Living document — not legal advice
Who we are
DalalOS (https://dalalos.in) is a hosted MCP (Model Context Protocol) server and API that gives AI assistants read-only access to Indian (NSE/BSE) stock-market data — raw disclosed figures and mechanically-computed ratios only, never investment advice. This policy covers the landing site, the sign-in / API-key dashboard, and the underlying MCP server and REST API that the dashboard talks to.
Information we collect
We collect the following categories of data:
- Identity data, via WorkOS AuthKit. When you sign in, WorkOS authenticates you (email/password, Google, or another supported method) and passes us your WorkOS user ID and the email address associated with your account. We don't receive or store your password — that's handled entirely by WorkOS.
- Account and API-key data. We store an internal account record linked to your WorkOS identity (your subscription tier and usage counters) and, if you create one, your API key's prefix and a hash used to authenticate future requests. The full plaintext key is shown once at creation time in your dashboard and is not retrievable afterward — if you lose it, you revoke it and create a new one.
- Usage and analytics data — only if analytics are enabled. If the operator has configured PostHog for a given deployment, we capture a small set of product events (for example: account created, signed in, API key created, first query made) tied to your account ID, along with standard web-analytics data such as pages visited, referrer, device/browser type, and approximate location derived from IP address. If PostHog is not configured, none of this is collected — this is an environment-variable-gated feature, not a toggle a visitor can see, and it is off by default in any deployment where the operator hasn't set it up.
- Request and log data. Like most hosted services, our hosting provider (Vercel) and our own server logs record basic technical data for every request — IP address, timestamp, requested path, and response status — for reliability, rate-limiting, and abuse prevention.
We do not knowingly collect any brokerage, demat, trading, or financial-account credentials — DalalOS never asks for those, and read-only market data does not require them.
Why we collect it
- To provide the service. Identity and account data are required to authenticate you, provision your account, issue and validate API keys, and enforce your plan's rate limits and usage quota.
- To prevent abuse. Request logs and rate-limit counters let us detect and block excessive or automated abuse of the free tier and the underlying NSE/BSE-sourced data.
- To improve the product. Where analytics are enabled, aggregate usage patterns (which tools get called, where users drop off during sign-up) help us prioritize what to build next.
- To communicate with you. We may email you about your account (for example, a security-relevant change) at the address WorkOS provides us. We don't run a marketing mailing list today.
Who we share data with
We don't sell personal data. We share it only with the service providers that operate the product, each processing data on our behalf and only for the purpose described:
- WorkOS — authentication (AuthKit sign-in) and session management. WorkOS is the source of truth for your login credentials.
- Supabase — stores your account record, API-key metadata, and usage counters in a Postgres database. This is the same Supabase project the DalalOS MCP server reads and writes to.
- PostHog — optional product analytics, described above. Only receives data when an operator has configured it for a given deployment.
- Vercel — hosts the landing site and its serverless functions, and by necessity processes request metadata (IP address, headers) to serve every page and API route.
We may also disclose data if required to by law, regulation, legal process, or a governmental request, or where we believe in good faith it's necessary to protect the rights, property, or safety of DalalOS, our users, or the public.
How long we keep data
We retain account and identity data for as long as your account exists, so the product keeps working (your API keys stay valid, your usage quota keeps resetting correctly). Request/server logs are kept for a limited operational window and rotated out; we don't keep an indefinite raw log archive. Where analytics are enabled, PostHog event data is retained per PostHog's own retention settings for our account. If you ask us to delete your account (see below), we delete or anonymize the identity and account data we hold within a reasonable time, subject to any data we're legally required to retain longer (for example, for fraud-prevention or accounting purposes).
Your rights and choices
Depending on where you're located, you may have rights to access, correct, export, or delete the personal data we hold about you, or to object to or restrict certain processing. Concretely, today:
- API keys can be created and revoked yourself, self-serve, from
/dashboard/keysat any time — no need to contact us for that. - Access, export, or deletion of your account and identity data is not yet a self-serve dashboard action. Email hello@dalalos.in from the address associated with your account and we'll action the request — including full account deletion — as soon as reasonably possible. We'd rather be upfront that this is a manual, email-based process today than claim a self-serve mechanism that doesn't exist yet.
Cookies and similar technologies
WorkOS AuthKit sets a session cookie to keep you signed in. Where PostHog analytics are enabled, PostHog sets its own cookies/local-storage identifiers to distinguish visitors and stitch a pre-sign-in browsing session to your account after you sign in. We don't use third-party advertising cookies.
Children's privacy
DalalOS is not directed at children and we don't knowingly collect personal data from anyone under the age required by applicable law to consent to data processing on their own behalf. If you believe a child has provided us with personal data, contact us and we'll remove it.
International data transfers
DalalOS is an Indian product, but our service providers (WorkOS, Supabase, PostHog, Vercel) operate global infrastructure, so data may be processed on servers outside India. Each provider maintains its own safeguards for cross-border transfers; we haven't layered a separate contractual mechanism on top of theirs at this stage.
Changes to this policy
We'll update the "Last updated" date above whenever this policy changes, and for material changes we'll make reasonable efforts to give more prominent notice (for example, on the dashboard). Continued use of DalalOS after a change means you accept the updated policy.
Contact us
Questions, requests, or concerns about this policy or your data: hello@dalalos.in.
FAQ
Common questions
Do I need to sign in to use DalalOS?
Browsing the site and the public read-only pages (tools, docs, screener, heatmap, calendar, FII/DII, IPOs, discovery, individual stock pages) doesn't require an account. Signing in via WorkOS is only required to reach your dashboard and create an API key.
Does DalalOS sell my data?
No. DalalOS does not sell personal data to third parties. Data is shared only with the service providers described below, strictly to operate the product (authentication, storage, hosting, optional analytics).
Can I delete my account and data?
There isn't a self-serve "delete my account" button today. Email hello@dalalos.in and we'll action a deletion request — see "Your rights and choices" below.
Is analytics tracking always on?
No. Product analytics (PostHog) only runs when the operator has configured it for a given deployment. If it isn't configured, no analytics events are captured at all — this follows the same graceful-degradation pattern used throughout the product.
Connect your AI to Indian stock market data
Sign in to DalalOS and connect your AI in one line of config. Free to start.
KEEP EXPLORING