We built Kanalyst on a simple belief — your financial data belongs to you. This policy explains exactly what we collect, why we collect it, and what we never do with it.
Kanalyst collects only the data necessary to provide you with automated financial tracking. Nothing more.
Account information. When you sign up, we collect your name, email address, and authentication credentials. If you sign in with Google, we receive your name and email from Google — we never see your Google password.
Financial identifiers (optional). To unlock password-protected CAS and NPS PDFs, you can optionally provide your PAN number and date of birth in Settings. These are encrypted at rest and used only to derive PDF passwords.
Transaction data. From SMS messages (Android app) or parsed broker emails (web), we extract and store: merchant name, transaction amount, bank name, last 4 digits of account, date and time, and transaction type. Raw SMS text and raw email bodies are never stored.
Portfolio data. From your CAS statements and NPS documents, we store ISIN codes, quantities, NAV values, fund names, and holding values — exactly the information needed to display your portfolio dashboard.
Usage data. Anonymous, aggregated usage statistics to help us improve the product. This data cannot identify you.
The Kanalyst Android app requests permission to read SMS messages on your device.
SMS processing happens locally on your device. Kanalyst uses pattern matching to identify bank transaction messages — all other SMS messages are silently ignored. Only the extracted transaction data (merchant, amount, date) is transmitted to our servers. The raw SMS text is never sent to or stored on our servers.
The Kanalyst web application optionally connects to your Gmail account to automatically import your investment portfolio from CAS and NPS statement emails. This section complies with Google's API Services User Data Policy and the Limited Use requirements.
Scope requested. We request gmail.readonly — read-only access. We cannot send emails, delete emails, or make any changes to your Gmail account.
Which senders we access. We search only for emails from these specific financial institutions:
| Sender / Institution | Purpose | What We Extract |
|---|---|---|
| NSDL / nsdl.co.in | CAS — equity holdings | ISIN, quantity, purchase price, current value |
| CDSL / cdslstatement.com | CAS — equity holdings | ISIN, quantity, purchase price, current value |
| CAMS / camsonline.com | Mutual fund CAS | Fund name, folio, units, NAV, value |
| Protean / protean-tinpan.com | NPS statements | PRAN, scheme values, XIRR, contributions |
PDF processing. Some NPS statements are image-based PDFs. In these cases, the PDF may be processed using Google's Gemini AI (via Google's own API) for optical character recognition. This is covered by Google's own privacy terms and Limited Use requirements.
Token security. Your Gmail OAuth tokens are encrypted with AES-256-GCM before being stored in our database. The encryption key is held separately in a secured environment.
Kanalyst's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
You can disconnect Gmail at any time from Settings → Data & Privacy → Disconnect Gmail inside the app. Disconnecting immediately revokes the token at Google and deletes all stored credentials from our database. You can also revoke directly at myaccount.google.com/permissions.
We do not use your personal or financial data for advertising, marketing, credit scoring, or any purpose beyond providing the Kanalyst service to you.
Your data is stored on secure servers hosted by Supabase (PostgreSQL) in compliance with SOC 2 Type II standards. All data is transmitted over HTTPS/TLS 1.3.
The Android app uses AES-256-GCM encryption for any sensitive credentials stored locally. SMS data never leaves your device — only extracted transaction fields are synced to the cloud.
We do not sell, trade, rent, or share your personal or financial data with any third party for any commercial purpose.
Infrastructure providers we use to operate Kanalyst:
Each provider processes only the data necessary to provide their specific service and is bound by their own data processing agreements.
Legal requirements. We may disclose data if required by Indian law or a valid court order. We will notify you where legally permitted.
You have full control over your data at all times.
You can delete all your data directly inside the app — no email required:
Go to Settings → Data & Privacy → Delete Account & All Data. Type DELETE to confirm. All data is permanently erased and Gmail access is revoked immediately.
Alternatively, email us at hello@kanalyst.in with subject "Data Deletion Request". We will process your request within 30 days.
Deletion is permanent and cannot be undone. Everything is erased: your account, holdings, portfolio snapshots, transactions, income, expenses, goals, bank deposits, NPS data, sync logs, family data, rules, and Gmail OAuth tokens.
Kanalyst is intended for users 18 years and older. We do not knowingly collect, store, or process personal data from anyone under 18. If you believe a minor has created an account, please contact us at hello@kanalyst.in and we will delete the account immediately.
We may update this policy from time to time. For significant changes, we will notify you via email or in-app notification at least 14 days before the change takes effect. The "Last updated" date at the top of this page always reflects the most recent revision.
Questions about this policy, data rights, or privacy concerns — we are here.
We aim to respond to all privacy-related enquiries within 2 business days. For data deletion requests, we will confirm receipt immediately and complete deletion within 30 days.
✉ hello@kanalyst.in