Privacy Policy

Overview

This Privacy Policy describes how Agroy Finance and Investment Limited (“Agroy”, “we”) collects, uses, stores and protects information that you provide when you use our website (https://www.agroy.com), trading platforms, mobile applications and related services (collectively, the “Services”).

DPDP Act 2023 framework

This policy is operative under the Digital Personal Data Protection Act 2023 (“DPDP Act”) read with the Information Technology Act 2000, SEBI’s Master Circular for Stock Brokers, CDSL bye-laws, and applicable Exchange rules.

• Data Fiduciary: Agroy Finance and Investment Limited is the Data Fiduciary that determines the purpose and means of processing your personal data.
• Data Principal: You are the Data Principal whose personal data is being processed.
• Lawful basis:We process your data either with your consent (e.g. marketing communications) or under the “legitimate uses” permitted by DPDP §7 (e.g. to comply with SEBI / Exchange obligations, to perform the contract under which we provide the Services, or where required by law).

Information we collect

• Account information: name, address, PAN, Aadhaar (for KYC; see the Aadhaar section below), date of birth, mobile number, email, bank account details, demat account details.
• Trading and transaction data: orders placed, trades executed, positions held, funds movements, contract notes and statements.
• Technical information: IP address, device type, browser, operating system, pages visited and time spent on the site (for analytics, fraud prevention and security).
• Communications: emails, chat messages, call recordings made to or from our customer-care team.

Aadhaar handling

Aadhaar is collected only for eKYC purposes per the Aadhaar Act 2016 and SEBI’s e-KYC framework. Aadhaar data is treated as a sensitive category of personal information and is processed strictly through UIDAI-authorised channels (KRA, e-KYC API, offline XML). We do not store the Aadhaar number in clear text outside the UIDAI-prescribed envelope, and we do not share Aadhaar data with third parties except KRAs and the Depositories as required by SEBI rules.

How we use your information

Each purpose below is tied to a specific lawful ground under the DPDP Act 2023: either your consent (§6) or a legitimate use (§7), which for a SEBI intermediary includes performing the contract under which we provide the Services and complying with the law:

• To provide and operate the Services and process your transactions — basis: performance of contract (§7);
• To meet our regulatory and compliance obligations under SEBI, NSE, BSE, CDSL and other applicable rules — basis: legal obligation (§7);
• To verify your identity (KYC) and prevent fraud — basis: legal obligation (§7);
• To send you transaction confirmations, contract notes, statements and important regulatory communications — basis: performance of contract / legal obligation (§7);
• To improve our Services and develop new features — basis: consent for non-essential analytics (§6);
• To provide customer support — basis: performance of contract (§7);
• To send you research reports, market updates and marketing communications — basis: your consent (§6), which you can withdraw at any time.

Sharing of information

We do not sell your personal data. We may share information with:

• SEBI, the Exchanges (NSE/BSE), and Depositories (CDSL/NSDL) as required by law;
• KRAs (KYC Registration Agencies) for KYC compliance;
• Banks and payment service providers for fund transfers;
• Our technology service providers (e.g. cloud hosting, email, SMS, analytics) under written confidentiality obligations and the security obligations of DPDP §8;
• Courts, law-enforcement agencies and other authorities where legally required.

Cross-border transfer

Personal data is primarily hosted in India on regulated cloud infrastructure (AWS Mumbai / Hyderabad regions). Some of our sub-processors (for example, analytics or e-mail delivery providers) may process data outside India. Such transfers are made only to countries that are not restricted under DPDP §16 notifications issued by the Central Government from time to time, and only under written contractual protections.

Retention

We retain personal information for the concrete periods prescribed by SEBI, Exchange and Depository regulations:

• Trade and order records: 8 years from the date of the trade.
• KYC records: 5 years from the date of cessation of the client relationship.
• Contract notes & statements: 7 years.
• Call recordings: Per SEBI norms and our internal retention schedule (typically 90 days to 3 years depending on call type).

Where you request erasure under DPDP §12(2)(c), we will delete data that is no longer required to be retained under the above rules and notify you of the data we are obliged to keep.

Your rights (DPDP §11-§14)

As a Data Principal, you have the following rights:

• Right to summary & access (§11): Obtain confirmation of whether your personal data is being processed and a summary of the personal data being processed.
• Right to correction & erasure (§12): Request correction of inaccurate or incomplete data, and erasure of data no longer required (subject to our regulatory retention obligations).
• Right of grievance redressal (§13): Approach our Grievance Officer for data (named below). We respond within the SEBI-mandated 21-day window for grievances; DPDP grievances are addressed within the statutory timelines.
• Right to nominate (§14): Nominate an individual to exercise these rights in the event of your death or incapacity.
• Right to withdraw consent:Where processing is based on consent, you can withdraw it at any time. The withdrawal does not affect the legality of processing carried out before the withdrawal, nor does it affect processing carried out under the “legitimate uses” ground (DPDP §7), for example, regulatory record-keeping continues.

Cookies & consent

We use cookies and similar technologies in three broad categories:

• Strictly necessary: session management, authentication, fraud prevention. These are set without your consent because the Services cannot function without them.
• Analytics: page-view and performance telemetry that helps us improve the site. Set only with your consent.
• Marketing: set only with your consent and only if you have opted into marketing communications.

You can withdraw cookie consent at any time through your browser settings or our on-site consent control (where shown). Withdrawing analytics/marketing consent will not affect the operation of the Services.

Children’s data

Per DPDP §9, we do not knowingly process the personal data of individuals under 18 years of age without verifiable parental consent. Account opening through our KYC flow is restricted to individuals aged 18+. Website analytics and cookies do not track minors intentionally; if you believe we may have inadvertently collected data from a minor, contact the Grievance Officer for data so we can investigate and delete the relevant records.

Security & breach notification

We employ industry-standard security measures including TLS encryption in transit, encryption at rest where applicable, access controls, least-privilege policies, intrusion detection and regular security audits.

Per DPDP §8(6), in the event of a personal-data breach we will notify the Data Protection Board of India and the affected Data Principals in the manner and within the timelines prescribed by the Act. No method of transmission over the internet is 100% secure; we work hard to protect your data but cannot guarantee its absolute security.

Grievance Officer for data

For privacy-related queries, requests to exercise your rights under the DPDP Act, or to file a data-grievance, contact the designated Grievance Officer for data:

• Ashish Kumar Gupta · Compliance Officer (also designated as Grievance Officer for data under DPDP §13(3))
• Email: compliance@agroy.com
• Phone: +91-8448897103
• Or write to our registered office via the contact page.