Privacy Policy

Sleeping Trade LLC ("Sleeping Trade", "we", "us", "our") is a Delaware-registered limited liability company doing business in India through the website sleepingtrade.in and associated mobile and messaging interfaces (collectively, the "Service"). This Privacy Policy describes the categories of personal information we collect from users in India and elsewhere, the purposes for which we use that information, the parties with whom we share it, the safeguards we apply, and the rights you have over your data. It applies to every interaction you have with the Service, including browsing the public website, signing up for the waitlist, subscribing to a paid plan, connecting your broker account through an API, joining our Telegram channel, communicating with us by WhatsApp or email, and receiving trade alerts.

This Policy has been prepared with reference to the Digital Personal Data Protection Act, 2023 ("DPDP Act 2023") of India, the Information Technology Act, 2000 and the rules issued thereunder including the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011, the Indian Consumer Protection Act, 2019 in so far as it bears on consumer data, and applicable United States federal and state privacy laws including the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"). For users accessing the Service from the European Economic Area or the United Kingdom, the General Data Protection Regulation ("GDPR") and UK GDPR may also apply on a residual basis.

We have written this Policy in plain language so that an ordinary Indian retail trader can understand exactly what we collect, why, and what controls are available. Defined legal terms are explained the first time they are introduced. If anything in this Policy is unclear, please write to legal@sleepingtrade.in before using the Service.

We collect only the information that is reasonably required to operate the Service, comply with our legal obligations, and keep our users and platform safe. The categories below describe what we may collect; not every user has every category collected.

2.1 Personal information

• Identifiers: full name, email address, mobile phone number including the WhatsApp number you elect to use for trade alerts.
• Government identifiers we DO NOT collect: we do not collect PAN, Aadhaar, voter ID, or driving licence numbers. KYC for your trading account is performed by your broker, not by us.

2.2 Financial information

• The name of your broker (Zerodha, Upstox, Angel One, HDFC Securities, ICICI Direct, or a successor broker we may add) and the capital range you have selected for your subscription plan.
• Subscription invoices, plan tier, and payment status. We do not store full card numbers, CVV, UPI VPAs, or net-banking credentials — those are processed by Razorpay.

2.3 Technical information

• IP address, approximate geolocation derived from IP, device type, operating system, browser type and version, screen resolution, language preference, and access timestamps.

2.4 API credentials

• The API key, secret, and refresh tokens issued by your broker for trade-only access. These credentials are encrypted at rest using AES-256 with keys held in AWS KMS, and are transmitted only over TLS 1.3.
• The credentials we hold do not permit fund withdrawal or transfer; they are scoped to placing, modifying, and cancelling orders within your account.

2.5 Usage data, communications, and payment metadata

• Pages visited, features used, time spent on each page, click events on calls-to-action, and referral source.
• Email, WhatsApp, and Telegram messages exchanged with our team, including the text of those messages and any attachments.
• Razorpay-issued payment metadata such as payment ID, order ID, status, amount, and timestamp. We never see your raw card or bank details.

Information reaches us through one or more of the following channels, in each case with notice and, where required, with your express consent.

3.1 Information you provide directly

When you fill in a website form (waitlist, contact, support), join our Telegram or WhatsApp channels, or write to us by email, we receive the information you choose to share. You decide what to provide and you can decline to provide information, although in some cases this may prevent us from offering parts of the Service.

3.2 Cookies, pixels, and similar tracking

Our website uses essential cookies for session management and security and, with your consent, analytics cookies (Google Analytics 4) and, if enabled, advertising cookies (Meta Pixel, Google Ads conversion tracking). The detailed list of cookies, their purposes, durations, and your management choices is maintained in our Cookie Policy.

3.3 Broker API connection

When you connect your broker account, the broker issues an API key and request token to your account. You then paste those credentials into our secure setup screen, after which our backend exchanges the request token for an access token. We never receive your broker login password, your trading password, your demat credentials, your bank details, or your two-factor authentication codes for the broker.

3.4 WhatsApp and Telegram opt-ins

By opting into WhatsApp alerts you provide your mobile number and grant us permission to send you transactional and operational messages over WhatsApp Business API. By joining our Telegram channel you provide your Telegram user identifier to Telegram itself; we do not collect Telegram user IDs unless you privately message our support handle.

3.5 Email correspondence and customer support

When you write to support@sleepingtrade.in or legal@sleepingtrade.in, we receive the email address from which you write, the content of the message, and any attachments you include. Support tickets are stored for the period required to resolve and audit the request, and to comply with our record-keeping obligations.

We use your information for the following defined purposes only. Where the law requires, we obtain your consent before using your data for any purpose other than those listed.

• Service delivery: to authenticate you, route trade signals to your broker via API, send you WhatsApp and Telegram alerts, generate daily and weekly profit-and-loss reports, and provide customer support.
• Trade execution: to place, modify, and cancel orders in your broker account in accordance with the strategy stack you have subscribed to, including pre-trade risk checks such as margin sufficiency, position limits, daily loss limits, and circuit-filter compliance.
• Payments and billing: to process subscription payments through Razorpay, generate GST-compliant invoices, handle refunds where applicable, and enforce billing terms.
• Platform improvement: to study aggregate, de-identified usage patterns, fix bugs, harden security, and improve the user experience. Individual user data is not used for these analyses except to the minimum extent necessary.
• Marketing communications, with consent: to send product updates, educational content, and offers. You may opt out at any time by clicking the unsubscribe link in any email or by writing to us; opting out does not affect transactional messages required to operate the Service.
• Legal compliance: to comply with the DPDP Act 2023, the IT Act 2000, the Income Tax Act 1961 (record-keeping and tax invoices), the Prevention of Money Laundering Act 2002 to the limited extent applicable, and lawful directions from competent Indian authorities.
• Fraud prevention: to detect, investigate, and prevent unauthorised access, payment fraud, abuse of trial offers, and similar harms.

We will not use your data for any incompatible new purpose without first updating this Policy and, where required, seeking renewed consent.

Under the DPDP Act 2023 we process personal data on one or more of the following grounds. The applicable ground depends on the nature of the processing:

• Consent (Section 6, DPDP Act 2023): for marketing communications, optional analytics cookies, optional features such as WhatsApp alerts. Your consent is recorded with a timestamp and may be withdrawn at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.
• Performance of a contract: where processing is necessary to fulfil our obligations under your subscription agreement — for example, executing trades on your behalf, sending you alerts, and generating invoices. This corresponds to the "specified, lawful purposes" ground for personal data processing under the DPDP framework.
• Legitimate uses recognised under the DPDP Act: including processing for purposes for which you have voluntarily provided your data and have not indicated that you do not consent, employment-related processing where applicable, compliance with Indian law, and responding to medical or other emergencies.
• Legal obligation: for tax record-keeping under the Income Tax Act 1961 and the GST regime, for compliance with lawful orders from courts and tribunals, and for IT Act and SEBI-related disclosures where required.

For users in California, the corresponding bases under the CCPA include "performance of the contract", "compliance with legal obligation", "security and integrity of the Service", and "consent" for purposes that require it. For users in the EEA or UK, the GDPR bases of contract, legitimate interest, legal obligation, and consent apply correspondingly.

Information is stored on cloud infrastructure operated by Amazon Web Services, with primary processing in the AWS Mumbai (ap-south-1) region for Indian users wherever technically feasible. Backups may be replicated to a secondary AWS region for disaster recovery; cross-region replication is encrypted in transit and at rest.

6.1 Encryption

All personal data and API credentials are encrypted at rest using AES-256 with keys managed by AWS KMS. Data in transit is encrypted using TLS 1.3 with modern cipher suites; weak ciphers and TLS versions below 1.2 are disabled. Database connections use IAM-based authentication and connection-level encryption.

6.2 Access controls

Access to production systems is restricted to a small number of authorised personnel under the principle of least privilege. Access requires multi-factor authentication and is logged, with logs reviewed for anomalies. Engineers use short-lived credentials issued through a single-sign-on identity provider; no shared root credentials are used for routine work.

6.3 API key handling

Broker API keys, secrets, and refresh tokens are stored in an encrypted secrets store separate from the main application database. They are decrypted only at the moment of use, in memory, and are never logged or written to disk in plaintext. Engineers cannot read raw API credentials of any user; all access is intermediated by audited service code.

6.4 Incident response and breach notification

We maintain a written incident response plan. In the event of a personal data breach as defined under the DPDP Act 2023, we will notify the Data Protection Board of India and affected Data Principals without undue delay and in any event within the timelines and format prescribed by the Act and any rules made thereunder. For users in jurisdictions with separate breach-notification regimes (CCPA, GDPR), we will provide notifications consistent with those laws.

6.5 Periodic security review

We perform periodic vulnerability scanning, dependency hygiene reviews, and at least annual penetration testing by an independent third party. Findings are tracked to remediation, and a summary is available to enterprise customers under a non-disclosure agreement on request.

We work with a limited set of third-party service providers ("Processors") who process personal data on our instructions and under written contracts that include confidentiality, security, and DPDP-aligned obligations. The categories and key vendors are:

• Database and authentication: Supabase — operates our managed PostgreSQL database and authentication service. Supabase Privacy Policy.
• Payments: Razorpay Software Private Limited — processes subscription payments and refunds. We never see your raw card or bank details. Razorpay Privacy Policy.
• Email delivery: Resend (transactional email) and Hostinger (catch-all). Resend Privacy Policy.
• Cloud infrastructure: Amazon Web Services — hosts our servers, databases, and object storage primarily in the AWS Mumbai region. AWS Privacy Notice.
• Analytics: Google Analytics 4 — provides aggregated website analytics. IP addresses are truncated. Google Privacy Policy.
• Notifications: Telegram (channel broadcasts) and WhatsApp Business API via Meta Platforms (transactional alerts). Telegram Privacy Policy; WhatsApp Privacy Policy.
• Customer engagement: Limited use of customer-relationship-management tools to manage support tickets and waitlist communications.

We choose Processors with appropriate security certifications (such as SOC 2 Type II, ISO 27001, or equivalent) and assess them periodically. Where a Processor is located outside India, we apply contractual safeguards consistent with the DPDP Act 2023 and, where applicable, the GDPR's Standard Contractual Clauses.

We do not sell your personal information. "Sale" is interpreted broadly under both the DPDP Act 2023 and the CCPA, and includes exchanging personal data for monetary or other valuable consideration. We share personal data only in the following defined situations:

• With your broker, to execute trades: we send order, cancellation, modification, and position-query requests to the broker API endpoints associated with your account. We do not share any data with brokers other than what is required for the order itself.
• With our Processors: as described in Section 7, strictly to perform services for us under written contract.
• For legal compliance: when required by Indian law, by lawful direction of a competent Indian authority, by court or tribunal order, or by a comparable order under US law to which we are subject as a Delaware-registered LLC. Where permitted, we will inform affected users of such disclosure.
• To enforce our rights: to defend ourselves and our users against legal claims, to investigate suspected fraud, and to enforce our Terms of Service.
• In a corporate transaction: if Sleeping Trade LLC is acquired, merged, or transfers a substantial portion of its assets, your personal data may be transferred to the successor entity, subject to obligations no less protective than this Policy and, where required, your renewed consent.

We do not share your data with advertising networks for cross-context behavioural advertising, and we do not provide your contact details to third parties for their independent marketing.

Sleeping Trade LLC is incorporated in the State of Delaware, USA. While we host primary infrastructure for Indian users in the AWS Mumbai region, certain operational data may be processed on systems located outside India in the course of providing the Service — for example, when a Processor's primary infrastructure is in the United States or the European Union, or when our staff outside India access data to provide customer support.

The DPDP Act 2023 permits the transfer of personal data outside India except to countries or territories specifically restricted by the Central Government. Where such transfers occur, we apply written contractual safeguards including confidentiality, purpose limitation, and security obligations equivalent to those that apply within India. For data transferred to or from the European Economic Area, we rely on Standard Contractual Clauses adopted by the European Commission and, where appropriate, additional supplementary measures consistent with the post-Schrems II European Data Protection Board guidance.

For users in California, transfers of personal information to processors located in the United States are governed by the CCPA. We have entered into Service Provider Agreements with our Processors that prohibit them from selling, sharing for cross-context behavioural advertising, or retaining or using personal information for purposes other than performing the services we have engaged them to perform.

As a Data Principal under the DPDP Act 2023, you have the following rights, exercisable by writing to legal@sleepingtrade.in:

• Right to access information about personal data: a summary of the personal data being processed, the processing activities, and the identities of any other Data Fiduciaries with whom your data has been shared.
• Right to correction and erasure: request correction of inaccurate or misleading data, completion of incomplete data, updating outdated data, and erasure of data no longer required for the purpose for which it was collected, subject to lawful retention requirements.
• Right of grievance redressal: raise complaints about how we have handled your data. We are obliged to respond promptly. If you are not satisfied with our response, you may complain to the Data Protection Board of India.
• Right to nominate: nominate any other individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, nor does it affect processing on grounds other than consent (such as legal obligation).

10.1 Grievance Officer

In compliance with the IT Act 2000 and the DPDP Act 2023, we have designated a Grievance Officer who is the primary point of contact for any data-protection complaint. You can reach the Grievance Officer at legal@sleepingtrade.in; the email is monitored on every business day. We will acknowledge receipt within forty-eight hours and provide a substantive response within fifteen working days, save in genuinely complex matters where we will keep you informed of progress.

If you are a resident of the State of California, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know: the categories of personal information we have collected about you in the preceding twelve months, the categories of sources, the business or commercial purposes for collection, the categories of third parties to whom we have disclosed personal information, and specific pieces of personal information we have collected.
• Right to delete: request deletion of personal information we have collected from you, subject to exceptions for legal compliance, fraud prevention, completing a transaction, and similar grounds.
• Right to correct: request correction of inaccurate personal information.
• Right to opt out of "sale" or "sharing": we do not sell or share personal information for cross-context behavioural advertising. There is therefore no "sale" or "sharing" to opt out of, but the right is preserved should our practices ever change.
• Right to limit use of sensitive personal information: to the extent we hold sensitive personal information as defined under the CPRA, you may direct us to use it only as necessary to provide the Service.
• Right to non-discrimination: we will not deny you the Service, charge you a different price, or provide a different level of quality because you have exercised any of these rights.

To exercise CCPA/CPRA rights, write to legal@sleepingtrade.in. We will verify your identity using information already on record before fulfilling the request, and respond within forty-five days. Residents of other US states with comparable privacy laws (Virginia, Colorado, Connecticut, Utah, and others) may exercise analogous rights through the same email address.

Our website uses cookies and comparable technologies as described in detail in our Cookies Policy. In summary:

• Essential cookies are required for the website to function, including authentication, session integrity, security, and load-balancing. These cannot be disabled.
• Functional cookies store your preferences such as language and consent state.
• Analytics cookies (Google Analytics 4) are placed only after you have indicated consent through our cookie banner. They use truncated IP addresses and do not personally identify you.
• Marketing and retargeting cookies (Meta Pixel, Google Ads conversion tracking) are placed only with consent and only when active marketing campaigns are running.

You can withdraw consent at any time through the cookie banner re-open link in our website footer, by clearing cookies in your browser, or by enabling Global Privacy Control or a comparable browser-level signal. Disabling essential cookies will prevent core functionality from working, including authenticated areas of the website.

The Service is intended for adults of legal age in India, currently eighteen years. We do not knowingly collect personal information from individuals under the age of eighteen. Trading in the Indian securities market — including the futures and options segment in which our strategies operate — is itself restricted to individuals who are eighteen years or older and who hold a valid PAN, demat, and trading account in their own name. As a practical matter, the broker KYC framework prevents minors from holding the type of account required to use our Service.

If we become aware that we have inadvertently collected personal information from a person under eighteen, we will delete that information without undue delay. Parents and guardians who suspect that a minor under their care has provided personal information to us, or has interacted with the Service in a way they did not authorise, should email legal@sleepingtrade.in with the subject line "MINOR DATA REMOVAL"; we will treat such requests with priority.

For users in jurisdictions with stricter age thresholds for data protection (for example, the United States Children's Online Privacy Protection Act, which sets a threshold of thirteen years), the more protective threshold applies.

We send three categories of communications, with different consent and opt-out treatments:

14.1 Transactional

Trade alerts, daily PnL summaries, billing and security notifications, support replies, and similar messages directly required for the operation of the Service. These are sent on the basis of contractual necessity and may not be opted out of without terminating the Service.

14.2 Service updates

Notifications about new features, changes to plans, scheduled maintenance, and policy updates. These are sent at low frequency and are bundled with transactional notifications. Where required by law, you may opt out of these via the unsubscribe link.

14.3 Marketing

Promotional emails, educational content, surveys, referral programme communications. These are sent only if you have given affirmative consent (typically by ticking a marketing checkbox during signup or by joining a specific list). Every marketing email contains a one-click unsubscribe link; alternatively, write to support@sleepingtrade.in with the subject line "UNSUBSCRIBE" and we will process your request within seven days. Opt-out from marketing does not affect transactional communications or your subscription.

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected and to satisfy our legal, accounting, and reporting obligations. The retention periods below are indicative; specific items may be retained for shorter or longer periods where the law requires:

• Active account data: retained while your account is active and for thirty days after closure for grace-period restoration.
• API credentials: deleted within seventy-two hours of account closure, plan downgrade to Signal Only, or revocation by you, whichever is earlier.
• Trade execution logs: retained for a minimum of eight years, in accordance with the Income Tax Act 1961 record-keeping rules and SEBI investor-protection expectations.
• Billing records and tax invoices: retained for a minimum of eight years for GST and income-tax compliance.
• Support tickets and email correspondence: retained for three years from the last contact.
• Marketing consents and opt-out records: retained for the longer of three years or the duration the corresponding mailing list is operated.
• Aggregated and anonymised data: may be retained indefinitely. Anonymisation is performed using techniques such as hashing, generalisation, and noise addition; we do not maintain a re-identification key for anonymised datasets.

On expiry of the relevant retention period, data is deleted or anonymised through automated processes. Backups containing personal data follow the same retention principle, with deletion occurring on the rolling backup cycle that would otherwise overwrite the data.

We may amend this Privacy Policy from time to time to reflect changes in our practices, in law, or in the technology we use. The "Last Updated" date at the top of this page indicates the version currently in force. Where changes are material — for example, a new category of data, a new processing purpose, or a new category of recipient — we will notify registered users by email at least fifteen days before the changes take effect, and we will display a prominent banner on the home page during the same period.

You are encouraged to review this Policy periodically. Continued use of the Service after the effective date of an amendment constitutes acceptance of the amended Policy. If you do not agree with an amendment, you may terminate your subscription before the effective date by following the steps in our Refund Policy; we will refund pre-paid amounts on a pro-rated basis where the law requires.

We maintain an internal version history of this Policy. A redline showing the changes between the previous and current version is available on request to legal@sleepingtrade.in.

For any question, request, or complaint about this Privacy Policy or our handling of your data, please use the contacts below. We aim to acknowledge every message within forty-eight business hours and to provide a substantive response within fifteen working days.

• Legal and data-protection enquiries: legal@sleepingtrade.in
• Customer support: support@sleepingtrade.in
• Postal address (USA): Sleeping Trade LLC, Delaware, United States of America. The full registered office address is provided on request to verified Data Principals.

17.1 Grievance Officer

In line with the IT Act 2000 (specifically, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011) and the DPDP Act 2023, the Grievance Officer for Sleeping Trade is reachable at legal@sleepingtrade.in. The current name of the Grievance Officer and their direct contact will be shared with users who write in to that mailbox; we will not list their personal contact in public to reduce phishing risk.

17.2 Data Protection Board of India

If you are not satisfied with our response, you may also approach the Data Protection Board of India through the channels published on its official website once the Board is operational. We will fully cooperate with any formal complaint.

This Privacy Policy is governed by and shall be construed in accordance with the laws of India, in particular the IT Act 2000, the DPDP Act 2023, and applicable subordinate legislation. As Sleeping Trade LLC is a Delaware-registered company, certain corporate aspects of our existence and obligations are governed by Delaware law and the laws of the United States; nothing in this Policy excludes any user's right to invoke the protections of their local data-protection law. Where a conflict arises between Indian and US law in respect of an Indian user, Indian law shall prevail in respect of that user's personal data.

Disputes arising out of or in connection with this Privacy Policy shall be resolved as set out in our Terms of Service. Notwithstanding the dispute-resolution clause in those Terms, you retain at all times your statutory right to lodge a complaint with the Data Protection Board of India or the relevant state-level consumer authority, and Indian users retain the right to approach Indian consumer forums for matters within their jurisdiction.