Privacy Policy
1. INTRODUCTION
Skywards Investec Private Limited ("the Company", "we", "our", or "us") operates the "Bullsmart" brand and platform providing stock broking, investment advisory, and related financial services. We are registered with the Securities and Exchange Board of India ("SEBI") as a Stock Broker and are a member of recognized Stock Exchanges in India.
This Privacy Policy ("Policy") describes how Bullsmart collects, uses, stores, shares, and protects personal information of its clients, prospects, website visitors, and app users (collectively, "Users" or "you"). This Policy has been formulated in compliance with:
- The Securities and Exchange Board of India (Stock Brokers) Regulations, 1992, and circulars issued thereunder
- The Securities and Exchange Board of India (Prohibition of Insider Trading) Regulations, 2015
- The Prevention of Money Laundering Act, 2002 ("PMLA") and the rules framed thereunder
- The Information Technology Act, 2000 ("IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
- The Digital Personal Data Protection Act, 2023 ("DPDP Act")
- The Depositories Act, 1996 and applicable CDSL/NSDL regulations
- Reserve Bank of India ("RBI") guidelines applicable to payment systems and KYC norms
- Any other applicable laws, rules, regulations, and guidelines issued by SEBI, BSE, NSE, MCX, CDSL, NSDL, or any other regulatory authority
By accessing the Bullsmart website, mobile application, or using our services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, please discontinue use of our platform and services immediately.
2. DEFINITIONS
- Personal Data: Under the DPDP Act, 2023, "personal data" means any data about an individual who is identifiable by or in relation to such data (Section 2(t)). The DPDP Act applies only to digital personal data, i.e., personal data in digital form or personal data collected in non-digital form and subsequently digitised. Under the IT (SPDI) Rules, 2011, "personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person (Rule 2(i)). In this Policy, "personal data" and "personal information" are used interchangeably and encompass both definitions.
- Sensitive Personal Data or Information (SPDI): As defined under Rule 3 of the SPDI Rules, 2011, sensitive personal data or information of a person means such personal information which consists of information relating to: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to a body corporate for providing service; and (viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise. Information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law, shall not be regarded as SPDI. Note: Unlike the GDPR, the DPDP Act, 2023 does not create a separate category of "sensitive personal data" — all personal data is regulated uniformly under that Act.
- Data Fiduciary: Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. In the context of this Policy, Skywards Investec Private Limited (Bullsmart) is the Data Fiduciary. A Data Fiduciary is responsible and accountable for all processing of personal data, irrespective of any agreement to the contrary or any failure on the part of the Data Principal, including processing undertaken by any Data Processor acting on its behalf (Section 8(1), DPDP Act, 2023).
- Data Principal: The individual to whom the personal data relates. In the case of a child, the term includes the parent or lawful guardian of such child. In the case of a person with disability, it includes the lawful guardian acting on behalf of such person. In this Policy, "Data Principal" means you, our User, client, or prospective client whose personal data is collected and processed by us.
- Data Processor: Any person who processes personal data on behalf of a Data Fiduciary. A Data Processor processes data only to the extent and for the purposes authorised by the Data Fiduciary and is engaged through a valid legal contract. Examples include our technology vendors, KYC agencies, and payment processors who handle your data solely on our instructions.
- Processing: A wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction.
- Consent: Consent given by the Data Principal shall be free, specific, informed, unconditional, and unambiguous with a clear affirmative action, signifying agreement to the processing of personal data for the specified purpose. Consent must be limited to such personal data as is necessary for such specified purpose. Consent may be withdrawn by the Data Principal at any time, and withdrawal shall be as easy as the giving of consent. Where a Data Principal is a child (below 18 years), verifiable consent of a parent or lawful guardian is required before processing.
- Body Corporate: Any company and includes a firm, sole proprietorship, or other association of individuals engaged in commercial or professional activities. Skywards Investec Private Limited is a "body corporate" within the meaning of the IT Act, 2000 and is therefore subject to the obligations prescribed under the SPDI Rules, 2011, including the requirement to maintain a privacy policy, designate a Grievance Officer, and implement reasonable security practices.
- KYC (Know Your Customer): The mandatory process of customer identification and due diligence prescribed by SEBI, the Reserve Bank of India (RBI), and the Prevention of Money Laundering Act, 2002 (PMLA) for verifying the identity and address of clients prior to commencement of business relationship. KYC includes collection of Officially Valid Documents (OVDs) as defined under the PML Rules, 2005, such as Passport, Voter's Identity Card, Driving Licence, Aadhaar card, NREGA job card, or National Population Register letter, along with PAN and other prescribed information.
- Significant Data Fiduciary (SDF): A Data Fiduciary notified by the Central Government on account of factors such as the volume and sensitivity of personal data processed, risk to rights of Data Principals, risk to sovereignty and integrity of India, risk to electoral democracy, security of the State, or public order. SDFs have additional obligations including appointing a Data Protection Officer (DPO) resident in India, conducting periodic Data Protection Impact Assessments (DPIAs), and undergoing independent audits. The Company will comply with SDF obligations if and when it is so notified by the Central Government.
- Compliance Officer / Grievance Officer: A person designated by the Company who is responsible for: (a) monitoring compliance with SEBI Acts, rules, regulations, and exchange bye-laws, and handling investor grievance redressal (under SEBI Regulations); and (b) redressing grievances of information providers relating to personal data processing within one month of receipt (under the SPDI Rules, 2011). The Company has designated a single officer to hold both responsibilities. Contact details are provided in Section 14.
- Reporting Entity / Stock Broker: Skywards Investec Private Limited is a "Reporting Entity" under the PMLA, 2002, being a person carrying on designated business or profession (securities market intermediary), and is thereby subject to anti-money laundering obligations including client due diligence, record-keeping, and suspicious transaction reporting. It is also registered as a "Stock Broker" under the SEBI (Stock Brokers) Regulations, 2026, being a member of a recognized stock exchange.
3. INFORMATION WE COLLECT
We collect and process the following categories of information in the course of providing our services and meeting our regulatory obligations:
3.1 Identity and KYC Information
- Full legal name (as per PAN card and Aadhaar)
- Permanent Account Number (PAN)
- Aadhaar number (as permitted and masked in accordance with the Aadhaar Act, 2016)
- Date of birth
- Gender
- Nationality and residential status
- Photographs and signature
- Proof of identity documents (Passport, Voter ID, Driving Licence)
- Proof of address documents
3.2 Contact Information
- Registered mobile number and alternate contact numbers
- Email address(es)
- Permanent and correspondence address
3.3 Financial and Banking Information
- Bank account details (account number, IFSC code, bank name and branch)
- UPI ID and linked payment instrument details
- Income details and net worth declarations (as required under SEBI KYC norms)
- Tax residency information and FATCA/CRS declarations
- Demat account number(s) and Depository Participant details
3.4 Trading and Investment Information
- Order history, trade records, holdings, and transaction logs
- Risk profile and investment preferences
- Margin obligations and exposure details
- Ledger balances and contract notes
- Portfolio valuation and P&L statements
3.5 Technical and Usage Information
- IP address, device identifiers, operating system, and browser type
- Login activity, session data, and access logs
- Pages visited, features used, and clickstream data on the Bullsmart platform
- Cookies and similar tracking technologies (refer Section 12)
- Location data, where enabled on your device
3.6 Communication Records
- Records of correspondence via email, chat, telephone (including recorded calls as required by SEBI regulations), and in-person
- Grievance and complaint records
- Survey responses and feedback
4. PURPOSE AND LEGAL BASIS FOR PROCESSING
We process your personal data for the following purposes and on the following legal bases:
4.1 Regulatory Compliance (Legal Obligation)
Processing is mandatory under applicable law and SEBI regulations, including:
- Conducting KYC and anti-money laundering (AML) checks as mandated by SEBI and PMLA
- Reporting obligations to SEBI, BSE, NSE, MCX, CDSL, NSDL, Income Tax Department, and Financial Intelligence Unit – India (FIU-IND)
- Maintenance of records as required under the SEBI (Stock Brokers) Regulations, 1992 and Prevention of Money Laundering (Maintenance of Records) Rules, 2005
- Issuance of contract notes, account statements, and margin call intimations
- Compliance with the Depositories Act, 1996, and CDSL/NSDL bye-laws
- Compliance with the Income Tax Act, 1961, including TDS deductions and Form 26AS reporting
4.2 Contract Performance (Contractual Necessity)
Processing is necessary to execute the brokerage agreement and provide trading services:
- Account opening, activation, and management
- Execution and settlement of orders on recognized stock exchanges
- Fund transfers, payout processing, and ledger maintenance
- Providing demat account services through our depository participant arrangements
- Customer support and dispute resolution
- Sending trade confirmations, account alerts, and margin notifications
4.3 Consent-Based Processing
With your explicit consent, we may also use your information for:
- Sending promotional communications about new products, services, investment opportunities, or market insights
- Sharing your data with group entities or affiliates for cross-selling financial products
- Market research, surveys, and service improvement initiatives
You may withdraw consent for marketing communications at any time by using the unsubscribe link in emails, SMS opt-out, or by contacting our Grievance Officer.
4.4 Legitimate Interests
We may process data based on our legitimate business interests, including:
- Fraud prevention, risk management, and detection of unauthorized access or trading
- Cybersecurity, platform integrity, and IT systems management
- Internal audits, analytics, and business planning (using anonymized or aggregated data)
- Legal defence in case of regulatory investigations or litigation
5. DISCLOSURE AND SHARING OF INFORMATION
We do not sell, rent, or trade your personal data to any third party for commercial purposes. We may share your information only in the following circumstances:
5.1 Regulatory and Statutory Authorities
We are legally required to disclose information to the following authorities when mandated:
- Securities and Exchange Board of India (SEBI)
- Stock exchanges (BSE, NSE, MCX, and other recognized exchanges)
- Depositories (CDSL, NSDL) and Depository Participants
- Income Tax Department and Tax authorities under Section 285BA of the Income Tax Act
- Financial Intelligence Unit – India (FIU-IND) under PMLA
- Enforcement Directorate, Central Bureau of Investigation, or other law enforcement agencies pursuant to lawful orders
- Courts, tribunals, and quasi-judicial bodies pursuant to court orders
5.2 Service Providers and Processors
We engage third-party vendors and processors who assist in providing our services, including:
- Technology service providers (cloud hosting, cybersecurity, software vendors)
- KYC Verification Agencies (KRA – CDSL Ventures, CAMS KRA, Karvy KRA, etc.)
- Payment aggregators and banking partners for fund management and payouts
- Risk management and surveillance system providers
- Audit firms, legal advisors, and compliance consultants
- Communication service providers (SMS gateway, email delivery, push notification services)
All third-party processors are bound by contractual obligations of confidentiality and are required to process data only as per our instructions and in accordance with applicable law.
5.3 Group Entities
We may share information within the Skywards Investec group of companies, or with entities in which the Company holds a stake, strictly on a need-to-know basis for the purpose of providing integrated financial services to you. Any such sharing is subject to your consent where required.
5.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or part of our business, your personal data may be transferred to the successor entity. We will provide notice of such transfer and the applicable privacy policy.
6. DATA SECURITY
The security of your personal and financial data is of paramount importance to us. We implement appropriate technical and organizational measures in accordance with the SPDI Rules, 2011, and the DPDP Act, 2023, including:
- SSL/TLS encryption for all data transmitted between your device and our servers
- AES-256 encryption for sensitive data at rest
- Multi-factor authentication (MFA) for account login and critical transactions
- Role-based access controls and least-privilege principles for our employees and systems
- Regular vulnerability assessments, penetration testing, and security audits
- Firewalls, intrusion detection systems, and DDoS protection mechanisms
- Secure data centers with ISO 27001-aligned physical security controls
- Employee background verification and periodic data privacy training
- Incident response and breach notification procedures
Notwithstanding the foregoing, no method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. You are advised to keep your login credentials confidential and to report any unauthorized access to your account immediately.
In the event of a data breach that is likely to adversely affect your rights and freedoms, we will notify you and the relevant regulatory authority (including the Data Protection Board of India, once constituted under the DPDP Act, 2023) as required by applicable law.
7. DATA RETENTION
We retain your personal data for as long as is necessary to fulfil the purposes for which it was collected, and in accordance with our statutory and regulatory obligations:
| Category of Data | Retention Period | Regulatory Basis |
|---|---|---|
| KYC and identity documents | 8 years from closure of account or end of business relationship | PMLA, 2002; SEBI KYC Norms; PML Rules, 2005 |
| Trading records and order logs | 5 years from the date of transaction | SEBI (Stock Brokers) Regulations, 1992; Regulation 17A |
| Contract notes and trade confirmations | 5 years | SEBI Circulars; BSE/NSE Bye-laws |
| Fund ledger and financial records | 8 years | PMLA; Companies Act, 2013 (Section 128) |
| Communication records (calls, emails) | 5 years | SEBI (Prohibition of Fraudulent and Unfair Trade Practices) Regulations |
| Grievance and complaint records | 3 years from resolution | SEBI Grievance Redressal Framework (SCORES) |
| Marketing consent records | Until withdrawal of consent + 3 years | DPDP Act, 2023; IT Act, 2000 |
Upon expiry of the applicable retention period, personal data will be securely deleted, anonymized, or destroyed using industry-standard methods, unless retention is required for ongoing litigation, regulatory investigation, or by court order.
8. YOUR RIGHTS AS A DATA PRINCIPAL
Subject to applicable law and regulatory requirements, you have the following rights with respect to your personal data:
- Right to Access: You may request a copy of the personal data we hold about you and information about how it is processed.
- Right to Correction: You may request correction of inaccurate or incomplete personal data. KYC corrections may be subject to validation through SEBI-authorized KRA processes.
- Right to Erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to our legal and regulatory retention obligations under PMLA, SEBI regulations, and other applicable laws. Please note that data required for compliance cannot be deleted during the mandatory retention period.
- Right to Data Portability: You may request your personal data in a structured, commonly used, and machine-readable format, to the extent technically feasible.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal will not affect the lawfulness of processing prior to such withdrawal.
- Right to Grievance Redressal: You have the right to have your grievances addressed in a timely and effective manner by our Grievance Officer.
- Right to Nominate: Under the DPDP Act, 2023, you may nominate another individual to exercise your rights in the event of your death or incapacity.
To exercise any of the above rights, please submit a request in writing to our Grievance Officer at the contact details provided in Section 14. We will respond to your request within the timelines prescribed under applicable law.
9. KYC, AML/CFT COMPLIANCE
In accordance with the Prevention of Money Laundering Act, 2002 and SEBI's KYC norms, we are mandated to verify the identity and address of all clients before enabling them to trade. This involves collection of certain personal and financial documents. KYC information collected by us may be shared with the Central KYC Registry (CKYCRR), KYC Registration Agencies (KRAs), FIU-IND, and other authorities as required by law.
We conduct ongoing transaction monitoring and may file Suspicious Transaction Reports (STRs) or Cash Transaction Reports (CTRs) with FIU-IND without prior notice to you, in compliance with PMLA. We are prohibited by law from disclosing to you that such a report has been filed.
10. CROSS-BORDER DATA TRANSFERS
We primarily process and store your personal data in India. To the extent any personal data is transferred outside India (for example, for cloud services, cybersecurity monitoring, or technology support), such transfers shall be carried out in compliance with the provisions of the DPDP Act, 2023 and applicable SEBI guidelines. We will ensure that adequate contractual safeguards and data protection standards are in place with recipients in such countries as may be notified by the Central Government.
11. MARKETING COMMUNICATIONS AND OPT-OUT
With your prior consent, we may send you promotional communications about our products, services, features, market insights, and investment opportunities via email, SMS, WhatsApp, push notifications, or telephone. These communications are always clearly identified as being from Bullsmart / Skywards Investec Private Limited.
You may opt out of marketing communications at any time through any of the following channels:
- Clicking the "Unsubscribe" link in any marketing email
- Replying STOP to marketing SMS
- Adjusting notification preferences in your Bullsmart app settings
- Contacting our customer support or Grievance Officer
Opting out of marketing communications will not affect transactional messages related to your account, trades, regulatory notices, or service-related alerts, which we are obligated to send.
12. COOKIES AND TRACKING TECHNOLOGIES
The Bullsmart website and mobile application use cookies, web beacons, pixel tags, and similar technologies to enhance user experience and analyze usage patterns. These technologies may collect:
- Session identifiers and preferences
- Device type, browser type, and operating system
- Pages visited, features accessed, and session duration
- Referring URLs and exit pages
| Cookie Type | Purpose |
|---|---|
| Essential | Necessary for the platform to function; cannot be disabled (e.g., session management, security tokens) |
| Functional | Remember your preferences and settings to personalize your experience |
| Analytics | Help us understand how you interact with our platform to improve features and performance |
| Marketing | Used to show relevant advertisements and measure campaign effectiveness (only with consent) |
You may manage cookie preferences through your browser settings. Disabling certain cookies may impact the functionality of the Bullsmart platform.
13. THIRD-PARTY LINKS AND PLATFORMS
The Bullsmart platform may contain hyperlinks to third-party websites, applications, or services (including exchanges, depositories, payment gateways, and research platforms). This Policy does not apply to such third-party platforms. We are not responsible for the privacy practices, content, or security of external websites. We encourage you to review the privacy policies of any third-party platforms you visit or use.
14. GRIEVANCE OFFICER/COMPLIANCE OFFICER
In accordance with the IT Act, 2000, SPDI Rules, 2011, and the DPDP Act, 2023, we have designated a Compliance Officer to address any concerns, complaints, or queries you may have regarding the processing of your personal data or any other matter covered under this Policy.
| Name | Subhra Sumantinee |
|---|---|
| Designation | Compliance Officer |
| Company | Skywards Investec Private Limited (trading as Bullsmart) |
| Address | Startup Huts, 3rd Floor, Unit-2, #109, 27th Main, Sector-2, HSR Layout, Bengaluru, Bangalore KA 560102 IN |
| Email | [email protected] |
| Phone | +91-9513461115 |
| Grievance Submission Hours | Monday to Friday, 9:00 AM to 6:00 PM (IST), excluding public holidays |
We will endeavour to acknowledge your grievance within 48 hours and resolve it within 30 days of receipt. If you are not satisfied with the resolution, you may approach SEBI's online grievance redressal system (SCORES), the National Consumer Disputes Redressal Commission, or any other appropriate regulatory authority. Once the Data Protection Board of India is constituted under the DPDP Act, 2023, you may also file complaints before such Board.
15. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory obligations. Any material changes will be notified to you via email, SMS, or a prominent notice on the Bullsmart platform at least 30 days prior to the changes taking effect, where practicable. The updated Policy will carry a revised "Effective Date" at the top. Your continued use of the platform after the effective date of any changes constitutes your acceptance of the updated Policy.
16. DISCLAIMER
Investments in securities markets are subject to market risks. Please read all scheme-related documents carefully before investing. The information collected under this Policy is used solely for the purposes stated herein and to provide regulated financial services. Bullsmart is not responsible for the privacy practices of third-party platforms or services.
17. ACKNOWLEDGEMENT
By opening an account and using the Bullsmart platform, you confirm that you have read, understood, and agreed to this Privacy Policy.