Finwiser Privacy Policy

1. Applicability and Scope

This Privacy Policy describes how Finwiser ("we", "us", "our") collects, uses, stores, shares, and protects personal data when you access or use the Finwiser Platform (website/mobile application and related services).

This Policy applies to:

all users of the Platform; and
personal data processed by Finwiser in connection with Platform usage, including where Finwiser acts as a Financial Information User (FIU) under the Account Aggregator framework (where applicable).

For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"):

you are the Data Principal; and
Finwiser is the Data Fiduciary for personal data processed through the Platform, and may engage third parties as Data Processors to provide Platform functionality.

This Policy should be read together with:

the Platform Terms & Conditions; and
if you choose to avail regulated investment advisory services, the Investment Advisory Agreement.

Important: Use of the Platform (including viewing projections or generic insights) does not create an investment advisory relationship. A regulated advisory relationship arises only if you execute a valid Investment Advisory Agreement.

2. Categories of Personal Data Collected

Depending on how you use the Platform, Finwiser may process the following categories of personal data:

2.1 Data You Provide Directly

identity and contact information (name, mobile number, email address);
demographic details you choose to provide (such as age or date of birth, where required for features);
user-entered financial inputs (goals, preferences, assumptions, questionnaire responses).

2.2 Device, Technical, and Usage Data

device identifiers, device type, operating system and app version;
IP address and approximate location signals derived from IP (if applicable);
login and security logs;
Platform interaction and usage metadata (pages/screens accessed, feature usage, timestamps).

2.3 Financial Information Accessed via Account Aggregator (Consent-Based)

Where you provide explicit consent through the Account Aggregator framework, Finwiser may access and process Financial Information made available by Financial Information Providers (such as banks, AMCs, and other regulated entities) through your chosen Account Aggregator. This may include, depending on consent scope:

account and holding summaries;
balances; and/or
transaction or cashflow information.

Finwiser is not a Financial Information Provider (FIP) and does not act as the system of record for such information.

Finwiser operates on a Transient Data Model for raw Financial Information. We do not act as a secondary storage provider for bank statements or transaction records.

2.4 Derived or Generated Data

Finwiser may generate derived data from inputs and permitted data sources, such as:

net worth summaries, ratios, and diagnostics;
projections, simulations, and scores; and
categorisations and trend indicators.

Derived outputs are dependent on inputs, assumptions, and data availability.

2.5 Minor's Data

The Platform is intended for use by individuals aged 18 years and above. Finwiser does not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected without appropriate legal authorisation, such data will be deleted in accordance with Applicable Law.

3. Purpose of Processing Personal Data

Finwiser processes personal data only for specific, explicit, and lawful purposes consistent with the DPDP Act and Applicable Law. The purposes below are grouped by context.

3.1 Platform Access and Account Management (Mandatory for All Users)

Finwiser processes personal data to:

create and manage your user account;
authenticate access and protect account security;
provide core Platform features you request;
send essential service communications (logins, security alerts, critical updates);
prevent fraud, detect abuse, and maintain system integrity; and
comply with Applicable Law.

This processing is required to operate the Platform and cannot be disabled without affecting account access.

3.2 Platform Features and Generic Outputs (All Users)

Finwiser processes personal data and user-provided inputs to:

compute net worth views, summaries, and financial overviews;
generate projections, simulations, scores, or generic insights based on assumptions and available inputs;
improve Platform reliability, performance, and user experience; and
run internal product analytics using aggregated or anonymised data where feasible.

These outputs are Generic Outputs and do not constitute personalised investment advice.

Generic Outputs are provided for informational and educational purposes only and do not constitute a recommendation to buy, sell, hold, or allocate to any financial product or security.

No fiduciary, advisory, or suitability obligation arises from Generic Outputs. Personalised investment advice is provided only after execution of a valid Investment Advisory Agreement and completion of mandatory risk profiling.

3.3 Account Aggregator and Financial Information Processing (Consent-Based)

Where you provide explicit consent through the Account Aggregator framework, Finwiser processes Financial Information to:

aggregate financial positions and holdings;
compute cashflow patterns and obligations;
generate financial health indicators and diagnostics; and
support scenario modelling and Platform insights.

This processing is:

read-only and purpose-limited;
restricted to the scope, duration, and data types authorised in your consent artefact; and
discontinued upon consent expiry or revocation, subject to Applicable Law and regulatory record-keeping obligations.

Upon expiry or revocation of consent, Finwiser ceases fetching any new Financial Information.

Limited historical derived summaries and security or audit logs (excluding raw Financial Information payloads) may be retained solely for security monitoring, dispute resolution, and regulatory compliance, as permitted under Applicable Law.

3.4 Conditional Processing for Investment Advisory Services (Clients Only)

This section applies only if you execute a valid Investment Advisory Agreement with Finwiser.

Where you become a Client, Finwiser may additionally process personal data to:

perform risk profiling and suitability assessment as required under SEBI regulations;
analyse financial position for advisory purposes;
prepare, document, and deliver personalised advice;
maintain advice records, audit trails, and compliance documentation; and
manage grievances and regulatory escalations relating to advisory services.

Such processing does not occur for users who have not entered into an Investment Advisory Agreement.

3.5 Legal, Regulatory, and Compliance Purposes

Finwiser may process personal data to:

comply with Applicable Law and lawful directions;
respond to regulatory or authority requests;
investigate fraud, security incidents, or misuse; and
enforce rights, resolve disputes, or manage claims.

This may continue after account closure to the extent required by law.

4. Consent, Withdrawal, and Consequences

4.1 Basis of Processing and Consent Structure

Finwiser processes personal data on the basis of:

mandatory processing, where necessary to provide core Platform functionality or comply with Applicable Law; and
consent-based processing, where required under the DPDP Act or other applicable regulations.

Consent, where required, is obtained in a free, informed, specific, and unambiguous manner and is limited to the stated purpose.

4.2 Platform Access and Mandatory Processing

Certain personal data processing is essential to operate the Platform, including:

account creation and authentication;
security, fraud prevention, and system integrity;
essential service and regulatory communications; and
compliance with Applicable Law.

Withdrawal of consent for such mandatory processing may result in:

restriction of Platform features; or
inability to continue providing access to the Platform.

4.3 Consent for Account Aggregator and Financial Information Processing

Access to Financial Information through the Account Aggregator framework is entirely consent-driven.

Where you choose to provide consent:

consent is granted through your chosen Account Aggregator;
the consent artefact specifies data types, accounts, purpose, frequency, and duration; and
Finwiser processes Financial Information strictly within the scope of such consent.

You may review, modify, or revoke Account Aggregator consent at any time using your Account Aggregator's interface.

4.4 Consequences of Withdrawing Account Aggregator Consent

Upon expiry or revocation of Account Aggregator consent:

Finwiser will cease further access to Financial Information;
previously fetched data will no longer be refreshed or updated; and
certain Platform features that rely on such data (including aggregated views, diagnostics, or projections) may become limited or unavailable.

Revocation of consent does not affect:

processing already carried out prior to revocation; or
retention required under Applicable Law or regulatory obligations.

4.5 Consent for Investment Advisory Services (Clients Only)

Processing of personal data for investment advisory purposes occurs only after you execute a valid Investment Advisory Agreement.

Such processing is governed by:

this Privacy Policy; and
the specific disclosures and consent terms set out in the Investment Advisory Agreement.

If you withdraw consent or terminate the Investment Advisory Agreement:

Finwiser will cease providing investment advisory services; and
data processing will be limited to regulatory record-keeping, audit, and dispute resolution requirements.

4.6 Withdrawal of Consent and Its Effects

You may withdraw consent for any consent-based processing by:

using available Platform controls (where applicable); or
contacting Finwiser through the grievance or support channels.

Withdrawal of consent:

does not operate retrospectively;
may affect availability or quality of certain Platform features; and
does not override processing required under Applicable Law.

Finwiser will inform you of any material consequences before acting on a withdrawal request, where practicable.

4.7 Purpose-Linked and Feature-Gated Consent

Certain core financial aggregation, analytics, and diagnostic features of the Platform require processing of personal data and Financial Information that is integral to the nature of those features.

Where such processing is necessary, Finwiser may be unable to provide access to those features in the absence of the required consent.

Account creation, authentication, and basic Platform access may remain available; however, refusal or withdrawal of consent may result in restricted or no access to features that depend on such processing.

5. Data Sharing and Disclosure

5.1 General Principle

Finwiser does not sell your personal data.

We share personal data only where necessary to:

provide Platform functionality you request;
process Account Aggregator-enabled Financial Information strictly within your consent artefact;
comply with Applicable Law; or
protect the Platform, Users, and Finwiser from fraud, misuse, or security threats.

Where feasible, Finwiser shares data in a minimised form (limited to what is necessary for the specific purpose).

5.2 Categories of Recipients

Finwiser may share personal data with the following categories of recipients:

5.2.1 Service Providers and Data Processors

We may share personal data with vendors who process data on our behalf to operate the Platform, such as:

cloud hosting and infrastructure providers;
database, storage, and backup providers;
communication providers (SMS, email, WhatsApp or equivalent channels, if used);
customer support tooling (ticketing/helpdesk);
analytics and performance monitoring tools;
security and fraud-prevention providers; and
identity verification/KYC service providers, only when required for a specific feature or onboarding step.

These recipients act as Data Processors and are contractually required to:

process data only on Finwiser's instructions;
apply appropriate security safeguards; and
not use the data for their own independent purposes.

5.2.2 Account Aggregator Ecosystem Participants

Where you provide consent through the Account Aggregator framework, Finwiser will exchange the minimum required technical and consent-related information with:

your chosen Account Aggregator; and
Financial Information Providers (FIPs) through the AA ecosystem rails,

strictly as required to fulfil the consent artefact (such as initiating a data request and receiving Financial Information responses).

Finwiser does not disclose raw Financial Information or consent-linked responses to any third party outside the Account Aggregator ecosystem, except where required under Applicable Law.

Notwithstanding the above, Finwiser may use derived, aggregated, or irreversibly anonymised data (which does not identify you and does not constitute Financial Information) for:

internal analytics and research;
platform improvement and model training;
statistical analysis; and
use by automated systems or AI-based tools operating under Finwiser's control.

Such anonymised or de-identified data is subject to technical and organisational safeguards, is used only for internal analytics, research, or model improvement, and is not used for re-identification or third-party profiling.

5.2.3 Regulated Service Context (Clients Only)

This applies only if you execute an Investment Advisory Agreement.

In connection with regulated advisory services, Finwiser may share limited personal data:

with compliance, audit, or record-management service providers engaged by Finwiser; and/or
as required for regulatory reporting or grievance handling.

Finwiser will not share client data with product manufacturers, distributors, brokers, or intermediaries for marketing or referral purposes.

5.2.4 Corporate Transactions

If Finwiser undergoes a merger, acquisition, restructuring, or sale of assets, personal data may be shared with relevant counterparties and advisers as part of such transaction, subject to:

confidentiality obligations; and
Applicable Law.

5.2.5 Legal and Regulatory Disclosure

Finwiser may disclose personal data where required to comply with:

Applicable Law;
court orders or lawful requests from competent authorities;
regulatory directions; or
legal processes.

We may also disclose data where necessary to:

investigate, prevent, or address fraud, security incidents, or abuse; or
enforce our rights and agreements.

5.3 What We Do Not Do

Finwiser does not:

sell personal data;
rent personal data; or
share personal data with third parties for their independent marketing purposes.

5.4 International Transfers

If Finwiser uses service providers that store or process data outside India, such transfers will be undertaken only:

in accordance with Applicable Law; and
with appropriate contractual and security safeguards.

6. Data Retention and Erasure

6.1 Retention Principles

Finwiser retains personal data only for as long as necessary to:

provide the Platform and requested features;
comply with Applicable Law and regulatory obligations;
maintain security, prevent fraud, and ensure platform integrity; and
resolve disputes, grievances, and enforcement matters.

Where feasible, Finwiser minimises retention by:

retaining only necessary categories; and
deleting or irreversibly anonymising data when no longer required.

6.2 Retention by Data Category (High-Level)

Finwiser typically retains the following categories of data:

6.2.1 Account and Core Platform Data

Retained while your Account remains active and for a reasonable period thereafter to:

comply with legal obligations;
prevent fraud/abuse; and
enable dispute resolution.

6.2.2 Device, Security, and Audit Logs

Retained for a reasonable period to:

detect and investigate suspicious activity;
maintain Platform security; and
meet audit and compliance requirements.

6.2.3 Account Aggregator Financial Information

Raw Financial Information fetched via the Account Aggregator framework is processed on a transient basis and purged from Finwiser's active systems within a limited period, in accordance with the requirements of the Account Aggregator ecosystem, applicable consent artefacts, and Applicable Law.

Such purging timelines may vary based on the nature of the data, technical processing requirements, and obligations imposed by the relevant Account Aggregator or Financial Information Provider.

Finwiser does not retain raw Financial Information as a long-term record store. Only derived summaries, analytical outputs, and regulatory or suitability logs (which do not contain raw FI payloads) may be retained for longer periods where required for Platform functionality or compliance.

6.2.4 Derived or Generated Data

Derived data (such as summaries, ratios, trends, categorisations, and projections) may be retained to:

maintain continuity of user experience; and
support Platform features and insights.

Where you request deletion or close your account, derived data will be deleted or irreversibly anonymised unless retention is required under Applicable Law.

6.3 Account Closure and Deletion Requests

You may request account deletion or closure through the Platform or support channels. Upon closure:

Finwiser will disable access to the Platform; and
commence deletion or anonymisation processes in accordance with this Policy.

Finwiser may retain limited information after closure where necessary for:

compliance with Applicable Law;
regulatory record-keeping (including SEBI requirements where applicable);
fraud prevention and security; or
resolution of disputes and grievances.

6.4 Erasure, Portability, and Legal Overrides

Finwiser may provide access to, or export of, basic profile information, user-provided data, and derived summaries where technically feasible and permitted under Applicable Law.

Finwiser does not provide exports of raw Financial Information payloads, bank statements, or original records. Re-use or transfer of original financial records should be undertaken through the Account Aggregator framework or by approaching the relevant Financial Information Provider.

6.5 Anonymisation

Where feasible and lawful, Finwiser may retain anonymised and aggregated data that cannot reasonably identify you, for:

analytics;
product improvement.

7. Data Security Safeguards

7.1 Security Principles

Finwiser implements reasonable security safeguards, appropriate to the nature of personal data processed, in accordance with the Digital Personal Data Protection Act, 2023 and Applicable Law.

Security measures are designed to:

protect personal data against unauthorised access, disclosure, alteration, or destruction; and
maintain the confidentiality, integrity, and availability of Platform systems and data.

7.2 Organisational Safeguards

Finwiser maintains organisational measures including:

internal access controls based on role and necessity;
confidentiality obligations for employees, contractors, and service providers;
periodic internal reviews of access privileges;
documented incident handling and escalation procedures; and
training and awareness programs relevant to data protection and information security.

7.3 Technical Safeguards

Finwiser uses appropriate technical safeguards, which may include:

encryption of data in transit and at rest, where applicable;
secure authentication mechanisms;
system monitoring and logging;
segregation of environments (development, testing, production); and
periodic security testing and vulnerability assessments.

Specific technical implementations may change over time to respond to evolving security threats.

7.4 Access Control and Least Privilege

Access to personal data is restricted to authorised personnel only and granted strictly on a need-to-know basis.

Access rights are reviewed periodically and revoked promptly where no longer required.

7.5 Incident Management

In the event of a personal data breach, Finwiser will:

take reasonable steps to contain, assess, and remediate the incident;
notify affected users and authorities where required under Applicable Law; and
document the incident and corrective actions taken.

7.6 User Responsibilities

Users are responsible for:

safeguarding their account credentials;
notifying Finwiser of unauthorised access or suspicious activity; and
ensuring the security of their devices and networks used to access the Platform.

8. User Rights under the Digital Personal Data Protection Act, 2023

Finwiser recognises and facilitates the rights available to Users as Data Principals under the DPDP Act, subject to Applicable Law.

8.1 Right to Access Information

You may request access to information about:

the categories of personal data processed by Finwiser;
the purposes of such processing; and
the identities of categories of data recipients, where applicable.

The Right to Access includes the ability to view Financial Information fetched via the Account Aggregator framework as displayed on the Platform during the active consent period.

This right does not extend to providing certified statements, official records, or raw data files. For original records or certified copies, Users should approach their respective Financial Information Providers or Account Aggregator.

The Right to Access does not extend to Finwiser's proprietary algorithms, internal models, scoring logic, or trade secrets used to generate Generic Outputs, as permitted under Applicable Law.

Derived summaries and analytical outputs may remain accessible after consent expiry or revocation, subject to retention policies. Viewing of raw Financial Information requires an active Account Aggregator consent.

8.2 Right to Correction and Updating

You may request correction or updating of personal data that is:

inaccurate;
incomplete; or
outdated.

Where correction is not feasible (for example, historical records required for compliance), Finwiser may retain such data with appropriate annotation.

8.3 Right to Erasure

You may request erasure of personal data that is:

no longer necessary for the stated purpose; or
processed based on consent that has been withdrawn.

Erasure requests are subject to:

retention obligations under Applicable Law; and
regulatory record-keeping requirements (including those applicable to registered investment advisers).

8.4 Right to Grievance Redressal

You may raise grievances regarding:

processing of personal data; or
exercise of rights under the DPDP Act.

Grievances will be addressed in accordance with Section 9 of this Privacy Policy.

8.5 Right to Nomination

You may nominate another individual to exercise your rights under the DPDP Act in the event of death or incapacity, in accordance with Applicable Law.

8.6 Limitations

The exercise of rights under this section may be limited where:

required to comply with Applicable Law;
necessary to protect the rights of other users.

9. Grievance Redressal

9.1 Grievance Redressal Officer

In accordance with the Digital Personal Data Protection Act, 2023 and Applicable Law, Finwiser has appointed a Grievance Redressal Officer to address concerns relating to the processing of personal data and the exercise of Data Principal rights.

Grievance Redressal Officer:

Name: Chandrachuda Sarma Y

Email: helpdesk@finwiser.org

9.2 Raising a Grievance

You may raise a grievance relating to:

processing of personal data;
exercise of rights under the DPDP Act;
consent management or withdrawal; or
any perceived non-compliance with this Privacy Policy.

Grievances may be submitted via:

email to the Grievance Redressal Officer; or
such other channels as may be made available on the Platform.

9.3 Resolution Timelines

Finwiser shall:

acknowledge grievances within reasonable timelines; and
endeavour to resolve them in accordance with timelines prescribed under Applicable Law.

Where additional time is required due to the nature of the grievance, you will be informed accordingly.

9.4 Regulatory Escalation

If a grievance is not resolved to your satisfaction, you may exercise your statutory right to escalate the matter before the appropriate authority under Applicable Law.

Nothing in this Privacy Policy restricts your right to approach a competent regulatory or judicial authority.

10. Updates to This Privacy Policy

10.1 Policy Updates

Finwiser may update this Privacy Policy from time to time to reflect:

changes in Applicable Law;
regulatory guidance;
changes in Platform functionality; or
operational or security requirements.

10.2 Notification of Changes

Where material changes are made, Finwiser will take reasonable steps to notify Users through:

the Platform; and/or
electronic communication.

The updated Privacy Policy will be made available on the Platform with the revised effective date.

10.3 Continued Use

Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes acceptance of such updated Privacy Policy, to the extent permitted under Applicable Law.

If you do not agree with the updated Privacy Policy, you may discontinue use of the Platform and request account closure.