Mahir Investment Advisers Private Limited ('MIA', 'we', 'us', 'our') is committed to protecting the privacy and personal data of its clients, prospective clients, and users of the MIA App and Website ('Platform').

This Policy describes how MIA collects, uses, processes, stores, shares, and protects your personal data, and sets out the rights available to you as a Data Principal under applicable law. This Policy forms part of the overall agreement between you and MIA and should be read alongside the Terms and Conditions and Client Agreement.

We collect the following categories of personal data from you directly and through your use of the Platform:

  • Identity Data: Full legal name, PAN card number, Aadhaar number (masked/tokenized as permitted), date of birth, photograph, and specimen signature.
  • Contact Data: Residential and correspondence address, email address, mobile number, and emergency contact details.
  • Financial Data: Gross annual income, net worth, bank account details (for fee payments), investment portfolio information, existing liabilities, tax status, and FATCA/CRS declarations.
  • KYC & AML Data: Documentary evidence for KYC compliance, source of funds and wealth, politically exposed person (PEP) status, and sanctions screening data.
  • Risk Profile Data: Risk tolerance questionnaire responses, investment objectives, investment horizon, prior investment experience, and financial goals.
  • Platform Usage Data: IP address, device identifiers, browser type and version, operating system, pages visited, session duration, click-stream data, and referral URLs.
  • Communication Data: Queries, complaints, call recordings (with consent), correspondence, and meeting notes.
  • Technical Data: App crash reports, error logs, and performance diagnostic metrics.

The following categories constitute SPDI under the IT SPDI Rules, 2011 and are collected only with your explicit prior consent:

  • Financial information: Bank account numbers, credit card/debit card details (solely for fee payment), income details, and net worth information.
  • Biometric data: Where applicable and legally permitted (e.g., for eKYC purposes).
  • Aadhaar details: As permitted under the Aadhaar (Targeted Delivery) Act, 2016 and applicable guidelines.

MIA does not collect racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data (unless specifically relevant for insurance advisory, which MIA does not presently offer), genetic data, or sexual orientation data.

This section details how your data is used and the legal justification for each use.

Client onboarding & KYC completion | Identity, Contact, KYC, Financial | Legal obligation (SEBI IA Reg., PMLA)
Providing personalized investment advice | Risk profile, Financial, Usage data | Contract performance
AML/CFT compliance & suspicious transaction reporting | KYC, Identity, Transaction data | Legal obligation (PMLA, SEBI)
Fee collection and billing | Contact, Financial, Bank data | Contract performance
Platform improvement & analytics | Usage, Technical data | Legitimate interest / Consent
Regulatory reporting to SEBI, AMFI, FIU-IND | Identity, KYC, Financial | Legal obligation
Marketing communications (opt-in only) | Contact, Usage data | Consent
Customer support & grievance redressal | Communication data | Contract performance / Consent
Internal audit & compliance | All relevant categories | Legal obligation / Legitimate interest

MIA does not sell, rent, or trade your personal data to any third party for commercial purposes. We may share your data strictly on a need-to-know basis with the following:

  • Regulatory Authorities: SEBI, AMFI, Stock Exchanges, Depositories (NSDL/CDSL), Registrar and Transfer Agents, and other financial market regulators as required by law.
  • Financial Intelligence Unit — India (FIU-IND): for AML/CFT reporting obligations under PMLA.
  • KYC Registration Agencies (KRAs) and Central KYC Registry (CKYCRR): for KYC verification and record maintenance.
  • Technology Service Providers: Cloud hosting partners, IT vendors, and software service providers who process data strictly on MIA's behalf and are bound by written data processing agreements with equivalent security standards.
  • Professional Advisers: Statutory auditors, legal counsel, and tax advisers, subject to appropriate confidentiality obligations.
  • Legal Mandates: Courts, Tribunals, or Law Enforcement Authorities pursuant to a valid court order, summons, or statutory requirement.

All third-party data processors are contractually bound to maintain security standards not lower than those maintained by MIA. Cross-border data transfers, if any, shall comply with provisions of the DPDP Act, 2023, including adequate safeguards.

Data retention is governed by the longest period required by law or regulation.

KYC and Client Agreement records | Minimum 5 years post relationship cessation | SEBI IA Regulation 19, PMLA Rule 10
Financial transaction records | Minimum 10 years | PMLA, 2002 — Section 12
Correspondence and complaints records | Minimum 5 years | SEBI IA Regulations
Platform usage logs | 12 months (rolling) | IT Act, 2000 / Legitimate interest
Marketing data and consent records | Until withdrawal of consent | DPDP Act, 2023
Call recordings (where applicable) | 90 days unless subject to a dispute | SEBI / Legitimate interest

MIA implements comprehensive technical and organizational security measures in accordance with IT SPDI Rules, 2011 and DPDP Act, 2023 to protect your personal data:

  • Data Breach Notification: In the event of a personal data breach, MIA will notify the Data Protection Board of India and affected clients within the timelines prescribed under the DPDP Act, 2023.

The MIA Platform uses cookies and similar tracking technologies (web beacons, pixels, local storage) to provide a seamless user experience. Categories:

  • Strictly Necessary Cookies: Essential for core Platform functionality including login sessions, security tokens, and fraud prevention. These cannot be disabled without impacting Platform functionality.
  • Analytics Cookies: Used to understand Platform usage patterns, page performance, and user behaviour; collected only with your explicit consent.
  • Preference Cookies: Used to remember your Platform settings and preferences; collected with consent.
  • Marketing Cookies: Used to deliver relevant financial content and updates; collected only with opt-in consent.

You may manage cookie preferences at any time through your browser settings or the Platform's cookie consent manager. Disabling non-essential cookies will not affect your ability to receive core advisory services.

Under the DPDP Act, 2023 and applicable law, you have the following rights with respect to your personal data:

Obtain summary of personal data processed and processing activities undertaken | Written request to DPO
Request correction, completion, or updating of inaccurate/incomplete personal data | Written request to DPO
Request deletion of personal data, subject to legal retention obligations and regulatory requirements | Written request to DPO
Raise grievances about personal data processing with the Data Protection Officer | Email to compliance@mahiradvisers.com
Nominate an individual to exercise data rights on your behalf in case of death or incapacity | Written request to DPO
Withdraw consent for processing not based on legal obligation, without affecting prior lawful processing | Written request or Platform settings

The MIA Platform and Services are intended exclusively for persons 18 years of age and above. MIA does not knowingly collect, process, or store personal data from minors under 18 years of age. If MIA becomes aware that personal data of a minor has been inadvertently collected, it shall promptly delete such data in accordance with the DPDP Act, 2023 and notify the parent or guardian.

MIA may update this Privacy Policy periodically to reflect changes in legal or regulatory requirements, business practices, data processing activities, or technological changes. Material updates will be communicated via the Platform's notification system and/or by email to registered clients at least 15 days prior to the update taking effect. The date of the latest revision is prominently displayed at the top of this Policy. Continued use of the Platform after notification of changes constitutes acceptance of the updated Policy.

For privacy-related queries, concerns, or to exercise your data rights, please contact:

Bharat Makkar

Email: compliance@mahiradvisers.com

Phone: +91 9084945151

Registered Address: PL G/A-9/1 Shop 1, MIDC G Nr Moris So, Chinchwad East, Pune 411019, Maharashtra

Resolution Timeline: Within 30 days from date of receipt of complaint


YASH MAHAVIR BEDMUTTHA

Principal Officer | admin@mahiradvisers.com

Date: June 01, 2026


Compliance Officer | compliance@mahiradvisers.com

Date: June 01, 2026