← Back to Kayova

Privacy Policy

Last updated: 5 May 2026

Overview

Kayova is a portfolio analytics tool that processes Consolidated Account Statements (CAS) issued by CAMS and KFintech, and other investment statements you choose to upload. We are committed to protecting your financial privacy. Your data is processed to generate portfolio analytics and is never sold or shared with third parties for advertising.

Google Sign-In and Google User Data

Kayova uses Google Sign-In via Firebase Authentication. When you sign in, we ask Google for the default Firebase scopes only:

  • openid — to authenticate your identity
  • email — to retrieve your email address for account management and notifications
  • profile — to retrieve your display name for personalising welcome emails

What we read

From the Google sign-in we read:

  • Your Firebase user ID (a stable, non-Google identifier we use as your account key)
  • Your email address
  • Your display name (used at the moment of welcome-email rendering only)
  • Whether Google has verified your email (we use this as a security gate to unlock features; it is not used for tracking)

What we store

In our Firestore database we persist only:

  • Your email address
  • Your verification status
  • The timestamp your account was created

Your Google display name is read transiently to personalise welcome emails and is never written to our database.

What we do NOT collect or store

  • Your Google profile photo
  • Your phone number
  • Google Drive files, Gmail messages, Calendar entries, Photos, or any other Google service data
  • OAuth access tokens or refresh tokens

Your sign-in session ends when you close your browser. After 15 minutes of inactivity your session expires automatically.

Other Data We Collect

  • Uploaded CAS / EPF / equity statement data: investor names, folio numbers, fund names, transaction history, unit balances
  • Asset class classifications and entity-name preferences you configure within the app
  • Computed portfolio snapshots and daily portfolio values derived from the above
  • If you opt into Email Ingestion: PDF attachments you forward to our ingest address, the document password you set for them, and a log of each ingestion

PAN numbers extracted from your CAS are used only for parsing and are not stored in our database.

How We Use Data

  • To compute portfolio holdings, XIRR, and asset allocation analytics
  • To display your investment history and performance over time
  • To remember your entity-name preferences and scheme classifications
  • To send transactional emails (verification, welcome, ingestion confirmations) to your account email address

We do not use your data for advertising, profiling, AI/ML training, or any purpose beyond providing the analytics service.

Data Storage & Security

Your account data and portfolio data are stored in Google Firestore on Google Cloud infrastructure. Forwarded statement PDFs are stored in Google Cloud Storage. Access is restricted to your authenticated account. CAS and contract-note PDFs you upload directly through the app are parsed entirely in your browser and are never uploaded to our servers; only the parsed transaction data is stored. Forwarded-email PDFs are processed server-side and stored encrypted at rest using Google Cloud's platform defaults.

Market data (security master, prices, benchmarks) is held in a separate Postgres database (Google Cloud SQL, asia-south1) and is not linked to your Google account.

Third-Party Services (Subprocessors)

  • Google Cloud (Firebase Authentication, Firestore, Cloud Storage, Cloud SQL) — authentication, data storage, and database hosting
  • Vercel — frontend application hosting
  • Render — backend API hosting
  • Zoho Mail (SMTP) — transactional email delivery. We send your email address and a derived first name when sending you a welcome, verification, password-reset, or ingestion-confirmation email.
  • MFAPI / BSE NAV API — public mutual-fund NAV data (no personal data is shared)
  • Yahoo Finance — public equity closing prices (no personal data is shared)

We do not use any analytics, telemetry, or error-tracking services (no Google Analytics, Mixpanel, PostHog, Segment, Sentry, or similar). We do not send your data to any large-language-model or AI training service.

Your Rights and Account Deletion

You can permanently delete your Kayova account and all associated data from Settings → Delete account inside the app. Confirming deletion immediately removes:

  • Your portfolio uploads and parsed transactions
  • Your full transaction ledger and computed portfolio snapshots
  • Email-ingestion configuration and stored PDFs
  • Any classification preferences and entity-name settings
  • Your Kayova profile and your Firebase Authentication record

Cloud-platform backups are purged within 30 days of deletion.

You can also revoke Kayova's access to your Google account at any time from Google Account → Third-party apps & services. Note that revoking Google access prevents future sign-in but does not by itself delete the data already stored in your Kayova account — use the in-app deletion flow above for that.

Contact

For privacy-related questions or data deletion requests, contact us at: support@kayova.com

← Back to Kayova · Terms of Service