PRIVACY POLICY

Finclimb Money
Effective Date: [14 Aug 2025]

Company: Finclimb Wealth Advisory Pvt Ltd ("Company", "Finclimb", "we", "our", "us")
Brand: Finclimb Money ("Platform", "App", "Services")

1. INTRODUCTION AND SCOPE

1.1 Our Commitment to Privacy

Finclimb Wealth Advisory Pvt Ltd ("Finclimb Money") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, process, store, and protect your personal information in compliance with Indian data protection laws and international best practices.

1.2 Legal Framework Compliance

This Privacy Policy is designed to comply with:

  • Digital Personal Data Protection Act, 2023 ("DPDP Act")

  • Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

  • Reserve Bank of India (RBI) guidelines on data protection and cybersecurity

  • Securities and Exchange Board of India (SEBI) regulations on client data protection

  • Account Aggregator Framework guidelines issued by RBI

1.3 Scope of Application

This Privacy Policy applies to:

  • All users of the Finclimb Money platform, mobile application, and website

  • Personal data collected through the Account Aggregator framework

  • Data processed by our AI and machine learning systems

  • Information shared with our licensed partners and service providers

  • Data transfers and processing activities within and outside India

1.4 Key Definitions

  • "Data Principal" means the individual whose personal data is being processed (you)

  • "Data Fiduciary" means Finclimb Money as the entity determining the purpose and means of processing personal data

  • "Personal Data" means data about or relating to a natural person who is directly or indirectly identifiable

  • "Sensitive Personal Data" includes financial information, health data, biometric data, and other categories as defined under applicable laws

2. DATA COLLECTION

2.1 Information You Provide Directly

We collect the following personal information when you register and use our services:

Identity Information:

  • Full name, date of birth, gender

  • Mobile number and email address

  • Permanent Account Number (PAN)

  • Aadhaar number (where legally required and with consent)

  • Address proof and identity documents

Financial Information:

  • Income details and employment information

  • Investment goals and risk tolerance

  • Bank account details for transactions

  • Investment portfolio information

  • Insurance and loan details

Profile Information:

  • Investment preferences and goals

  • Risk assessment responses

  • Communication preferences

  • Feedback and survey responses

2.2 Information Collected Automatically

Device and Usage Data:

  • Device identifiers (IMEI, device ID, advertising ID)

  • IP address, browser type, and operating system

  • App usage patterns and feature interactions

  • Location data (with consent)

  • Session duration and frequency of use

Technical Data:

  • Log files and error reports

  • Performance and diagnostic information

  • Cookies and similar tracking technologies

  • API usage and integration data

2.3 Information from Account Aggregators

Through RBI-licensed Account Aggregators, with your explicit consent, we collect:

Banking Information:

  • Account balances and transaction history

  • Credit/debit card spending patterns

  • Loan and EMI details

  • Fixed deposit and savings information

Investment Data:

  • Mutual fund holdings and NAV details

  • Stock portfolio and trading history

  • Insurance policies and premium payments

  • Provident fund and pension details

Credit Information:

  • Credit score and credit history

  • Loan repayment patterns

  • Credit utilization data

2.4 Information from Third Parties

We may receive information from:

  • Our licensed partners (mutual fund companies, insurance providers, banks)

  • Credit bureaus (with your consent)

  • KYC service providers

  • Marketing partners (with appropriate consent)

  • Public databases and registries

3. AI AND MACHINE LEARNING DATA USE

3.1 AI-Powered Services

We use artificial intelligence and machine learning technologies to:

  • Analyze your financial data and spending patterns

  • Generate personalized investment recommendations

  • Assess your risk profile and investment suitability

  • Provide automated financial insights and alerts

  • Detect fraudulent transactions and security threats

  • Improve our services and user experience

3.2 AI Data Processing Principles

Explainable AI: Our AI models are designed to provide transparent and explainable recommendations. We maintain documentation of our AI methodologies and can provide general explanations of how recommendations are generated.

Bias Prevention: We implement measures to prevent algorithmic bias, including:

  • Regular testing for discriminatory outcomes

  • Diverse training data sets

  • Human oversight of AI-generated recommendations

  • Continuous monitoring and model improvement

Model Governance: We maintain robust AI governance frameworks including:

  • Model validation and performance monitoring

  • Regular audits of AI systems

  • Data quality checks and validation

  • Version control and change management

3.3 AI Data Retention and Security

  • AI training data is anonymized and aggregated where possible

  • Model outputs are subject to the same security controls as other personal data

  • We maintain audit trails of AI decision-making processes

  • Personal data used for AI training is retained only as long as necessary for model performance

4. PURPOSES OF PROCESSING

4.1 Core Service Delivery

We process your personal data to:

  • Provide financial data aggregation and portfolio tracking services

  • Generate AI-powered financial insights and recommendations

  • Facilitate investment transactions through our partner network

  • Offer personalized financial planning and advisory services

  • Maintain and improve our Platform functionality

4.2 Legal and Regulatory Compliance

  • Comply with KYC (Know Your Customer) and AML (Anti-Money Laundering) requirements

  • Meet regulatory reporting obligations to RBI, SEBI, and other authorities

  • Respond to legal requests from law enforcement agencies

  • Maintain records as required under applicable financial regulations

  • Conduct risk assessments and due diligence procedures

4.3 Security and Fraud Prevention

  • Authenticate your identity and prevent unauthorized access

  • Detect and prevent fraudulent transactions and activities

  • Monitor for suspicious behavior patterns

  • Implement cybersecurity measures and threat detection

  • Maintain transaction audit trails and security logs

4.4 Communication and Support

  • Send you transaction confirmations and account updates

  • Provide customer support and resolve queries

  • Share important product and regulatory updates

  • Conduct user research and feedback collection

  • Send marketing communications (with your consent)

4.5 Business Operations and Improvement

  • Analyze usage patterns to improve our services

  • Conduct research and development for new features

  • Perform statistical analysis and market research

  • Ensure quality assurance and service optimization

  • Support business continuity and disaster recovery

5. LEGAL BASIS FOR PROCESSING

5.1 Consent

We process personal data based on your explicit consent for:

  • Account Aggregator data fetching and analysis

  • Marketing communications and promotional offers

  • Optional features like location-based services

  • Data sharing with specific third-party partners

  • Participation in research studies or surveys

5.2 Contractual Necessity

Processing is necessary for:

  • Providing services under our Terms and Conditions

  • Facilitating investment transactions and portfolio management

  • Maintaining your account and providing customer support

  • Processing payments and managing subscriptions

  • Fulfilling our obligations under service agreements

5.3 Legal Obligations

We process data to comply with:

  • KYC and AML requirements under RBI guidelines

  • SEBI regulations for investment advisory services

  • Income tax reporting obligations

  • Court orders and legal proceedings

  • Regulatory investigations and audits

5.4 Legitimate Interests

We may process data for legitimate business purposes including:

  • Fraud prevention and security monitoring

  • Service improvement and innovation

  • Risk management and compliance

  • Business analytics and reporting

  • Protection of our legal rights and interests

6. DATA SHARING AND DISCLOSURE

6.1 Sharing with Licensed Partners

We share your data with our registered and licensed partners to provide financial services:

Investment Services:

  • SEBI-registered Investment Advisors and Research Analysts

  • AMFI-registered Mutual Fund Distributors

  • Stock brokers and trading platforms

Banking and Payment Services:

  • RBI-regulated banks and NBFCs

  • Payment aggregators and gateways

  • Digital wallet providers

Insurance Services:

  • IRDAI-licensed insurance companies and agents

  • Insurance repositories and intermediaries

6.2 Account Aggregator Ecosystem

  • Financial Information Providers (FIPs): Banks, mutual funds, insurance companies providing your financial data

  • Account Aggregators: RBI-licensed entities facilitating secure data sharing

  • Technology Service Providers: AA ecosystem technology partners

6.3 Service Providers and Vendors

We engage third-party service providers for:

  • Cloud computing and data storage

  • Application development and maintenance

  • Customer support services

  • Marketing and analytics services

  • Cybersecurity and monitoring services

Data Protection Measures for Vendors:

  • Contractual data protection obligations

  • Regular security audits and assessments

  • Limited access on need-to-know basis

  • Compliance with Indian data protection laws

6.4 Regulatory and Legal Disclosures

We may disclose personal data to:

  • Regulatory Authorities: RBI, SEBI, IRDAI, FIU-IND, and other financial regulators

  • Tax Authorities: Income Tax Department for tax compliance

  • Law Enforcement: Police, courts, and investigating agencies as legally required

  • Legal Proceedings: In response to court orders, subpoenas, or legal processes

6.5 Business Transfers

In case of merger, acquisition, or business transfer:

  • We will provide notice before personal data is transferred

  • The acquiring entity will be bound by privacy commitments

  • You will have the right to object to such transfers

  • Data protection standards will be maintained

7. ACCOUNT AGGREGATOR DATA

7.1 AA Framework Compliance

Our use of Account Aggregator services complies with:

  • RBI Master Direction on Account Aggregator Framework

  • NBFC-AA regulations and guidelines

  • Technical standards specified by RBI

  • Data security and privacy requirements

7.2 Consent Management for AA Data

Explicit Consent: We obtain your explicit consent before accessing financial data through AAs, specifying:

  • Purpose of data collection and use

  • Types of financial accounts and data to be accessed

  • Duration of consent and data retention period

  • Right to withdraw consent at any time

Granular Control: You can:

  • Choose specific accounts and data types to share

  • Set time limits for data access permissions

  • Modify or revoke consent for individual data sources

  • Monitor data access through consent dashboards

7.3 AA Data Security Measures

  • End-to-End Encryption: All data transmitted through the AA framework is encrypted

  • No Credential Storage: We never store your banking passwords or PINs

  • Token-Based Authentication: Secure token-based access without exposing credentials

  • Regular Security Audits: Periodic assessment of AA integration security

7.4 Data Retention for AA Information

  • AA-sourced data is retained only for the consented purpose and duration

  • Data is automatically purged upon consent withdrawal

  • We maintain audit logs of AA data access and usage

  • Retention periods comply with RBI guidelines and regulatory requirements

8. CROSS-BORDER DATA TRANSFERS

8.1 Data Localization Compliance

In compliance with Indian data localization requirements:

  • Critical Personal Data: Stored and processed only within India

  • Sensitive Personal Data: Primary processing within India, with limited exceptions for business purposes

  • General Personal Data: May be transferred outside India with appropriate safeguards

8.2 International Transfer Safeguards

When transferring data outside India, we ensure:

  • Adequacy Decisions: Transfers only to countries with adequate data protection laws

  • Contractual Safeguards: Standard contractual clauses with international partners

  • Certification Programs: Partners certified under recognized international privacy frameworks

  • Regular Monitoring: Ongoing assessment of international data protection standards

8.3 Restricted Transfers

We do not transfer data to countries that:

  • Lack adequate data protection frameworks

  • Have been identified as high-risk by Indian regulators

  • Do not provide equivalent protection for Indian citizens' data

  • Are subject to data transfer restrictions under Indian law

9. DATA SECURITY AND PROTECTION

9.1 Technical Security Measures

Encryption: We implement strong encryption for:

  • Data in transit using TLS 1.3 or higher

  • Data at rest using AES-256 or equivalent encryption

  • Database encryption and encrypted backups

  • API communications and data exchanges

Access Controls:

  • Multi-factor authentication for all user accounts

  • Role-based access controls for internal systems

  • Regular access reviews and privilege management

  • Segregation of duties for sensitive operations

Network Security:

  • Firewalls and intrusion detection systems

  • Regular vulnerability assessments and penetration testing

  • Secure network architecture with DMZ implementation

  • DDoS protection and traffic monitoring

9.2 Organizational Security Measures

Privacy by Design: We implement privacy and security considerations from the design stage of all systems and processes.

Security Training: Regular training for all employees on:

  • Data protection and privacy requirements

  • Cybersecurity best practices

  • Incident response procedures

  • Regulatory compliance obligations

Security Governance:

  • Information Security Officer responsible for security oversight

  • Regular security audits by independent third parties

  • Incident response team and procedures

  • Business continuity and disaster recovery plans

9.3 Data Breach Response

In the event of a data breach:

  • Immediate Containment: Immediate steps to contain and mitigate the breach

  • Assessment: Rapid assessment of the scope and impact of the breach

  • Notification: Notification to affected users and regulators within prescribed timelines

  • Remediation: Implementation of corrective measures and prevention strategies

Breach Notification Timeline:

  • Internal detection and assessment: Within 24 hours

  • Regulatory notification: Within 72 hours (as required)

  • User notification: Without undue delay for high-risk breaches

  • Public disclosure: As required by applicable laws

10. YOUR RIGHTS UNDER DPDP ACT

10.1 Right to Access

You have the right to:

  • Obtain confirmation of whether we are processing your personal data

  • Access your personal data and information about how it is being processed

  • Receive a copy of your personal data in a structured, commonly used format

  • Request information about the purpose and legal basis for processing

How to Exercise: Submit a written request through our grievance mechanism with proper identification.

10.2 Right to Correction

You can:

  • Request correction of inaccurate or incomplete personal data

  • Update your profile information through the Platform

  • Modify your consent preferences and communication settings

  • Request correction of data held by our partners (subject to their policies)

10.3 Right to Erasure

You can request deletion of your personal data when:

  • It is no longer necessary for the purposes for which it was collected

  • You withdraw consent and there is no other legal ground for processing

  • The data has been unlawfully processed

  • Erasure is required for compliance with legal obligations

Limitations: We may retain data when required for:

  • Compliance with legal obligations

  • Establishment, exercise, or defense of legal claims

  • Regulatory reporting requirements

  • Fraud prevention and security purposes

10.4 Right to Data Portability

You can:

  • Receive your personal data in a structured, machine-readable format

  • Transfer your data to another service provider (where technically feasible)

  • Request direct transfer of data between service providers

  • Export your financial data aggregated through our Platform

10.5 Right to Withdraw Consent

You can:

  • Withdraw consent for any processing based on consent

  • Modify Account Aggregator consent permissions

  • Opt out of marketing communications

  • Change privacy settings and preferences

Effect of Withdrawal: Withdrawal of consent may affect the availability of certain services but will not affect the lawfulness of processing before withdrawal.

10.6 Right to Nominate

Under the DPDP Act, you can nominate another individual to exercise your rights in case of death or incapacity. The nominee can:

  • Exercise all rights available to you under this Privacy Policy

  • Request access, correction, or erasure of your personal data

  • Withdraw consents and modify privacy preferences

  • File complaints with regulatory authorities

11. DATA RETENTION

11.1 Retention Principles

We retain personal data only for as long as necessary to:

  • Fulfill the purposes for which it was collected

  • Comply with legal and regulatory obligations

  • Resolve disputes and enforce our agreements

  • Protect our legitimate interests and rights

11.2 Retention Periods

Account Data: Retained for the duration of your account plus:

  • 7 years for financial transaction records (as per tax laws)

  • 5 years for KYC documents (as per RBI/SEBI guidelines)

  • 3 years for communication records and support interactions

AA-Sourced Data:

  • Retained only for the consented purpose and duration

  • Automatically purged upon consent withdrawal

  • Maximum retention of 5 years unless longer retention is legally required

Marketing Data:

  • Until you opt out of marketing communications

  • 2 years from last interaction for inactive marketing contacts

  • Anonymized for statistical purposes once individually identifying information has been removed

11.3 Secure Data Disposal

When data is no longer needed:

  • Secure deletion using industry-standard data destruction methods

  • Physical destruction of storage media containing sensitive data

  • Anonymization where historical data analysis is required

  • Certification of data destruction by authorized vendors

12. COOKIES AND TRACKING TECHNOLOGIES

12.1 Types of Cookies We Use

Essential Cookies: Required for basic Platform functionality including:

  • User authentication and session management

  • Security and fraud prevention

  • Load balancing and system performance

  • Remembering your preferences and settings

Analytics Cookies: Help us understand how you use our Platform:

  • Usage patterns and popular features

  • Performance optimization and error tracking

  • A/B testing for service improvement

  • Aggregated statistical analysis

Marketing Cookies: Used for personalized marketing (with consent):

  • Targeted advertisements and promotions

  • Social media integration and sharing

  • Cross-platform user identification

  • Campaign effectiveness measurement

12.2 Cookie Management

You can control cookies through:

  • Browser settings to block or delete cookies

  • Opt-out mechanisms provided in our cookie banner

  • Privacy settings in your account dashboard

  • Third-party opt-out tools and preference centers

12.3 Third-Party Tracking

We may use third-party services that set their own cookies:

  • Google Analytics for usage analysis

  • Social media plugins (Facebook, Twitter, LinkedIn)

  • Advertising networks for targeted marketing

  • Customer support chat services

13. CHANGES TO THIS PRIVACY POLICY

13.1 Policy Updates

We may update this Privacy Policy to reflect:

  • Changes in applicable laws and regulations

  • New features and services offered through our Platform

  • Improvements in our data protection practices

  • Feedback from users and regulatory authorities

13.2 Notification of Changes

Material Changes: We will notify you of significant changes through:

  • Email notification to your registered email address

  • In-app notifications when you next use the Platform

  • Prominent notice on our website

  • SMS notification for critical privacy changes

Minor Updates: Non-material changes will be:

  • Updated on our website with change date indication

  • Available for review in your account settings

  • Included in our regular communication updates

13.3 Your Response to Changes

After notification of material changes:

  • 30-day period to review and accept changes

  • Right to object to new processing purposes or methods

  • Option to withdraw consent if you disagree with changes

  • Account closure available if you cannot accept updated terms

Continued use of our Platform after the effective date constitutes acceptance of the updated Privacy Policy.

14. CONTACT INFORMATION AND GRIEVANCE REDRESSAL

14.1 Grievance Officer Contact

Grievance Officer:

Designation: Chief Compliance Officer
Email: hello@finclimb.money
Office Hours: Monday to Friday, 9:00 AM to 6:00 PM (IST)

14.2 Complaint Process

Step 1: Internal Grievance

  • Submit a complaint through email, phone, or written application

  • Acknowledgment within 3 working days

  • Resolution within 30 days of receipt

  • Regular updates on complaint status

15. REGULATORY COMPLIANCE DECLARATIONS

15.1 DPDP Act Compliance

This Privacy Policy is designed to comply with the Digital Personal Data Protection Act, 2023, and we confirm our commitment to:

  • Processing personal data lawfully, fairly, and transparently

  • Collecting data for specified, explicit, and legitimate purposes

  • Ensuring data adequacy, relevance, and proportionality

  • Maintaining accuracy and keeping data up to date

  • Limiting storage duration to what is necessary

  • Implementing appropriate security measures

15.2 Sectoral Compliance

RBI Compliance: Our data practices comply with:

  • Master Direction on Information Technology Framework for NBFCs

  • Guidelines on Digital Lending

  • Account Aggregator Framework guidelines

  • Cybersecurity Framework for banks and NBFCs

SEBI Compliance: Our investment advisory data practices comply with:

  • SEBI (Investment Advisers) Regulations, 2013

  • SEBI (Research Analysts) Regulations, 2014

  • Guidelines on client asset protection

  • Cybersecurity and cyber resilience framework

Finclimb Wealth Advisory Pvt Ltd
Email: hello@finclimb.money
Website: www.finclimb.money

Last Updated: [14 Aug 2025]
Version: 1.0

This Privacy Policy is an electronic record generated under the Information Technology Act, 2000, and rules thereunder as applicable and does not require physical or digital signatures.