UAT Privacy Notice
Last updated: 5 May 2026
1. Scope
This notice describes how Acornia, the customer relationship management platform operated by Acorn Wealth, collects, uses, retains, and protects personal information.
This page reflects the current pre-production (UAT) release. Production privacy commitments will be confirmed by Acorn Wealth's legal counsel before general availability and may differ in formal language; the substantive controls described below are already in force on the UAT environment.
2. Information we process
- Investor records sourced from InvestWell, including name, PAN, contact details, KYC status, folio holdings, and transaction history.
- Internal team member records — name, work email, mobile, role, and access level.
- Operational data generated by the platform — tasks, notes, audit log entries, sync logs, and report exports.
- Authentication metadata — sign-in events, IP address, browser user-agent, and session timing.
3. Purpose of processing
Personal information is processed solely to operate the distribution business of Acorn Wealth — including investor servicing, transaction execution, KYC and AML compliance, performance reporting, regulator-mandated audits, and internal administration. Information is not used for marketing or shared with third parties for marketing.
4. Access controls
- Access is governed by role-based permissions configured under Settings → Roles & Permissions.
- Personally identifiable details (PAN, full bank account numbers, contact phone/email) are masked by default and only revealed to users whose role explicitly grants the "Show unmasked details" permission for that module.
- System-level templates are read-only and can only be customised by cloning into a separate, editable role.
5. Audit log retention
All administrative actions that change access, roles, permissions, or compliance configuration are written to a tamper-evident audit log. Each entry is SHA-256-chained to the previous entry, time-stamped, and attributed to the actor by email and IP address. Audit log entries are retained for ten (10) years to satisfy the Prevention of Money Laundering Act, 2002 (PMLA) record-keeping requirements applicable to mutual fund distributors.
6. Data location and security
Production data is hosted on infrastructure located in India. Data in transit is encrypted using TLS; data at rest is encrypted using disk-level encryption provided by our infrastructure operator. Backups are taken daily and retained per the retention schedule above. Security testing is conducted prior to each release; any reported vulnerabilities can be raised at the contact below.
7. Your rights
Investors and team members may request access to or correction of their personal information by writing to the support contact. Statutory log entries (audit log, transaction records) cannot be deleted on request — they may only be redacted to the minimum extent permitted by law and regulator guidance.
8. Sandbox / UAT caveat
The UAT environment may contain test, anonymised, or copied data and is intended only for staged acceptance testing. It is not the system of record. Live regulator-mandated reporting and statutory record-keeping are performed only on the production environment.
9. Contact
Privacy questions, access requests, or vulnerability reports may be sent via the support page. We will acknowledge receipt within two business days.