Privacy Policy

1. INTRODUCTION AND OVERVIEW

Kodo Technologies Private Limited ("Company", "We", "Us", "Our") is committed to protecting the privacy and security of the personal data and financial information of the users ("You", "Your", "User") of the Kodo North platform ("Platform"). This Privacy Policy describes how We collect, use, store, process, disclose, and protect Your data in connection with Your use of the Platform.

This Privacy Policy is published in accordance with:

• The Digital Personal Data Protection Act, 2023 ("DPDP Act") and the rules thereunder;

• The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT SPDI Rules");

• SEBI and AMFI guidelines on KYC, data privacy, and investor data protection;

• Prevention of Money Laundering Act, 2002 and KYC norms.

By using the Platform, You consent to the collection, processing, and use of Your personal data as described in this Privacy Policy. If You do not agree, please discontinue use of the Platform.

2. CATEGORIES OF PERSONAL DATA COLLECTED

2.1  Identity and KYC Data

• Full legal name(s) of entity and authorised personnel;

• Permanent Account Number (PAN);

• Aadhaar number (where voluntarily provided and collected with appropriate consent under UIDAI guidelines);

• Passport, driving licence, voter ID, or other government-issued identity documents;

• Date of birth and nationality;

• Photographs and biometric data (where applicable);

• CKYC reference number.

  
  

2.2  Financial and Account Data

• Bank account details including account numbers, IFSC codes, and branch details;

• Financial statements, audited accounts, and balance sheets (for entity onboarding);

• Mutual fund folio numbers and investment transaction data;

• Investment amounts, portfolio holdings, and performance data;

• Income and wealth declarations;

• Demat account details (if applicable);

• Tax Deduction Account Number (TAN) and GST registration number (for entities).

  
  

2.3  Organisational and Authorisation Data (Entities)

• Certificate of Incorporation, MOA, AOA, partnership deeds, or equivalent;

• Board resolutions and authorisation letters;

• Beneficial ownership declarations;

• Directors, partners, trustees, and authorised signatories' personal data.

  
  

2.4  Account and Authentication Data

• User IDs, encrypted passwords, OTPs (hashed/not stored in plain text);

• Login timestamps, IP addresses, session data;

• Multi-factor authentication records.

  
  

2.5  Device and Technical Data

• IP address and geolocation (approximate);

• Browser type, version, and operating system;

• Device identifiers;

• Clickstream data and Platform usage analytics;

• Error logs and crash reports.

  
  

2.6  Communication Data

• Email correspondence and in-Platform messages;

• Phone numbers and call records (for support interactions);

• WhatsApp or messaging app identifiers (for communication consent).

  
  

2.7  Transaction and Activity Data

• All Platform transactions including subscriptions, redemptions, and switches;

• Approval workflow records;

• API call logs;

• Audit trails and Electronic Instruction records.

  
  

3. SENSITIVE PERSONAL DATA AND FINANCIAL INFORMATION

3.1  The following categories of data collected by the Company constitute "Sensitive Personal Data" under the IT SPDI Rules and/or "personal data" under the DPDP Act and are handled with heightened protection:

• Financial information including bank account details, credit card data, and investment data;

• Biometric data (where collected);

• Passwords and authentication credentials.

  
  

3.2  PAN data is handled in accordance with applicable SEBI, AMFI, and income tax regulations. PAN is used for KYC verification, transaction reporting, and tax deduction purposes.

3.3  Aadhaar data, if collected, is handled in strict compliance with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and UIDAI guidelines. Aadhaar authentication (if used) is conducted through UIDAI-authorised channels only. Aadhaar numbers are not stored in raw form.

4. PURPOSE OF DATA PROCESSING

Your personal data is collected and processed for the following purposes:

4.1  Service Delivery

• Provision and operation of the Platform and Services;

• User onboarding, KYC verification, and account management;

• Processing and execution of mutual fund transactions;

• Treasury operations and financial management facilitation;

• Portfolio tracking, reporting, and analytics.

  
  

4.2  Legal and Regulatory Compliance

• Compliance with KYC/AML obligations under PMLA, SEBI, AMFI, and RBI regulations;

• Reporting to FIU-IND, SEBI, AMFI, income tax authorities, and other regulators;

• Maintaining statutory records;

• Responding to regulatory inquiries, audits, and investigations.

  
  

4.3  Security and Fraud Prevention

• Transaction monitoring and fraud detection;

• Account security and unauthorised access detection;

• Cybersecurity incident investigation.

  
  

4.4  Communications

• Sending transaction confirmations, account alerts, and regulatory notices;

• Customer support interactions;

• Product updates, service notifications, and marketing communications (with consent).

  
  

4.5  Analytics and Platform Improvement

• Product development, analytics, and user experience improvement;

• Performance monitoring and capacity planning.

  
  

5. LEGAL BASIS FOR PROCESSING

The Company processes Your personal data on the following legal bases:

• Consent: For marketing communications, optional data sharing, and specific processing activities notified to You (consent may be withdrawn at any time, subject to lawful processing already completed);

• Contract Performance: Processing necessary for the performance of services under these Terms and the Agreement;

• Legal Obligation: Processing required to comply with applicable laws including PMLA, SEBI regulations, income tax law, and other statutes;

• Legitimate Interests: Processing for fraud prevention, platform security, analytics, and service improvement, balanced against Your privacy rights.

  
  

6. DATA SHARING AND DISCLOSURE

6.1  Sharing with Service Providers and Partners

The Company shares personal data with the following categories of recipients as necessary to provide Services:

• AMCs and RTAs: For processing mutual fund transactions and maintaining investor folios;

• Banking partners: For payment processing, account verification, and banking integrations;

• KYC Registration Agencies (KRAs): For KYC verification and CKYC registration;

• Technology service providers and cloud infrastructure providers: For Platform hosting and operations;

• Data analytics providers: For Platform analytics and fraud detection;

• Legal and compliance advisers;

• Auditors: For statutory and internal audits.

  
  

6.2  Regulatory Disclosure

The Company will disclose personal data to regulatory authorities, law enforcement agencies, courts, and government bodies when required by law, legal process, or governmental request, including:

• FIU-IND: Suspicious transaction reports and cash transaction reports under PMLA;

• SEBI and AMFI: Compliance reporting and investor complaint investigation;

• Income Tax authorities: TDS reporting and information requests;

• Courts and tribunals: In response to valid legal process.

  
  

6.3  Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of the Company's assets, personal data may be transferred to the acquiring or successor entity, subject to equivalent data protection obligations.

6.4  Cross-Border Processing

Personal data is primarily processed and stored within India. To the extent any personal data is transferred to or processed outside India (for example, by cloud service providers with infrastructure in other jurisdictions), such transfer shall be in compliance with applicable data protection law, including such frameworks as may be notified under the DPDP Act.

6.5  No Sale of Personal Data

The Company does not sell, rent, or trade personal data to third parties for their independent marketing purposes.

7. COOKIES AND TRACKING TECHNOLOGIES

7.1  The Platform uses cookies, web beacons, pixel tags, and similar tracking technologies to:

• Maintain session state and authentication;

• Remember user preferences;

• Analyse Platform usage and performance;

• Detect and prevent fraudulent activity.

  
  

7.2  Categories of cookies used:

• Strictly Necessary Cookies: Essential for Platform functionality and security; cannot be disabled;

• Functional Cookies: Enable enhanced features and personalisation;

• Analytics Cookies: Collect aggregate usage data for Platform improvement;

• Session Cookies: Temporary cookies that expire when the browser session ends.

  
  

7.3  Users may manage cookie preferences through their browser settings. Disabling certain cookies may affect Platform functionality.

8. DATA RETENTION

8.1  The Company retains personal data for as long as necessary to fulfil the purposes for which it was collected, including:

• KYC and AML records: Minimum five (5) years from the end of the business relationship, as required under PMLA;

• Mutual fund transaction records: As required by SEBI and AMFI regulations;

• Financial records: As required by applicable accounting and tax law;

• Account data: For the duration of the account and a reasonable post-closure period;

• Audit logs and security records: Minimum three (3) years.

  
  

8.2  Upon expiry of the applicable retention period, the Company shall delete or anonymise personal data in a secure manner, subject to any ongoing legal or regulatory obligation to retain such data.

9. USER RIGHTS UNDER DPDP ACT AND APPLICABLE LAW

Subject to applicable legal obligations and the DPDP Act, Users have the following rights in respect of their personal data:

9.1  Right of Access

You may request information about the personal data held by the Company about You and the purposes for which it is being processed.

9.2  Right to Correction and Updation

You may request the correction of inaccurate or incomplete personal data. Please contact the Data Protection Officer/Grievance Officer with specific details of the data to be corrected.

9.3  Right to Erasure

You may request deletion of personal data that is no longer necessary for the purpose for which it was collected, subject to the Company's legal and regulatory obligations to retain data. Note that deletion of KYC, AML, and transaction data may not be possible during the mandatory regulatory retention period.

9.4  Right to Withdraw Consent

Where processing is based on consent, You may withdraw consent at any time. Withdrawal shall not affect the lawfulness of processing prior to withdrawal. Note that withdrawal of consent for certain processing may prevent the Company from continuing to provide Services.

9.5  Right to Grievance Redressal

You have the right to lodge a grievance with the Company's Data Protection Officer / Grievance Officer in respect of any privacy concern.

9.6  Exercising Rights

To exercise any of the above rights, please contact: support@kodonorth.com

10. SECURITY PRACTICES AND TECHNICAL SAFEGUARDS

10.1  The Company implements appropriate technical and organisational security measures to protect personal data, including:

• Encryption of data in transit using TLS/SSL protocols;

• Encryption of sensitive data at rest;

• Role-based access controls and principle of least privilege;

• Multi-factor authentication for Platform access;

• Regular vulnerability assessments and security audits;

• Intrusion detection and monitoring systems;

• Secure coding practices and code reviews;

• Employee training on data protection and security.

  
  

10.2  Notwithstanding the foregoing, no security system is impenetrable. The Company does not warrant that its security measures will prevent all security incidents. In the event of a data breach, the Company shall notify affected Users and the relevant Data Protection Board as required under applicable law.

11. INCIDENT RESPONSE DISCLAIMER

11.1  In the event of a personal data breach or security incident, the Company will:

• Take immediate containment and remediation actions;

• Notify the Data Protection Board of India as required under the DPDP Act;

• Notify affected Data Principals as required by applicable law;

• Conduct a root-cause analysis and implement corrective measures.

  
  

11.2  The Company shall not be liable for losses arising from security incidents caused by cyber-attacks, Zero-Day exploits, or other threats outside the Company's reasonable control, provided the Company has implemented industry-standard security practices.

12. MARKETING COMMUNICATIONS AND OPT-OUTS

12.1  Subject to Your consent, the Company may send You marketing communications about new products, features, and service updates through email, SMS, and other channels.

12.2  You may opt out of marketing communications at any time by:

• Clicking the unsubscribe link in marketing emails;

• Contacting support@kodo.in with an opt-out request;

• Updating Your communication preferences in Platform settings.

  
  

12.3  Opt-out of marketing does not affect transactional, compliance, or regulatory communications, which the Company is required to send.

13. CHILDREN'S PRIVACY

13.1  The Platform is not intended for use by individuals below the age of eighteen (18) years. The Company does not knowingly collect personal data from children.

13.2  If the Company becomes aware that personal data of a child has been collected without verified parental consent, it shall take prompt steps to delete such data.

14. API AND WEBHOOK DATA HANDLING

14.1  Where Users access the Platform via APIs or configure webhooks, data transmitted through such channels is subject to this Privacy Policy.

14.2  API credentials are the User's responsibility. The Company is not liable for data exposures resulting from compromise of API credentials.

14.3  Webhook payloads may contain personal data and financial data. Users are responsible for ensuring secure handling of webhook data at their endpoint.

15. THIRD-PARTY INTEGRATIONS

15.1  The Platform integrates with third-party services including banking APIs, payment gateways, and data providers. Each third-party service has its own privacy policy governing their handling of Your data.

15.2  The Company is not responsible for the privacy practices of third-party services. Users should review the applicable third-party privacy policies.

16. DATA PROTECTION OFFICER / GRIEVANCE OFFICER

Kodo Technologies Private Limited has designated a Data Protection Officer / Grievance Officer as required under applicable law:

Data Protection Officer / Grievance OfficerName: Deepti Sanghi

Email: support@kodonorth.com

Address: 1108. One Lodha Place, Senapati Bapat Marg, Lower Parel, Mumbai – 400013, India

Working Hours: Monday to Friday, 10:00 AM to 6:00 PM (IST), excluding public holidays

17. POLICY UPDATES

17.1  This Privacy Policy may be updated from time to time to reflect changes in the Company's practices, legal requirements, or Platform features. The updated Privacy Policy shall be published on the Platform with the date of revision.

17.2  Material changes shall be notified to registered Users through in-Platform notifications or email. Continued use of the Platform following publication of the updated Privacy Policy constitutes Your acceptance of the changes.

18. GOVERNING LAW AND JURISDICTION

This Privacy Policy shall be governed by the laws of India. Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Mumbai, Maharashtra, India, subject to the arbitration provisions in the Terms of Service.

19. CONTACT INFORMATION

For all privacy-related inquiries, data rights requests, or concerns:

Kodo Technologies Private Limited, 1108, One Lodha Place, Senapati Bapat Marg, Lower Parel, Mumbai – 400013, India

General: support@kodonorth.com

Website: www.kodonorth.com