Privacy Policy

Last updated: 1 June 2025  ·  Effective: 1 June 2025

1. Who We Are

amara.ai Ltd ("AmaraWealth", "we", "us", "our") is a wealth technology company registered in the Dubai International Financial Centre (DIFC), Dubai, UAE, and operating at amarawealth.ai. AmaraWealth is the Data Controller / Data Fiduciary for personal data processed through its platform.

Registered office: Innovation One, Level 3, AI Campus, DIFC, Dubai, UAE. Data Protection contact: privacy@amarawealth.ai

2. Scope of This Policy

This Privacy Policy applies to personal data collected through:

• The AmaraWealth website (amarawealth.ai) and any related microsites
• The AmaraWealth platform and APIs when accessed directly
• AmaraWealth's LifeQuest and LifeQuest Plus applications
• Communications with our team (email, contact forms, events)

If you are an end-user of a white-label implementation operated by one of our institutional partners (banks, fintechs, distributors), the privacy policy of that institution governs your relationship with them. AmaraWealth processes your personal data as a Data Processor on behalf of that institution as the Data Fiduciary.

3. Personal Data We Collect

3.1 Data you provide directly

• Identity data: full name, date of birth, PAN, Aadhaar (for KYC), photograph
• Contact data: email address, mobile number, postal address
• Financial data: bank account details, investment preferences, risk profile
• KYC documents: government-issued ID, address proof, income proof
• Professional data: company name, designation, SEBI registration number (for institutional clients)
• Communications: messages, support tickets, form submissions, event registrations

3.2 Data collected automatically

• Usage data: pages visited, features used, time spent, click paths
• Device data: IP address, browser type, operating system, device identifiers
• Analytics data: aggregated and anonymized platform usage metrics

3.3 Data from third parties

• KYC verification data from NSDL, CDSL, CKYC Registry, and authorised KRA agencies
• Portfolio and transaction data from BSE Star MF, NSE, and RTAs
• Bank verification data via account aggregator (RBI AA framework)

4. How We Use Personal Data

We process personal data for the following purposes:

• Account administration: creating and managing your account and access
• KYC/AML compliance: verifying identity as required by PMLA, SEBI, and AMFI circulars
• Service delivery: processing investment transactions, generating statements, portfolio analytics
• Personalization: tailoring investment recommendations, nudges, and content to your profile
• Communications: responding to enquiries, sending transactional notifications and alerts
• Security: detecting, investigating, and preventing fraud, money laundering, and unauthorized access
• Legal compliance: fulfilling statutory reporting obligations to SEBI, AMFI, RBI, and tax authorities
• Product improvement: analyzing aggregated usage to improve platform features (no individual profiling)

5. Lawful Basis for Processing

Under the DIFC Data Protection Law (DIFC Law No. 5 of 2020) and applicable data protection regulations, we process personal data on the following bases:

• Consent: where you have provided explicit, informed consent (e.g., marketing communications, cookies)
• Contract performance: where processing is necessary to deliver services you have contracted for
• Legal obligation: where processing is required under applicable law (KYC, AML, tax reporting)
• Legitimate interests: for fraud prevention and security, provided your interests are not overridden

Where we rely on consent, you may withdraw it at any time — this does not affect the lawfulness of prior processing.

6. Sharing Personal Data

We do not sell personal data. We may share data with:

• Regulated intermediaries: RTAs (Karvy, CAMS), BSE/NSE, depositories, for executing transactions
• KYC/AML service providers: NSDL Database Management, CKYC Registry, authorised KRAs
• Infrastructure providers: cloud hosting (data processed within the DIFC or compliant jurisdictions), communications platforms
• Institutional partners: where you are an end-user of a partner's implementation, limited data sharing is necessary for service delivery
• Regulators and law enforcement: as required by law, court order, or regulatory direction from SEBI, RBI, or IT Ministry

All third-party processors are contracted to process data only on our instructions, with equivalent data security obligations.

7. Cross-Border Data Transfers

AmaraWealth primarily stores and processes personal data within the DIFC or compliant jurisdictions. Where data is transferred internationally, we ensure adequate protections are in place consistent with the DIFC Data Protection Law framework and applicable transfer mechanisms.

8. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:

• KYC records: minimum 5 years after account closure, as required under PMLA
• Transaction records: minimum 5 years from transaction date
• Account data: for the duration of the account and 2 years after closure
• Analytics data: aggregated data may be retained indefinitely; individual usage logs are deleted after 12 months

9. Security Measures

We implement industry-standard technical and organizational measures to protect your personal data, including:

• AES-256 encryption for data at rest; TLS 1.3 for data in transit
• Multi-factor authentication for all administrative access
• Role-based access control with least-privilege principles
• Regular penetration testing and security audits by independent third parties
• ISO 27001-aligned information security management practices
• Incident response procedures with notification timelines per CERT-In requirements

10. Your Data Rights

Under the DIFC Data Protection Law and applicable regulations, you have the right to:

• Access: request a summary of personal data we hold about you
• Correction: request correction of inaccurate or incomplete data
• Erasure: request deletion of personal data, subject to legal retention obligations
• Grievance: raise a complaint through our Grievance Officer
• Nominate: nominate an individual to exercise rights on your behalf in the event of death or incapacity
• Withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@amarawealth.ai. We will respond within 30 days.

Data Protection Officer: [Name], amara.ai Ltd, grievance@amarawealth.ai

11. Children's Privacy

The general AmaraWealth platform is not intended for individuals under 18. LifeQuest (ages 5–17) collects only the minimum personal data necessary for the service, requires verified parental consent before any child data is processed, and complies with all child data protection requirements under the DPDP Act (Section 9). No behavioral tracking or targeted advertising is conducted for child users.

12. Cookies and Tracking

We use cookies and similar tracking technologies on our website. For full details, including how to manage your preferences, see our Cookie Policy.

13. Policy Updates

We may update this Privacy Policy from time to time. Material changes will be notified by email or prominent notice on the platform. The revised policy will take effect on the date stated at the top. Continued use of the Services after that date constitutes acceptance of the revised policy.

14. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or our data practices:

amara.ai Ltd
Data Protection / Privacy Team
Email: privacy@amarawealth.ai
Grievance email: grievance@amarawealth.ai
Innovation One, Level 3, AI Campus, DIFC, Dubai, UAE