Archived analysis

This page is old. Angel One was reviewed on 2026-03-06.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Fintech

Angel One

Ready Score 68/100
Analysis supervised by Sushant Pasumarty
📅 6 Mar 2026


Angel One is ahead of the curve by explicitly referencing the DPDP Act 2023, but still struggles with 'bundled consent' where using the app implies you agree to everything. While their security is bank-grade, they need to give users more granular control over marketing and nomination rights.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-03-06
  • Company: Angel One
  • Readiness score: 68/100
  • Policies and product behavior may have changed since review
  • Not verified: whether the current source policy still matches this archived policy-only review
  • Not verified: whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Consent is still bundled with general platform access and browsing
  • No specific mention of the Right to Nominate under Section 14
  • Marketing and 'business development' claimed as lawful bases without separate opt-ins
  • Cross-border transfer details are vague regarding specific geographic safeguards
  • No explicit timeline for data deletion once the 'purpose' is fulfilled

✅ Strengths

  • Explicitly mentions the DPDP Act 2023 in its definitions
  • Highly detailed breakdown of data categories including 'Appography' and biometric data
  • Strong alignment with ISO 27001 and SEBI cybersecurity frameworks
  • Clear process for requesting names of third-party data processors

Overview

Angel One is one of India’s largest stockbrokers. Because they handle your PAN, bank details, income proof, and even biometrics, they are what the law calls a Data Fiduciary—the entity responsible for deciding how your data is handled. You are the Data Principal—the owner of the data.

Since they are regulated by SEBI and the RBI, they have to keep your data for a long time, but the new DPDP Act adds extra rules on top of those financial regulations.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent ⚠️

Angel One tries to get your permission the moment you land on their site. This is a common shortcut, but the DPDP Act says consent must be a “clear affirmative action.”

What the policy says: “By accessing our website… you acknowledge that you have read, understood, and agreed to the terms… You provide your explicit consent.”

What the law requires: Consent must be free, specific, informed, and unconditional. Simply browsing a website shouldn’t count as “explicit consent” for data processing.

The problem: This is “bundled consent.” You can’t say “Yes to stock trading” but “No to marketing calls” during signup. Under the DPDP Act, these should ideally be separate checkboxes.

Section 7 — Certain Legitimate Uses ⚠️

The law allows companies to process data without a fresh “I Agree” button for specific things like “voluntary provision” (you gave it to them) or legal requirements.

What the policy says: They claim to process data for “Marketing and Business Development” as part of their “lawful basis.”

What the law requires: Legitimate Use is very narrow. It’s for things like medical emergencies, disasters, or legal duties.

The problem: Using “Legitimate Use” to cover marketing is a stretch. If they want to use your trading history to sell you an insurance policy, they really should be asking for your specific consent first.

Section 8 — Obligations of Data Fiduciary ✅

This is where Angel One shines. They take security very seriously.

What the policy says: “Our information security management practices are aligned with the ISO/IEC 27001 standard… we have adopted a Zero Trust security model.”

What the law requires: The company must take reasonable security safeguards to prevent data breaches.

The problem: None here. They are following high industry standards, which is a great benchmark for any small business owner wondering “how much security is enough?”

Section 9 — Data Retention 🔴

This is a tricky spot for fintech companies because they are caught between two different laws.

What the policy says: “We will retain your Personal Data only for as long as necessary… primarily dictated by Regulatory Mandates (SEBI, PMLA).”

What the law requires: Data must be deleted once the purpose is fulfilled, unless a law says otherwise.

The problem: While they mention SEBI rules, they don’t give you a clear “shelf life” for your data. If you close your account, does your data vanish in 5 years or 10? The policy stays vague with “as long as necessary,” which doesn’t give the user much peace of mind.

Section 11 — Rights of Data Principal ⚠️

The DPDP Act gives you “superpowers” over your data, like the right to correct it or delete it.

What the policy says: They acknowledge you can withdraw consent and access your data.

What the law requires: You also have the Right to Nominate. This means you can pick someone to manage your data rights if you pass away or become unable to do it yourself.

The problem: Angel One doesn’t mention the Right to Nominate in this policy. In a financial context, this is a huge deal.

Section 12 — Right of Grievance Redressal ⚠️

If you’re unhappy with how your data is handled, you need a clear path to complain.

What the policy says: They mention a grievance process and the ability to reach out for support.

What the law requires: You must be able to complain to the company first, and if they don’t fix it, you have the right to go to the Data Protection Board of India.

The problem: The policy doesn’t explicitly name the Data Protection Board as the final escalation point, which is a requirement under the new law.

Section 16 — Cross-Border Data Transfer ⚠️

What the policy says: They mention sharing data with “Cloud Computing” and “Third-Party Service Providers” but don’t specify where those servers are.

What the law requires: Data can only be sent to countries that the Indian government hasn’t “blacklisted” (restricted).

The problem: For a small business owner, the lesson here is: know where your servers are. If your data is in a “restricted” country, you’re in trouble. Angel One’s policy is a bit too “hazy” on the geography.

Risk Assessment

Category             Risk Level   Potential Impact
Regulatory Fine      Medium       Fines for bundled consent can reach ₹200 Cr+
Consent Validity     High         “Browse-wrap” consent (agreeing by using) is legally weak
Data Retention       Medium       Conflict between SEBI rules and DPDP deletion rules
Nomination Rights    Low          Missing a specific DPDP right (Section 14)

Recommendations

  1. Unbundle your checkboxes. Don’t make “Marketing” a requirement for “Account Opening.” Give your users a choice.
  2. Add a ‘Data Nominee’ field. Just like a bank nominee, let users pick a digital nominee. It’s a DPDP requirement!
  3. Be specific about ‘The End’. Tell users exactly how many years after account closure their data is wiped (e.g., “8 years as per PMLA”).
  4. Mention the Data Protection Board. Give people the full address of where they can take their complaints if you don’t solve them.
