Privacy Policy
How MintByte Investment Services Pvt Ltd processes Personal Data under DPDP 2023 + GDPR/UK GDPR (where applicable). Data Fiduciary identification, lawful basis, Data Principal rights, sub-processors, breach-notification timelines, Grievance Officer.
Effective date: 31 May 2026
Last updated: 31 May 2026
Supersedes: Privacy Policy dated 26 May 2026
Version: 2.0
1. About this Policy
This Privacy Policy ("Policy") explains how MintByte Investment Services Private Limited (CIN: U66190MH2024PTC434330; "MintByte", "we", "us", "our") collects, uses, processes, stores, shares, transfers and protects your personal data when you visit www.mintbyte.com, any sub-domain we operate, or use any service we offer (collectively, the "Services").
It is issued in compliance with:
- the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the rules made thereunder;
- the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules");
- the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR, to the extent applicable to Data Principals located in the European Economic Area ("EEA"), the United Kingdom or Switzerland at the time of interaction;
- regulations, master circulars and guidelines issued by the Securities and Exchange Board of India ("SEBI"), the Association of Mutual Funds in India ("AMFI"), the Association of Portfolio Managers in India ("APMI") and the Reserve Bank of India ("RBI") for our regulated activities.
By accessing or using the Services, you confirm that you have read and understood this Policy. Where law requires explicit consent for a particular processing activity, we will obtain it separately and prior to that processing.
2. Data Fiduciary / Data Controller
- Under the DPDP Act, MintByte Investment Services Private Limited is the Data Fiduciary (s.2(i)).
- Under the GDPR / UK GDPR, MintByte is the Data Controller (Art. 4(7)).
Registered office and Grievance Officer contact details are in §16.
2.1 Significant Data Fiduciary status (DPDP s.10)
We have undertaken a self-assessment against the s.10 factors. As of the effective date, MintByte is not designated as a Significant Data Fiduciary by the Central Government. If we are subsequently notified or our self-assessment changes, we will appoint a Data Protection Officer and an independent Data Auditor as required.
4. Personal Data we collect
| Category | Examples | Source |
|---|---|---|
| (a) Identification and contact | full name, DoB, gender, address, telephone, email, photograph, signature | Directly from you; KRA/CKYC |
| (b) Government identifiers | PAN, Aadhaar (masked unless full mandated), passport (NRI/OCI), Form 60, CKYC identifier | Directly from you; KRA/CKYC; e-KYC providers |
| (c) Financial information (SPDI) | bank account, IFSC, demat account, holding statements, transaction history, source-of-funds, income range, net-worth declarations, FATCA/CRS declarations, tax-residency status | Directly from you; AMCs; depositories; RTAs |
| (d) KYC and risk-profiling | KRA / CKYC / e-KYC / V-CIP records, investment objectives, risk tolerance, horizon, liquidity needs, prior experience | Directly from you; KRAs |
| (e) Transactional & behavioural | orders, redemptions, switches, SIPs, support tickets, call recordings (where lawful), session logs | Directly from you; partner trading platforms |
| (f) Technical & device | IP address, browser, device identifiers, OS, timezone, referring URL, pages viewed, clickstream, cookie identifiers, approximate location (with consent) | Automatically via cookies and server logs |
| (g) Marketing preferences | newsletter subscription status, downloads, event registrations, social-media interactions | Directly from you; HubSpot |
5. Purposes of Processing
- Onboarding & KYC — verify identity, complete KYC, on-board you as a client.
- Transaction execution & settlement — mutual funds, PMS, bonds, NPS, insurance, US stocks (via partners) and other products we are authorised to distribute.
- Account servicing — answer queries, process complaints, send statements, intimations, support.
- Regulatory compliance — SEBI, AMFI, APMI, RBI; PMLA; Income-tax Act; FATCA and CRS; orders of courts, tribunals and regulators.
- Fraud & security — detect, prevent and investigate fraud, money-laundering, unauthorised access, abuse.
- Service security & availability — system integrity, confidentiality, availability.
- Analytics & product improvement — aggregated, de-identified analysis.
- Transactional communications — statements, regulatory disclosures, service alerts (cannot opt out while account is active).
- Marketing communications — with your consent.
- Legal claims & records — exercise or defend legal claims; retain records as required by law.
We do not sell or rent your Personal Data to any third party for that third party's marketing purposes.
6. Legal basis for Processing
6.1 Under the DPDP Act
| Basis | Where used |
|---|---|
| Your consent (s.6) | Marketing, optional cookies, non-statutory communications, voluntary surveys |
| Specified Legitimate Uses (s.7) | KYC, regulatory filings, court orders |
| Performance of a contract | Executing a transaction you have authorised |
| Compliance with a legal obligation | PMLA, FATCA/CRS, SEBI/AMFI/APMI/RBI reporting |
| Our legitimate interest (where not overridden) | Fraud prevention, system security, internal analytics |
6.2 Under the GDPR (EEA/UK/Swiss Data Principals only)
| Art. 6 basis | Example | Art. 9 condition |
|---|---|---|
| 6(1)(a) consent | Marketing emails, optional cookies | 9(2)(a) explicit consent |
| 6(1)(b) contract | Executing transactions | — |
| 6(1)(c) legal obligation | KYC, PMLA, FATCA/CRS | 9(2)(g) substantial public interest |
| 6(1)(f) legitimate interest | Fraud prevention, security logs, analytics | — |
You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, nor relieve us of legal obligations.
7. Recipients of Personal Data
We share Personal Data only on a need-to-know basis with:
- group companies and authorised MintByte personnel;
- regulators and statutory authorities (SEBI, AMFI, APMI, BSE, NSE, RBI, Income-tax, FIU-IND, CERT-In, Data Protection Board, courts and tribunals);
- KRAs, CERSAI/CKYC, depositories (NSDL, CDSL), DPs, stock exchanges, clearing corporations;
- AMCs, Portfolio Managers, AIFs, NPS Trustees, insurance companies, bond issuers;
- payment aggregators and banks;
- technology sub-processors (see §8);
- professional advisers (legal, audit, tax); and
- any acquirer or successor, subject to obligations no less protective than this Policy.
8. Sub-processor list
| Sub-processor | Purpose | Hosting region | Transfer mechanism (EU data) |
|---|---|---|---|
| Google Cloud Platform (asia-south1 — Mumbai) | Primary site/app/database hosting | India | EU SCCs for any EEA data hosted in India |
| Cloudflare, Inc. | CDN, WAF, bot management, DDoS | Global edge | EU SCCs, UK IDTA |
| CookieYes Limited | Cookie-consent management | EU | N/A intra-EU; onward EU→IN transfer per §8.2 (no EU adequacy decision covers India) |
| HubSpot, Inc. | CRM, lead capture, forms, chat, marketing | US / EU | EU SCCs, UK IDTA, EU-US DPF |
| Google LLC (Analytics 4 via Site Kit) | Aggregated traffic analytics | US / EU | EU SCCs, EU-US DPF |
| TrustIndex.io kft | Embedded reviews widget | EU (Hungary) | N/A intra-EU |
| TradingView, Inc. | Embedded market data | US / Cyprus | EU SCCs |
| Calendly LLC | Meeting scheduling | US | EU SCCs, EU-US DPF |
| YouTube (Google LLC) | Embedded video (privacy-enhanced where possible) | US / global | EU SCCs, EU-US DPF |
| Google reCAPTCHA | Anti-bot protection | US / global | EU SCCs, EU-US DPF |
The current list is also published at /cookie-policy/. Material changes are notified via a prominent notice on the Services or by email to clients of record.
8.1 Transfer of Personal Data outside India
Transfers are made consistent with s.16 of the DPDP Act and only to jurisdictions not subject to any restriction notified by the Central Government for the time being in force. Recipients are contractually bound to a standard no less stringent than Indian law.
8.2 Transfer of Personal Data outside the EEA / UK (GDPR)
We rely on (a) European Commission / UK adequacy decisions where applicable; (b) the EU Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum (March 2022); or (c) derogations under Article 49 GDPR where appropriate. A copy of our transfer-impact assessment summary is available on request to the Grievance Officer.
9. Data retention
| Category | Retention period | Basis |
|---|---|---|
| KYC documents | Minimum 5 years from cessation of business relationship | PMLA Rules |
| Transaction records (MF, PMS, bond, NPS) | Minimum 8 years from transaction date | SEBI master circulars |
| Tax-related records | As required | Income-tax Act; FATCA/CRS |
| Communications & complaint records | Minimum 8 years from resolution | SEBI investor-grievance norms |
| Marketing consent records | Until withdrawn + 3 years (evidentiary) | DPDP s.6 (Data Fiduciary bears the burden of proving notice and consent); evidentiary |
| Website server & security logs | 90 days rolling, then aggregated | Security legitimate interest |
| Cloudflare WAF / edge security events | 30 days raw + 1 year aggregated | Security legitimate interest |
After the applicable period we will either erase or anonymise so you can no longer be identified.
11. Your Rights
Subject to applicable law and identity verification, we will respond within 30 calendar days (DPDP) / one month (GDPR). For complex or numerous requests the GDPR period may be extended by up to two further months (Art. 12(3)); we will tell you within the first month if an extension is needed.
11.1 Rights available to all Data Principals
- Access · summary of Personal Data and processing
- Correction & completion · of inaccurate / incomplete data
- Erasure · subject to legal-retention obligations
- Grievance redressal · via Grievance Officer (§16) and Data Protection Board
- Nomination · designate another to exercise rights on death or incapacity
- Withdraw consent · at any time, prospective effect
11.2 Additional rights for GDPR-covered Data Principals
- Restriction of processing (Art. 18)
- Data portability (Art. 20) — structured, machine-readable format
- Object to processing (Art. 21) — including direct marketing (unconditional)
- Not subject to solely automated decision-making (Art. 22). MintByte does not engage in any solely-automated decision-making.
- Lodge a complaint with your local supervisory authority
11.3 How to make a request
Send a verified request to [email protected] (subject: DSAR — [type of request]) with proof of identity. No fee unless the request is manifestly unfounded or excessive.
12. Security
We deploy reasonable security practices: TLS 1.2+ in transit, encryption at rest, RBAC + least privilege, MFA for admin access, Cloudflare WAF + edge security, periodic vulnerability scanning + penetration testing, secure SDLC, background-verified trained staff bound by confidentiality. ISO 27001 and ISO 9001 certified. No method of transmission is 100% secure.
12.1 Personal-data breach notification
- Within 6 hours — report to CERT-In under s.70B IT Act + CERT-In Directions 2022;
- Without undue delay, within 72 hours — notify the Data Protection Board of India and the relevant GDPR supervisory authority (where applicable);
- Without undue delay — notify each affected Data Principal (DPDP s.8(6), which applies to every affected Data Principal irrespective of risk); for GDPR-covered Data Principals, where the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
Notifications include nature of breach, categories and approximate number of affected Data Principals, likely consequences, measures taken or proposed.
13. Cookies
Non-essential cookies are deployed only after consent (CookieYes banner). Change preferences via the floating "Cookie Settings" icon at the bottom-left of every page, or by clearing the cookieyes-consent cookie. Full cookie-by-cookie table at Cookie Policy.
Global Privacy Control / Do Not Track. Where your browser sends a GPC signal, we treat it as a valid opt-out for tracking-based advertising and analytics where consent is the legal basis.
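The GPC handling described above can be implemented as a small gate that runs before any non-essential tag is loaded. The block below is an added example and not MintByte's or CookieYes's own code. It assumes the cookieyes-consent cookie carries comma-separated `category:yes|no` pairs (an observed format, not stated on this page), reads GPC from either `navigator.globalPrivacyControl` (client) or the `Sec-GPC: 1` request header (server), and treats a GPC signal as a hard opt-out for the consent-based analytics, performance and advertisement categories only, leaving necessary and functional cookies as the banner set them. The sample cookie and headers are constructed.

```javascript
// Added example (not MintByte or CookieYes code): reconcile a Global Privacy
// Control signal with stored cookie-consent categories before loading a tag.

// CookieYes banner categories; "necessary" needs no consent.
const CONSENT_CATEGORIES = ['necessary', 'functional', 'analytics', 'performance', 'advertisement'];

// Categories whose only legal basis is consent: GPC overrides a stored "yes".
// Functional is deliberately left to the banner, per the Policy wording.
const GPC_OVERRIDDEN = new Set(['analytics', 'performance', 'advertisement']);

// Parse the cookieyes-consent value. Assumed format (observed, not from the
// page): "consentid:...,consent:yes,necessary:yes,analytics:no,...".
// Unknown keys are ignored; missing categories default to "no".
function parseCookieYesConsent(cookieValue) {
  const out = {};
  for (const cat of CONSENT_CATEGORIES) out[cat] = cat === 'necessary';
  if (!cookieValue) return out;
  for (const pair of cookieValue.split(',')) {
    const idx = pair.indexOf(':');
    if (idx < 0) continue;
    const key = pair.slice(0, idx).trim();
    const val = pair.slice(idx + 1).trim().toLowerCase();
    if (CONSENT_CATEGORIES.includes(key)) {
      out[key] = key === 'necessary' ? true : val === 'yes';
    }
  }
  return out;
}

// Detect GPC from whichever side we are on:
//   client: navigator.globalPrivacyControl === true
//   server: request header "Sec-GPC: 1" (header names are case-insensitive)
function gpcSignalled({ headers = {}, nav = null } = {}) {
  if (nav && nav.globalPrivacyControl === true) return true;
  const lower = Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  return lower['sec-gpc'] === '1';
}

// Effective per-category decision: stored consent, then GPC as a hard opt-out
// for the consent-based tracking categories.
function effectiveConsent({ cookieValue = '', headers = {}, nav = null } = {}) {
  const consent = parseCookieYesConsent(cookieValue);
  const gpc = gpcSignalled({ headers, nav });
  const allowed = {};
  for (const cat of CONSENT_CATEGORIES) {
    allowed[cat] = consent[cat] && !(gpc && GPC_OVERRIDDEN.has(cat));
  }
  return { gpc, allowed };
}

// Gate a tag loader on the decision; returns whether the loader ran.
function loadTagIfAllowed(category, decision, loader) {
  if (!decision.allowed[category]) return false;
  loader();
  return true;
}

// Constructed sample: the visitor accepted all categories in the banner
// earlier, but the browser now sends a GPC signal.
const SAMPLE_COOKIE =
  'consentid:abc123,consent:yes,action:yes,necessary:yes,functional:yes,' +
  'analytics:yes,performance:yes,advertisement:yes,other:yes';
const SAMPLE_HEADERS = { 'Sec-GPC': '1', 'User-Agent': 'example-browser' };

if (typeof require !== 'undefined' && require.main === module) {
  const decision = effectiveConsent({ cookieValue: SAMPLE_COOKIE, headers: SAMPLE_HEADERS });
  console.log(JSON.stringify(decision));
  loadTagIfAllowed('analytics', decision, () => console.log('GA4 loaded'));
  loadTagIfAllowed('functional', decision, () => console.log('functional tag loaded'));
}
```

Run server-side on each request (or client-side before the tag manager fires), and keep the decision object in the request log so a later DSAR or audit can show why a given tag did or did not load.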
14. Children and persons with disability
The Services are not directed to individuals under the age of 18. We do not knowingly collect Personal Data of children except where a parent/guardian is on-boarding the child as a beneficiary/nominee.
In such cases: (1) we obtain verifiable consent of the parent/guardian under s.9 DPDP; (2) the parent/guardian's KYC is completed; (3) the child's data is limited to what is strictly necessary; (4) no tracking, behavioural monitoring or advertising targeted at children; (5) the child gains control on attaining majority.
For Data Principals with disability who have a lawful guardian, we obtain the guardian's verifiable consent and process per DPDP, the Rights of Persons with Disabilities Act, 2016 and other applicable law.
16. Grievance Officer and contact
| Field | Detail |
|---|---|
| Name | Ms. Abhilasha Tiwari, Compliance Officer |
| Designation | Grievance Officer (Data Protection) — DPDP s.8(9) |
| Email — DSAR / privacy | [email protected] |
| Email — regulatory | [email protected] |
| Postal | HD-327, WeWork Oberoi Commerz II, 20th Floor, CTS No. 95, Off W. E. Highway, Oberoi Garden City, Goregaon East (D2), Mumbai, Maharashtra 400063, India |
| Phone | +91 9833139568 (Mon–Fri, 10:00–18:00 IST, excl. public holidays) |
| Acknowledgement | 2 business days |
| Resolution | 30 calendar days |
Escalation: Data Protection Board of India (DPDP); for GDPR-covered Data Principals, your local supervisory authority. For complaints relating to our regulated activities, also use the SEBI SCORES portal (https://scores.sebi.gov.in/).
18. Governing law and jurisdiction
Governed by the laws of India. Subject to regulatory grievance mechanisms above, the courts at Mumbai, Maharashtra have exclusive jurisdiction. Nothing limits the right of an EEA / UK / Swiss Data Principal to enforce mandatory GDPR / UK GDPR rights before their local courts.
MintByte is a SEBI-recognised Mutual Fund Distributor (AMFI ARN-314872 / APMI APRN-01658) and a SEBI-registered Authorised Person (NSE APCM-AP0297610463; BSE APAP01044601177076). ISO 27001 and ISO 9001 certified.