Overview
Angel One is one of India’s largest stockbrokers. Because they handle your PAN, bank details, income proof, and even biometrics, they are what the law calls a Data Fiduciary—the entity responsible for deciding how your data is handled. You are the Data Principal—the owner of the data.
Since they are regulated by SEBI and the RBI, they have to keep your data for a long time, but the new DPDP Act adds extra rules on top of those financial regulations.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
Angel One tries to get your permission the moment you land on their site. This is a common shortcut, but the DPDP Act says consent must be a “clear affirmative action.”
What the policy says: “By accessing our website… you acknowledge that you have read, understood, and agreed to the terms… You provide your explicit consent.”
What the law requires: Consent must be free, specific, informed, and unconditional. Simply browsing a website shouldn’t count as “explicit consent” for data processing.
The problem: This is “bundled consent.” You can’t say “Yes to stock trading” but “No to marketing calls” during signup. Under the DPDP Act, these should ideally be separate checkboxes.
Section 7 — Certain Legitimate Uses ⚠️
The law allows companies to process data without a fresh “I Agree” button for specific things like “voluntary provision” (you gave it to them) or legal requirements.
What the policy says: They claim to process data for “Marketing and Business Development” as part of their “lawful basis.”
What the law requires: Legitimate Use is very narrow. It’s for things like medical emergencies, disasters, or legal duties.
The problem: Using “Legitimate Use” to cover marketing is a stretch. If they want to use your trading history to sell you an insurance policy, they really should be asking for your specific consent first.
Section 8 — Obligations of Data Fiduciary ✅
This is where Angel One shines. They take security very seriously.
What the policy says: “Our information security management practices are aligned with the ISO/IEC 27001 standard… we have adopted a Zero Trust security model.”
What the law requires: The company must take reasonable security safeguards to prevent data breaches.
The problem: None here. They are following high industry standards, which is a great benchmark for any small business owner wondering “how much security is enough?”
Section 9 — Data Retention 🔴
This is a tricky spot for fintech companies because they are caught between two different laws.
What the policy says: “We will retain your Personal Data only for as long as necessary… primarily dictated by Regulatory Mandates (SEBI, PMLA).”
What the law requires: Data must be deleted once the purpose is fulfilled, unless a law says otherwise.
The problem: While they mention SEBI rules, they don’t give you a clear “shelf life” for your data. If you close your account, does your data vanish in 5 years or 10? The policy stays vague with “as long as necessary,” which doesn’t give the user much peace of mind.
Section 11 — Rights of Data Principal ⚠️
The DPDP Act gives you “superpowers” over your data, like the right to correct it or delete it.
What the policy says: They acknowledge you can withdraw consent and access your data.
What the law requires: You also have the Right to Nominate. This means you can pick someone to manage your data rights if you pass away or become unable to do it yourself.
The problem: Angel One doesn’t mention the Right to Nominate in this policy. In a financial context, this is a huge deal.
Section 12 — Right of Grievance Redressal ⚠️
If you’re unhappy with how your data is handled, you need a clear path to complain.
What the policy says: They mention a grievance process and the ability to reach out for support.
What the law requires: You must be able to complain to the company first, and if they don’t fix it, you have the right to go to the Data Protection Board of India.
The problem: The policy doesn’t explicitly name the Data Protection Board as the final escalation point, which is a requirement under the new law.
Section 16 — Cross-Border Data Transfer ⚠️
What the policy says: They mention sharing data with “Cloud Computing” and “Third-Party Service Providers” but don’t specify where those servers are.
What the law requires: Data can only be sent to countries that the Indian government hasn’t “blacklisted” (restricted).
The problem: For a small business owner, the lesson here is: know where your servers are. If your data is in a “restricted” country, you’re in trouble. Angel One’s policy is a bit too “hazy” on the geography.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory Fine | Medium | Fines for bundled consent can reach ₹200 Cr+ |
| Consent Validity | High | “Browse-wrap” consent (agreeing by using) is legally weak |
| Data Retention | Medium | Conflict between SEBI rules and DPDP deletion rules |
| Nomination Rights | Low | Missing a specific DPDP right (Section 14) |
Recommendations
- Unbundle your checkboxes. Don’t make “Marketing” a requirement for “Account Opening.” Give your users a choice.
- Add a ‘Data Nominee’ field. Just like a bank nominee, let users pick a digital nominee. It’s a DPDP requirement!
- Be specific about ‘The End’. Tell users exactly how many years after account closure their data is wiped (e.g., “8 years as per PMLA”).
- Mention the Data Protection Board. Give people the full address of where they can take their complaints if you don’t solve them.
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.