Privacy Policy
Last Updated: January 15, 2026How Vertias collects, stores, and protects data for SEBI-registered advisory firms — with India data residency and tamper-evident record-keeping by design.
1Introduction
Vertias ("Vertias", "we", "our", "us") provides compliance and record-keeping technology to SEBI Registered Investment Advisers ("RIAs") and Research Analysts ("RAs"). This Privacy Policy explains what personal and business data we process, why we process it, and the rights available to you.
This policy applies to our public website and the Vertias console. It does not describe the independent privacy practices of the RIA or RA firm that engages us; where Vertias processes end-investor data, we do so as a processor on behalf of that regulated firm, which remains the data controller.
2Data We Collect (SEBI Mandate)
As a platform serving SEBI-regulated intermediaries, we are required to help our customers retain complete, tamper-evident records of advisory activity. The categories of data we process include:
- Account and identity data — name, work email, role, and TOTP authenticator enrolment used for magic-link and second-factor sign-in.
- Advisory records — communications, recommendations, risk profiling, suitability assessments, and consent artefacts logged to the hash-chained audit ledger.
- Compliance metadata — HMAC-SHA-256 hash-chain entries, timestamps, and evidence-pack exports generated for audit.
- Operational telemetry — security and reliability logs strictly necessary to operate a banking-grade service.
We do not sell personal data, and we do not use advisory content for advertising or for training third-party models.
3Data Residency & Storage
Customer and end-investor data is stored and processed on India-region cloud infrastructure (S3-compatible object storage), consistent with SEBI and RBI expectations for local data residency. Advisory records are protected by an HMAC-SHA-256 hash chain so that any tampering is detectable during audit. Write-once, read-many (WORM) object-lock retention is on our roadmap and not yet enabled by default.
Encryption is applied in transit (TLS) and at rest. Access to production data is limited to authorised personnel on a least-privilege basis and is itself logged.
4Data Retention
Advisory and compliance records are retained for the minimum period required under the SEBI (Investment Advisers) Regulations and the SEBI (Research Analysts) Regulations — currently at least five years, or longer where an inspection, dispute, or legal hold applies. Because these records are hash-chained, any alteration or deletion is detectable when the ledger is verified. Enforced write-once (WORM) object-lock retention is on our roadmap.
5Your Rights
Subject to the Digital Personal Data Protection Act, 2023 and applicable law, you may request access to, correction of, or erasure of your personal data. Where Vertias acts as a processor for a regulated firm, requests relating to end-investor data should be directed to that firm as the data controller; we will support them in responding.
- Right to access the personal data we hold about you.
- Right to correction of inaccurate or incomplete data.
- Right to erasure, except where retention is mandated by SEBI or other law.
- Right to withdraw consent for optional processing.
7Contact & Grievances
For privacy questions or to exercise your rights, contact our Grievance Officer: Mr. Rahul Sharma, grievance@vertias.app, Mumbai, India. We aim to acknowledge requests within a reasonable period consistent with regulatory expectations.