Data Protection Standard
| Field | Value |
|---|---|
| Document ID | STD-006 |
| Classification | Internal |
| Owner | CTO (interim CISO) |
| Effective Date | April 2026 |
| Review Cycle | Annual |
This standard describes how we classify, protect, and handle customer and business data to preserve its confidentiality, integrity, and availability.
Data Classification
We classify all data into four categories:
| Classification | Description | Examples | Handling Requirements |
|---|---|---|---|
| Public | Information that can be freely disclosed. | Marketing materials, public website content. | No special handling. |
| Internal | Business information for internal use only. | Internal policies, procedures, meeting notes. | Access limited to employees. |
| Confidential | Sensitive business or customer information. | Customer lists, financial reports, business strategies. | Encrypted storage, access logging. |
| Restricted | Highly sensitive data requiring the strictest controls. | PII, financial data, credentials, auth tokens. | Encrypted at rest and in transit, strict access controls, full audit logging. |
PII Handling
We process Personally Identifiable Information (PII) to provide our services.
How We Protect PII
| Control | Implementation |
|---|---|
| Access Restriction | Role-based access ensures only authorized personnel can view PII. |
| Masking | Sensitive identifiers like PAN and Aadhaar are masked in the UI and logs (only the last 4 digits are visible). |
| Encryption | All PII is encrypted at rest using AES-256. |
| Audit Logging | All access to PII is logged for auditing. |
| Data Minimization | We only collect the PII that is necessary for our operations. |
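The masking control above says that PAN and Aadhaar numbers must show only their last 4 digits in the UI and in logs. The following is an added example, not part of this standard or of Wealthy's code base, of how that rule can be enforced at the logging layer so that a developer cannot accidentally write a raw identifier into a log line. The PAN and Aadhaar patterns, the `mask_identifier`, `redact` and `redacted_message` helpers, and the `PIIRedactingFilter` class are all assumed names written for this illustration; the sample log message is constructed.

```python
import logging
import re

# Constructed patterns for the two identifier formats the standard names.
# PAN: 5 uppercase letters, 4 digits, 1 uppercase letter (e.g. ABCDE1234F).
# Aadhaar: 12 digits, often written as three groups of four separated by
# a space or hyphen. Any 12-digit run will match; over-masking is the safe
# failure mode for a log redactor.
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
AADHAAR_RE = re.compile(r"\b[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}\b")

VISIBLE_SUFFIX = 4  # the standard permits only the last 4 characters to be visible


def mask_identifier(value: str) -> str:
    """Replace every character except the last 4 with 'X'.

    Separators are stripped first so the masked form does not preserve the
    grouping of the original (e.g. '1234 5678 9012' -> 'XXXXXXXX9012').
    """
    compact = re.sub(r"[ -]", "", value)
    if len(compact) <= VISIBLE_SUFFIX:
        return "X" * len(compact)
    return "X" * (len(compact) - VISIBLE_SUFFIX) + compact[-VISIBLE_SUFFIX:]


def redact(text: str) -> str:
    """Mask every PAN or Aadhaar number found in free text such as a log line."""
    text = PAN_RE.sub(lambda m: mask_identifier(m.group(0)), text)
    text = AADHAAR_RE.sub(lambda m: mask_identifier(m.group(0)), text)
    return text


class PIIRedactingFilter(logging.Filter):
    """Logging filter that rewrites the fully rendered message before any
    handler (file, stdout, SIEM shipper) sees it, so identifiers passed as
    format arguments are masked as well as those embedded in the template."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already rendered; nothing left to format
        return True


def redacted_message(msg: str, *args) -> str:
    """Helper (assumed name): build a LogRecord, run it through the filter and
    return what a handler would emit. Used to verify the filter without I/O."""
    record = logging.LogRecord("kyc", logging.INFO, __file__, 0, msg, args, None)
    PIIRedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logger = logging.getLogger("kyc")
    handler = logging.StreamHandler()
    handler.addFilter(PIIRedactingFilter())  # attach at the handler so every logger using it is covered
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    # Constructed sample values; not real identifiers.
    logger.info("KYC check passed for PAN %s, Aadhaar %s", "ABCDE1234F", "1234-5678-9012")
```

Attaching the filter to the handler rather than to one logger means any module that logs through that handler is covered, which is the property the standard's "masked in logs" control actually needs; a filter on a single named logger only protects code that remembers to use it.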
Data Subject Rights
We support the following rights for our users regarding their data:
- Right to Access: Users can request a copy of their personal data, which we provide in a machine-readable format within 30 days.
- Right to Rectification: Users can request the correction of inaccurate data.
- Right to Data Portability: Users can request an export of their data in a standard format (JSON/CSV).
- Right to Erasure: Users can request the deletion of their profile and personal data. Upon a deletion request, the account is soft-deleted and access is revoked. The data is retained for a 6-month period for regulatory reasons and then permanently purged (hard-deleted).
Note: Certain data may be retained for longer if required for legal, regulatory, or legitimate business purposes.
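The Right to Erasure bullet describes a two-stage lifecycle: soft-delete with immediate access revocation, then a hard delete once the 6-month retention window has passed, with the note allowing longer retention where a legal or regulatory reason exists. The following is an added example, not part of this standard or of Wealthy's systems, that models that lifecycle so the two invariants a reviewer would check are visible in code: a soft-deleted account can no longer be read or used, and the purge job deletes only what is past retention and not under hold. `Account`, `AccountState`, `request_erasure`, `read_profile`, `purge_due` and the `legal_hold` flag are assumed names; the 183-day value standing in for "6 months" and all account data are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

# Assumption: "6 months" is approximated as 183 days for this illustration.
RETENTION_AFTER_DELETION = timedelta(days=183)

# Constructed reference time and unit used by the demo and tests.
T0 = datetime(2026, 4, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)


class AccountState(Enum):
    ACTIVE = "active"
    SOFT_DELETED = "soft_deleted"  # access revoked, data retained
    PURGED = "purged"              # personal data hard-deleted


@dataclass
class Account:
    user_id: str
    profile: dict                               # stand-in for profile PII
    sessions: set = field(default_factory=set)  # live session / token ids
    state: AccountState = AccountState.ACTIVE
    deleted_at: Optional[datetime] = None
    legal_hold: bool = False                    # "retained for longer if required"


class AccessDenied(Exception):
    """Raised when any access path touches a non-active account."""


def request_erasure(acct: Account, now: datetime) -> AccountState:
    """Stage 1: soft-delete. Revoke access immediately; keep the data for retention."""
    if acct.state is not AccountState.ACTIVE:
        return acct.state  # idempotent: a repeat request changes nothing
    acct.state = AccountState.SOFT_DELETED
    acct.deleted_at = now
    acct.sessions.clear()  # revoke every live session and token
    return acct.state


def read_profile(acct: Account) -> dict:
    """Every read path checks the lifecycle state, not merely that a row exists."""
    if acct.state is not AccountState.ACTIVE:
        raise AccessDenied(f"account {acct.user_id} is {acct.state.value}")
    return acct.profile


def purge_due(accounts: List[Account], now: datetime) -> List[str]:
    """Stage 2: hard-delete accounts whose retention window has elapsed.

    Skips accounts under legal hold; returns the ids purged in this run.
    """
    purged = []
    for acct in accounts:
        if acct.state is not AccountState.SOFT_DELETED or acct.legal_hold:
            continue
        if now - acct.deleted_at >= RETENTION_AFTER_DELETION:
            acct.profile = {}  # in a real store: delete the rows / objects
            acct.state = AccountState.PURGED
            purged.append(acct.user_id)
    return purged


if __name__ == "__main__":
    acct = Account(user_id="u1", profile={"name": "Constructed User"}, sessions={"sess-1"})
    request_erasure(acct, T0)
    print("after erasure request:", acct.state.value, "sessions:", acct.sessions)
    print("purged at +100 days:", purge_due([acct], T0 + 100 * DAY))
    print("purged at +183 days:", purge_due([acct], T0 + RETENTION_AFTER_DELETION))
```

The purge job is deliberately the only code that transitions an account out of `SOFT_DELETED`, and it consults both the timestamp and the hold flag; keeping the hold check inside the purge routine rather than in the caller is what prevents a scheduled job from deleting data that the note says may have to be kept.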
DPDP Act 2023 — Data Fiduciary Obligations
Under India’s Digital Personal Data Protection Act, 2023, Wealthy is the Data Fiduciary for the customer personal data we collect and process. Vendors that process data on our instructions are Data Processors and are assessed under the Vendor Security Assessment Standard (STD-015).
Lawful Basis
We process personal data on one of the following grounds:
| Basis | When used |
|---|---|
| Consent | Customer onboarding, marketing communications, optional features |
| Legitimate use | Account servicing, fraud prevention, legally mandated disclosures, regulatory reporting (SEBI / IRDAI / CERT-In) |
Consent is captured explicitly at KYC; withdrawal is available in-app and honoured within the SLA below.
Data Principal Rights (DPDP §11–14)
In addition to the rights listed above, DPDP Act 2023 grants:
| Right | Implementation | SLA |
|---|---|---|
| Right to information about processing | Privacy Notice at signup + in-app | Real-time |
| Right to correction / erasure | In-app self-serve + DPO mailbox | 30 days |
| Right to grievance redressal | Grievance Officer escalation path | 30 days |
| Right to nominate (in case of death / incapacity) | In-app nomination flow | N/A |
| Right to withdraw consent | In-app toggle; affected processing stops prospectively | Real-time |
Grievance Officer / DPO
- Mailbox: privacy@wealthy.in
- Escalation: security@wealthy.in → CTO (interim CISO)
- Grievances are acknowledged within 72 hours and resolved within 30 days per DPDP §13.
Cross-Border Data Transfer
- Primary storage: GCP asia-south1 (Mumbai). No routine cross-border transfer.
- Exception: limited metadata may transit to vendor regions (e.g. US-hosted SaaS); each such transfer is documented in the Vendor Risk Register with its legal basis.
- The Central Government’s “notified countries” list under DPDP is monitored by Compliance; transfers outside that list are not permitted without explicit consent and an approved DPA.
Breach Notification
Per DPDP Act §8(6), every personal-data breach affecting a Data Principal is notified to both the Data Protection Board and the affected Data Principals without undue delay. Wealthy’s internal SLA is tighter than the statutory minimum — see the Data Breach Response Policy (POL-008) for the concrete timelines and escalation.
Children’s Data
We do not knowingly process personal data of children (< 18) per DPDP §9. Age is verified at KYC; any signal of under-18 registration triggers account hold and review.
Data Processor Obligations (when Wealthy acts as Processor)
Where Wealthy processes data on behalf of another Fiduciary (e.g. partner integrations), we:
- Process strictly on documented instructions of the Fiduciary
- Do not engage sub-processors without written Fiduciary consent
- Assist the Fiduciary in responding to Data Principal rights requests
- Notify the Fiduciary of any breach without undue delay
- Return or delete personal data at the end of the engagement per the DPA
Data Retention
Our data retention schedule is based on the data type:
| Data Type | Retention Period | Post-Retention Action |
|---|---|---|
| User Profile Data | 6 months after account deletion | Hard delete |
| Transaction Records | As per regulatory requirements | Archive or delete |
| Audit Logs | 1 year minimum | Archive |
| Session Logs | 90 days | Auto-purge |
| Backups | 90 days | Rotate out |
Access Control
We follow the principle of least privilege. Users and services are granted the minimum access required for their role. Access levels are reviewed quarterly, and any privileged access requires additional approval.
Incident Response
In the event of a data breach or suspected unauthorized access, we follow a clear incident response plan:
- Detection: Automated monitoring and alerting identify the issue.
- Containment: We immediately revoke access or take other steps to contain the breach.
- Assessment: We determine the scope and impact of the incident.
- Notification: We notify affected users and relevant authorities as required.
- Remediation: We fix the root cause and enhance our security controls.
See our Data Breach Response Policy (POL-008) for detailed procedures.