Niyyam — Privacy Policy
Effective Date: 4th March 2026
Platform / Controller: Niyyam, operated by Tech Margon Wealth Private Limited, Bangalore, Karnataka, India.
Contact / Grievance Officer: Ashok Prasad, Email: ashok@niyyam.com
1. Introduction
Niyyam (“we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, your rights, and how you can exercise them. It also explains our security practices and how we handle data incidents. This Policy applies to all users of our website, mobile applications, and related services (the “Platform”).
2. Legal & Regulatory Basis
We process personal data based on lawful bases required by applicable Indian laws and regulations, including:
- Consent provided by you for specified purposes (as required under the DPDP Act).
- Legal compliance to meet regulatory and statutory obligations (KYC, PMLA, tax and audit) under SEBI/AMFI/IRDAI rules.
- Performance of a contract where processing is necessary to provide services you request (e.g., execute investments, process insurance premiums).
We follow the consent and data-processing principles required by the Digital Personal Data Protection Act, 2023 (DPDP Act) and sectoral guidance.
3. Categories of Personal Data We Collect
We collect and process the following categories of personal data, depending on the services you use:
- Identity & KYC data: name, date of birth, PAN, Aadhaar (if provided), photograph, signature, father/guardian name, and other KYC-related data required by KRAs/AMCs/insurers.
- Contact data: mobile number, email address, postal address.
- Financial & transactional data: bank account details, UPI IDs, debit/credit card metadata (where needed), investment history, SIP mandates, policy premiums, payment confirmations.
- Account & device data: username, hashed passwords, device IDs, IP addresses, login timestamps, browser / operating system.
- Sensitive personal data (if applicable): health or medical information in case of insurance claims (only when you submit or authorize). We process such data only when necessary and with explicit consent.
- Communications & support data: call recordings, chat transcripts, emails, complaints, and other correspondence.
We collect only data that is necessary for providing the requested financial services, KYC, compliance checks, fraud prevention and customer support. AMFI/SEBI guidance requires strict handling of investor data shared by AMCs and distributors; we and our partners adhere to these practices.
4. How We Collect Personal Data
We obtain data from several sources:
- Directly from you: during registration, KYC, account setup, transactions, support interactions.
- From third parties: KRAs (CKYC/KRA providers), AMCs, RTAs, insurance companies, payment gateways, banks, credit bureaus (for fraud checks), and APIs you authorize.
- Automatically: via cookies, logs, and analytics when you use our Platform.
- Public sources: government databases or registries where permitted by law.
We will always indicate at the point of collection why the data is required and how it will be used.
5. Purposes for Which We Use Personal Data
We use personal data for the following lawful purposes:
- To create and maintain your user account, complete KYC, and verify identity.
- To process mutual fund purchases/redemptions and insurance premium payments and handle all transactional operations.
- For regulatory reporting and compliance (SEBI/AMFI/IRDAI/PMLA/tax).
- To provide customer support, resolve disputes, and handle grievances.
- To detect and prevent fraud, money laundering, and unauthorized access.
- To send transactional and regulatory communications (statements, NAV alerts, policy reminders, compliance notices) — with your consent where required.
- To improve the Platform, perform analytics, and provide personalized (non-personally identifying) recommendations and features.
- For marketing communications, only where you have explicitly opted in; you may opt out at any time.
Processing necessary for compliance with regulators (e.g., KYC, investor servicing, audit) will be performed irrespective of marketing preferences.
6. Sharing & Disclosure of Personal Data
We may share your personal data with the following categories of recipients as necessary to provide services or comply with law:
- Asset Management Companies (AMCs), Registrars & Transfer Agents (RTAs), and KRAs — for mutual fund processing, investor servicing, and regulatory compliance.
- Insurance companies and intermediaries — to bind and service policies, handle claims, and ensure compliance.
- Payment gateways, banks, and UPI providers — to process payments and refunds.
- Regulators, law enforcement, courts, or statutory bodies — as required by law or in response to lawful requests.
- Service providers & processors (cloud hosting, analytics, customer support, KYC vendors, fraud detection companies) under written contracts that require them to protect personal data.
- Affiliates and partners — only where necessary and with contractual safeguards.
We require third parties to maintain appropriate data protection standards and to process personal data only for the purposes specified in our contracts. AMFI and SEBI expect distributors to adhere to strict confidentiality and data-sharing practices when handling unitholder data.
7. Cross-Border Data Transfers
We generally store and process personal data within India. If we need to transfer personal data outside India (for hosting, analytics, or other services), we will ensure such transfer is made in compliance with the DPDP Act and applicable rules, and only to jurisdictions and processors offering adequate protection or under contractual safeguards. We will inform you where required and, where necessary, obtain your consent.
8. Cookies & Tracking
We use cookies, web beacons, and similar technologies for:
- Session management and security.
- Performance and analytics to improve the Platform.
- Personalization and marketing (only with your consent, where required).
You can modify cookie settings in your browser; however, blocking cookies may affect Platform functionality. A separate Cookies Policy (or a Cookies section within this Policy) will list the specific cookies used.
9. Data Retention
We retain personal data only as long as necessary for the purpose for which it was collected, to meet legal and regulatory obligations (e.g., KYC, tax, audit retention periods), or to resolve disputes. For mutual funds and insurance records, statutory retention periods set by SEBI/AMFI/IRDAI and tax laws will be followed. Once retention is no longer required, we will securely delete or anonymize the data.
10. Security Measures
We implement organizational, technical, and administrative safeguards to protect personal data, including but not limited to:
- Encryption of data in transit and at rest where appropriate.
- Multi-factor authentication (MFA) for access to sensitive operations.
- Role-based access control and least-privilege principles.
- Regular security assessments, vulnerability scanning, and penetration testing.
- Incident response and breach notification procedures aligned with IRDAI/SEBI cyber security guidelines.
11. Data Breach & Incident Reporting
In the event of a data breach affecting user personal data, we will follow our incident response policy and — where required by law or regulatory guidance — notify the affected users and the appropriate regulators promptly, including any reporting required under IRDAI or SEBI circulars and the DPDP Act. We will also take steps to contain and remediate the breach.
12. Your Rights
Subject to applicable law (including exemptions), you have the following rights as a Data Principal under the DPDP Act and related guidance:
- Right of Access: Request confirmation of whether we process your personal data and obtain a copy.
- Right to Correction: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of personal data where processing is no longer necessary or consent is withdrawn (subject to legal exceptions such as regulatory retention).
- Right to Portability: Receive a copy of personal data in a structured, commonly used, machine-readable format and transmit it to another data fiduciary where technically feasible.
- Right to Withdraw Consent: Withdraw consent previously given for processing (where consent is the lawful basis); withdrawal will not affect processing necessary for compliance with SEBI/IRDAI/other statutory obligations.
- Right to Grievance Redressal: Lodge complaints with our Grievance Officer. If unresolved, you may approach the statutory grievance mechanism under the DPDP Act or the relevant sectoral regulator (SEBI/IRDAI/AMFI).
How to exercise rights: Send a request to the Grievance Officer at ashok@niyyam.com with the subject line “Data Rights Request – [Your Name]”. We will acknowledge and respond within the timelines required by law (or, if none specified, within 30 days). For complex requests, we may ask for identity verification.
13. KYC, Anti-Money Laundering & Mandatory Disclosures
To comply with KYC and PMLA obligations, we (or our KYC/KRA partners) must collect identity documents (PAN, Aadhaar where required), risk profiles, FATCA/CRS declarations, and other information. These are mandatory and cannot be deleted while regulatory retention obligations apply. We may share these details with regulators, AMCs, RTAs, insurers and banks as required for compliance.
14. Marketing Communications & Opt-Out
We will send marketing messages only with your explicit consent. You may opt out of marketing communications at any time via the “unsubscribe” link in emails or by changing preferences in the app. Transactional and regulatory communications (e.g., trade confirmations, NAV alerts, premium reminders) may still be sent as they are necessary for service delivery and regulatory compliance.
15. Children’s Data
Our services are intended for users 18+. We do not knowingly collect personal data of children. If you believe we have unintentionally collected data of a minor, contact our Grievance Officer and we will take prompt steps to delete such data.
16. Third-Party Sites & Links
Our Platform may contain links to third-party websites or services. This Policy does not apply to those third parties. We encourage you to read their privacy policies. We are not responsible for the data practices of third parties.
17. Changes to this Policy
We may update this Privacy Policy to reflect legal, regulatory, or business changes. When we do, we will revise the “Effective Date” and, where required by law, obtain fresh consent. Material changes will be communicated through prominent notices on the Platform.
18. Contact & Grievance Officer
For any privacy-related queries, data-rights requests, or complaints, please contact:
Grievance Officer:
Tech Margon Wealth Private Limited (Niyyam)
Email: ashok@niyyam.com
Postal Address: 1,2 A1 Block, Above Chef Bakers, ITPL Main Road, Near Brookefield Hospital, Kundanhalli-560037, Bangalore
If you remain unsatisfied, you may escalate to the relevant statutory grievance mechanism under the DPDP Act or to the applicable sectoral regulator (SEBI/IRDAI/AMFI) as appropriate.
19. Regulatory References (selected)
- Digital Personal Data Protection Act, 2023 (DPDP Act) — a central framework for consent, rights, and grievance redressal.
- IRDAI — Information & Cyber Security Guidelines (2023) — sectoral cyber security and incident reporting obligations.
- AMFI / SEBI guidance on data sharing & best practices for AMCs and distributors (data confidentiality & retention).
- SEBI Cybersecurity & Cyber Resilience guidance for SEBI-regulated entities.
