This Privacy Policy describes how Finwiser ("we", "us", "our") collects, uses, stores, shares, and protects personal data when you access or use the Finwiser Platform (website/mobile application and related services).
1.1 About the entities behind Finwiser
The Finwiser service involves two distinct legal identities, each with a different role:
Finwiser Technologies LLP is the platform provider. It publishes the Finwiser mobile app on Google Play and the iOS App Store, operates the servers, manages app distribution and technical infrastructure, and is the entity that enters into the platform agreement with you as a user.
Chandrachuda Sarma Yemmanuru, a SEBI Registered Investment Adviser (Individual), holds SEBI RIA registration INA000021331 and provides the regulated investment advisory services offered through the platform. The RIA licence is held individually by Chandrachuda Sarma Yemmanuru and will transfer to Finwiser Advisory LLP upon its formation; any future transfer will be communicated to users in advance.
Both identities are collectively referred to as "Finwiser", "we", "us" or "our" in this policy. Where a right or obligation is specific to one identity, this policy names it explicitly.
This Policy applies to:
all users of the Platform; and
personal data processed by Finwiser in connection with Platform usage, including where Finwiser acts as a Financial Information User (FIU) under the Account Aggregator framework (where applicable).
Finwiser is the Data Fiduciary for personal data processed through the Platform, and may engage third parties as Data Processors to provide Platform functionality.
if you choose to avail regulated investment advisory services, the Investment Advisory Agreement.
Important: Use of the Platform (including viewing projections or generic insights) does not create an investment advisory relationship. A regulated advisory relationship arises only if you execute a valid Investment Advisory Agreement.
device identifiers, device type, operating system and app version;
IP address and approximate location signals derived from IP (if applicable);
login and security logs;
Platform interaction and usage metadata (pages/screens accessed, feature usage, timestamps).
2.3 Financial Information Accessed via Account Aggregator (Consent-Based)
Where you provide explicit consent through the Account Aggregator framework, Finwiser may access and process Financial Information made available by Financial Information Providers (such as banks, AMCs, and other regulated entities) through your chosen Account Aggregator. This may include, depending on consent scope:
account and holding summaries;
balances; and/or
transaction or cashflow information.
Finwiser is not a Financial Information Provider (FIP) and does not act as the system of record for such information.
Finwiser operates on a Transient Data Model for raw Financial Information. We do not act as a secondary storage provider for bank statements or transaction records.
2.4 Derived or Generated Data
Finwiser may generate derived data from inputs and permitted data sources, such as:
net worth summaries, ratios, and diagnostics;
projections, simulations, and scores; and
categorisations and trend indicators.
Derived outputs are dependent on inputs, assumptions, and data availability.
2.5 Minor's Data
The Platform is intended for use by individuals aged 18 years and above. Finwiser does not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected without appropriate legal authorisation, such data will be deleted in accordance with Applicable Law.
Finwiser processes personal data only for specific, explicit, and lawful purposes consistent with the DPDP Act and Applicable Law. The purposes below are grouped by context.
3.1 Platform Access and Account Management (Mandatory for All Users)
Finwiser processes personal data to:
create and manage your user account;
authenticate access and protect account security;
provide core Platform features you request;
send essential service communications (logins, security alerts, critical updates);
prevent fraud, detect abuse, and maintain system integrity; and
comply with Applicable Law.
This processing is required to operate the Platform and cannot be disabled without affecting account access.
3.2 Platform Features and Generic Outputs (All Users)
Finwiser processes personal data and user-provided inputs to:
compute net worth views, summaries, and financial overviews;
generate projections, simulations, scores, or generic insights based on assumptions and available inputs;
improve Platform reliability, performance, and user experience; and
run internal product analytics using aggregated or anonymised data where feasible.
These outputs are Generic Outputs and do not constitute personalised investment advice.
Generic Outputs are provided for informational and educational purposes only and do not constitute a recommendation to buy, sell, hold, or allocate to any financial product or security.
No fiduciary, advisory, or suitability obligation arises from Generic Outputs. Personalised investment advice is provided only after execution of a valid Investment Advisory Agreement and completion of mandatory risk profiling.
3.3 Account Aggregator and Financial Information Processing (Consent-Based)
Where you provide explicit consent through the Account Aggregator framework, Finwiser processes Financial Information to:
aggregate financial positions and holdings;
compute cashflow patterns and obligations;
generate financial health indicators and diagnostics; and
support scenario modelling and Platform insights.
This processing is:
read-only and purpose-limited;
restricted to the scope, duration, and data types authorised in your consent artefact; and
discontinued upon consent expiry or revocation, subject to Applicable Law and regulatory record-keeping obligations.
Upon expiry or revocation of consent, Finwiser ceases fetching any new Financial Information.
Limited historical derived summaries and security or audit logs (excluding raw Financial Information payloads) may be retained solely for security monitoring, dispute resolution, and regulatory compliance, as permitted under Applicable Law.
3.4 Conditional Processing for Investment Advisory Services (Clients Only)
This section applies only if you execute a valid Investment Advisory Agreement with Finwiser.
Where you become a Client, Finwiser may additionally process personal data to:
perform risk profiling and suitability assessment as required under SEBI regulations;
analyse financial position for advisory purposes;
prepare, document, and deliver personalised advice;
maintain advice records, audit trails, and compliance documentation; and
manage grievances and regulatory escalations relating to advisory services.
Such processing does not occur for users who have not entered into an Investment Advisory Agreement.
3.5 Legal, Regulatory, and Compliance Purposes
Finwiser may process personal data to:
comply with Applicable Law and lawful directions;
respond to regulatory or authority requests;
investigate fraud, security incidents, or misuse; and
enforce rights, resolve disputes, or manage claims.
This may continue after account closure to the extent required by law.
mandatory processing, where necessary to provide core Platform functionality or comply with Applicable Law; and
consent-based processing, where required under the DPDP Act or other applicable regulations.
Consent, where required, is obtained in a free, informed, specific, and unambiguous manner and is limited to the stated purpose.
4.2 Platform Access and Mandatory Processing
Certain personal data processing is essential to operate the Platform, including:
account creation and authentication;
security, fraud prevention, and system integrity;
essential service and regulatory communications; and
compliance with Applicable Law.
Withdrawal of consent for such mandatory processing may result in:
restriction of Platform features; or
inability to continue providing access to the Platform.
4.3 Consent for Account Aggregator and Financial Information Processing
Access to Financial Information through the Account Aggregator framework is entirely consent-driven.
Where you choose to provide consent:
consent is granted through your chosen Account Aggregator;
the consent artefact specifies data types, accounts, purpose, frequency, and duration; and
Finwiser processes Financial Information strictly within the scope of such consent.
You may review, modify, or revoke Account Aggregator consent at any time using your Account Aggregator's interface.
4.4 Consequences of Withdrawing Account Aggregator Consent
Upon expiry or revocation of Account Aggregator consent:
Finwiser will cease further access to Financial Information;
previously fetched data will no longer be refreshed or updated; and
certain Platform features that rely on such data (including aggregated views, diagnostics, or projections) may become limited or unavailable.
Revocation of consent does not affect:
processing already carried out prior to revocation; or
retention required under Applicable Law or regulatory obligations.
4.5 Consent for Investment Advisory Services (Clients Only)
Processing of personal data for investment advisory purposes occurs only after you execute a valid Investment Advisory Agreement.
Such processing is governed by:
this Privacy Policy; and
the specific disclosures and consent terms set out in the Investment Advisory Agreement.
If you withdraw consent or terminate the Investment Advisory Agreement:
Finwiser will cease providing investment advisory services; and
data processing will be limited to regulatory record-keeping, audit, and dispute resolution requirements.
4.6 Withdrawal of Consent and Its Effects
You may withdraw consent for any consent-based processing by:
using available Platform controls (where applicable); or
contacting Finwiser through the grievance or support channels.
Withdrawal of consent:
does not operate retrospectively;
may affect availability or quality of certain Platform features; and
does not override processing required under Applicable Law.
Finwiser will inform you of any material consequences before acting on a withdrawal request, where practicable.
4.7 Purpose-Linked and Feature-Gated Consent
Certain core financial aggregation, analytics, and diagnostic features of the Platform require processing of personal data and Financial Information that is integral to the nature of those features.
Where such processing is necessary, Finwiser may be unable to provide access to those features in the absence of the required consent.
Account creation, authentication, and basic Platform access may remain available; however, refusal or withdrawal of consent may result in restricted or no access to features that depend on such processing.
process Account Aggregator-enabled Financial Information strictly within your consent artefact;
comply with Applicable Law; or
protect the Platform, Users, and Finwiser from fraud, misuse, or security threats.
Where feasible, Finwiser shares data in a minimised form (limited to what is necessary for the specific purpose).
5.2 Categories of Recipients
Finwiser may share personal data with the following categories of recipients:
5.2.1 Service Providers and Data Processors
Finwiser uses the following named third-party service providers to deliver the service. Each processor receives only the minimum data necessary for its function, under written or published contractual terms:
MongoDB Atlas (hosted database, MongoDB Inc.) — stores your financial data encrypted at rest in the Mumbai, India region.
MSG91 (OTP SMS delivery, WALKOVER WEB SOLUTIONS PVT LTD) — delivers the one-time password to your registered mobile number during login. Receives only your mobile number and the OTP.
Finvu and Saafe (RBI-licensed Account Aggregators) — receive your consent to share financial data from your banks and mutual funds, and relay encrypted data to Finwiser. Finwiser is registered as a Financial Information User (FIU) with these Account Aggregators.
Google Firebase Cloud Messaging (push notifications, Google LLC) — delivers non-financial push notifications (e.g. goal reminders) to your device. Does not receive financial data.
Google Cloud Platform (email push infrastructure, Google LLC) — used to receive notifications from Gmail when you have connected Gmail for email-based statement ingestion (optional, off by default).
Zoho Mail (business email, Zoho Corporation Pvt Ltd) — hosts the grievance-officer mailbox ([email protected]).
These recipients act as Data Processors and are contractually required to:
process data only on Finwiser's instructions;
apply appropriate security safeguards; and
not use the data for their own independent purposes.
We do not sell your personal or financial data to any third party.
5.2.2 Account Aggregator Ecosystem Participants
Where you provide consent through the Account Aggregator framework, Finwiser will exchange the minimum required technical and consent-related information with:
your chosen Account Aggregator; and
Financial Information Providers (FIPs) through the AA ecosystem rails,
strictly as required to fulfil the consent artefact (such as initiating a data request and receiving Financial Information responses).
Finwiser does not disclose raw Financial Information or consent-linked responses to any third party outside the Account Aggregator ecosystem, except where required under Applicable Law.
Notwithstanding the above, Finwiser may use derived, aggregated, or irreversibly anonymised data (which does not identify you and does not constitute Financial Information) for:
internal analytics and research;
platform improvement and model training;
statistical analysis; and
use by automated systems or AI-based tools operating under Finwiser's control.
Such anonymised or de-identified data is subject to technical and organisational safeguards, is used only for internal analytics, research, or model improvement, and is not used for re-identification or third-party profiling.
5.2.3 Regulated Service Context (Clients Only)
This applies only if you execute an Investment Advisory Agreement.
In connection with regulated advisory services, Finwiser may share limited personal data:
with compliance, audit, or record-management service providers engaged by Finwiser; and/or
as required for regulatory reporting or grievance handling.
Finwiser will not share client data with product manufacturers, distributors, brokers, or intermediaries for marketing or referral purposes.
5.2.4 Corporate Transactions
If Finwiser undergoes a merger, acquisition, restructuring, or sale of assets, personal data may be shared with relevant counterparties and advisers as part of such transaction, subject to:
confidentiality obligations; and
Applicable Law.
5.2.5 Legal and Regulatory Disclosure
Finwiser may disclose personal data where required to comply with:
Applicable Law;
court orders or lawful requests from competent authorities;
regulatory directions; or
legal processes.
We may also disclose data where necessary to:
investigate, prevent, or address fraud, security incidents, or abuse; or
enforce our rights and agreements.
5.3 What We Do Not Do
Finwiser does not:
sell personal data;
rent personal data; or
share personal data with third parties for their independent marketing purposes.
5.4 International Transfers
If Finwiser uses service providers that store or process data outside India, such transfers will be undertaken only:
in accordance with Applicable Law; and
with appropriate contractual and security safeguards.
Finwiser retains personal data only for as long as necessary to:
provide the Platform and requested features;
comply with Applicable Law and regulatory obligations;
maintain security, prevent fraud, and ensure platform integrity; and
resolve disputes, grievances, and enforcement matters.
Where feasible, Finwiser minimises retention by:
retaining only necessary categories; and
deleting or irreversibly anonymising data when no longer required.
6.2 Retention by Data Category (High-Level)
Finwiser typically retains the following categories of data:
6.2.1 Account and Core Platform Data
Retained while your Account remains active and for a reasonable period thereafter to:
comply with legal obligations;
prevent fraud/abuse; and
enable dispute resolution.
6.2.2 Device, Security, and Audit Logs
Retained for a reasonable period to:
detect and investigate suspicious activity;
maintain Platform security; and
meet audit and compliance requirements.
6.2.3 Account Aggregator Financial Information
Raw Financial Information fetched via the Account Aggregator framework is processed on a transient basis and purged from Finwiser's active systems within a limited period, in accordance with the requirements of the Account Aggregator ecosystem, applicable consent artefacts, and Applicable Law.
Such purging timelines may vary based on the nature of the data, technical processing requirements, and obligations imposed by the relevant Account Aggregator or Financial Information Provider.
Finwiser does not retain raw Financial Information as a long-term record store. Only derived summaries, analytical outputs, and regulatory or suitability logs (which do not contain raw FI payloads) may be retained for longer periods where required for Platform functionality or compliance.
6.2.4 Derived or Generated Data
Derived data (such as summaries, ratios, trends, categorisations, and projections) may be retained to:
maintain continuity of user experience; and
support Platform features and insights.
Where you request deletion or close your account, derived data will be deleted or irreversibly anonymised unless retention is required under Applicable Law.
6.3 Account Deletion and Data Handling on Deletion
You may request deletion of your Finwiser account at any time, either:
in-app: Profile → "Delete my account" (two-step confirmation);
When you request account deletion, we take the following actions:
We permanently delete the following data from our active systems:
your user account record (name, email, mobile number, date of birth, PAN, address, profile details);
your onboarding progress, financial profile, risk profile, and goals;
your budgets, holdings, transactions, net-worth snapshots, and cash-flow snapshots; and
all JWT refresh tokens and active session credentials.
We delete our local copy of your Account Aggregator consent artefacts and immediately stop all scheduled data fetches against them.
Important — Account Aggregator consent revocation is done by you at the Account Aggregator. Under the RBI/ReBIT Account Aggregator framework, only the user (Data Principal) can revoke a consent issued to a Financial Information User (FIU). Finwiser, as the FIU, cannot revoke your AA consents programmatically on your behalf. To fully revoke the consent at the AA provider, please open your Account Aggregator app (Finvu or Saafe) and revoke the consent there. The deletion confirmation screen in the Finwiser app displays the consent IDs you need to revoke and provides links where available. We have stopped using the consent from the moment you requested deletion; full revocation at the AA is the final step only you can take.
Backup copies of deleted data are purged from our backups within 30 days of your request.
Anonymous, non-identifying aggregate statistics (e.g. total active user counts) may persist in our analytics systems; these do not contain any data that could identify you after deletion.
Finwiser may retain limited information after deletion where necessary for:
compliance with Applicable Law;
regulatory record-keeping (including SEBI requirements where applicable);
fraud prevention and security; or
resolution of disputes and grievances.
6.4 Erasure, Portability, and Legal Overrides
Finwiser may provide access to, or export of, basic profile information, user-provided data, and derived summaries where technically feasible and permitted under Applicable Law.
Finwiser does not provide exports of raw Financial Information payloads, bank statements, or original records. Re-use or transfer of original financial records should be undertaken through the Account Aggregator framework or by approaching the relevant Financial Information Provider.
6.5 Anonymisation
Where feasible and lawful, Finwiser may retain anonymised and aggregated data that cannot reasonably identify you, for:
Finwiser implements reasonable security safeguards, appropriate to the nature of personal data processed, in accordance with the Digital Personal Data Protection Act, 2023 and Applicable Law.
Security measures are designed to:
protect personal data against unauthorised access, disclosure, alteration, or destruction; and
maintain the confidentiality, integrity, and availability of Platform systems and data.
8. User Rights under the Digital Personal Data Protection Act, 2023
Finwiser recognises and facilitates the rights available to Users as Data Principals under the DPDP Act, subject to Applicable Law.
8.1 Right to Access Information
You may request access to information about:
the categories of personal data processed by Finwiser;
the purposes of such processing; and
the identities of categories of data recipients, where applicable.
The Right to Access includes the ability to view Financial Information fetched via the Account Aggregator framework as displayed on the Platform during the active consent period.
This right does not extend to providing certified statements, official records, or raw data files. For original records or certified copies, Users should approach their respective Financial Information Providers or Account Aggregator.
The Right to Access does not extend to Finwiser's proprietary algorithms, internal models, scoring logic, or trade secrets used to generate Generic Outputs, as permitted under Applicable Law.
Derived summaries and analytical outputs may remain accessible after consent expiry or revocation, subject to retention policies. Viewing of raw Financial Information requires an active Account Aggregator consent.
8.2 Right to Correction and Updating
You may request correction or updating of personal data that is:
inaccurate;
incomplete; or
outdated.
Where correction is not feasible (for example, historical records required for compliance), Finwiser may retain such data with appropriate annotation.
8.3 Right to Erasure
You may request erasure of personal data that is:
no longer necessary for the stated purpose; or
processed based on consent that has been withdrawn.
Erasure requests are subject to:
retention obligations under Applicable Law; and
regulatory record-keeping requirements (including those applicable to registered investment advisers).
8.4 Right to Grievance Redressal
You may raise grievances regarding:
processing of personal data; or
exercise of rights under the DPDP Act.
Grievances will be addressed in accordance with Section 9 of this Privacy Policy.
8.5 Right to Nomination
You may nominate another individual to exercise your rights under the DPDP Act in the event of death or incapacity, in accordance with Applicable Law.
8.6 Limitations
The exercise of rights under this section may be limited where:
In accordance with the Digital Personal Data Protection Act, 2023 and Applicable Law, Finwiser has appointed a Grievance Redressal Officer to address concerns relating to the processing of personal data and the exercise of Data Principal rights.
any perceived non-compliance with this Privacy Policy.
Grievances may be submitted via:
email to the Grievance Redressal Officer; or
such other channels as may be made available on the Platform.
9.3 Resolution Timelines
Finwiser shall:
acknowledge grievances within reasonable timelines; and
endeavour to resolve them in accordance with timelines prescribed under Applicable Law.
Where additional time is required due to the nature of the grievance, you will be informed accordingly.
9.4 Regulatory Escalation
If a grievance is not resolved to your satisfaction, you may exercise your statutory right to escalate the matter before the appropriate authority under Applicable Law.
Nothing in this Privacy Policy restricts your right to approach a competent regulatory or judicial authority.
Finwiser may update this Privacy Policy from time to time to reflect:
changes in Applicable Law;
regulatory guidance;
changes in Platform functionality; or
operational or security requirements.
10.2 Notification of Changes
Where material changes are made, Finwiser will take reasonable steps to notify Users through:
the Platform; and/or
electronic communication.
The updated Privacy Policy will be made available on the Platform with the revised effective date.
10.3 Continued Use
Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes acceptance of such updated Privacy Policy, to the extent permitted under Applicable Law.
If you do not agree with the updated Privacy Policy, you may discontinue use of the Platform and request account closure.
This Privacy Policy is governed by and construed in accordance with the laws of India. The courts at Bengaluru, Karnataka shall have exclusive jurisdiction over any disputes arising out of or in connection with this policy.