimal data only with the following Data Processors, under strict confidentiality:
| Processor | Purpose | Location |
| --- | --- | --- |
| Supabase | Database hosting (PostgreSQL), file storage, authentication | AWS Singapore (ap-southeast-1) — encrypted at rest, TLS in transit |
| Vercel | Static site hosting + CDN delivery | Multi-region edge, primary India |
| Cloudflare | DNS, CDN, DDoS protection | Global edge network |
| WhatsApp / Meta | Only when YOU click "WhatsApp" buttons — message handover to WhatsApp | Meta's own infrastructure |
We do NOT share customer or visitor data with marketing platforms, ad networks, or unrelated third parties. We do NOT sell your data.
6. Data retention
- Active customers: Data retained for the duration of your subscription
- Cancelled/expired customers: Retained for 12 months to facilitate renewal, then deleted, except invoices and financial records (retained 8 years for IT Act / Income Tax compliance) and audit log entries (retained for the audit-log period below)
- Visitor data (your clients): calculator inputs and generated documents are NOT stored on our servers (in-browser only); access timestamps and PIN-unlock events are recorded in the MFD's audit log (Section 2.2) and follow the audit-log retention below
- Audit logs: Retained 24 months for security investigations
- Login attempts log: Auto-purged after 90 days
7. Your rights under DPDP Act
You have the following rights regarding your personal data:
- Right to information: Know what data we hold about you (request via portal or email)
- Right to correction / update: Update your details via Customer Portal anytime
- Right to erasure ("Right to be Forgotten"): Request full deletion (subject to legal retention requirements above)
- Right to grievance redressal: Contact our Data Protection Officer (Sec 13 DPDP Act)
- Right to nominate: You may nominate another person to exercise these rights on your behalf in case of incapacity / death
To exercise any right, email [email protected] with subject "DPDP Request — [your request]". We will respond within 30 days as required by law.
8. Security measures
- All connections encrypted via HTTPS (TLS 1.3)
- HSTS (Strict-Transport-Security) header enforced
- Passwords hashed before storage; legacy accounts use SHA-256 and are being migrated to PBKDF2 with 100,000 iterations
- PIN gate for client-facing suites with server-side rate limiting (5 wrong attempts → 15-min lockout)
- Password and PIN verification runs inside database stored functions, so the stored hashes are never returned through the API
- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- All login attempts are logged and rate-limited server-side
- Regular backups (weekly minimum) stored offsite
- Vendor security: Supabase is SOC 2 Type II certified; Vercel is SOC 2 + GDPR compliant
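As an added illustration (not MFDTools' own code), the following Python sketch shows two of the authentication controls listed above working together: verifying a legacy unsalted SHA-256 hash and transparently re-hashing it with salted PBKDF2-HMAC-SHA256 at 100,000 iterations on a successful login, and a per-account counter that refuses further attempts for 15 minutes after 5 failures. The hash record format, the function names and the in-memory counter are assumptions made for the example; a deployment like the one described would keep the counter and the verification inside database stored functions.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Illustrative example, not MFDTools' code. Parameters mirror the policy:
# PBKDF2 at 100,000 iterations, 5 failed attempts -> 15-minute lockout.
PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


def legacy_sha256_hash(password: str) -> str:
    """Legacy unsalted scheme the policy says is being migrated away from.
    Unsalted fast hashes are cheap to brute-force, hence the migration."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. Record format (assumed for this example):
    'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either scheme using constant-time comparison.
    Returns (ok, upgraded_hash): upgraded_hash is a fresh PBKDF2 record when a
    legacy SHA-256 hash verified, so the caller can replace it; otherwise None."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha256":
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(digest, rest)
        return ok, (pbkdf2_hash(password) if ok else None)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), None
    return False, None  # unknown scheme: fail closed


class LoginGate:
    """Per-account failure counter: 5 failures lock the account for 15 minutes.
    In-memory here for illustration; a multi-instance deployment keeps this
    state in the database so every server sees the same count."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._state: Dict[str, Tuple[int, float]] = {}  # account -> (failures, locked_until)

    def attempt(self, account: str, stored: str, password: str) -> Tuple[str, str]:
        """Returns (status, stored_hash): status is 'ok', 'denied' or 'locked',
        stored_hash is the record to persist (upgraded to PBKDF2 when applicable)."""
        now = self.clock()
        failures, locked_until = self._state.get(account, (0, 0.0))
        if now < locked_until:
            return "locked", stored          # locked out: do not even check the password
        if locked_until and now >= locked_until:
            failures = 0                     # lockout expired: start a fresh window
        ok, upgraded = verify(stored, password)
        if ok:
            self._state.pop(account, None)
            return "ok", upgraded or stored
        failures += 1
        locked_until = now + LOCKOUT_SECONDS if failures >= MAX_FAILURES else 0.0
        self._state[account] = (failures, locked_until)
        return ("locked" if locked_until else "denied"), stored


def demo() -> dict:
    """Drive the gate with a fake clock: 5 wrong passwords, a correct one during
    the lockout, then a correct one after the 15 minutes have passed."""
    clock = [0.0]
    gate = LoginGate(clock=lambda: clock[0])
    stored = legacy_sha256_hash("correct horse battery")  # constructed sample account
    statuses = []
    for _ in range(MAX_FAILURES):
        status, stored = gate.attempt("firm-1", stored, "wrong")
        statuses.append(status)
    while_locked, _ = gate.attempt("firm-1", stored, "correct horse battery")
    clock[0] += LOCKOUT_SECONDS + 1
    after_lockout, stored = gate.attempt("firm-1", stored, "correct horse battery")
    return {"statuses": statuses, "while_locked": while_locked,
            "after_lockout": after_lockout, "stored": stored}


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the lockout check happens before any hash computation, so an attacker cannot use the expensive PBKDF2 step as a timing or resource oracle during the lockout window, and a correct password submitted while locked is still refused, which is what makes the 5-attempt limit meaningful.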
9. Children's privacy
Our Service is intended for licensed financial professionals only. We do not knowingly collect data from anyone under 18. If we learn we have collected data from a minor, we will delete it immediately.
10. International transfers
While our primary operations are India-based, our Data Processors (Supabase on AWS Singapore, Vercel multi-region) may store data outside India. Such transfers are covered by contractual data-protection safeguards with each processor and are subject to any restrictions the Central Government notifies under Sec 16 DPDP Act.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified via email and shown on this page with a new effective date. Continued use after changes constitutes acceptance.
12. Grievance & complaints
If you believe your personal data has been mishandled or your rights violated:
- Email our Grievance Officer at [email protected]
- We will respond within 7 days and resolve within 30 days
- If unsatisfied, you may approach the Data Protection Board of India once established under Sec 18 DPDP Act
- Consumer disputes may be filed at the appropriate Consumer Forum under Consumer Protection Act, 2019