Privacy Policy – Bamboo Roots Wealth Management

Effective Date: September 17, 2025

Bamboo Roots Wealth Management (“Bamboo Roots”, “we”, “us”, “our”) operates the website https://www.bamboorootswealth.com (the “Website”). We are registered in Trivandrum,Kerala, India. This Privacy Policy explains how we collect, use, disclose, and protect personal data, and describes your rights and choices.

1. Who we are
Bamboo Roots Wealth Management
Website: https://www.bamboorootswealth.com
Primary contact email: contact@bamboorootswealth.com

2. Scope and legal basis
This Policy applies to personal data collected through the Website and in connection with our services. We process personal data where necessary for: (a) the performance of a contract with you; (b) compliance with legal and regulatory obligations (including KYC/AML and tax rules); (c) our legitimate interests (for example fraud prevention and service improvement); and (d) where required, with your consent (for example marketing or non-essential cookies). We aim to comply with applicable Indian law including the Digital Personal Data Protection Act (DPDP), 2023, as well as applicable international data protection laws when relevant.

3. Information we collect
We may collect the following categories of information:
• Identity & contact information: name, email, phone number, postal address, date of birth.
• Financial & KYC data: PAN, Aadhaar or other government ID, bank account details, investment profile, transaction history, documents provided to complete KYC/AML requirements. (Collection of sensitive financial or identity data is only when required for service delivery or regulatory compliance.)
• Technical data: IP address, browser user-agent, device identifiers, cookies, and log files.
• Communications & interaction data: messages submitted via contact forms, call recordings (where consented or required), emails, and support requests.
• Any other data you choose to provide to us.

4. How we use your information
We use personal data to:
• Provide and administer wealth management, advisory and related services;
• Complete KYC, AML checks and other regulatory reporting;
• Process transactions and service agreements;
• Respond to enquiries and communicate with you;
• Personalize and improve our Website and services;
• Send marketing communications where you have consented (you may opt out anytime);
• Detect and prevent fraud and protect the security of our systems; and
• Fulfil legal and regulatory obligations.

5. Cookies and tracking technologies
We use cookies and similar technologies to operate the Website, remember preferences, and analyze usage. We provide a cookie notice and mechanisms to consent to or manage cookie preferences (essential vs optional cookies). You can also control cookies through your browser settings.

6. Comments and user content
When visitors leave comments, we collect the commenter’s data from the comment form, their IP address, and browser user agent string to assist spam detection. After a comment is approved, the commenter’s profile picture (e.g., Gravatar) may be publicly visible in context of the comment.

7. Media uploads
If you upload images, avoid embedding location data (EXIF GPS). Visitors can download images and potentially extract embedded metadata.

8. Who we share your data with
We do not sell personal data. We may share personal data with:
• Third-party service providers (for example KYC/verification vendors, payment processors, email services, IT and analytics providers) under contracts that require confidentiality and security;
• Regulators, courts, law enforcement or government authorities as required by law;
• Professional advisors, auditors and compliance partners; and
• A successor entity in the event of a merger, acquisition or sale (with notice to affected individuals where practicable).
Where we transfer data outside India, we use appropriate safeguards such as contractual protections or other mechanisms required by applicable law.

9. Third-party processors and embedded content
We use third-party processors for certain services. We require such processors to maintain adequate security and to use data only for the contracted purposes. The Website may contain embedded content (videos, feeds, calculators) from external sites; interacting with that content may result in collection of data by those third parties under their own privacy policies.

10. Retention of data
We retain personal data only as long as necessary for the purposes collected and to meet legal and regulatory obligations. Typical retention periods include:
• Comments and related metadata: retained indefinitely unless deleted by you;
• Contact form messages and enquiry records: retained for up to 3 years (or as needed to respond/resolve matters);
• KYC and transaction records: retained for the period required by applicable financial, tax and regulatory laws (commonly 8 years or as required by law);
• Account information: retained while the account is active and for a reasonable period thereafter to meet legal obligations.
If a legal requirement prevents deletion, we will retain the data as required and inform you.

11. Data security
We implement reasonable technical and organizational measures to protect personal data, including SSL/TLS encryption in transit, access controls, secure storage for sensitive records, staff training, and periodic security assessments. We require our processors to implement appropriate safeguards.

12. Data breach response and notification
If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will act promptly to contain and investigate the incident and will notify affected individuals and relevant authorities as required by applicable law. Where applicable, notifications will be made without undue delay and in accordance with statutory timelines (for example typically within 72 hours where required).

13. Your rights and how to exercise them
Subject to verification and applicable law, you may:
• Request access to the personal data we hold about you;
• Request correction or update of inaccurate or incomplete data;
• Request deletion of your personal data (subject to legal/regulatory retention obligations);
• Object to or restrict certain processing activities;
• Withdraw consent where processing is based on consent (for example cookies or marketing);
• Request portability of data you have provided in a commonly used format.
To exercise your rights, contact our primary contact or our Grievance Officer/DPO (details below). We will verify requests to protect privacy and respond within applicable statutory timelines.

14. GDPR and international data protection (if applicable)
If you are an EU resident, you also have rights under the GDPR (e.g., right to lodge a complaint with a supervisory authority). Where we process EU personal data, we will observe relevant GDPR obligations (lawful basis, data subject rights, appropriate safeguards for transfers, etc.).

15. Automated decision-making and profiling
We do not make solely automated decisions that produce legal or similarly significant effects on you. Where we use profiling or automated tools for personalization or risk assessment, we will explain the purpose and allow you to request human review where appropriate.

16. Marketing communications
We send marketing communications only where you have consented or as otherwise permitted by law. Each marketing message includes an easy and free opt-out/unsubscribe mechanism.

17. Cross-border transfers
Where personal data is transferred outside India, we will ensure adequate protections are in place (for example contractual safeguards or mechanisms required by applicable law). We will aim to notify you where such transfers are material to the service.

18. Children
Our Website and services are not directed to children under 18. We do not knowingly collect personal data from children. If we learn that a child’s data has been collected without parental consent, we will delete the data unless retention is required by law.

19. Changes to this Privacy Policy
We may update this Policy from time to time. The Effective Date at the top indicates when the Policy was last updated. Material changes will be notified on the Website and, where appropriate, by other means.

20. Contact and grievance officer / DPO
Primary contact: contact@bamboorootswealth.com
Grievance Officer: Vipin Krishnan
Email: vipin.krishnan@bamboorootswealth.com
Phone: +91 860 660 1885
Postal address for notices: Bamboo Roots Wealth Management, Krishna Kripa, Periyar Lane, Kattachal Road Thirumala PO Pin 695006 Trivandrum, India.
If you are not satisfied with our response, you may escalate to the relevant supervisory authority or data protection regulator in your jurisdiction.

21. How to complain to a supervisory authority
If you are based in the EU or other jurisdiction with a supervisory authority and remain dissatisfied after contacting us, you may file a complaint with your local data protection authority.

22. Where your data is sent
Visitor data (including comments) may be processed or scanned by automated spam detection services. Data may also be transferred to our third-party processors as described in this Policy.

Last reviewed: September 17, 2025
For any questions about this Privacy Policy or to exercise your rights, please contact us at contact@bamboorootswealth.com.