Privacy Policy

01Who we are

Techvoria CrmSoft Solutions Private Limited ("Techvoria", "we", "us", "our") operates MFDStack, a software platform built for mutual fund distribution firms in India.

02Two distinct roles

We process personal data in two different capacities, and your rights work differently in each.

(a) As a Data Fiduciary. When we collect personal data directly from you — for example, your name and email when you book a demo through our website, or details you provide when you sign up as an authorised user of an MFD firm using MFDStack — we are the Data Fiduciary (also called the Controller). This Privacy Policy primarily governs that processing.

(b) As a Data Processor. When a mutual fund distributor firm (the "MFD Firm") uses MFDStack to manage its own clients, prospects, employees, or other contacts, the MFD Firm decides what data goes into the platform and why. In that case, the MFD Firm is the Data Fiduciary and we are the Data Processor acting on the MFD Firm's instructions. Our processing of that data is governed by the Data Processing Addendum between Techvoria and each MFD Firm.

03What personal data we collect

3.1 Information you provide directly

• Demo or contact requests: name, firm name, work email, phone number, team size, and any message you send.
• Account creation and use: name, email, role within your firm, phone number (optional), profile preferences.
• Communications with us: the content of emails, support tickets, chat messages, or other communications you send.
• Billing: bank transfer reference details. We do not collect or store credit or debit card data.

3.2 Information collected automatically

• Website: IP address, browser type, device type, operating system, referring URL, pages viewed, time spent.
• MFDStack platform: login timestamps, IP address, device used, and actions taken within the platform (audit trail).

3.3 Information you upload or generate as a user of MFDStack

• Files, notes, tasks, calendar events, emails synced through Gmail integration, and other content you create or upload as part of operating your MFD practice.

3.4 Personal data of end-investors (processed on behalf of MFD Firms)

When an MFD Firm uses MFDStack to manage its clients, the platform may contain personal data of those clients — for example, name, contact details, PAN, KYC status, folio details, transaction data, financial planning information, and risk profile. We process this data strictly as a Data Processor on the MFD Firm's documented instructions and do not use it for any independent purpose.

3.5 Registrar (RTA) data

At an MFD Firm's direction, the firm forwards reports received from registrars (CAMS, KFintech) to a designated Techvoria processing email address. We parse these reports and surface the relevant folio, transaction, and SIP information inside the MFD Firm's MFDStack workspace. We act solely as Data Processor for this data.

04How we use personal data

We use personal data only for the following purposes:

• To provide, operate, maintain, and improve MFDStack.
• To respond to demo requests, sales enquiries, support tickets, and other communications.
• To send service-related communications (account updates, security notices, scheduled maintenance, billing).
• To understand usage of MFDStack in aggregated, de-identified form, so we can improve the product.
• To detect, prevent, and address technical issues, fraud, and security incidents.
• To comply with legal obligations and respond to lawful requests from authorities.
• To establish, exercise, or defend legal claims.

We do not sell your personal data. We do not use your personal data for advertising. We do not share your personal data with advertising networks.

05Legal basis under the DPDP Act

Under the Digital Personal Data Protection Act, 2023, we rely on the following bases for processing personal data:

• Consent — when you voluntarily provide information (e.g., booking a demo).
• Legitimate use / performance of a contract — to provide MFDStack to paying customers and their authorised users.
• Legitimate use for security, fraud prevention, and product improvement in aggregated form.
• Legal obligation — where required by Indian law.

You may withdraw consent at any time by contacting our Grievance Officer (Section 14). Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

06Who we share data with

We share personal data only with the following categories of recipients, and only as necessary for the purposes described in this Policy:

6.1 Sub-processors

6.2 Other recipients

• Authorities or regulators, when required by valid legal process or to protect our rights.
• Acquirers, in the event of a merger, acquisition, or sale of substantially all of our assets, under appropriate confidentiality protections.
• Professional advisors (lawyers, accountants, auditors) under confidentiality obligations.

07Where data is stored

All production personal data processed through MFDStack is stored on Amazon Web Services infrastructure in the Mumbai region (ap-south-1), within India. We do not transfer production personal data outside India for storage.

Limited operational data may be transmitted to international service providers (e.g., transactional email through Mailgun, AI inference through OpenAI) only to deliver specific features. Where such transmission occurs, we ensure it complies with applicable Indian law.

08How long we keep data

• Demo and sales enquiries: retained for up to 24 months unless you request earlier deletion.
• Active accounts and Customer Data: retained for the duration of the subscription.
• After termination of subscription: Customer Data remains accessible for export in CSV format for up to 30 days, after which it is permanently deleted from active systems, except where retention is required by law.
• Backups: daily backups retained for one week, weekly backups for one month, and monthly backups retained for longer-term disaster recovery. Deleted data ages out of backup media according to this cycle.
• Audit and security logs: retained for up to 24 months.
• Records required by law (e.g., invoices, tax records): retained for the statutory period.

09AI features

MFDStack uses third-party AI services (currently OpenAI) to power specific features such as Meeting-of-Minutes (MOM) drafting and SEBI circular summarisation.

When you use these features:

• The text you submit is transmitted to the AI service via a secure API.
• Our AI service account is configured with model training disabled, meaning the AI provider does not use your inputs to train or improve its models.
• We design prompts to minimise the inclusion of sensitive personal identifiers such as PAN, bank account numbers, or KYC documents. Free-text content you choose to include in your inputs is, however, transmitted as part of the request.
• We do not retain a separate copy of your AI inputs once the processed output is returned to MFDStack.
• AI-generated output may contain errors, omissions, or inaccuracies. You should review AI-generated content before sending it to clients or relying on it for compliance, regulatory, or advisory purposes.

10Security measures

We implement reasonable technical and organisational measures appropriate to the nature of the data, including:

• HTTPS / TLS encryption for all data in transit;
• Encryption at rest for production databases;
• Per-firm tenant isolation, so each MFD Firm operates within its own environment;
• Role-based access controls within MFDStack;
• Internal access to production data limited strictly to our technical team on a need-to-know basis;
• Regular backup cycles as described in Section 8;
• Logging and monitoring of administrative actions;
• Periodic review of security practices.

No system is perfectly secure. In the event of a personal data breach affecting your data, we will notify you and the appropriate authorities without undue delay, as required by Indian law.

11Your rights

Under the Digital Personal Data Protection Act, 2023 and other applicable Indian law, you have the right to:

• Access the personal data we hold about you;
• Correct inaccurate or incomplete personal data;
• Have your personal data erased, subject to our legal and contractual obligations;
• Withdraw consent at any time;
• Nominate another individual to exercise your rights in the event of your death or incapacity;
• Lodge a complaint with the Data Protection Board of India.

To exercise these rights with respect to data we hold as a Data Fiduciary, contact our Grievance Officer (Section 14). For data we hold as a Data Processor on behalf of an MFD Firm, please direct your request to that MFD Firm; we will support them in responding.

12Cookies and tracking

Our website uses essential cookies for session management and basic analytics. We do not currently run advertising trackers, retargeting pixels, or third-party advertising cookies. If this changes in the future, we will update this Policy and request your consent where required.

13Children's data

MFDStack is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us and we will delete it.

14Grievance Officer

In compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer:

We will acknowledge complaints within 48 hours and aim to resolve them within 30 days of receipt.

15Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Last updated" date at the top of this page indicates the latest version. We will notify you of material changes via email or a prominent notice in MFDStack.

16Contact us