NRI Marketing Privacy Notice: Template and Guidance
Every NRI marketer who buys and uses a licensed dataset has a legal obligation to publish a privacy notice that accurately describes what personal data they process and why. This is not optional — UK GDPR, EU GDPR, CCPA, and DPDP all impose this requirement, and the obligation triggers the moment you import the dataset (not when you press send on the first campaign).
This guide walks through what your privacy notice must cover, with a practical template you can adapt. Your notice will need legal review for your specific business — but starting from the right structure saves substantial work later.
What every NRI marketing privacy notice must include
The minimum set, drawing from UK GDPR Article 13/14 and equivalent provisions in other regimes:
- Identity and contact details of the data controller (your business).
- Categories of personal data processed (name, email, phone, location, behavioural segment, etc.).
- Sources of personal data (specifically: licensed third-party datasets and the originating consumer fintech platforms).
- Purposes and lawful basis for processing (direct marketing under consent obtained at source).
- Recipients or categories of recipients (your ESP, CRM, sub-processors).
- International transfers (where data flows cross borders, and the safeguards in place).
- Retention period (how long you keep the data).
- Data subject rights (access, rectification, erasure, objection, portability).
- Right to lodge a complaint with the relevant supervisory authority (ICO for UK, EDPB for EU member states, CCPA Agency for California).
- Existence of automated decision-making, if any.
Template — adapt to your business
1. Who we are
[Your company name] is a [country]-registered company. Our company number is [number] and our registered office is at [address]. For privacy enquiries, contact [privacy email].
2. What data we process and why
We process the following categories of personal data in connection with our marketing activities:
- Identity data (first name, last name);
- Contact data (email address, mobile number with country code);
- Location data (country of residence, city or region, postcode where applicable);
- Demographic data (age band, language preference where self-reported);
- Behavioural data (segment membership and sub-segment indicators relating to remittance, real-estate intent, tax-seeking, shopping, or travel behaviours);
- Marketing engagement data (whether you opened emails we sent, clicked links, or unsubscribed).
3. Where we get this data
Some of the personal data we process is collected directly from you (for example, when you enquire about our products or sign up for our newsletter). The remainder is licensed from third-party data providers — specifically, providers who aggregate marketing-consented profiles of Non-Resident Indians from public consumer fintech, remittance, and diaspora-services platforms where the data subject opted in for marketing communications at original sign-up.
4. Why we process this data (lawful basis)
We process personal data for the following purposes, on the following lawful bases:
- Direct marketing communications — to send you marketing communications about our products and services, on the basis of consent obtained by the originating data source at the point of collection.
- Performance of contractual and pre-contractual obligations — to respond to enquiries, deliver products and services, and process payments, on the basis of performance of a contract.
- Compliance with legal obligations — to maintain accounting records, respond to lawful regulatory requests, and meet anti-money-laundering requirements, on the basis of legal obligation.
- Operational legitimate interests — to operate, secure, and improve our website and services, on the basis of legitimate interest.
5. Who we share data with
We share personal data only with:
- Service providers who host our website, send transactional and marketing email, and process payments, under contractual confidentiality and security obligations;
- Professional advisers (legal, accounting, audit) where strictly necessary;
- Regulators or law-enforcement bodies where we are legally required to disclose.
We do not sell personal data.
6. International transfers
Where personal data is transferred outside the UK / EU / your jurisdiction, we rely on adequacy regulations or contractual safeguards (such as the UK Addendum to the EU Standard Contractual Clauses) to ensure your data receives an essentially equivalent level of protection.
7. How long we keep data
- Marketing dataset records: until opt-out or 24 months from import, whichever is sooner;
- Customer order records: 7 years to satisfy accounting obligations;
- Server logs: up to 90 days.
8. Your rights
You have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate data;
- Request erasure (the right to be forgotten);
- Restrict or object to certain processing, including the absolute right to object to direct marketing;
- Request portability of data you provided to us;
- Withdraw consent at any time (where processing is based on consent);
- Lodge a complaint with [the ICO at ico.org.uk / your relevant data protection authority].
To exercise any of these rights, email [privacy email]. We respond within one calendar month.
9. CCPA-specific rights (if you process California residents)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what categories of personal information we have collected, the right to delete your personal information, and the right to opt out of the sale or sharing of your personal information. Visit [link] to exercise these rights.
10. Changes to this notice
We may update this notice from time to time. The "Last updated" date reflects the most recent revision.
Common privacy notice mistakes
- Vague source disclosure. "From various sources" is non-compliant. Name the licensed-dataset provider category and the originating platforms.
- Missing the right to object to direct marketing. This right is absolute under UK GDPR; failing to mention it is a breach.
- No privacy notice at all when using bought lists. The most common mistake — and the easiest to fix.
- Notice not updated when adding a new dataset source. Your notice must accurately reflect current processing.