Privacy Policy

This Privacy Policy ("Policy") is issued by DHANSAMRIDDHI FINVEST PRIVATE LIMITED ("Octaraa", "Company", "We", "Us", or "Our"), a company incorporated under the Companies Act, 2013, with its registered office in India, operating a digital financial services platform at https://octaraa.com ("Platform").

This Policy governs the collection, receipt, storage, use, processing, retention, transfer, disclosure, and protection of Personal Data and Sensitive Personal Data or Information (SPDI) relating to every person who interacts with the Platform. It forms an integral part of Octaraa's Terms and Conditions and must be read conjunctively with them.

This document is published in plain language to the greatest extent possible, as required under the DPDPA 2023, to ensure that every User fully understands how their data is handled.

This Policy is issued in compliance with the following laws, regulations, and guidelines as amended or re-enacted from time to time:

• The Information Technology Act, 2000 ("IT Act") - Sections 43A, 72, 72A - and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules");
• The Digital Personal Data Protection Act, 2023 ("DPDPA") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules");
• The Companies Act, 2013 - Sections 134, 149, 177 (Board reporting, Audit Committee, corporate governance obligations relating to data practices);
• The Prevention of Money-Laundering Act, 2002 ("PMLA") and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005;
• The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 - Sections 29, 32 - and associated UIDAI Regulations and Circulars;
• The Reserve Bank of India (RBI) Master Direction on Digital Payment Security Controls, 2021; RBI Cybersecurity Framework for Banks/NBFCs; and the RBI Master Direction on Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 (updated 2021) ("AA Master Direction");
• The Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020 ("E-Commerce Rules");
• The Telecom Commercial Communications Customer Preference Regulations, 2018 ("TCCCPR") and all applicable TRAI directions on unsolicited commercial communications;
• The Income Tax Act, 1961 - Sections 194-IA, 285BA and reporting obligations relevant to investment transactions;
• The Limitation Act, 1963 - for data retention periods;
• The Indian Evidence Act, 1872 / Bharatiya Sakshya Adhiniyam, 2023 - for admissibility of electronic records;
• AMFI Guidelines on Know Your Customer (KYC) and Anti-Money Laundering for mutual fund advisers;
• Any other applicable laws, rules, regulations, guidelines, or directions issued by a competent authority from time to time.

By accessing or using the Platform in any manner, you:

• (a) confirm you are at least 18 years of age and legally competent to contract under the Indian Contract Act, 1872;
• (b) grant your free, informed, specific, and unambiguous consent (as required under Section 6 of the DPDPA) to the collection, processing, and use of your Personal Data and SPDI as set out herein;
• (c) acknowledge that provision of certain Personal Data (including PAN, KYC documents) is mandatory for performance of the Services and that refusal to provide mandatory data will preclude access to those Services;
• (d) represent and warrant that all information provided by you is accurate, current, and complete.

Where you provide Personal Data of a third party (including family members under the Family Tree feature), you warrant that you are duly authorised by such person, that they have been made aware of this Policy, and that their consent has been obtained. You shall indemnify and hold Octaraa harmless from any claim, loss, or liability arising from breach of this warranty.

• Internet Protocol (IP) address and approximate geolocation derived therefrom;
• Device type, model, operating system version, and browser type and version;
• Unique device identifiers (including UDID, IMEI, and advertising IDs where permitted and lawful);
• Clickstream data: pages visited, features accessed, time and duration of visits, and navigation paths;
• Referring URLs and exit URLs;
• Performance data including crash reports and error logs;
• Session tokens and authentication identifiers (encrypted);
• Cookies, web beacons, pixel tags, and local storage data (see Section 9 for the full Cookie Policy).

• Central KYC Records Registry (CKYC) and KYC Registration Agencies: CAMS KRA, CDSL Ventures Ltd., NSDL Database Management Ltd., and CVL KRA;
• BSE Star MF and NSE NMF II - for transaction confirmation and portfolio data;
• Registrar and Transfer Agents (RTAs): CAMS and KFin Technologies Limited - for MF folio and NAV data;
• Account Aggregators (AAs) licensed by RBI - with your explicit, specific, and revocable consent;
• Payment gateways, banking partners, and UPI service providers - for transaction processing;
• Credit information companies (CIBIL, Equifax, Experian, CRIF High Mark) - with your explicit prior consent;
• Government databases (DigiLocker, Income Tax e-Filing portal) - to the extent permitted and with your explicit consent.

We collect and retain data you voluntarily provide through: (a) customer support interactions (email, chat, telephone); (b) queries or instructions to Samaira AI; (c) feedback forms and surveys. You should avoid sharing more Personal Data than is necessary in any such interaction.

In compliance with Section 4(1) of the DPDPA, We process Personal Data only for lawful, specific, clearly defined, and legitimate purposes. We do not process Personal Data in a manner incompatible with the purpose for which it was originally collected without obtaining fresh consent.

Marketing communications are sent only on the basis of your separate, explicit, and freely given consent. You may withdraw marketing consent at any time by: (a) clicking 'Unsubscribe' in any promotional email; (b) adjusting notification preferences in your account dashboard; (c) sending 'STOP' to Our registered WhatsApp/SMS number; or (d) writing to connect@octaraa.com.

Withdrawal of marketing consent shall not affect Our ability to send service, transactional, or regulatory communications.

We do not sell, rent, trade, license, or otherwise transfer your Personal Data or SPDI to any third party for their independent commercial or marketing purposes. Personal Data is shared only in the specific, limited circumstances described in this Section.

All Data Processors are bound by written Data Processing Agreements (DPAs) that: (a) restrict use of Personal Data to specified purposes only; (b) require maintenance of security standards equivalent to those described in Section 6; (c) prohibit further sub-processing without Our prior written approval; (d) require prompt notification to Us in the event of a Personal Data Breach; and (e) require deletion or return of Personal Data upon termination of the engagement. We conduct annual vendor security assessments for all critical Data Processors.

In the event of a merger, acquisition, de-merger, restructuring, sale of assets, or insolvency involving Octaraa, your Personal Data may be transferred to the successor entity, provided that: (a) such entity commits to honouring the terms of this Policy or provides equivalent privacy protections; (b) you are notified at least 30 days in advance where practicable; and (c) you are provided the option to request deletion of your account if you do not consent to the transfer.

We may publish or license aggregated, anonymised, or de-identified data sets (from which re-identification is not reasonably possible) with research institutions or as industry insights. Such sharing is not subject to the restrictions in this Section, provided that the anonymisation is irreversible and technically robust.

We have implemented a comprehensive information security programme in compliance with Rule 8 of the SPDI Rules, Section 8(5) of the DPDPA. The programme is structured across three layers:

In the event of a Personal Data Breach, in compliance with the DPDPA, DPDP Rules:

• We will notify the Data Protection Board of India as soon as practicable, and in any event within the timeline prescribed under the DPDP Rules (targeted at 72 hours where feasible);
• We will notify affected Data Principals of the breach, the Personal Data affected, and remedial measures taken;
• We will maintain a detailed internal Breach Register for all breaches, whether or not notifiable;
• Root cause analysis and corrective action report shall be completed within 30 days of any significant breach.

You are responsible for: (a) maintaining the confidentiality of your account credentials; (b) logging out after each session; (c) not sharing your login credentials with any third party; and (d) notifying Us immediately at connect@octaraa.com upon suspecting any unauthorised access to your account. While We employ commercially reasonable security measures, no method of electronic transmission or storage is 100% secure.

Your Personal Data is primarily stored and processed within India. We use data centres located within Indian territory for all primary storage and processing of Personal Data.

Any transfer of Personal Data outside India shall be in strict compliance with Section 16 of the DPDPA and the DPDP Rules:

• Transfers shall only be made to countries or entities approved by the Central Government of India as providing adequate data protection;
• Where no such approval exists, transfers shall be subject to Standard Contractual Clauses (SCCs) as prescribed under the DPDP Rules, ensuring equivalent protection;
• Transfers are limited to what is strictly necessary for Service performance or legal compliance;
• SPDI shall not be transferred outside India without your explicit written consent, except as required by law.

• Aadhaar-based e-KYC is performed exclusively through UIDAI's authenticated and UIDAI-licensed e-KYC ecosystem, using UIDAI's OTP-based or biometric authentication infrastructure;
• Aadhaar data is used solely for regulatory KYC verification as required under PMLA, and RBI guidelines;
• Aadhaar shall not be used for any purpose other than KYC verification, and shall not be used as general proof of address or identity beyond regulatory requirements.

• FULL Aadhaar numbers are NEVER stored in Our databases at any time;
• Only the last 4 digits of the Aadhaar number may be retained for reference purposes, and these shall be masked in all user-facing display interfaces;
• Aadhaar XML files and authentication responses are used for real-time verification only and are NOT retained post-verification;
• Biometric data (fingerprints, iris scans) associated with Aadhaar authentication is NEVER collected, stored, or processed by Octaraa under any circumstances.

• Aadhaar numbers and Aadhaar-linked data shall not be shared with any third party except: (a) UIDAI's authenticated e-KYC infrastructure; (b) licensed KYC Registration Agencies under their RBI regulatory mandate;
• Aadhaar data shall NEVER be used for commercial profiling, marketing, advertising targeting, or any non-KYC purpose;
• Aadhaar data shall NEVER be transferred outside India under any circumstances.

Any grievance relating to Aadhaar data processing may be raised with the DPO at connect@octaraa.com and, separately, reported to UIDAI at https://uidai.gov.in/contact-support.html or the UIDAI Helpline: 1947.

Octaraa is registered as a Principal Entity on the TRAI Distributed Ledger Technology (DLT) platform. All commercial SMS communications are sent through registered DLT message templates and registered telemarketer IDs only, in compliance with TRAI TCCCPR 2018.

• We respect your DND preferences as registered on the TRAI DND Registry. You will not receive unsolicited commercial calls or SMS if registered on the NDNC registry;
• Transactional and service messages (OTPs, transaction alerts, account notifications, regulatory disclosures) are exempt from DND restrictions and will continue irrespective of your DND status;
• You may register your DND preference at https://trai.gov.in or by dialling 1909;
• Commercial voice calls are not made to numbers registered on the NDNC registry.

WhatsApp communications are sent only to Users who have provided prior explicit consent. You may opt out at any time by: (a) sending 'STOP' to Our registered WhatsApp business number; (b) updating communication preferences in your account dashboard; or (c) writing to connect@octaraa.com.

Each commercial email shall contain: (a) clear identification of DHANSAMRIDDHI FINVEST PRIVATE LIMITED as the sender; (b) Our valid registered postal address; (c) a functional, prominent, and one-click unsubscribe mechanism. Transactional emails (OTPs, trade confirmations, regulatory communications) shall continue regardless of email marketing preferences.

• Right to be protected against hazardous services and unfair trade practices: Octaraa shall not engage in misleading advertisements, false representations, or unfair contract terms;
• Right to be informed: all material information about data processing is disclosed in this Policy in clear and accessible language;
• Right to be heard: consumer grievances are addressed through the mechanism in Section 26;
• Right to seek redressal: consumers may approach the District Consumer Disputes Redressal Commission, State Commission, or NCDRC as applicable, in addition to the Data Protection Board;
• Right to consumer education: Octaraa provides financial literacy resources and Platform usage guides on the Platform.

This Policy and all associated agreements shall not contain any provision that: (a) imposes an unreasonable burden or condition on consumers; (b) excludes or restricts consumer rights under the Consumer Protection Act 2019; or (c) constitutes an 'unfair trade practice' under Section 2(47) of the said Act. Any such provision, if found to exist, shall be void to the extent of the unfairness.

Octaraa shall not unilaterally change material terms to the consumer's detriment without prior notice and fresh consent.

Where Octaraa's digital Services constitute a 'product' within the meaning of Chapter VI of the Consumer Protection Act 2019, Octaraa acknowledges its product liability obligations in respect of deficiencies in Services attributable to its own acts or omissions, subject to applicable defences under the Act.

• Octaraa conducts risk-based Customer Due Diligence (CDD) on all Users at onboarding and on an ongoing basis;
• Enhanced Due Diligence (EDD) is applied to higher-risk customers including Politically Exposed Persons (PEPs), non-resident individuals, customers with complex ownership structures, and those exhibiting high-risk transaction patterns;
• Where We are unable to complete mandatory CDD/EDD, We reserve the right to decline to establish or continue the customer relationship and to report the same to FIU-IND;
• Periodic re-KYC is conducted as required under PMLA guidelines.

We file Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) required under Section 12 of the PMLA. As noted in Section 4.6, We are legally prohibited from disclosing to any person that an STR or CTR has been filed.

We screen all customers and transactions against applicable sanctions lists including UN Security Council Consolidated List, OFAC SDN List, and any lists notified by the Government of India under applicable law.

• Monitoring compliance with the DPDPA, DPDP Rules, SPDI Rules, and this Policy;
• Advising Octaraa's Board and employees on all data protection obligations;
• Serving as primary contact for Data Principals exercising their rights;
• Serving as contact for the Data Protection Board of India;
• Overseeing mandatory Data Protection Impact Assessments (DPIAs) for high-risk processing;
• Maintaining the Record of Processing Activities (RoPA);
• Overseeing Personal Data Breach response, notification, and remediation;
• Conducting and overseeing mandatory staff data protection training;
• Submitting Board/Audit Committee reports on privacy compliance as required under the Companies Act 2013.

Octaraa maintains a comprehensive RoPA documenting: the identity of the Data Fiduciary; categories of Personal Data processed; purposes and legal basis; categories of Data Principals and recipients; cross-border transfer details; retention periods; and security measures. The RoPA is maintained in digital form and is available for inspection by the Data Protection Board upon request.

Octaraa conducts DPIAs for processing activities likely to result in a high risk to the rights of Data Principals, including: large-scale processing of SPDI; automated decision-making with significant effects; deployment of new technologies affecting privacy; and onboarding of new significant Data Processors. DPIA findings are reviewed by the DPO and, where required, submitted to the Data Protection Board.

In compliance with the DPDP Rules, Octaraa generates and maintains a Consent Artefact for each instance of consent obtained. Each Consent Artefact records:

• Identity and contact details of the Data Fiduciary;
• The description of Personal Data for which consent is sought;
• The specific, separate purpose(s) for which consent is given;
• The manner in which consent may be withdrawn;
• The date and timestamp of consent, and the session identifier;
• The version of the Privacy Policy in force at the time of consent.

Consent Artefacts are retained for the life of the consent plus 7 (seven) years. You may request a copy of your Consent Artefact at any time by writing to the DPO at connect@octaraa.com.

In compliance with Section 6(7) of the DPDPA, Octaraa supports the Consent Manager framework. You may choose to exercise your consent rights through a registered Consent Manager (as listed on the Data Protection Board's official website), rather than directly with Octaraa. Octaraa will honour all instructions received from a registered Consent Manager relating to consent withdrawal, modification, or exercise of Data Principal rights, subject to appropriate verification.

• Consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent before withdrawal;
• Consequences of consent withdrawal (including impact on Services) shall be communicated to you before you withdraw;
• Upon withdrawal, We will: (a) cease processing for the purpose for which consent was given; (b) update the Consent Artefact; (c) acknowledge withdrawal in writing within 3 business days;
• Processing under a legal basis other than consent (e.g., legal obligation) shall continue despite withdrawal of consent.

• Submit a written request to the DPO at connect@octaraa.com with the subject line 'DPDPA NOMINATION REQUEST';
• Attach: (a) full name, address, and contact details of the nominee; (b) relationship of the nominee to you; (c) a copy of your government-issued identity document; and (d) your signed and dated letter of nomination;
• Octaraa shall acknowledge receipt and register the nomination within 7 business days;
• You may change or revoke your nomination at any time by submitting a fresh written request to the DPO;
• Upon receipt of satisfactory documentary evidence of death or incapacity, the registered nominee shall be permitted to exercise rights under Section 7, subject to verification.

A Nominated Representative may exercise data rights on behalf of the deceased or incapacitated Data Principal but shall not receive any financial proceeds, investment redemptions, or commercial benefits through the exercise of data rights. Financial succession is governed separately by applicable succession laws and the terms of the investment instruments.

Octaraa implements Privacy by Design principles across all product development, infrastructure, and business process initiatives, including: (a) data minimisation from the outset of system design; (b) privacy-protective default settings; (c) end-to-end security integrated into system architecture; (d) full lifecycle protection of Personal Data; and (e) full transparency about what data is collected and why.

Octaraa strictly prohibits retaliation against any person who, in good faith, reports a suspected privacy violation or cooperates with an investigation. Any employee engaging in retaliatory conduct shall be subject to disciplinary action including termination. This commitment is consistent with the vigil mechanism requirements under Section 177(9) of the Companies Act, 2013.

• Octaraa does not store payment card numbers (debit or credit), CVV codes, expiry dates, or any cardholder data on its systems;
• All card payment processing is delegated to PCI-DSS v4.0 compliant payment gateway partners;
• UPI mandates are processed through NPCI-registered Payment Service Providers (PSPs) only;
• Bank account details provided for investment mandates are stored in AES-256 encrypted form and used exclusively for the investment transaction(s) for which they were provided.

• Investment data collected for advisory purposes is used exclusively for providing personalised advice and facilitating transactions;
• Investment and suitability data shall never be sold or shared with any entity for commercial, marketing, or profiling purposes;
• Portfolio data received through the Account Aggregator framework is subject to the additional provisions of Section 13;
• Suitability assessment records shall be maintained for the period required.

Octaraa complies with the applicable portions of the RBI Cyber Security Framework and the RBI Master Direction on Digital Payment Security Controls 2021, including: (a) prescribed security controls for digital payment systems; (b) reporting of cyber incidents involving payment data to RBI within prescribed timelines; and (c) annual cyber audit.

This Policy is governed by and construed exclusively in accordance with the laws of the Republic of India, without regard to conflict of law principles.

• Step 1 - Internal Resolution: Raise the matter with the Grievance Officer (Section 26); allow 30 days for resolution;
• Step 2 - Data Protection Board: If unresolved, disputes relating to Personal Data processing may be referred to the Data Protection Board of India under Section 25 of the DPDPA;
• Step 3 - Consumer Forum: Disputes relating to services may be referred to the appropriate Consumer Disputes Redressal Commission under the Consumer Protection Act 2019;
• Step 4 - Arbitration: Disputes not resolved through the above mechanisms may be referred to arbitration under the Arbitration and Conciliation Act, 1996, with the seat of arbitration at Gurgaon, India;
• Step 5 - Judicial Proceedings: Disputes not resolved through arbitration shall be subject to the exclusive jurisdiction of the courts of competent jurisdiction at Gurgaon, India.

This Policy, read together with Octaraa's Terms and Conditions, KYC Terms, Risk Disclosure Document, and any other policies published on the Platform, constitutes the entire agreement between you and Octaraa with respect to the processing of your Personal Data.

If any provision of this Policy is found to be invalid, illegal, or unenforceable under applicable law, such provision shall be severed and the remaining provisions shall continue in full force and effect.

Failure or delay by Octaraa in exercising any right under this Policy shall not constitute a waiver of that right.

This Policy is written in English. In the event of any conflict between the English version and any translated version, the English version shall prevail as the definitive and binding text.

Octaraa shall not be liable for any failure or delay in fulfilling obligations under this Policy to the extent caused by events beyond its reasonable control, including acts of God, government orders, cyberattacks by third parties, pandemics, or natural disasters, provided that Octaraa uses commercially reasonable efforts to mitigate such failures and comply with its notification obligations at the earliest opportunity.

Nothing in this Policy creates any agency, partnership, joint venture, employment, or fiduciary relationship between you and Octaraa. Octaraa acts solely as a Data Fiduciary in relation to your Personal Data.