Data Governance Policy

Last Updated: 10/08/2025

1. Introduction

VhoraFundz ("we," "us," "our") is committed to protecting the privacy and security of all personal information entrusted to us. As an AMFI-registered Mutual Fund Distributor (MFD) and registered partner of NJ Wealth, we adhere to the highest standards of data protection in compliance with applicable Indian laws and regulations.

This Data Governance Policy outlines how we collect, use, store, and protect your information across all our services, including our website, WhatsApp-based AI assistant "Samruddhi," and other communication channels.

2. Regulatory Compliance

This policy ensures compliance with:

  • Digital Personal Data Protection Act, 2023 (DPDP Act)

  • Securities and Exchange Board of India (SEBI) Guidelines

  • Association of Mutual Funds in India (AMFI) Code of Conduct

  • Information Technology Act, 2000 and related rules

  • Prevention of Money Laundering Act (PMLA), 2002

  • Reserve Bank of India (RBI) KYC Guidelines

3. Scope and Applicability

This policy applies to:

  • All personal data collected through the VhoraFundz platforms

  • Interactions with our AI assistant Samruddhi via messaging platforms

  • Data shared for mutual fund transactions and advisory services

  • Information exchanged with NJ Wealth (VhoraFundz is a registered partner)

  • All employees, contractors, and third-party service providers

4. Data Collection

4.1 Types of Data We Collect

Personal Information:

  • Name, address, date of birth

  • PAN, Aadhaar (as per regulatory requirements)

  • Contact details (phone, email, WhatsApp number)

  • Bank account and financial information

  • Investment objectives and risk profile

Communication Data:

  • WhatsApp messages and voice notes

  • Email correspondence

  • Phone call logs (not recordings)

  • Query summaries from Samruddhi

Technical Data:

  • IP addresses (anonymised)

  • Device information for security purposes

  • Access logs and timestamps

4.2 Methods of Collection

  • Direct submission through forms

  • WhatsApp conversations with Samruddhi

  • KYC documentation

  • Communication with Mr. Chittaranjan Vhora

  • Partner platform (NJ Wealth) data sharing

4.3 Lawful Basis for Processing

We process personal data based on:

  • Consent: Explicit consent for marketing and non-essential services

  • Contract: Necessary for providing mutual fund distribution services

  • Legal Obligation: Compliance with SEBI, AMFI, and KYC requirements

  • Legitimate Interest: Fraud prevention and security

5. Data Usage and Purpose Limitation

5.1 Permitted Uses

Personal data is used exclusively for:

  • Processing mutual fund transactions

  • KYC verification and regulatory compliance

  • Providing investment-related information and updates

  • Responding to queries via Samruddhi

  • Maintaining client servicing records

  • Regulatory reporting to SEBI/AMFI/AMCs

  • Risk profiling and suitability assessment

5.2 Prohibited Uses

We will NEVER:

  • Sell or rent personal data to third parties

  • Use data for purposes unrelated to mutual fund services

  • Share data beyond regulatory requirements without consent

  • Process data for automated decision-making affecting legal rights

  • Transfer data outside India without compliance

6. Samruddhi AI Assistant - Special Provisions

6.1 Data Processing by Samruddhi

  • Limited Processing: Samruddhi only captures and summarises queries

  • No Storage: Conversation data is not permanently stored by the AI

  • Purpose Limitation: Used solely to forward queries to Mr. Vhora

  • No Advice: Samruddhi does not provide personalised investment advice

6.2 WhatsApp Integration Security

  • End-to-end encryption for all messages

  • No message content is stored on intermediary servers

  • Business verification for authentic communication

  • Regular security audits of integration points

6.3 Voice and Image Processing

  • Voice notes: Transcribed and immediately deleted after processing

  • Images: OCR processing only, no image storage

  • Confirmation required before forwarding any interpreted content

7. Data Storage and Retention

7.1 Storage Protocols

  • Primary Data: Encrypted cloud storage with Indian data centres

  • Backup: Daily encrypted backups with 30-day retention

  • Access Control: Role-based access with multi-factor authentication

  • Encryption: AES-256 encryption at rest and in transit

7.2 Retention Periods

| Data Type | Retention Period | Basis |
|---|---|---|
| KYC Documents | 10 years from last transaction | SEBI/PMLA Requirements |
| Transaction Records | 8 years | Income Tax/SEBI Requirements |
| Communication Logs | 5 years | SEBI Guidelines |
| Marketing Preferences | Until withdrawal of consent | DPDP Act |
| Samruddhi Query Summaries | 1 year | Business Requirement |

7.3 Data Deletion

Upon expiry of the retention period or withdrawal of consent:

  • Secure deletion using industry-standard methods

  • Certificate of deletion maintained

  • Backup purging within 30 days

8. Data Sharing and Third-Party Access

8.1 Authorised Sharing

We share data only with:

  • NJ Wealth: As per the partnership agreement for transaction processing

  • AMCs: For investment processing and servicing

  • RTAs: For transaction execution and record keeping

  • Regulatory Bodies: SEBI, AMFI, as per legal requirements

  • KYC Registration Agencies: For KYC verification

8.2 Third-Party Obligations

All third parties must:

  • Sign confidentiality agreements

  • Implement equivalent security measures

  • Process data only for specified purposes

  • Allow audit rights

  • Delete data upon contract termination

9. Data Security Measures

9.1 Technical Safeguards

  • Encryption: TLS 1.3 for transmission, AES-256 for storage

  • Access Control: IP whitelisting, MFA, session management

  • Monitoring: 24/7 security monitoring and intrusion detection

  • Vulnerability Management: Quarterly security assessments

  • API Security: OAuth 2.0, rate limiting, input validation

9.2 Organisational Safeguards

  • Background verification for all employees

  • Annual security training is mandatory

  • Clean desk policy

  • Incident response team

  • Regular security drills

9.3 Physical Security

  • Secure office premises with CCTV

  • Locked cabinets for physical documents

  • Visitor access logs

  • Secure disposal of physical records

10. Individual Rights (As per DPDP Act)

10.1 Your Rights

You have the right to:

  • Access: Obtain copies of your personal data

  • Correction: Update inaccurate information

  • Erasure: Request deletion (subject to legal obligations)

  • Data Portability: Receive data in a structured format

  • Consent Withdrawal: Opt-out of non-essential processing

  • Grievance: File complaints about data handling

10.2 Exercising Rights

Submit requests to:

  • Email: privacy@vhorafundz.com

  • WhatsApp: Through Samruddhi with "Privacy Request"

  • Written: VhoraFundz office address

Response timeline: Within 30 days of receipt

11. Consent Management

11.1 Obtaining Consent

  • Clear, specific purpose stated

  • Granular options for different uses

  • Easy withdrawal mechanism

  • Consent logs maintained

  • Parental consent for minors

11.2 Consent Withdrawal

  • Available through all communication channels

  • Processed within 48 hours

  • Does not affect prior lawful processing

  • May impact service delivery for essential functions

12. Cross-Border Data Transfer

  • Primary Policy: All data stored within India

  • Exceptions: Only for NRI services with explicit consent

  • Safeguards: Standard contractual clauses

  • Countries: Only to jurisdictions with adequate protection

13. Data Breach Response

13.1 Breach Detection and Response

Within 6 hours:

  • Incident isolation and containment

  • Initial assessment of impact

  • Activation of response team

Within 72 hours:

  • Notification to Data Protection Board (as per DPDP Act)

  • Root cause analysis

  • Remediation plan implementation

Within 7 days:

  • Notification to affected individuals (if high risk)

  • Public disclosure (if required)

  • Preventive measures implementation

13.2 Breach Records

Maintain records of:

  • Nature and extent of breach

  • Affected data categories

  • Response actions taken

  • Preventive measures implemented

14. Special Categories

14.1 Minors' Data

  • Parental consent is mandatory for those under 18

  • Limited processing scope

  • Enhanced security measures

  • No marketing communications

14.2 Sensitive Financial Data

  • Additional encryption layer

  • Restricted access even within the organisation

  • Audit trail for all access

  • Masked display where possible

15. Governance Structure

15.1 Data Protection Officer

Name: [To be appointed]
Contact: dpo@vhorafundz.com
Responsibilities:

  • Policy implementation oversight

  • Compliance monitoring

  • Breach response coordination

  • Rights request handling

15.2 Review and Audit

  • Annual policy review

  • Quarterly compliance audits

  • External audit annually

  • Continuous improvement process

16. Training and Awareness

  • Mandatory annual training for all staff

  • Role-specific advanced training

  • Samruddhi operator special training

  • Partner notification of policy updates

17. Cookies and Website Analytics

  • Only essential cookies by default

  • Analytics with IP anonymisation

  • Clear cookie banner with choices

  • Regular cookie audit

18. Contact Information

For Privacy Queries:

For Mutual Fund Services:

  • Email: chittaranjan@vhorafundz.com

  • WhatsApp: Via Samruddhi

Data Protection Officer:

  • Email: dpo@vhorafundz.com

19. Updates to This Policy

  • Reviews are conducted annually or upon regulatory changes

  • Material changes notified via email/WhatsApp

  • 30-day notice for significant changes

  • Version history maintained

20. Acknowledgement

By using VhoraFundz services, including interactions with Samruddhi, you acknowledge that you have read, understood, and agree to this Data Governance Policy.

Document Control:

  • Approved by: Chittaranjan Vhora, Founder

  • Distribution: Public Website, All Employees, Partners

This policy is drafted in compliance with the Digital Personal Data Protection Act, 2023, SEBI Guidelines, and AMFI Code of Conduct. For any clarifications, please contact us.