Privacy Policy

1. Introduction

One Accesss FinGlobe Pvt Ltd ("1accesss") is a registered Mutual Fund Distributor (AMFI ARN Holder) and a regulated partner of MMTC-PAMP for the sale of digital and physical gold and silver. We provide financial distribution, investment facilitation, digital onboarding, and wealth enablement services to Non-Resident Indians (NRIs), Overseas Citizens of India (OCIs), Persons of Indian Origin (PIOs), and Indian Residents.

We are committed to protecting your personal data in accordance with:

  • AMFI Code of Conduct & Best Practices
  • SEBI regulations applicable to distributors
  • RBI Guidelines (KYC Master Direction, Digital Lending norms, Outsourcing of Financial Services, NBFC/DL norms where applicable)
  • MMTC-PAMP Digital Gold Policies & BIS guidelines
  • FEMA, FATCA, CRS, and other cross-border data regulations
  • Information Technology Act, 2000 & SPDI Rules, 2011
  • Digital Personal Data Protection Act, 2023 (DPDP Act)
  • GIFT IFSC regulations (if services are offered through partners in GIFT City)
  • GDPR and other international privacy norms (where applicable)

This Privacy Policy explains how we collect, process, store, protect, share, and retain your personal data through our website, applications, digital platforms, and financial distribution operations.

By accessing our services, you confirm that you have read and understood this Privacy Policy.

2. Definitions

2.1 Personal Data

Any information identifying an individual directly or indirectly, including KYC, financial, identity, and regulatory data.

2.2 Sensitive Personal Data

Includes PAN, Aadhaar (collected only as per regulations), passport details, signatures, financial information, tax documentation, FATCA/CRS data, and any data designated as "sensitive" under applicable law.

2.3 Processing

Any operation on personal data—collection, recording, storage, use, transmission, sharing, or deletion.

2.4 Data Controller

1accesss is the Data Controller determining the purpose and means of processing personal data.

2.5 Data Processor

Any regulated third-party entity processing data on behalf of 1accesss (e.g., KYC vendors, MMTC-PAMP, RTAs, payment aggregators).

2.6 Third-Party Provider / Service Provider

Regulated entities supporting our services such as fund houses, payment institutions, MMTC-PAMP, banks, brokers, IT and cloud providers, analytics partners, and regulatory agencies.

3. Our Role and Regulatory Obligations

As a financial intermediary, 1accesss must comply with:

  • AMFI/SEBI Mutual Fund Distributor Regulations
  • SEBI KYC regulations (CKYC/KRA)
  • RBI KYC Master Directions
  • FEMA compliance for NRIs
  • FATCA & CRS reporting
  • MMTC-PAMP gold transaction policies
  • Anti-Money Laundering (AML) & Counter-Terrorist Financing (CFT) obligations
  • Digital Personal Data Protection Act (DPDP Act)

We perform mandatory due-diligence checks (KYC/CKYC, AML/CFT, risk assessments) before activating services.

We may rely on regulated third-party processors to operationalize onboarding, payments, gold transactions, bond distribution, mutual funds, and loan processing.

4. Information We Collect

We collect data necessary for regulatory compliance and service delivery.

4.1 Identification & KYC Data

  • Name, gender, date of birth, nationality
  • PAN, passport, Aadhaar* (as permitted by law), OCI card
  • CKYC/KRA documents
  • Photographs and signatures
  • MMTC-PAMP verification data

*Aadhaar is collected only in accordance with applicable UIDAI/IT Act norms and is not stored unless mandated by law.

4.2 Contact Data

  • Residential address and correspondence address
  • Email address and mobile number
  • Alternate or emergency contact details

4.3 Financial, Regulatory & Investment Data

  • Bank account details and cancelled cheque
  • Income documents
  • FATCA/CRS forms for NRIs
  • Risk profiling attributes
  • Investment transactions (mutual funds, digital gold, bonds, loans)
  • Portfolio data from RTAs (CAMS, KFin, etc.)

4.4 Transactional & Payment Data

  • Digital gold buy/sell/redemption history
  • Mutual fund, bond, and loan application logs
  • Payment records, UPI/Netbanking references
  • Ledger and reconciliation data

4.5 Technical Data

  • IP address and device metadata
  • Browser details, time zone, and operating system
  • Cookies and behavioral analytics
  • Fraud-detection logs and device fingerprinting

4.6 Communications & Consent Data

  • Emails, chat interactions, and call logs
  • Consent captured digitally as per the DPDP Act

5. Purpose of Processing Your Data

We process your data for the following lawful purposes:

5.1 Regulatory & Compliance Obligations

  • KYC/CKYC/KRA verification
  • AML/CFT monitoring
  • FATCA/CRS reporting
  • FEMA and NRI eligibility checks
  • SEBI/RBI/AMFI compliance

5.2 Service Delivery

  • Mutual fund, bond, gold, and other financial product distribution
  • Digital gold sale/purchase via MMTC-PAMP
  • Investment execution and account management
  • Customer risk profiling and suitability assessment
  • Loan application processing (via regulated partners)

5.3 Fraud & Security

  • Authentication, authorization, and OTP verification
  • Fraud detection and transaction monitoring
  • Cybersecurity and intrusion prevention

5.4 Technology & Platform Management

  • Improving user interface and user experience (UI/UX)
  • System performance analytics
  • Data backup and disaster recovery

5.5 Communication

  • Mandatory alerts (transactions, KYC updates)
  • Service notifications and operational messages
  • Product updates and marketing communications where consented

We do not sell or trade your personal data.

6. Sharing & Disclosure

We share data only when legally required or operationally essential, including:

6.1 Regulated Financial Ecosystem

  • Asset Management Companies (AMCs) and RTAs (CAMS, KFin)
  • Mutual fund platforms
  • MMTC-PAMP for digital and physical gold transactions
  • Banks, custodians, brokers, and payment gateways
  • Credit bureaus (if loan-related products are availed)

6.2 Regulatory Authorities

  • SEBI, RBI, FIU-IND
  • Income Tax Department (including FATCA/CRS reporting)
  • GIFT IFSC regulators (if applicable)
  • Other law enforcement and regulatory agencies as required by law

6.3 Technology & Operational Vendors

  • Cloud hosting providers and data centers
  • Analytics and cybersecurity firms
  • Document verification vendors
  • Customer support, CRM, and communication platforms

6.4 Business Continuity

  • In case of mergers, acquisitions, restructuring, or business transfers, subject to appropriate confidentiality and data protection safeguards.

All service providers are contractually obligated to maintain confidentiality, enforce DPDP-compliant controls, and use data only for specified purposes.

7. International Data Transfers

For NRI clients and certain services, data may be transferred to jurisdictions outside India. Safeguards include:

  • Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable
  • DPDP-compliant processing agreements with overseas processors
  • Encryption and strict access controls
  • Zero-trust architecture for cross-border systems

Where required by law, we obtain explicit client consent before international data transfers.

8. Data Security

In line with CERT-In, RBI Cybersecurity Framework, SEBI Cyber Controls, and global best practices, we implement:

  • AES-grade encryption (for data at rest and in transit)
  • Multi-factor authentication and strong password policies
  • Role-based access control and least-privilege principles
  • Regular Vulnerability Assessment & Penetration Testing (VAPT)
  • ISO 27001-aligned information security policies
  • Disaster Recovery (DR) and Business Continuity Planning (BCP)
  • Background checks for employees where appropriate
  • Continuous monitoring for suspicious and fraudulent behavior

9. Data Retention

We retain data only for as long as required to fulfil the purposes outlined in this Privacy Policy and to comply with applicable laws and regulations. Indicative retention periods include:

  • KYC Records: Typically 10 years post termination of the relationship (as per SEBI/RBI guidelines)
  • Transaction Data: 8–10 years, in line with AML and financial record-keeping requirements
  • Digital Gold Records: As required by MMTC-PAMP and BIS norms
  • Communication Logs: Generally 3–7 years, depending on regulatory need
  • Backups: Retained as per cybersecurity, DR, and business continuity norms

When data is no longer required, it is securely erased, anonymized, or archived in accordance with applicable laws.

10. Your Rights Under Applicable Laws

Subject to applicable laws (including the DPDP Act and, where relevant, GDPR or other foreign regulations), you may have the following rights:

  • Right to Access: Request access to the personal data we hold about you.
  • Right to Correction: Request correction of inaccurate or incomplete personal data.
  • Right to Deletion: Request deletion of your personal data where permitted by financial and regulatory retention requirements.
  • Right to Withdraw Consent: Withdraw consent for processing activities which are based on consent (without affecting prior lawful processing).
  • Right to Data Portability: Request transfer of certain personal data to another service provider, where technically feasible and legally permissible.
  • Right to Be Informed: Be informed about how your data is collected and used.
  • Right to Nominate/Authorized Representative: Appoint a nominee or authorized representative to exercise certain rights on your behalf in accordance with applicable law.

We will respond to valid requests within timelines prescribed under applicable laws. Certain rights may be limited due to overriding legal or regulatory obligations.

11. Cookies, Tracking & Digital Analytics

We use cookies and similar technologies to enhance your experience and to secure our services. These may include:

  • Essential Cookies: Required for core platform functionality and security.
  • Preference Cookies: Remember your settings and preferences.
  • Analytics Cookies: Help us understand usage patterns (e.g., via tools such as Google Analytics or similar platforms).
  • Fraud Prevention & Security Tools: Device fingerprinting and behavioral signals to detect suspicious activity.

You can control cookies through your browser settings. However, disabling certain cookies may affect the functionality of our services.

12. Children’s Data

Our services are not intended for individuals under 18 years of age. We do not knowingly collect data of minors except where legally required (for example, minor folios in mutual funds with guardian consent and oversight, as per applicable regulations).

13. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant authorities as per CERT-In and other applicable guidelines.
  • Inform affected users, where required by the DPDP Act or other applicable laws.
  • Implement appropriate containment, investigation, and remediation measures.

14. Updates to This Policy

This Privacy Policy may be updated periodically due to regulatory, technical, or business changes. Revised versions will carry updated effective dates and will be posted on our website and/or applications.

We encourage you to review this Privacy Policy regularly to stay informed about how we protect your information.

15. Contact & Grievance Redressal

If you have any questions about this Privacy Policy, or if you wish to exercise your rights or raise a concern, please contact our Data Protection & Grievance Officer:

Data Protection & Grievance Officer
One Accesss FinGlobe Pvt Ltd
NESCO IT Park, Building No 4, North Wing, 10th Floor,
W.E. Highway, Goregaon (E), Mumbai - 400063
Email: info@1accesss.com
Phone: +91-9819033112

As required by the DPDP Act and other applicable regulations, our Grievance Officer will endeavour to respond to and resolve your concerns within the timelines prescribed by law (typically within 30 days).