Skip to main content

Privacy Policy

Effective May 27, 2026

Important: This Privacy Policy may be updated by FxKaran at any time. The current version is always the one posted at fxkaran.com/privacy. Material changes will be notified to you by email and/or in the dashboard at least seven (7) days before they take effect. Continued use of the Services after the effective date of any change constitutes acceptance.

1. Who this applies to

This Privacy Policy describes how Karan Pal (operating as "FxKaran") collects, uses, stores, and shares information when you use fxkaran.com, the FxKaran dashboard, or the FxKaran Telegram channel.

The principal data controller is Karan Pal (operating as "FxKaran"). Contact: support@fxkaran.com.

2. What we collect

At sign-up: your email address, your password (stored only as a one-way hash by our authentication provider, Supabase; we never see your plaintext password), and your acceptance of these Terms and our Risk Disclosure (timestamped).

During onboarding (the form shown after email verification): your full name, country, WhatsApp number (mandatory — primary support channel), city (optional), preferred contact channel (WhatsApp or email), and timezone (auto-detected from your browser). If you arrive via a referral link or are given an invite code, the code is recorded against your profile.

When subscribing to the premium copy service: your broker name, server, and account number, your MT5 master password (stored encrypted in Supabase Vault and additionally wrapped with an app-layer AES-256-GCM key held outside the database — see section 4), and your chosen risk amount per signal.

When using the referral program: the referral relationship between you and the user you referred (or who referred you); the payouts (or rejections) we have processed and their references; for crypto payouts, no wallet address is stored — wallet addresses are confirmed verbally on the scheduling call and used only for the transfer.

For payout calls (crypto payouts specifically): we may record the call (audio and/or screen) for fraud-prevention and dispute-resolution purposes. You will be told at the start of any call that is being recorded and may decline, in which case we will offer an alternative payout method.

From your use of the Services: notifications, risk-change requests, account-status events; an audit log of administrative actions on your account (e.g. password reveals, role changes, account deletions); login and session metadata (IP address, user-agent, timestamps) via Supabase; subscription billing records and payment status.

From any future payment gateway: whatever the gateway shares with us (typically last 4 digits, brand, billing email). We do not store full card numbers.

We do not use third-party analytics, tracking pixels, or advertising cookies as of this Effective date. If we add any in future, this Policy will be updated and you will be notified before they go live.

3. Why we use it

We process your data to provide the Services you signed up for (executing trades on your authorised broker account via the copier, sending notifications, processing billing, paying out referrals); to verify your identity and protect your account (MFA, audit log); to communicate with you (verification emails, welcome emails, risk-request status, security events, service announcements); to operate the referral program; to meet legal, tax, audit, and recordkeeping obligations; and to investigate, prevent, and respond to fraud or abuse.

Lawful bases: your consent (where applicable), the necessity of performance of our contract with you (the Services), our legitimate interest in operating a secure service, and compliance with law.

4. How we secure your data

Your MT5 master password is never stored in a plain database column. It is encrypted by an app-layer AES-256-GCM key (the key is held outside the database, in our deployment environment) and then written through a secure database function into Supabase Vault, which encrypts it again at rest. Reads require a server-side privileged role, a fresh MFA challenge from the administrator, and are recorded in an immutable audit log that you can see in your dashboard.

We require multi-factor authentication (TOTP) for every user account, not just administrators. Sensitive administrator actions (revealing a master password, deleting a user) require a fresh MFA challenge in addition to the active session.

All transit is over HTTPS / TLS. We follow the OWASP top-10 mitigations for the application and apply security headers (HSTS, Content-Security-Policy, X-Frame-Options, etc.) on every response. Service-role secrets are never exposed to the browser bundle.

5. Data breach notification

If we become aware of a security incident that materially affects your personal data, we will notify you by email without undue delay and, where required by applicable law, within the legally mandated window (e.g. seventy-two (72) hours under the EU GDPR or India's DPDP Act, 2023, where applicable). Notification will describe what happened, the data affected, the remediation taken, and any steps you should take.

6. Who we share it with (sub-processors)

We use the following service providers to operate FxKaran. Each one only sees the data needed to perform its function: Supabase (PostgreSQL hosting, authentication, encrypted vault) — hosting region ap-south-1 (Mumbai), stores all account, profile, MT5, and audit data. Vercel (web hosting) — serves the fxkaran.com application. Sanity (content management) — stores the content you read (homepage, legal docs, FAQs) and does not see user data. Resend (transactional email delivery) — receives your email address and the email body for any email we send you, with sending domain fxkaran.com. ImprovMX (inbound email forwarding) — forwards messages sent to support@fxkaran.com to our team inbox. socialtradertools.com (trade copier platform) — receives your MT5 server, account number, and master password to configure the copier, required only for the premium service. PostHog (product analytics) — receives anonymised event data (page views, click captures, lifecycle events such as signup completed, payment approved, MT5 activated) plus your Supabase user identifier and email associated with those events, hosted on PostHog's US Cloud; used to understand how the product is being used and to identify drop-off points in the signup and onboarding funnel. Future: a payment gateway (provider to be confirmed; you will be notified before we begin sharing data with it).

We may add, remove, or change sub-processors over time. Material changes will be announced under the change-notice procedure at the top of this Policy.

We do not sell your data, and we do not share it with advertisers.

We may disclose your data to law enforcement, regulators, courts, or other authorities if compelled by valid legal process or to protect the safety, rights, or property of FxKaran, our users, or the public.

7. International transfers

Your data may be transferred to, stored in, and processed in countries other than India, including the United States and the European Union, where our sub-processors operate. By using the Services you consent to such transfers. We rely on the relevant sub-processors' standard data protection commitments. Where required by law (e.g. for transfers from the EU/UK or UAE), we put in place additional safeguards such as Standard Contractual Clauses.

8. How long we keep it

While your account is active, we retain all account and operational data necessary to provide the Services.

When you delete your account (via Settings → Delete account, or via an admin acting on your request), your profile, MT5 accounts, vault secrets, notifications, risk requests, and billing history are deleted from our active database. Your audit log entries are retained in immutable form — these capture the fact that the deletion happened, your original email at time of deletion, and the actor who performed it, for legal and forensic purposes. Referral-program records relating to payouts already made are retained as required for tax and accounting purposes. Email logs at Resend, hosting logs at Vercel, and database logs at Supabase follow each provider's standard retention (typically 30–90 days). Verified-but-never-onboarded accounts that sit idle for more than seven (7) days are automatically deleted by a daily job.

Recordings of payout calls (where made) are retained for ninety (90) days unless we have a specific reason to keep them longer (active dispute, regulatory request, or your written request).

We will retain billing records for the period required by applicable tax law (currently up to eight (8) years).

9. Your rights

You can, at any time: access and update your profile data on the Settings page; change your WhatsApp number, contact preference, name, country, or timezone; delete your account from the Settings page; request a copy of your data by emailing support@fxkaran.com; request correction or restriction of data we hold; withdraw your consent, where consent is the legal basis.

If you are in a jurisdiction with specific data-protection laws (e.g. GDPR if you are an EU/UK resident; UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data; India's Digital Personal Data Protection Act, 2023), you may have additional statutory rights. We will honour those rights as required by the applicable law.

To exercise any of these rights or to ask a question, email support@fxkaran.com. We will respond within thirty (30) days; some requests (data export) may require additional verification of identity to protect your account.

10. Children

The Services are not intended for anyone under the age of eighteen (18). If you become aware that a person under 18 has provided us with personal information, please contact support@fxkaran.com so we can delete it.

11. Cookies

We use only the cookies strictly necessary to keep you signed in, to remember your re-authentication when you perform sensitive actions, and to persist a referral code if you arrived via a referral link. No analytics or advertising cookies are used as of this Effective date.

12. Changes to this Policy

We may update this Policy. The new version will be posted at fxkaran.com/privacy with an updated Effective date. Material changes (changes to what we collect, how we secure it, who we share it with, your rights, or how long we keep your data) will be notified to you by email and/or in the dashboard at least seven (7) days before they take effect. Continued use after the effective date constitutes acceptance.

13. Contact

Karan Pal (operating as "FxKaran") — support@fxkaran.com