Privacy Policy
This Privacy Policy explains how Nucleus AAR Advisors LLP (the Investment Manager to Soonicorn Angel Trust-I) collects, uses, shares, and protects personal data in connection with the Soonicorn Ventures investor platform at deals.soonicornventures.com and this marketing website (together, the "Platform").
We process personal data in line with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and applicable rules thereunder.
Draft pending counsel review. This Privacy Policy is being finalised with our legal counsel ahead of public launch. We expect minor edits before go-live.
1. Who we are (Data Fiduciary)
For the purposes of the DPDP Act, the Data Fiduciary is Nucleus AAR Advisors LLP, the Investment Manager to Soonicorn Angel Trust-I (a SEBI-registered Category I AIF — Angel Fund, Reg. No. IN/AIF1/23-24/1338). All references to "we", "our", or "us" in this policy mean the Data Fiduciary unless stated otherwise.
2. What data we collect
| Category | Examples |
|---|---|
| Identity & KYC | Name, date of birth, PAN, Aadhaar (masked), passport, photograph, signature, address, occupation, source of funds, net-worth declarations. |
| Contact | Email, mobile number, postal address. |
| Investor profile | Sectors of interest, ticket-size range, accredited-investor declarations, investment history. |
| Financial | Bank account details for drawdowns and distributions, transaction history on the Platform, tax residency. |
| Platform usage | Account IDs, log-in events, IP address, device and browser metadata, audit-log entries, communication records (email, WhatsApp), pitch-call attendance and Q&A. |
| Founder data (if you are a founder) | Company details, cap table, founder profiles, pitch deck, financials, deal documents. |
3. Why we collect it
- Onboarding & KYC — to verify your identity and eligibility under SEBI AIF regulations.
- Deal flow & matching — to surface deals matched to your stated preferences.
- Transaction execution — to issue agreements, drawdown notices, statements, and unit certificates.
- Regulatory compliance — to maintain audit trails required for SEBI, the Income-tax Department, and the FIU-IND.
- Communication — to send transactional emails and WhatsApp messages relating to your account, commitments, drawdowns, and pitch calls.
- Platform improvement — to operate, secure, and improve the Platform.
- Fraud prevention & security — to detect misuse and protect investors and founders.
4. Legal basis for processing
We process personal data on one or more of the following bases:
- Your consent, given at sign-up and at material consent moments (e.g., commitment, KYC upload).
- Performance of a contract to which you are a party (the Contribution Agreement).
- Compliance with a legal obligation applicable to us, including SEBI AIF Regulations 2012, PMLA, Income-tax Act, and the DPDP Act.
- Our legitimate interests in operating, securing, and improving the Platform, balanced against your rights.
6. How long we keep it
We retain personal data for as long as your account is active, plus the longer of:
- seven (7) years after the closure of the Fund or your last commitment (whichever is later) — to comply with SEBI, Income-tax, and PMLA record-keeping requirements;
- any longer period required by an order of a court, tribunal, or regulator.
After this period, we will erase or anonymise your data unless retention is required by law.
7. How we secure it
- Row-level security (RLS) on every database table — access is gated by your authenticated identity, not by client code.
- Encryption of data in transit (TLS 1.2+) and at rest (database and object-storage native encryption).
- Private storage buckets with short-lived signed URLs for sensitive documents (CKYC, agreements, drawdowns).
- Strict environment-variable secrets management; no hardcoded credentials in client code.
- Multi-factor authentication on administrative accounts.
- Comprehensive audit logging — every state change on commitments, agreements, drawdowns, and certificates is recorded with user ID, timestamp, IP, and user-agent.
Despite these safeguards, no system is impenetrable. If we suffer a personal-data breach, we will notify the Data Protection Board and you in line with the DPDP Act.
8. Your rights
Under the DPDP Act, you have the right to:
- Access a summary of personal data we hold about you.
- Correct or update inaccurate or incomplete data.
- Erase data that is no longer needed for the purpose for which it was collected, subject to our legal retention obligations.
- Withdraw consent at any time — note that some processing (e.g., audit log) is mandated by law and continues regardless.
- Nominate another person to exercise your rights in case of death or incapacity.
- Lodge a grievance with our Grievance Officer (see Section 13) and, if unresolved, with the Data Protection Board of India.
10. Cross-border transfers
Your data is primarily stored in India (Mumbai region). Some processors (e.g., email and SMS gateways) may operate from other jurisdictions. We rely on contractual safeguards and applicable law to ensure your data continues to be protected when transferred outside India.
11. Children
The Platform is not intended for, and we do not knowingly process personal data of, anyone under 18. If we learn that we have collected such data, we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified to you by email or in-platform notice at least 14 days before they take effect, except where a shorter notice period is required by law.
13. Contact & grievance
Data Protection & Grievance Officer: Neha Rathore, Soonicorn Angel Trust-I.
Email: neha@soonicornventures.com
Investment Manager (legal correspondence): legal@soonicornventures.com
For unresolved grievances, see the Grievance redressal page or escalate to SEBI's SCORES portal.