Privacy Policies

This Document is an electronic record in terms of Information Technology Act, 2000 and rules made there under as applicable and the provisions pertaining to electronic records in various statues as amended by the Information Technology Act, 2000. This electronic record is generated by a computer system and does not require any physical or digital signatures.

This Privacy Policy ("Privacy Policy") describes the manner in which Sheeraj Codeworks Private Limited, a company incorporated under the laws of India and having its registered office at 1411, Tower 1, DLF Corporate Greens, SPR Road, Sector 74A, Narsinghpur, Gurgaon, Haryana – 122004, India (the "Company", "we", "us", or "our"), collects, uses, stores, shares, and otherwise processes personal data of users ("User", "you", "your" or “Data Principal”) through the mobile-based personal finance application titled “FAT Money” and the website operated by the Company (collectively, the "Platform").

This Privacy Policy forms an integral part of and is to be read together with the Terms of Use of the Platform ("Terms"). This Privacy Policy explains how personal data is collected, used, disclosed, stored, and otherwise processed by the Company in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the rules made thereunder. This Privacy Policy should be read together with the Terms and any specific notices, consent requests, or disclosures provided at the time of collection of personal data. Capitalised terms not defined herein shall have the meaning ascribed to them under the Terms and/ or the DPDP Act, as the case may be. In the event of any inconsistency, the provisions of this Privacy Policy shall prevail solely with respect to matters relating to personal data.

1. Status of the Company and scope of this Privacy Policy

The Company acts as a “Data Fiduciary” under the DPDP Act and determines the purpose and means of processing personal data collected through the Platform. This Privacy Policy applies to all personal data processed when you access or use the Platform, including: Registration and account creation; Use of accounting, portfolio aggregation, and AI-assisted features; Communications with us; and Integrations with third-party brokers or service providers. By using the Platform, you consent to the practices described in this Privacy Policy.

2. Categories of personal data collected

1. Ownership and Operation of the Platform

The Company is the lawful owner and operator of the Platform and provides access to the Platform solely for the purpose of facilitating the provision of the services described herein (the "Services"), subject to and in accordance with these Terms.

2. Status of the Company: No Financial Services

The Company is a private limited company incorporated under the Companies Act, 2013. The Company acts solely as a technology intermediary and does not itself provide any financial services to Users. Without limitation, the Company is not registered with the Reserve Bank of India, is not a financial institution within the meaning of the Companies Act, 2013 or the Banking Regulation Act, 1949, and is not a deposit-taking company, chit fund, non-banking financial company, or an entity offering or soliciting any investment, credit, or savings schemes under applicable laws in force in India.

In line with the Terms, the Company may collect and process the following categories of personal data, subject to the principles of data minimisation and purpose limitation:

1. a. Account and identification data, such as name, email address, mobile number and login credentials;
2. b. Financial and transactional information, including information extracted from SMS messages and emails (such as bank account details, card information, loan account details, transaction amounts and dates), where you have expressly consented to such access for availing the Accounting Services described in the Terms;
3. c. Portfolio and investment-related information obtained on a read-only basis from third-party brokers, solely for the purpose of portfolio aggregation and analytics;
4. d. User-provided data, including manually entered transactions, budgets and preferences;
5. e. Technical and usage data, such as device information, app version, log data and interaction data necessary for security, troubleshooting and service improvement;
6. f. Grievance and communication data, including records of queries, complaints and correspondence.

The Company does not collect biometric data or sensitive personal data beyond what is necessary for the lawful purposes described in the Terms.

3. Purpose of processing and lawful basis

Personal data is processed strictly for lawful and specified purposes, including:

1. a. Enabling access to and use of the Platform and maintaining User accounts;
2. b. Providing the Accounting Services and Trading Services facilitation as described under the Services section of the Terms;
3. c. Operating AI-assisted features such as expense categorisation, summaries and chat-based assistance;
4. d. Responding to User queries, requests and grievances, and exercising rights under the DPDP Act;
5. e. Complying with applicable laws, court orders, regulatory requirements and lawful requests from authorities;
6. f. Ensuring platform security, fraud prevention and system integrity; and
7. g. Sending service-related and administrative communications, and marketing communications only where explicit consent has been provided.

We do not use your data for lending decisions, targeted advertising, or sale to third parties.

Processing is undertaken on the basis of:

1. i) Free, specific, informed, unconditional and unambiguous consent provided by the User under section 6 of the DPDP Act; and/or
2. ii)“Certain legitimate uses” as permitted under section 7 of the DPDP Act, including compliance with law, prevention of fraud and provision of services voluntarily requested by the User.

4. Consent and withdrawal

Consent is obtained through clear affirmative action, including account creation, feature activation and clicking the “I Agree” button, as described in the Terms. The User may withdraw consent at any time using the in-app consent management tools or by contacting the Company, with the ease of withdrawal being comparable to the ease of giving consent.

Withdrawal of consent shall not affect the legality of processing carried out prior to such withdrawal. The consequences of withdrawal, including potential restriction or discontinuation of Services, are set out in the Terms.

5. Data accuracy and user obligations

Users are required to ensure that personal data provided to the Company is accurate, complete and up to date. The Company may rely on the last provided information where Users fail to update their data.

6. Engagement of data processors and third parties

The Company may engage third-party service providers as data processors for hosting, analytics, communication, AI support and other operational purposes. All such engagements are governed by written agreements requiring processors to:

• process personal data only on documented instructions of the Company;
• implement reasonable security safeguards;
• not retain, use or disclose personal data for unauthorised purposes; and
• delete or return personal data upon completion of services, unless retention is required by law.

Where Users choose to link third-party broker accounts or avail services of third-party service providers, the processing of personal data by such third parties is governed by their respective privacy policies and terms, and the Company does not assume responsibility for such independent processing.

7. Use of artificial intelligence systems

The Company uses AI systems only for the limited purposes described in the Terms and processes only the minimum necessary data required for such purposes. AI systems do not independently initiate actions or access User data, and AI-generated outputs are informational and assistive in nature only. Users retain the right to seek human review or grievance redressal in relation to AI-driven interactions, as set out in the Terms.

8. Personal data of children

The Platform is not intended for use by children without verifiable parental or lawful guardian consent, in accordance with section 9 of the DPDP Act and Clause 8 of the Terms. The Company does not undertake tracking, behavioural monitoring or targeted advertising directed at children.

9. Security safeguards and data breaches

The Company implements reasonable technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or loss, as required under section 8 of the DPDP Act and the Terms. Such measures are designed to prevent personal data breaches and to safeguard personal data against unauthorised access, disclosure, alteration, loss, or destruction, having regard to the nature, scope, and purpose of processing. The Company takes reasonable steps to periodically review and update its security safeguards in line with evolving risks, technological developments, and applicable legal requirements.

In the event of a personal data breach, the Company shall take prompt remedial action and notify the Data Protection Board of India and affected Users, where required, in accordance with Clause 14 of the Terms and applicable law.

10. Retention and erasure

Personal data is retained only for so long as necessary to fulfil the specified purposes or to comply with applicable legal obligations. Upon withdrawal of consent or where the purpose is no longer served, personal data shall be erased or anonymised, unless retention is required by law.

11. Cross-border transfer of personal data

Personal data may be processed or stored outside India only in such countries or territories as may be permitted by the Central Government, and subject to appropriate safeguards.

12. Rights of data principals

Subject to applicable law, Users have the following rights in relation to their personal data:

1. Access: The User has the right to obtain confirmation as to whether the Company processes their personal data and to access a summary of such personal data and related processing activities, in accordance with applicable law. This includes the right to obtain the identities of other Data Fiduciaries and Data Processors with whom the personal data has been shared, along with a description of the categories of personal data so shared.
2. Correction and Erasure: The User has the right to request correction of inaccurate or misleading personal data and erasure of personal data that is no longer necessary for the specified purpose, subject to applicable legal requirements.
3. Withdrawal of Consent: Where processing of personal data is based on consent, the User has the right to withdraw such consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.
4. Grievance Redressal: The User has the right to raise grievances regarding the processing of their personal data and to have such grievances addressed by the Company in accordance with the grievance redressal mechanism described in this Privacy Policy and the Terms.
5. Right to Nominate: The User has the right to nominate another individual to exercise their rights under the DPDP Act in the event of death or incapacity.

The exercise of the above rights is subject to limitations, conditions, and exceptions prescribed under the DPDP Act and applicable rules.

Requests for the exercise of User rights may be made through the Company’s designated contact details or user account interfaces, as applicable. The Company may require reasonable identifiers (such as registered email address, username, or account ID) to verify the identity of the User before processing such requests.

13. Grievance redressal mechanism

The Company has established an effective grievance redressal mechanism to address any concerns, complaints, or grievances raised by Users in relation to the processing of their personal data. The contact details set out below may also be used by the Users to submit requests for the exercise of their rights under Section 12 of this Privacy Policy. Where a User is dissatisfied with the handling or outcome of such request, they may raise a grievance under this mechanism.

A User may submit a request for the exercise of its right(s), grievance, or query by contacting the Company through the details provided below:

Level 1:

You can reach Us for any query/complaint through any of the channels from Monday to Saturdays except on mandatory holidays:

• Telephone: 8595910946 (Timings: Monday to Saturday – 9:30 am to 6 pm - Excluding public holidays)
• Email: support@thefatmoney.com (We generally respond within 24-48 hours.)

Level 2:

If the Complaint/Grievance is not redressed by the Customer Service Centre within 7 working days, the customer shall approach the Grievance Redressal Officer (GRO) of the Company at below details:

• Name: Mr. Yash Dhankhar
• Address: 1411, Tower-1,Corporate Greens,Sector-74A, Gurugram
• Email: support@thefatmoney.com

The Company shall acknowledge and respond to grievances within the timelines prescribed under the Terms and shall take reasonable steps to resolve such grievances in an efficient and transparent manner. A User is required to first exhaust the grievance redressal mechanism provided by the Company before approaching the Data Protection Board of India.

14. Changes to this Policy

The Company may update or modify this Privacy Policy from time to time to reflect changes in applicable law, regulatory guidance, business practices, or the manner in which personal data is processed. Where required under applicable law, the Company shall provide appropriate notice of material changes to this Privacy Policy. The updated version of the Privacy Policy shall be effective from the date specified therein. Users are encouraged to review this Privacy Policy periodically to stay informed about how their personal data is processed.

15. Governing law

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of India, including the Digital Personal Data Protection Act, 2023, and the rules and regulations framed thereunder, without regard to conflict of laws principles.