
What details Zerodha collects when you open an account, and why

From WebNotes, a public knowledge base. Reading time ~14 min.

The data Zerodha collects when you open an account is the standard regulatory dataset that every SEBI-registered stockbroker and depository participant must gather under India’s know your customer norms, the Prevention of Money Laundering Act 2002, and the SEBI KYC Registration Agency Regulations 2011. It runs from PAN and Aadhaar through bank details, income, occupation, trading experience, a FATCA or CRS tax declaration, and a politically-exposed-person status flag, each tied to a specific rule rather than collected at the broker’s discretion.

This matters because the account-opening form can read like an intrusive questionnaire. A retail investor opening a Zerodha account is asked for marital status, educational qualifications and political exposure before placing a single trade. None of it is Zerodha’s invention. Every field maps to a SEBI circular, a PMLA obligation, an inter-government tax agreement, or a depository requirement, and the broker is the data fiduciary that collects, stores and shares it within limits the regulator sets.

This article walks through each data point Zerodha collects, states the legal basis for it, explains how the data is stored and who it is shared with, and sets out the obligations Zerodha and the depository carry once they hold it. It closes on the investor’s rights over that data. For the closely related question of which physical and digital documents you must produce, see the companion entry on the documents required for a Zerodha account.

The regulatory frame: why a broker collects what it collects

A stockbroker is not free to decide what to ask. SEBI mandates a uniform KYC procedure across the securities market, so the same identity, address, financial and compliance fields are captured whether an investor opens an account with Zerodha, Upstox, Groww or ICICI Direct. The uniformity is deliberate: it lets a single KYC record, once verified, be reused across intermediaries rather than recreated each time.

Three legal pillars define the dataset. The first is the SEBI KYC framework, which sets the core proof-of-identity, proof-of-address and financial-detail requirements. The second is the Prevention of Money Laundering Act 2002, which adds client due diligence, the beneficial-owner and politically-exposed-person checks, and a record-retention rule. The third is the SEBI KRA Regulations 2011, which created the KYC Registration Agencies that hold the central KYC record and share it across the market.

Two further regimes attach to specific fields. The Foreign Account Tax Compliance Act, an American law operating in India through an inter-government agreement, and the OECD Common Reporting Standard, drive the tax-residency declaration. The Depositories Act 1996 and the rules of CDSL, the depository Zerodha uses, govern the holding-side data and how it moves for settlements and corporate actions. Each field below is grounded in one or more of these.

Identity and contact data

Mobile number and email

The first items captured are the mobile number and email address, each verified through a one-time password. Zerodha states these let it, the exchanges and the depositories convey important information to the account holder, from margin calls to corporate-action notices. They are not merely a login convenience; regulated communications such as contract notes and consolidated account statements travel to the registered email, so an unverified or shared address creates a compliance gap.

PAN

The permanent account number is the spine of the entire record. Zerodha describes PAN as the sole identification number for all transactions in the securities market, used for online KYC, for fetching existing KYC details, and for opening both the trading and demat accounts. SEBI made PAN the single mandatory identifier so that a person’s holdings and trades across every broker and depository can be linked to one number, which is also what makes the one-PAN rule on multiple accounts enforceable.

PAN does more than name the client. It is the key against which a KYC Registration Agency and the Central KYC Records Registry store and retrieve the record, so a returning investor whose PAN already carries a verified KYC can be onboarded by fetching that record rather than starting fresh.

Aadhaar, address and DigiLocker

Address is captured in one of two ways. If the investor already holds a KYC-registered record, Zerodha fetches the address from the KRA. If not, the address is established through Aadhaar using DigiLocker, the government document wallet, in an electronic KYC flow that pulls a digitally signed identity document straight from the issuing source.

The storage detail here is the one investors most often ask about. Zerodha states that it extracts the address and saves an XML copy of the Aadhaar carrying that address, and that the Aadhaar number itself is not copied or saved anywhere else. The distinction follows UIDAI rules on Aadhaar data minimisation: the broker keeps what it needs to evidence the address, not the raw Aadhaar number that would expose the holder to misuse.

Photograph, signature and video verification

A photograph and a specimen signature are collected as authentication anchors. The signature is cross-referenced against later request forms to confirm that an instruction genuinely comes from the account holder. A short video in-person verification records the applicant on camera with a time stamp, IP address and location, confirming that the person signing up is the same person opening the account. This is the modern, remote form of the in-person verification that SEBI’s KRA guidelines have required since 2011, now delivered as video KYC rather than a physical meeting.

Financial and bank data

Bank account details

Zerodha collects the bank account number, the Indian Financial System Code and the Magnetic Ink Character Recognition code. The stated purpose is secure fund transfer: money moves only between the trading account and this verified bank account, which closes off a common fraud route. Verification confirms the account belongs to the client before it is linked.

The bank data also leaves the broker for a defined reason. Zerodha states these details are shared with the depositories so that payouts for corporate actions, such as dividends, are credited accurately. The dividend on a share sits with the registrar and flows through the depository to the holder’s bank, so the depository needs the same verified bank line the broker captured.

Income range and income proof

Every applicant declares an income range. This is a SEBI KYC field used for suitability and risk assessment, and it is the trigger for periodic re-KYC prompts when a record goes stale. For equity-only investors, the declared range is enough and no document is uploaded.

Documentary income proof is a separate, narrower requirement. Zerodha collects it to confirm the financial capacity of clients who want to trade in derivatives, where leverage can magnify losses well beyond the sum invested. It is a protective gate: the proof, typically a bank statement, salary slip or income tax return, evidences that the client can bear derivative risk before the futures-and-options segment is enabled.

Compliance and risk-profile data

Occupation, trading experience and background

A cluster of background fields (name, date of birth, educational qualifications, occupation, residential status, trading experience, income details and marital status) is collected together. Zerodha states the purpose is regulatory compliance and risk assessment. Occupation feeds money-laundering risk profiling, since some occupations carry higher scrutiny. Trading experience informs suitability, particularly for the derivatives segment. Residential status separates resident accounts from the NRI route, which carries different documentation and tax treatment.

FATCA and CRS declaration

The tax-residency declaration is mandatory. Under the FATCA framework and the OECD Common Reporting Standard, every applicant confirms whether they are a tax resident of any country other than India. A resident Indian declares India alone. A person with foreign tax residency must supply the country and a tax identification number, which India then exchanges with that country’s tax authority under the relevant inter-government agreement. For a foreign national or an Overseas Citizen of India opening an account in India, the TIN entry in the FATCA declaration is compulsory. The declaration sits in the KYC flow after the profile and bank details are confirmed.

Politically-exposed-person status

The applicant declares whether they are a politically exposed person, or a close relative or associate of one. This question comes directly from the PMLA 2002 and its rules, which require enhanced due diligence for PEP relationships because of the heightened corruption and money-laundering risk they carry. Declaring the status does not block the account; it lets the broker apply the extra scrutiny and senior-management sign-off the law prescribes. A false declaration, by contrast, is a compliance breach.

Nominee

Nominee details (the name, mobile number and email of the nominee) are collected so the authorised nominee can be verified and can act during claims settlement on the account holder’s death. SEBI requires every account holder either to appoint a nominee or to record an explicit opt-out, so the nominee field is functionally compulsory in the sense that it cannot be left blank and ignored. It is the demat-account counterpart to nomination on a bank account, and it matters most for joint and individual holders planning for transmission.

How the data is stored and shared

Upload to the KRA and CKYCR

Once collected and verified, the KYC record does not stay only with Zerodha. Under the SEBI KRA Regulations 2011, the broker uploads the proof of identity, proof of address, PAN, the KYC form and supporting documents to a SEBI-registered KYC Registration Agency. The KRA centralises the record so that any other regulated intermediary the client later approaches can fetch it rather than re-collect it. The responsibility for actually verifying the documents stays with the intermediary, Zerodha, not the KRA.

A second layer is the Central KYC Records Registry, the cross-sector repository operated under the PMLA rules. SEBI requires KRAs to upload KYC information to the CKYCR, which assigns a CKYC identifier. The effect is that a verified securities-market KYC can be recognised across banking, insurance and other financial sectors, reducing repeat paperwork. When a client who already holds a CKYCR identifier opens an account, the broker downloads the existing data and validates it rather than capturing everything afresh.

Sharing with the depository

The holding side of the record moves to the depository. Zerodha is a depository participant of CDSL, so the demat-account data and the verified bank line flow to CDSL, which maintains the beneficial-owner records and routes corporate-action payouts. This sharing is functional and bounded: the depository receives what it needs to hold securities and settle dividends, interest and bonus issues, not the entire risk-profiling dataset.

Retention

Records are not held indefinitely at the broker’s whim, nor discarded at will. Section 12 of the PMLA 2002 requires a reporting entity, which includes a stockbroker and a depository participant, to maintain records of transactions and of client identity for at least five years. The retention clock and the data-minimisation practice, such as not storing the raw Aadhaar number, sit side by side: the law sets a floor on how long records are kept and the UIDAI and SEBI rules set limits on what is kept.

Data-protection obligations and the client’s rights

Zerodha operates as a data fiduciary over this dataset, bound by SEBI’s intermediary obligations, the PMLA’s confidentiality and security requirements, CDSL’s depository participant rules, and India’s general data-protection law. In practice this means the data may be used only for the purposes for which it was collected (KYC, compliance, settlement and statutory reporting) and shared only with the entities the rules name: the KRA, the CKYCR, the depository, the exchanges and the relevant authorities.

The client retains rights over the record. An investor can view the KYC details held against their PAN, can correct or update fields such as address, income range, occupation, marital status or PEP status through a re-KYC or KYC modification flow, and any update Zerodha makes is disseminated by the KRA to every other intermediary that uses that record. The investor can also raise a grievance through the broker, the depository or SEBI’s grievance escalation matrix if data is mishandled. The right to be informed sits behind the whole structure: the account-opening flow discloses what is collected and why, which is why the FATCA, PEP and nominee declarations are presented as explicit consented steps rather than buried defaults.


Frequently asked questions

Why does Zerodha ask for my income when opening an account?
SEBI KYC norms require an income range so the broker can assess suitability and risk. Documentary income proof is needed only to trade in derivatives, where it confirms the financial capacity to take on leverage. Equity-only investors declare a range without uploading proof.

Does Zerodha store my Aadhaar number?
No. When Aadhaar is used through DigiLocker, Zerodha extracts the address and saves an XML copy that carries the address. The Aadhaar number itself is not copied or saved anywhere else, so the full number does not sit in Zerodha’s records.

What is the FATCA declaration during Zerodha account opening?
FATCA and CRS are tax-residency declarations. You confirm whether you are a tax resident of any country other than India. Resident Indians declare India alone; persons with foreign tax residency must give the country and a tax identification number, which is reported under inter-government tax agreements.

Why does Zerodha ask whether I am a politically exposed person?
The PEP question comes from the Prevention of Money Laundering Act 2002. A politically exposed person, or a close relative or associate, attracts enhanced due diligence. Declaring the status lets the broker apply the extra scrutiny the law requires without blocking the account.

Who can see the KYC data I give Zerodha?
Your KYC record is uploaded to a SEBI-registered KYC Registration Agency and the Central KYC Records Registry, so other regulated intermediaries can fetch it for your future account openings. Bank and holding data is shared with the depository, CDSL, to settle payouts and corporate actions.

Can I refuse to share some of these details with Zerodha?
Identity, address, PAN, bank and the compliance declarations are mandatory under SEBI and PMLA rules; an account cannot be opened without them. Optional items include the nominee, which you may instead opt out of, and income proof, which is needed only for derivatives.

Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.