Zerodha data deletion request: what can and cannot be erased
A Zerodha data deletion request is a request by a client to have the broker erase the personal data it holds, and Zerodha’s stated answer is that it cannot permanently delete client data on request. The constraint is regulatory, not a matter of Zerodha’s preference. SEBI requires a stockbroker to maintain records of all client documents for at least 8 years, so the KYC, ledger and trade records that make up most of what a broker holds about you sit under a legal retention duty that an erasure request cannot override. The Digital Personal Data Protection Act 2023 gives a right to erasure, but that right yields to a retention obligation imposed by any other law in force.
This entry sets out the two regimes that collide on this question and how they resolve. On one side is the SEBI record-retention framework and the Prevention of Money Laundering Act 2002 , which make a broker keep client records for years after the relationship ends. On the other is the DPDP Act 2023, which gives a data principal a right to ask a data fiduciary to erase personal data. The practical reconciliation is partial erasure: the broker deletes what it lawfully can while preserving everything a statute requires it to keep. The article covers what Zerodha can delete, what it cannot, how the 8-year floor works, the distinction between deletion and account closure, and how to escalate if data is genuinely mishandled.
Conflict-of-interest disclosure. This article is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this article does not carry it and earns no referral commission.
Zerodha’s stated position
Zerodha’s own support documentation is direct: it cannot permanently delete client data on request, because client documents and logs are retained for audit and review. The page grounds this in SEBI’s requirement that brokers maintain records of all client documents for at least 8 years, and links the Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations 2018 as the regulatory basis. So the first thing to understand is that the answer is not a customer-service brush-off; it reflects a legal duty the broker owes the regulator, not the client.
That duty does not evaporate when you stop trading or close the account. The retention clock runs from the relevant transaction or account event, not from the day you ask for deletion, so records created during the life of the account stay under the retention obligation for the full period afterwards. A client who closes a Zerodha account and asks for a clean wipe will find the account inactive but the records preserved.
The SEBI retention duty and the 8-year floor
Stockbrokers in India operate under a record-keeping regime that predates any general data-protection law. SEBI’s regulations and circulars require a broker to maintain books of account, client registration documents, KYC records, order and trade logs, contract notes, and the client ledger, and to make them available for inspection. The headline figure Zerodha cites is at least 8 years for client documents. The point of the duty is evidentiary: if a trade is disputed, an account is questioned, or SEBI inspects the broker, the records must exist to reconstruct what happened.
A second statute reinforces this. Section 12 of the PMLA 2002 requires a reporting entity, which includes a stockbroker and a depository participant , to maintain records of transactions and of client identity for a prescribed period after the business relationship ends. The KYC documents a broker collects at account opening , PAN, address proof, the FATCA declaration, bank verification, fall under this duty as well as SEBI’s. Two separate legal regimes, securities regulation and anti-money-laundering law, both bar the broker from deleting the same core records, which is why a request to erase them cannot succeed.
The DPDP Act erasure right and its limit
The DPDP Act 2023 gives an individual real rights over personal data, and erasure is one of them. Section 12(3) lets a data principal request the erasure of personal data the data fiduciary processed on the basis of the principal’s consent. On its own, that reads like a delete-on-demand right. It is not, because the same provision carves out an exception: the fiduciary need not erase where retention of the data is necessary for the specified purpose or for compliance with any law for the time being in force.
That exception is the hinge. SEBI’s record-retention rules and the PMLA are laws for the time being in force, and they make retention of broking records necessary for legal compliance. So when the DPDP erasure right meets the SEBI retention duty, the retention duty wins for every record a statute requires the broker to keep. The DPDP Act follows a storage-limitation logic rather than a free-standing right to demand deletion of anything at any time: a fiduciary is expected to erase personal data once the purpose it was collected for is served and no legal obligation requires keeping it, but not before. For a broker, the purpose is not served and the obligation is live for the whole 8-year retention window.
The DPDP Rules 2025 set out the procedure for exercising these rights, including erasure, under the rights-of-data-principals provisions. The mechanism exists; the substantive limit is what determines the outcome.
What can and cannot be deleted
The reconciliation between the two regimes is partial erasure: delete what can be deleted, retain only what the law requires. Mapping that onto a Zerodha account:
Data that can be acted on includes preferences and non-statutory items not tied to a retention obligation, for example marketing-communication consent. The DPDP Act gives you a clear right to withdraw consent and to stop unsolicited marketing, and that is separate from the trade-record question; for the marketing side specifically, see how to stop stock-tip SMS from Zerodha and the consent-withdrawal route.
Data that cannot be deleted is the regulated core: KYC documents, the client ledger, contract notes, order and trade logs, and the account-opening file, each held under the SEBI and PMLA retention duties. Layered on top, deletion is barred entirely while any SEBI enforcement action, dispute or investigation involving the account is live, because the records are then evidence. Even after the relationship ends and the account is closed, these stay for the retention period and are deleted only when that period expires, not when the client asks.
This table sets out the split.
| Category | Example | Deletable on request? | Why |
|---|---|---|---|
| Marketing preferences | SMS and email marketing consent | Yes, via consent withdrawal | Not tied to a statutory retention duty |
| KYC documents | PAN, address proof, FATCA declaration | No | SEBI and PMLA retention duties |
| Trade and ledger records | Contract notes, order logs, client ledger | No | SEBI record-keeping rules, at least 8 years |
| Records in active dispute or investigation | Anything relevant to a live SEBI action | No | Evidence; deletion barred while action is live |
| Time-expired records | Documents past the retention window | Deleted by the broker | Storage-limitation logic; erased once duty ends |
Deletion is not account closure
A frequent confusion is to treat asking for data deletion as the way to leave the broker. They are different actions. Closing a Zerodha account stops trading, ends the demat relationship and halts annual maintenance charges ; it does not erase the records, which remain under the retention duty. Data deletion, where it is possible at all, is the separate exercise of a DPDP right over specific non-statutory data. A client who wants to stop using Zerodha should follow how to close a Zerodha account ; a client who specifically wants marketing data or consent acted on should make a DPDP consent-withdrawal or erasure request and accept that the regulated records stay.
How to make the request and escalate
To raise a deletion or consent-withdrawal request, use the broker’s grievance and support channel: raise a ticket describing exactly what you want acted on, separating the marketing or non-statutory items, which can be addressed, from the regulated records, which cannot. Zerodha is a data fiduciary under the DPDP Act, so it must respond to a valid erasure or consent request through the procedure the DPDP Rules 2025 prescribe, and act on the part it lawfully can.
If you believe data has been mishandled rather than merely retained, deletion of records that were not required to be kept, sharing beyond the permitted entities, or a failure to respond to a valid DPDP request, the escalation path runs through the broker’s grievance officer, then SEBI’s SCORES platform for securities-market grievances, and, once the Data Protection Board of India is operational under the DPDP Act, a complaint to the Board for a data-protection breach. The distinction to hold onto is between lawful retention, which is not a grievance, and actual mishandling, which is.
See also
- Zerodha
- Zerodha account data collection
- Zerodha regtech and data privacy
- Digital Personal Data Protection Act 2023
- Data principal
- Data fiduciary
- Prevention of Money Laundering Act 2002
- SEBI
- Know your customer
- KYC Registration Agency
- Central KYC Records Registry
- FATCA
- Depository participant
- CDSL
- How to close a Zerodha account
- Zerodha account closure charges
- How to stop stock-tip SMS from Zerodha
- How to revoke connected apps on Kite
- Zerodha grievance redressal
- Zerodha SCORES
- Zerodha cyber security
- Permanent account number
- Demat account
- Trading account
- Zerodha Console
External references
- Zerodha support: Can Zerodha delete client data on request?
- Digital Personal Data Protection Act 2023, full text (MeitY)
- DPDP Act 2023, Section 12 (rights of data principal)
- SEBI: legal framework and record-keeping regulations
- Prevention of Money Laundering Act 2002 (India Code)
References
- Zerodha support, Can Zerodha delete client data on request? citing SEBI’s requirement to maintain records of all client documents for at least 8 years and the SECC Regulations 2018 (as of 20 June 2026).
- Digital Personal Data Protection Act 2023, Section 12(3), right to erasure and the exception where retention is necessary for compliance with any law in force.
- Digital Personal Data Protection Rules 2025, rights of data principals (procedure for erasure and correction requests).
- SEBI (Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations 2018) and SEBI record-keeping circulars on broker document retention.
- Prevention of Money Laundering Act 2002, Section 12 (record maintenance by reporting entities, including stockbrokers and depository participants).
WebNotes Editorial Team prepares factual reference entries based on publicly available regulatory documents and broker disclosures. WebNotes is not affiliated with Zerodha Broking Limited. Data-protection law and retention rules are subject to change; verify current requirements at support.zerodha.com and with the primary statutes before acting.