This Privacy Policy outlines how The Financialist, operated by Finfam Investment Advisors Private Limited (“we”, “us”, “our”), collects, processes, stores, and safeguards your personal information when you interact with our website https://thefinancialist.co, our client portal at https://app.thefinancialist.co, our mobile application, or any other service operated by us (collectively, the “Platform”).
We are committed to protecting your privacy and handling your data responsibly, in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, the SEBI (Investment Advisers) Regulations, 2013, the Information Technology Act, 2000 and rules issued thereunder, and other applicable Indian laws.
Last updated: 29 May 2026
1. Who We Are
Finfam Investment Advisors Private Limited
Registered Name: Finfam Investment Advisors Private Limited
SEBI RIA Registration No: INA000018036
BSE Enlistment No.: BASL2392
CIN: U67190MH2021PTC373220
Type of Registration: Non-Individual
Validity of Registration: June 06, 2023 – Perpetual
Registered Address: 1201, CTS 137/8, Silver Leaf, Wing A, Akurli Road, Opp. Goshala, Kandivali East, Mumbai – 400101
Principal Place of Business: Office No. 605, Grand Edifice, Akurli Road, Akurli Industry Estate, Kandivali East, Mumbai – 400101
For the purposes of the DPDP Act, we act as the Data Fiduciary in respect of personal data we collect from you.
2. Scope of This Policy
This policy applies to all personal data processed by us through the Platform, including data collected from prospective clients, clients, employees of clients, family members covered under a family advisory engagement, and visitors to our website.
It does not apply to third-party websites, applications, or services that may be linked to or integrated with the Platform; such third parties are governed by their own privacy policies.
3. Types of Personal Data We Collect
Identity Information: Name, gender, date of birth, PAN, Aadhaar (last four digits, where required for KYC), photograph
Contact Information: Email address, mobile number, residential and correspondence address
Financial Information: Income, assets, liabilities, bank account details, mutual fund and demat holdings, insurance policies, loan details, tax filings, transaction history, and other portfolio data
Lifestyle & Goals: Financial goals, family profile, dependents, risk appetite, time horizons, behavioural preferences
KYC & Regulatory Information: KYC records, FATCA/CRS declarations, accredited investor status (where applicable), and other data required under SEBI, PMLA and tax laws
CAS & Statement Data: Consolidated Account Statements (CAS) and similar statements obtained, with your explicit consent, from CDSL/NSDL, MF Central, registrars (CAMS, KFintech), Account Aggregators, or your email inbox via Gmail OAuth (see Section 6)
Account Aggregator Data: Financial information shared by Financial Information Providers through an RBI-licensed Account Aggregator, pursuant to your consent (see Section 7)
Device & Usage Data: IP address, device identifiers, browser type and version, operating system, referring URLs, pages viewed, in-app actions, session duration, cookies, and similar telemetry
Communications: Emails, WhatsApp messages, call recordings, video meeting recordings, chat messages, form inputs, survey responses, and any documents you submit to us during advisory or onboarding
We do not knowingly collect special categories of data (such as biometric data, health data, or political opinions) unless strictly required for a specific service you have requested and to which you have separately consented.
4. Purpose of Data Collection
We collect and process your personal data for the following purposes:
To verify your identity and complete KYC, AML and risk profiling requirements
To assess your suitability for, and provide, investment and financial advisory services
To prepare your financial plan, recommendations, portfolio reviews, and ongoing advice
To execute and administer our agreement with you, including the Investment Advisory Agreement
To communicate with you regarding service updates, reports, advisory communications, and operational matters
To fulfil our obligations under SEBI regulations, the Companies Act, PMLA, FEMA, the Income-tax Act, and other applicable laws, including record-keeping, audit, regulatory reporting, and responding to lawful requests from authorities
To detect, investigate and prevent fraud, unauthorised access, and other security incidents
To improve the Platform, measure feature usage, debug issues, and develop new features
With your consent, to share relevant research, insights, marketing communications or updates
We do not sell or rent your personal data. We do not use your personal data to train third-party machine learning or generative AI models.
5. Legal Basis for Processing
We process your personal data on one or more of the following grounds under the DPDP Act and other applicable laws:
Consent: Explicit, informed consent given when you sign up, sign the Investment Advisory Agreement, or grant specific data access permissions (such as Gmail OAuth or Account Aggregator consent)
Performance of contract: Processing necessary to provide the services you have engaged us for
Legal obligation: Compliance with SEBI, BASL, IAASB, PMLA, FEMA, tax laws and other applicable obligations
Legitimate use: Limited internal use for service improvement, security, fraud prevention, audit and grievance redressal, in accordance with applicable law
You may withdraw consent at any time (see Section 12). Withdrawal does not affect the lawfulness of processing done before withdrawal, and may affect our ability to continue providing certain services to you.
6. Gmail Access for CAS Statement Parsing
If you choose to connect your Google account during onboarding, we use Google OAuth to request read-only access to your Gmail mailbox strictly for the purpose of locating and reading Consolidated Account Statement (CAS) emails sent by mutual fund registrars (such as CAMS and KFintech), depositories, and similar regulated entities. This is offered as a convenience so that your existing investments can be imported into your dashboard without manual upload.
What we access: Only those emails and attachments that match CAS-related sender domains, subjects, and file patterns. We do not browse, index or retain other emails.
What we do with it: We extract structured holdings data from CAS attachments (PDF/encrypted PDF), store the extracted portfolio data and the associated CAS file in encrypted storage linked to your account, and use it solely to power your dashboard, planning tools and advisory.
What we do not do: We do not sell or share Gmail data with third parties for advertising. We do not use Gmail data to train, develop or improve any generalised or third-party AI/ML models. We do not allow human reading of your Gmail data, except (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised and is used for internal operations.
Limited Use disclosure: The Financialist’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Revocation: You can revoke our access to your Google account at any time from your Google Account at https://myaccount.google.com/permissions or from the connected accounts section of your client portal. Revocation will stop future access; previously extracted CAS data will continue to be retained per the retention rules in Section 9 unless you separately request deletion.
7. Account Aggregator Framework
We may, with your specific consent, retrieve your financial information through the Account Aggregator (AA) framework regulated by the Reserve Bank of India. In this flow, we act as a Financial Information User (FIU) and rely on RBI-licensed NBFC-AAs (such as, but not limited to, Onemoney, Finvu, NESL Asset Data, CAMS Finserv and Perfios Account Aggregation Services) to securely fetch your data from Financial Information Providers (FIPs) such as your banks, depositories, mutual funds and insurers.
Each AA request is initiated only after you provide explicit, granular consent within the AA application or our integrated consent flow, specifying the data categories, purpose, frequency and duration of access. You can review, pause or revoke any active consent at any time directly through your Account Aggregator.
We may, where necessary, engage other RBI-regulated entities, Technology Service Providers, or SEBI-recognised intermediaries to facilitate this access; such engagements are subject to written contracts that require data confidentiality and security at standards no less protective than those described in this policy.
8. Cookies & Analytics
We use first- and third-party cookies, pixels, and similar technologies, and the following analytics tools, to understand how the Platform is used and to improve it:
Google Analytics 4 and Google Tag Manager — for site and product analytics, tag management and conversion measurement
PostHog — for product analytics, session-level usage measurement, and feature experimentation
These tools may collect device and usage data described in Section 3. They are configured to avoid collecting unnecessary identifiers and, where supported, IP addresses are anonymised. We do not use these tools to build advertising profiles of you.
You may disable cookies in your browser settings or use the cookie preference controls offered on the Platform. Disabling cookies may limit certain functionality.
9. Data Storage, Retention & Localisation
Data is stored in encrypted form on cloud infrastructure operated by reputable providers (primarily Amazon Web Services). Primary storage is located in India.
Where our service providers (including Google APIs, analytics tools, and email/communication providers) operate from servers outside India, your data may be transferred to, and processed in, those jurisdictions. We rely on contractual safeguards and the providers’ own compliance certifications (e.g. ISO 27001, SOC 2) for such transfers, subject to applicable Indian law.
We retain client data for the duration of your engagement with us and for a minimum of five (5) years thereafter, as required under the SEBI (Investment Advisers) Regulations, 2013 and the Prevention of Money Laundering Act, 2002. Some categories of data may be retained for longer where required by tax, accounting or other applicable laws.
Non-client data (e.g. unsolicited inquiry forms, prospective leads that do not convert) is deleted after a reasonable period unless retention is required by law.
10. Data Sharing
Your personal data may be shared with the following categories of recipients, only to the extent necessary and under appropriate safeguards:
Authorised personnel — your assigned advisor, supervising advisors, analysts, support and compliance personnel within Finfam Investment Advisors Private Limited
Service providers — cloud infrastructure (AWS), email and messaging providers, CRM platforms, analytics providers (PostHog, Google Analytics), document storage, video conferencing, payment processors, KYC/AML verification providers, and similar vendors, each engaged under data protection contracts
Regulated intermediaries — RBI-licensed Account Aggregators and their ecosystem participants, in accordance with Section 7
Regulators and authorities — SEBI, RBI, the Income-tax Department, the Financial Intelligence Unit (FIU-IND), exchanges, BASL/IAASB, courts and other authorities, where required by law or in response to lawful requests
Professional advisors — auditors, lawyers, tax consultants and similar professionals, under confidentiality obligations
Successor entities — in connection with any merger, acquisition, restructuring or sale of business
Partners — only where you have explicitly consented to such sharing
We do not share your data with advertisers, data brokers, or other unrelated third parties.
11. Advisor Access & Confidentiality
Information you share during the course of an advisory engagement — including financial details, family circumstances, goals and other personal information — is treated as strictly confidential.
Access within The Financialist is governed by role-based access controls and the principle of least privilege:
Your assigned advisor and their direct supervisor have access to your full advisory record
Other staff (engineering, support, compliance, analytics) have access only to the minimum data necessary for their role, and such access is logged
Family members covered under a single family engagement may have access to consolidated views only with your explicit consent
Where you engage with us as part of a family or joint engagement, we will clearly identify whose data is being shared with whom and obtain consent accordingly.
12. Your Rights
Subject to applicable law, you have the right to:
Access the personal data we hold about you and obtain a summary of how it is processed
Request correction or updating of inaccurate or incomplete data
Withdraw consent previously given, in respect of any specific processing activity
Request erasure of your personal data, subject to our regulatory retention obligations
Nominate another individual to exercise your rights in the event of your death or incapacity
Lodge a grievance with our Grievance Officer (see Section 16), and, if unresolved, escalate to the Data Protection Board of India once it is operational, or to SEBI through the SCORES platform for advisory-related grievances
To exercise any of these rights, please write to the contact addresses listed in Section 16. We will respond within the timelines prescribed under applicable law.
13. Security Measures
We implement, and continually improve, technical and organisational measures designed to protect your data, including:
Encryption of data in transit (TLS) and at rest
Role-based access control, multi-factor authentication for privileged accounts, and audit logging
Network segmentation, firewalling, and monitoring of administrative access
Periodic vulnerability scans, dependency audits and penetration testing
Secure software development practices and code review
Personnel training on data protection, confidentiality and incident response
Vendor due diligence and contractual data protection obligations
In the event of a personal data breach that is likely to result in significant harm, we will notify the Data Protection Board of India and affected individuals in accordance with the DPDP Act and rules issued thereunder.
14. Children’s Privacy
The Platform and our services are not intended for individuals under the age of 18. We do not knowingly collect personal data of children, except where a parent or lawful guardian has provided verifiable consent in the course of a family advisory engagement.
If you believe we have inadvertently collected data of a child without proper consent, please contact us and we will delete it.
15. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services or legal requirements. The “Last updated” date at the top of this policy indicates when it was last revised. Material changes will be notified to you through the Platform or by email. Continued use of the Platform after such notice constitutes acceptance of the updated policy.
16. Contact Us
For any questions, feedback, requests to exercise your rights, or grievances, please reach out to:
General queries
Email: hello@thefinancialist.co
Principal Officer
Name: Rohit Bornarkar
Email: po@finfaminvestmentadvisors.com
Phone: +91 97625 33162
Compliance Officer
Name: Priyank Shah
Email: priyank@finfaminvestmentadvisors.com
Phone: +91 98192 69225
Grievance Officer / Data Protection contact
Name: Vatsal Majithia
Email: vatsal@finfaminvestmentadvisors.com
Phone: +91 90224 82377
Office: Office No. 605, Grand Edifice, Akurli Road, Akurli Industry Estate, Kandivali East, Mumbai, Maharashtra 400101
If your grievance relating to investment advisory services is not resolved to your satisfaction, you may escalate to SEBI via the SCORES platform at https://scores.sebi.gov.in or use the Online Dispute Resolution mechanism at https://smartodr.in.