Legal & Compliance
Understanding and exercising your rights under GDPR, India's Digital Personal Data Protection Act 2023, and IT Act 2000 — in plain English.
Section 01
Under GDPR and India's DPDP Act 2023, you have the following rights over your personal data. Rights tagged GDPR + DPDP apply under both frameworks; others are framework-specific.
Request a copy of all personal data we hold about you, how we use it, and who we share it with. We respond within 30 days. [GDPR + DPDP]
Request correction of any inaccurate or incomplete personal data we hold about you. We will update records promptly. [GDPR + DPDP]
Request deletion of your personal data ("right to be forgotten") — subject to legal retention requirements under SEBI, RBI, and tax laws. [GDPR + DPDP]
Receive your data in a structured, machine-readable format (JSON or CSV) and transfer it to another service provider. [GDPR]
Object to processing of your data for direct marketing, profiling, or legitimate interest purposes at any time. [GDPR]
Request that we limit how we use your data — for example, while disputing accuracy or pending an objection decision. [GDPR]
Withdraw consent for any data processing based on consent, at any time, without affecting past lawful processing. [GDPR + DPDP]
Under India's DPDP Act 2023, nominate another person to exercise your data rights on your behalf in case of death or incapacity. [DPDP 2023]
Section 02
The Data Controller (the entity that determines how and why your data is processed) for all NovaRock Group services is:
NovaRock Group
Registered Office: Kurukshetra, Haryana, India
Data Protection Officer: Jasvinder Singh
Email: compliance@novarock.co.in
Phone: +91 94683 65162
Individual subsidiaries — NovaRock Advisory, NovaRock Technology, and NovaRock Financial Services — may act as Data Processors under this controller when handling your data to deliver specific services. All subsidiaries operate under the same data protection standards.
Section 03
Full name, email address, phone number, postal address, date of birth, nationality, and government-issued identification (PAN, Aadhaar, Passport — only where legally required for KYC compliance).
Income details, bank account information, investment portfolio details, credit history, loan application data, insurance policy information, and tax identification numbers. This data is processed solely to deliver financial advisory, lending intermediary, or insurance broking services.
IP address, browser type and version, device identifiers, operating system, pages visited, session duration, referral source, and cookie identifiers. Collected automatically when you use our website.
Emails, WhatsApp messages, phone call records, and form submissions sent to NovaRock Group. Retained for service delivery and regulatory compliance purposes.
We do not intentionally collect sensitive personal data (health, biometric, religious, political data) unless specifically required by regulation (e.g., health data for certain insurance products). Where collected, explicit consent is obtained and additional safeguards applied.
Section 04
Under GDPR, every processing activity must have a valid legal basis. Under India's DPDP Act, processing requires either consent or a legitimate use. Here is our legal basis for each processing purpose:
| Purpose | GDPR Legal Basis | DPDP Legal Basis |
|---|---|---|
| Delivering financial advisory services | Contract (Art. 6(1)(b)) | Consent + Legitimate Use |
| KYC / AML compliance | Legal Obligation (Art. 6(1)(c)) | Legal Obligation |
| Marketing communications | Consent (Art. 6(1)(a)) | Consent |
| Website analytics | Legitimate Interest (Art. 6(1)(f)) | Legitimate Use |
| Tax / regulatory reporting | Legal Obligation (Art. 6(1)(c)) | Legal Obligation |
| Fraud prevention & security | Legitimate Interest (Art. 6(1)(f)) | Legitimate Use |
Section 05
Exercising your rights is free and straightforward. Follow these steps:
Email compliance@novarock.co.in with the subject line "Data Rights Request — [Your Name]". Clearly state which right you are exercising and provide a brief description.
We will ask you to verify your identity to prevent unauthorised access to another person's data. This usually requires a government-issued ID and the email address on your account.
We will respond within 30 days for most requests. Complex requests may take up to 3 months — we will inform you within the first 30 days if an extension is needed.
We will either fulfil your request, explain why a legal exemption applies (e.g., SEBI requires 5-year retention), or offer an alternative. All responses are in writing.
If you are not satisfied with our response, you may escalate to our Grievance Officer at grievance@novarock.co.in or file a complaint with the relevant supervisory authority (see Section 11).
⚡ Quick requests: To unsubscribe from marketing emails, click the "Unsubscribe" link at the bottom of any email — no form required. For cookie opt-out, use the consent banner or clear your browser cookies.
Section 06
Cookies are small text files stored on your device when you visit our website. We use the following categories of cookies:
Section 07
We retain personal data only as long as necessary for the purpose it was collected, or as required by law:
| Data Type | Retention Period | Reason |
|---|---|---|
| Investment advisory records | 5 years | SEBI requirement |
| KYC / identity documents | 5 years after relationship ends | PMLA / RBI AML rules |
| Tax preparation records (US/India) | 7 years | IRS & IT Act requirements |
| Website analytics data | 26 months | Google Analytics default |
| Marketing email opt-in records | Until opt-out + 3 years | Evidence of consent |
| Job application data (unsuccessful) | 12 months | Future vacancy consideration |
After retention periods expire, data is securely deleted or irreversibly anonymised. You may request early deletion — we will comply unless a legal retention obligation prevents it, and will inform you of any such constraint.
Section 08
As a financial services group serving NRI clients globally and using cloud infrastructure, some personal data may be transferred outside India. Here is how we protect it:
You may request details of specific transfer safeguards for any processing activity by emailing compliance@novarock.co.in.
Section 09
Our services are intended for individuals aged 18 and above. We do not knowingly collect personal data from children under 18. Under India's DPDP Act 2023, processing of children's personal data requires verifiable parental consent and is prohibited for tracking or behavioural monitoring purposes.
If you believe a child has submitted data to us, contact compliance@novarock.co.in immediately. We will delete the data within 72 hours of confirmation.
Section 10
Under GDPR Article 22, you have the right not to be subject to decisions made solely by automated processing that significantly affect you. At NovaRock Group:
Section 11
If you are unsatisfied with how we have handled your personal data or a rights request, you have the right to escalate:
Grievance Officer: Jasvinder Singh, NovaRock Group
Email: grievance@novarock.co.in
Response time: Within 30 days as required by IT Act 2000
Once India's Data Protection Board is constituted under the DPDP Act 2023, you may file a complaint with it. We will provide updated contact details as soon as the Board is formally established by the Central Government.
EU and EEA residents may contact their national Data Protection Authority (DPA). A full list is available at edpb.europa.eu.
UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.
Section 12
For any questions about this page, your data rights, or our data practices, contact our Data Protection Officer directly:
Data Protection Officer — NovaRock Group
Name: Jasvinder Singh
Email: compliance@novarock.co.in
Phone: +91 94683 65162
Address: Kurukshetra, Haryana, India
Response Time: Within 30 days. Urgent security matters are responded to within 72 hours.
Send us a data rights request — it's free, straightforward, and we respond within 30 days. Or email us directly if you have a question before submitting a formal request.