SATVIKLIFE.GOLD Private Limited ('SATVIKLIFE.GOLD', 'we', 'our', or 'the Company') is committed to protecting the personal data of all users of our Platform. This Privacy Policy explains what information we collect, why we collect it, how it is used and protected, and your rights in respect of your data. This policy is formulated in compliance with the Information Technology Act, 2000 ('IT Act'), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('IT Rules'), applicable RBI guidelines, the Prevention of Money Laundering Act, 2002 (PMLA), and in alignment with the principles of the Digital Personal Data Protection Act, 2023 ('DPDPA 2023').

SATVIKLIFE.GOLD does not collect, store, or process Sensitive Personal Data or Information (SPDI) as defined under the IT Rules. In particular, the Platform does not store any financial data - all payment processing is handled exclusively by RBI-regulated third-party payment gateways, and no financial credentials, card details, or banking passwords are transmitted to or retained on our servers at any point. We do not store biometric data of any kind.

1. Information We Collect

1.1 Information You Provide Directly

• Identity Information: Full name, date of birth, nationality
• Contact Information: Mobile number, email address, delivery address
• Identity Document Details: PAN card number - stored on our platform and authenticated through verification mechanisms provided by the Income Tax Department of India (such as NSDL/UTI PAN verification APIs). Aadhaar-based e-KYC is currently under development and not yet active on the platform; KYC is presently completed through manual document verification.
• Transaction Data: Purchase history, SIP records, redemption orders, sell transactions
• KYC Documentation: Copies of identity and address proof documents as required under PMLA 2002, submitted manually at the time of registration. Retained only for the duration mandated by law.
• Nominee Information: Nominee registration is not currently collected. This feature is under development and will be introduced in a future update. This Privacy Policy will be updated accordingly when the feature is live.

1.2 Information Collected Automatically

• Usage Data: Pages visited, features accessed, time spent on the platform, and interaction patterns - collected in aggregate and anonymised form for the purpose of platform improvement
• IP Address and Approximate Location: Derived from your IP address for fraud detection, security monitoring, and regulatory compliance purposes
• Session Data: Login timestamps, session identifiers, and transaction metadata
• Cookie Data: Session cookies required for platform functionality; anonymised analytics cookies for understanding aggregate usage patterns (see Section 7)

1.3 Information from Third Parties

• PAN Verification: Verification status of your PAN card through mechanisms provided by the Income Tax Department (NSDL/UTI) - verification result only; we do not receive or store data beyond confirmation of validity.
• Aadhaar-based e-KYC: Not currently active. Once introduced, this will function through UIDAI-licensed e-KYC providers and this policy will be updated to reflect the specifics of that process prior to go-live.
• Payment Gateways: Transaction confirmation and failure status received from RBI-regulated, PCI-DSS compliant payment gateway providers. No financial data - including card numbers, CVVs, net banking credentials, or UPI PINs - is transmitted to or stored by SATVIKLIFE.GOLD at any point. All financial data is handled exclusively within the payment gateway's own secured environment.
• Logistics Partners: Delivery confirmation and tracking status from courier service providers, limited to the information required to fulfil and confirm your order.

2. What We Do Not Collect or Store

SATVIKLIFE.GOLD explicitly does not collect or store the following:

• Any financial data whatsoever - including payment card numbers, CVVs, net banking credentials, UPI PINs, or bank account passwords. All payment processing is conducted entirely within the secured environments of RBI-regulated, PCI-DSS compliant payment gateways. This data does not reach or pass through our servers.
• Device-specific identifiers such as device hardware IDs, OS version, IMEI, or unique device fingerprints - we do not collect or store device information.
• Biometric data of any kind.
• Health, religious, political, or caste-related information.
• Sensitive Personal Data or Information (SPDI) as defined under the IT (SPDI) Rules, 2011.

3. How We Use Your Information

• Account Creation and KYC Compliance: To verify identity and fulfil mandatory obligations under PMLA 2002 and RBI KYC norms.
• Service Delivery: To process transactions, execute SIPs, manage redemption orders, and facilitate delivery.
• Communication: To send transaction confirmations, SIP alerts, order updates, support responses, and account security notifications.
• Legal Compliance: To respond to requests from regulatory bodies (FIU-IND, CBDT, GST authorities), courts, or law enforcement as required under applicable Indian law.
• Fraud Prevention and Risk Management: To detect and prevent fraudulent transactions and money laundering activity.
• Platform Improvement: To analyse anonymised usage patterns and improve platform performance and user experience.
• Marketing Communications: To share relevant product updates, new listings, and investment insights. You may opt out of marketing emails at any time via your account settings or the unsubscribe link in any email.

4. User Rights Regarding Personal Data

Under applicable Indian law and in alignment with global best practices, you hold the following rights:

• Right to Access: Request a copy of personal data we hold about you by contacting our Grievance Officer.
• Right to Correction: Request correction of inaccurate or incomplete information via your account settings or by contacting us.
• Right to Data Portability: Request your transaction and account data in a structured, machine-readable format.
• Right to Erasure (subject to legal retention requirements): Request deletion of personal data upon account closure. Note that certain data must be retained for periods prescribed by law (see Section 8) and erasure requests are subject to these obligations.
• Right to Withdraw Consent: Withdraw consent for non-mandatory data processing (such as marketing) at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
• Right to Nominate: Under DPDPA 2023, you may designate a nominee to exercise these rights on your behalf in the event of death or incapacity.
• Right to Grievance Redressal: Lodge a complaint with our Grievance Officer (see Section 10).

5. Third-Party Sharing and Disclosure

We do not sell, rent, or trade your personal data to any third party for commercial or marketing purposes. Your data may be shared only in the following defined circumstances:

• Regulatory and Legal Compliance: With FIU-IND, CBDT, GST authorities, RBI, law enforcement agencies, or courts as required under applicable Indian law or valid legal process.
• KYC and Identity Verification: PAN card details are verified through mechanisms provided by the Income Tax Department of India (NSDL/UTI PAN verification services). Manual KYC documents are reviewed by authorised personnel. Aadhaar-based e-KYC is not yet active; when introduced, sharing with UIDAI-licensed providers will be governed by a revised version of this policy published before go-live.
• Payment Processors: With RBI-regulated, PCI-DSS compliant payment gateway providers for the sole purpose of processing transactions. SATVIKLIFE.GOLD shares only the transaction amount and reference; no financial credentials are transmitted to or stored by us. The payment gateway operates independently under its own RBI authorisation and security framework.
• Logistics Partners: With courier and delivery service providers, limited to the delivery address, contact number, and order reference required for shipment.
• Technology Service Providers: With cloud hosting and platform infrastructure providers under data processing agreements that impose equivalent security and confidentiality obligations.
• Business Restructuring: In the event of a merger, acquisition, or sale of business assets, your data may be transferred to the succeeding entity, with prior notice provided to you.

All third-party service providers are contractually required to process your data solely for specified purposes and to maintain security standards consistent with this policy.

6. Data Security

The Company implements technical and organisational security measures appropriate to the nature and volume of data processed on the Platform:

• 256-bit SSL/TLS encryption for all data in transit between your device and our servers
• • Encryption of personal data at rest for fields such as identity document references and contact information
• • Multi-Factor Authentication (MFA) for account access and high-value transactions
• Role-based internal access controls - staff access personal data strictly on a need-to-know basis
• No financial data is stored on our servers at any point; all payment data is handled exclusively by RBI-regulated payment gateways in their own secured infrastructure
• Incident response procedures aligned with CERT-In guidelines (CERT-In Directions, April 2022), including timely reporting of reportable security incidents

In the event of a data breach likely to result in harm to users, we will notify affected users and relevant authorities within the timeframes required under applicable law.

7. Cookies and Tracking Technologies

The Platform uses session cookies to maintain your logged-in state and platform functionality, and anonymised analytics cookies to understand aggregate usage patterns. We do not use cross-site behavioural advertising cookies. You may manage cookie preferences through your browser settings. Disabling certain cookies may affect platform functionality.

8. Data Retention

Personal data is retained only for as long as necessary for the purposes for which it was collected, subject to legal minimum retention periods:

• KYC and Identity Documents (PAN, address proof): Minimum 5 years after the end of the business relationship, as required under PMLA 2002
• Transaction Records: Minimum 5 years from the date of each transaction (PMLA compliance)
• Account Data: Duration of the account plus 5 years following closure
• Customer Support Communications: 3 years
• Server and Access Logs: 180 days, as required under CERT-In Directions, 2022
• Marketing Consent Records: Until withdrawn or the account is closed
• Nominee Data: Not currently collected. When this feature is introduced, applicable retention terms will be stated at that time.

Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.

9. Children's Privacy

The Platform is not directed at individuals below the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has used our platform without appropriate consent, please contact our Grievance Officer immediately.

10. Changes to This Privacy Policy

This Privacy Policy may be updated from time to time to reflect changes in our practices or applicable law. Material changes will be communicated to registered users via email or in-app notification at least 30 days before taking effect. Continued use of the Platform after the revised policy is effective constitutes acceptance of the updated terms.

11. Grievance Officer

In accordance with the Information Technology Act, 2000 and applicable rules, and in alignment with DPDPA 2023, the Company has appointed a Grievance Officer to address data-related concerns: