1. Introduction
This Data Protection Agreement (“DPA”) describes how Floatr (Valuefloat Technologies Private Limited) processes personal data in connection with its financial wellness platform, investment facilitation services, retirement planning support, lending enablement, and related financial services.
This DPA supplements Floatr’s Terms of Use and Privacy Policy and is intended to provide transparency regarding:
- Processing of personal data
- Security and privacy safeguards
- Sub-processors and infrastructure
- Data localisation practices
- Compliance with applicable regulations including:
  - Digital Personal Data Protection Act, 2023 (India)
  - Financial regulatory obligations (including AMFI, SEBI, RBI, PFRDA where applicable)
2. Scope of Processing
Floatr processes personal data for:
- Financial wellness services – financial planning, retirement planning, wealth management
- Investment & lending facilitation (mutual funds, NPS, lending etc.)
- Compliance verification and KYC
- Customer support and platform operations
- Security monitoring and fraud prevention.
Processing activities may include:
- Collection
- Storage
- Analysis
- Transmission
- Deletion or anonymisation.
3. Controller and Processor Roles
Floatr may act in multiple capacities depending on service context:
Data Controller
Where Floatr:
- Determines purposes and means of processing
- Collects personal data directly from users
- Provides direct financial services or advisory tools.
Data Processor
Where Floatr:
- Processes data on behalf of employers, financial partners, or regulated institutions
- Acts under contractual instructions.
These roles may overlap depending on the service relationship.
4. Data Localisation
All personal and financial data processed by Floatr:
- Is stored within secure cloud infrastructure located in India
- Is processed within India
- Is not transferred outside India unless legally mandated.
Floatr primarily services customers within the Indian jurisdiction only.
5. Security Safeguards
Floatr maintains administrative, technical, and organisational security measures including:
- Encryption of data in transit and at rest
- Role-based access controls and least privilege principles
- Multi-factor authentication for sensitive systems
- Secure cloud infrastructure
- Vulnerability assessments and penetration testing
- Continuous monitoring and logging
- Incident response framework
- Employee confidentiality obligations.
Security practices align with recognised industry standards (ISO 27001, SOC 2) and with DPDPA compliance requirements.
6. Personal Data Breach Management
Floatr maintains a documented incident response program.
In case of a confirmed breach:
- Initial notification typically within 24 hours where applicable
- Investigation and mitigation measures initiated immediately
- Regulatory notifications made where required.
7. Data Retention Principles
Personal data is retained only as long as necessary for:
- Service delivery
- Regulatory compliance
- Security monitoring
- Financial record-keeping obligations
- Dispute resolution.
Data is securely deleted or anonymised when retention requirements expire.
Users can also request deletion of their data by sending an email to privacy@floatr.in.
8. Data Protection Governance
Floatr has appointed a Data Protection Officer responsible for:
- Privacy compliance
- Data governance
- Incident coordination
- Regulatory engagement.
Data Protection Officer:
Sumit Kumar Srivastava
sumit@floatr.in
9. Updates to this Addendum
This DPA may be updated periodically to reflect:
- Regulatory changes
- Service enhancements
- Security improvements.
The latest version will always be available on Floatr’s website.
10. Document Version and Release Information
| Version | Release Date | Description of Changes | Approved By |
|---|---|---|---|
| 1.0 | 09 Feb, 2026 | Initial public release of Floatr Data Processing Addendum aligned with DPDPA compliance and data processing transparency disclosures. | Floatr Compliance Team |
Annexure A — Categories of Personal Data Processed
| Category | Data Types | Purpose |
|---|---|---|
| Identity / KYC Data | Name, PAN, Aadhaar (last 4 digits), DOB, photographs, address proof, signature | Identity verification, regulatory compliance |
| Family, Nominees | Name, Relation, DOB, Email, Mobile, ID Proof | Assign nominee to investments |
| Contact Data | Email, phone number, address | Communication, account management |
| Financial Data | Bank account details, investment accounts, NPS data, loan data | Financial service facilitation |
| Employment Data | Employer information, corporate email ID, employee ID, Income | Corporate benefits, compliance |
| Transaction Data | Investment transactions, contributions, financial activity | Reporting and service execution |
| Technical Data | Device info, IP logs, login activity, usage analytics | Security and optimisation |
Annexure B — Sub-Processors
| Sub-Processor | Purpose | Data Type | Location |
|---|---|---|---|
| AWS India Region | Cloud hosting and storage | Application data | India |
| CRA (KFINTECH, Protean, CAMS) | NPS recordkeeping | Personal Information, Pension account data | India |
| Point of Presence (POP) | NPS services | Personal Information, Investment data | India |
| RTA (KFINTECH, CAMS) | Mutual fund facilitation | Personal Information, Investment data | India |
| Lending Partners, NBFC, Banks | Lending enablement | Personal Information, Financial data | India |
| Other SEBI, RBI Registered Intermediaries | For investment & lending services | Personal Information, Financial data | India |
| Security Assessment Vendors | Security testing | Controlled system access | India |
Annexure C — Security Controls Overview
| Control Area | Measures |
|---|---|
| Encryption | TLS encryption in transit, encrypted storage at rest |
| Access Control | RBAC, MFA, least privilege |
| Infrastructure Security | Cloud firewall, segmentation |
| Monitoring | Audit logging and monitoring |
| Testing | VAPT and vulnerability scans |
| Compliance | ISO 27001, SOC 2 and DPDPA |
Annexure D — Data Retention Overview
| Data Type | Retention Basis |
|---|---|
| Customer Account Data | Duration of service + regulatory obligations |
| KYC / Financial Records | As required by financial regulators |
| Application Logs | Typically ~1 year operationally |
| Security Logs | Minimum 12 months |
| Backup Data | As per disaster recovery policy, 2 years |