Privacy is an absolute non-negotiable when it comes to money. In this post we lay out our honest and transparent approach to privacy. There’ll be parts you like, parts you don’t agree with, and parts we could’ve missed. In any case, we are open for dialogue towards anything that can make Fold better and trustworthy for everyone.
Privacy by law
We are part of a regulated and self-policing ecosystem that ensures data safety and protects against data misuse.
- Fold is a certified Financial Information User in the Account Aggregator ecosystem and adhere to technical specifications prescribed by ReBIT, an undertaking of the Reserve Bank of India.
- Finvu and CAMSFinserv, both RBI-regulated Account Aggregators, are our partners to ensure that we access your data through a secure and encrypted process.
- Fold is regulated by SEBI and is a registered Investment Adviser (SEBI Registration Number:INA000018072).
- We are a member of Sahamati, an industry alliance coordinating and promoting the Account Aggregator ecosystem in India.
- We are ISO 27001 certified, a widely recognised standard for information security.
- We are in the process of obtaining PCI DSS and SOC2 compliance certificates before going out of beta in 2024.
- We work with third parties that are regulated and adhere to industry-standard compliance and auditing practices.
Privacy by design
We take the following measures in designing our databases:
- Our database is encrypted using AES 256-bit encryption at rest and we limit access to the database to only authorised Fold services.
- We encrypt data in transit using TLS/HTTPS protocol when accessed by our clients (iOS/Android/Web app).
- Our infrastructure is built on top of Amazon Web Services, which has more than 96 industry security certifications, including ISO 27001, PCI DSS, and SOC3.
- All data is stored only in AWS data centres in India.
- We have a database backup retention policy of 3 days with encrypted backups.
- Transactions are processed only to provide financial insights and automatic categorisation.
- Fold doesn’t read your emails or messages in any case or scenario. All your financial data is securely fetched through an RBI Licensed Account Aggregator.
Building a bulletproof system from the outset is hard work–more so for a small team like ours–but it’s not impossible. Some of our most delightful features, the ones we love and you’re going to love the most depend on processing certain data, we promise to be transparent about it, and about our privacy practices. Our Privacy Policy can be read here.
We hope this post helps Fold in securing your confidence, and if you were on the fence, you give Fold a shot. We want to make better financial products for India, we are homegrown and proud and we won’t be able to do it without your trust and help. We are available at [email protected].
Update: Feb 29, 2024
After the launch, we received a flood of requests for credit card integration. Our initial assumption, that credit cards are secondary to bank accounts and only a fringe population uses them regularly, proved to be wrong. After much delay, deliberation, and tweaking, we shipped credit card integration to Fold on January 19, 2024. The way we help you track credit cards, and the only reliable and real-time method on earth to do so, is through emails. This approach is necessary as credit card data is not yet live on the Account Aggregator (AA) framework—the system we utilize for fetching all your financial data. We have taken every necessary measure and are including additional privacy-related features (like manual email forwarding to a Fold email address) as we iterate and polish. For a breakdown of our process, check out this blog post. In summary, your emails are fetched and processed on the device, and only transaction-related data is sent to our servers for enrichment.