
Zerodha regtech and data privacy: who processes your KYC data

From WebNotes, a public knowledge base.

Zerodha regtech and data privacy describes how, when you open and run a Zerodha account, your personal and financial data is processed not only by the broker but by a chain of regulatory-technology vendors: KYC Registration Agencies, the Central KYC Records Registry operated by CERSAI, the depository CDSL, registrar and transfer agents such as CAMS and KFin Technologies, the Aadhaar e-sign provider Digio, and a penny-drop bank-verification service. Each holds a defined slice of your data for a defined regulatory purpose, under SEBI rules, the Prevention of Money Laundering Act 2002, the Depositories Act 1996, and now the Digital Personal Data Protection Act 2023.

This article maps that chain. The point is that “your data at Zerodha” is not held in one place by one company; account opening and operation route it through a regtech stack, each layer of which is a separate processor with its own holding, its own legal basis, and its own retention. Knowing which vendor holds what, and why, is the precondition for exercising any data-protection right meaningfully, because a right exercised against the wrong holder achieves nothing. The article covers each processor in turn, what it holds, the rule that authorises the sharing, how Aadhaar is minimised, and the rights a data principal has under the DPDP Act 2023 against this distributed structure.

Conflict-of-interest disclosure. This article is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this article does not carry it and earns no referral commission.

The regtech stack at a glance

Opening a Zerodha account online is not a single transaction with a single company. It is a sequence of handoffs to specialised intermediaries, each performing one regulated function. Zerodha’s privacy policy states that the broker tries to build most products in-house and that third parties access information on a need-to-know basis, restricted to the purpose for which it is shared. The policy also names the categories that may receive data for legal and regulatory compliance: the RBI, SEBI, the exchanges, depositories, registrar and transfer agents, KRAs, asset management companies, collecting banks and other financial intermediaries. The table below sets out the principal processors and what each holds.

| Processor | What it holds | Legal basis | Retention driver |
|---|---|---|---|
| KYC Registration Agency | Proof of identity, proof of address, PAN, the KYC form and supporting documents | SEBI KRA Regulations 2011 | SEBI KYC record-keeping |
| Central KYC Records Registry (CERSAI) | The cross-sector KYC record under a 14-digit CKYC identifier | PMLA 2002 and CKYC rules | PMLA retention |
| Depository (CDSL) | Beneficial-owner record, holdings, verified bank line for payouts | Depositories Act 1996 | Depository record rules |
| RTAs (CAMS, KFintech) | Mutual fund folio and transaction data tied to your PAN | SEBI RTA regulations | SEBI and AMC record rules |
| E-sign provider (Digio) | Aadhaar, used to digitally sign the account-opening form | IT Act e-sign and UIDAI rules | e-sign audit trail |
| Penny-drop service | Bank account number, IFSC, and the returned holder name | SEBI bank-verification practice | KYC record |

Each row is a separate data flow with its own purpose limitation. The KRA does not get your bank line; the penny-drop service does not get your trade history; Digio gets your Aadhaar only for the signing step.

KRA and CKYC: the shared KYC registries

The single most consequential fact about KYC data is that it does not stay with the broker who collected it. Under the SEBI KRA Regulations 2011, when Zerodha verifies your KYC it uploads proof of identity, proof of address, PAN, and the KYC form with supporting documents to a SEBI-registered KYC Registration Agency. The KRA centralises the record so that any other regulated intermediary you later approach can fetch it rather than re-collect it. Responsibility for actually verifying the documents stays with the intermediary, Zerodha, not the KRA; the KRA is the repository.

A second registry sits above this. The Central KYC Records Registry, operated by CERSAI under PMLA rules, holds a cross-sector KYC record keyed to a 14-digit CKYC identifier. SEBI requires KRAs to upload KYC information to the CKYCR, and your permanent account number is the key that fetches the existing record. The effect is that a KYC once verified for securities-market purposes can be recognised across banking, insurance and other financial sectors, which is why a returning investor with a CKYC identifier is onboarded by downloading the existing data rather than starting fresh.

The privacy trade-off is structural. The same design that spares you repeat paperwork also means your KYC record sits in shared registries, accessible to any regulated intermediary you later onboard with, not only to the one broker you chose. The zerodha-kra entry and the broader KRA ecosystem cover how this fetch-and-reuse mechanism works in practice.

CDSL: the depository layer

Securities you hold are recorded not by Zerodha but by the depository, CDSL in Zerodha’s case, which maintains the beneficial-owner record under a BO ID. CDSL holds your holdings, your verified bank line, and the data needed to route corporate-action payouts, dividends, interest and bonus issues, to the right account. This sharing is bounded by function: the depository receives what it needs to hold securities and settle entitlements, not the risk-profiling dataset the broker collected for suitability. The Depositories Act 1996 and CDSL’s operating rules govern what the depository may hold and how it must protect it.

RTAs: CAMS and KFintech

If you hold mutual funds through Zerodha Coin, a third processor enters: the registrar and transfer agent. CAMS (Computer Age Management Services) and KFin Technologies are the two dominant RTAs, and between them they service the folios of most Indian fund houses. The RTA holds your folio data and transaction history tied to your PAN, processes purchases and redemptions, and produces the consolidated account statement and capital-gains statement. Your data reaches the RTA because the fund house, not the broker, maintains the unit holder record, and the RTA is the fund house’s processor. The how to check KYC status at CAMS and KFin entry covers querying the RTA directly.

Digio e-sign and Aadhaar minimisation

The account-opening form has to be signed, and online it is signed with Aadhaar e-sign through Digio (Digiotech Solutions Pvt Ltd). During the online flow your Aadhaar is shared with Digio for the single purpose of digitally signing the form. This is where the Aadhaar-minimisation question is sharpest, and Zerodha’s privacy policy is explicit: it does not store Aadhaar numbers or any biometric information, and where Aadhaar authentication is required for KYC it is carried out via licensed entities in compliance with UIDAI guidelines and with the user’s informed consent. Where address is captured through DigiLocker, the broker extracts and stores only the address from the digitally signed document, not the raw Aadhaar number. The design intent is to keep the evidence the broker needs, the address and the signed form, without retaining the Aadhaar number that would expose the holder to misuse. The eSign entry covers the Aadhaar e-sign mechanism in detail.

Penny-drop bank verification

Before your bank account is linked, Zerodha verifies it with a penny drop. Using IMPS, the broker transfers a few paise to the account number and IFSC you supplied; the transaction returns the account holder’s name as recorded by the bank, which is matched against your KYC record. If the name matches, the account is confirmed to belong to you and is linked. The data held here is narrow, only the bank account number, the IFSC and the returned holder name, and the purpose is fraud prevention: it closes off the route of linking a bank account that is not yours. Zerodha’s penny-drop verification and penny-drop refund entries cover the mechanics and the paise refund.

Four legal regimes govern this distributed processing, and each binds a different part of the stack. SEBI’s KRA Regulations 2011 authorise and require the KRA upload and reuse. The PMLA 2002 drives the CKYC registry and sets retention duties on the broker, the depository participant and the registry. The Depositories Act 1996 and CDSL’s rules govern the depository layer. Over all of them now sits the DPDP Act 2023, which treats Zerodha as a data fiduciary and each processor as either a fiduciary or a data processor with its own obligations of purpose limitation, security and accountability. The older sectoral rules set what must be collected and shared and for how long; the DPDP Act sets the baseline duties on how it must be handled and the rights you hold over it.

Your rights over the distributed record

Under the DPDP Act 2023 a data principal has rights of access, correction and erasure over personal data, exercisable through the data fiduciary. In this structure that means you can ask to see the KYC details held against your PAN, correct fields that have changed, such as address, income range, occupation or marital status, and request erasure of data not bound by a retention duty. A correction matters across the chain: because the KRA record is the shared source, an update Zerodha makes is disseminated to the KRA and reaches every other intermediary that uses the record, which is the efficiency of the registry working in your favour.

The limit is the same one that governs any data deletion request to a broker. The erasure right under DPDP Section 12(3) yields where retention is necessary to comply with a law in force, and SEBI’s record-keeping rules, the PMLA, and the depository rules each impose such retention. So the regulated core of your data, KYC documents, the depository record, trade and folio history, stays for its statutory period regardless of an erasure request, while non-statutory data such as marketing preferences can be acted on. If you believe a processor has mishandled data, shared it beyond the permitted entities or failed to act on a valid request, the escalation runs through the broker’s grievance officer, SEBI’s SCORES for securities-market grievances, and the Data Protection Board of India once it is operational under the DPDP Act.

References

  1. Zerodha, Privacy policy, listing recipient categories (RBI, SEBI, exchanges, depositories, RTAs, KRAs, AMCs, collecting banks) and the Aadhaar-minimisation statement (no Aadhaar numbers or biometrics stored) (as of 20 June 2026).
  2. Zerodha, Customer verification at Zerodha, describing Digio e-sign and the penny-drop bank-verification method (as of 20 June 2026).
  3. SEBI (KYC Registration Agency) Regulations 2011, on KRA upload, central record and reuse across intermediaries.
  4. Prevention of Money Laundering Act 2002, Section 12 (record retention by reporting entities) and the CKYC framework operated by CERSAI.
  5. Digital Personal Data Protection Act 2023, on data fiduciary obligations and the rights of access, correction and erasure (Section 12).
  6. Depositories Act 1996 and CDSL operating rules on beneficial-owner records and corporate-action data.

WebNotes Editorial Team prepares factual reference entries based on publicly available regulatory documents and broker disclosures. WebNotes is not affiliated with Zerodha Broking Limited or any vendor named here. Vendor arrangements and privacy practices are subject to change; verify current details at zerodha.com/privacy-policy before relying on them.

Frequently asked questions

Which vendors process my data when I open a Zerodha account?
Your data passes through a KRA, the Central KYC Records Registry at CERSAI, the depository CDSL, registrar and transfer agents like CAMS and KFintech, the e-sign provider Digio, and a penny-drop service that verifies your bank account. Each holds a defined slice for a defined purpose.
Does Zerodha store my Aadhaar number?
Zerodha states it does not store Aadhaar numbers or biometric information. Where Aadhaar authentication is needed for KYC, it is carried out through licensed entities in compliance with UIDAI guidelines and with your consent, and only the address is retained, not the Aadhaar number.
What is a penny drop and why does Zerodha do it?
A penny drop is a bank-account verification where a few paise are transferred via IMPS to your account. The transaction returns the account holder’s name, which is matched against your KYC record to confirm the bank account belongs to you before it is linked.
Who is Digio and why does my Aadhaar go to them?
Digio is Digiotech Solutions Pvt Ltd, the e-sign provider Zerodha uses to digitally sign your account-opening form. Your Aadhaar is shared with Digio for the limited purpose of Aadhaar-based e-sign, under UIDAI rules and with your consent.
Can I exercise data-protection rights against these regtech vendors?
Yes. Under the DPDP Act 2023 you can seek access, correction and erasure of your personal data. The right is exercised through the data fiduciary, and is subject to the statutory retention duties that require KRAs, depositories and brokers to keep regulated records.
Why is my KYC shared across the whole financial system?
SEBI’s KRA framework and the Central KYC Records Registry exist so a verified KYC record can be reused across intermediaries rather than re-collected each time. This reduces repeat paperwork; the trade-off is that your KYC record sits in shared registries, not only with Zerodha.

Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.