> ## Documentation Index
> Fetch the complete documentation index at: https://docs.finscreener.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Changelog

> Recent updates and improvements to the Finscreener platform and API

## June 2026

### Product Updates — June 29, 2026

**Removed:**

* **Newly registered company & director access** — the `POST /api/recently-registered/companies` and `POST /api/recently-registered/directors` endpoints are discontinued, along with the `Recent_COMP` and `Recent_DIR` subscription features. Recently registered **GST** access (`Recent_GST`) remains available.
* **Full Company order type** — the `fullcompany` order/lead type is no longer supported. Order companies, directors, and GST registrations individually.
* **MCP Server integration** — the hosted Model Context Protocol server has been retired and its documentation removed.

**Changed:**

* `POST /api/crm/newlead` now supports the `gst` entity type only.
* Orders now refund the credit for any item with no contact data found.

***

## March 2026

### Security & Compliance Hardening — March 25, 2026

Major security update to align backend implementation with our Privacy Policy and Terms & Conditions commitments.

**New Features:**

* **Account deletion endpoint** (`DELETE /api/users/me/account`) — DPDPA Right to Erasure compliance
* **Account suspension system** — admin can suspend/unsuspend users, all sessions invalidated on suspend
* **Persistent IP blocking** — malicious IP bans now stored in MongoDB (survive restarts)
* **Automated threat detection** — brute-force and credential stuffing patterns detected every 15 minutes
* **Scheduled security cleanup** — expired sessions, tokens, rate limits auto-cleaned every 6 hours

**Security Headers:**

* Browser routes now include `Strict-Transport-Security`, `X-Frame-Options`, `Content-Security-Policy`, `Referrer-Policy`, `Permissions-Policy`
* Developer API routes include `Cache-Control: no-store`, `X-RateLimit-*` headers instead of browser-specific headers

**Fixes:**

* MongoDB TLS certificate validation now configurable (was hardcoded to skip validation)
* Developer API suspension check added — suspended users blocked from API key access
* Rate limit info now returned in `X-RateLimit-*` response headers for developer API

**Admin Endpoints:**

* `POST /admin/users/{id}/suspend` — suspend a user account
* `POST /admin/users/{id}/unsuspend` — reactivate a suspended account
* `GET /admin/security/blocked-ips` — view all blocked IPs
* `POST /admin/security/block-ip` — manually block an IP
* `POST /admin/security/unblock-ip` — unblock an IP

### Privacy Policy Update — March 2026

Updated Privacy Policy with comprehensive DPDPA 2023 compliance:

* Key definitions (Data Fiduciary, Data Principal, Processing, Publicly Available Data)
* Detailed data source breakdown (MCA V2/V3, GST, MSME portals)
* Legal basis for processing (5 legal bases with balancing test)
* Full DPDPA user rights (access, correction, erasure, portability, withdraw consent)
* Grievance redressal mechanism (7-day acknowledgment, 30-day resolution)
* Data accuracy disclaimers and liability protections
* Children's privacy protections (under-18)
* International data transfer safeguards

***

### Upcoming — March 26, 2026

* **Run Screener endpoint** (`POST /api/screener/screeners/{id}/run`) — execute a saved screener and get matching results in real-time
