MobiKwik


We, at One MobiKwik Systems Ltd. (“MobiKwik” or “We”) understand Privacy and its value. Therefore, it is all the more important for us to make You (“You” or “Customer” or “User”), the User of the website www.MobiKwik.com (the “Website”) and its associated mobile applications, MobiKwik (“Application” or “App”) (collectively, the “Platform”) understand the reason behind collection of your information and its usage and the manner in which we collect, use, store and share information about you (“Privacy Policy”). This Privacy Policy has been prepared in compliance with:

  1. Master Directions on Prepaid Payment Instruments (PPIs) issued by Reserve Bank of India
  2. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
  3. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021;
  4. Guidelines on Digital Lending issued by the Reserve Bank of India (RBI), 2022;
  5. Other applicable acts, regulations and rules which require the publishing of a privacy policy for handling of or dealing in personal information including sensitive personal data or information and all applicable laws, regulations, guidelines provided by applicable regulatory authorities including but not limited to the RBI.

CONSENT

You hereby expressly consent to provide the information that may be required in relation to the Services (as defined below) being rendered on the Platform by us. You acknowledge that we shall collect the information detailed under this Privacy Policy to facilitate lending & non-lending services by partnering with various financial lenders, third parties, service providers, etc based on your requirement to avail such Services (“Services”).

MobiKwik will only be using the information for providing the Services to you.

To avail any Services being provided by MobiKwik by itself or in partnership with the lenders or other third parties it is important that YOU READ, UNDERSTAND, ACKNOWLEDGE AND UNCONDITIONALLY AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS PRIVACY POLICY.

IF YOU DO NOT AGREE TO THIS POLICY OR ANY PART THEREOF, PLEASE DO NOT USE/ ACCESS/ DOWNLOAD/ INSTALL THE PLATFORM OR ANY PART THEREOF.

For the users consenting to continue accessing the Platform and avail the Services, this Privacy Policy explains our policies and practices regarding the collection, use, and disclosure of Your information.

COLLECTION OF INFORMATION

The collection of information under this Privacy Policy is conducted for the following categories of services:

(i) Part A: Information for Digital Lending Services: Information collected by Platform for facilitation of Loans being disbursed by the financial lending partners whose details are available on the Platform and who are registered with the Reserve Bank of India (“Lending Partners”).

(ii) Part B: Information for Non-Lending Services: Information collected by Platform while registering a User on the Platform or while providing Prepaid Instrument Services including but not limited to wallet / UPI etc. (i.e., all services other than facilitation of loans).

A. Traffic Data Collected

We automatically track and collect the following categories of information when you visit our Platform:

  1. IP addresses;
  2. Domain servers;
  3. Types of computers accessing the Platform;
  4. Types of web browsers used to access the Platform;
  5. Referring source which may have sent you to the Platform; and
  6. Other information associated with the interaction of your browser and the Platform (collectively "Traffic Data").

B. Information we collect about you

To facilitate the PPI, lending and non-lending services, MobiKwik will be required to access, collect and share Personal Information with its lending partners that may be banks or NBFCs registered with the Reserve Bank of India or any other third-party providing value added services in partnership with MobiKwik. In such cases, MobiKwik will share the information securely and ensure that all personal information recipients comply with confidentiality, fidelity and secrecy obligations and sign covenants in this regard. MobiKwik may make information available to third parties that are financial and non-financial companies, government agencies, courts, legal investigators, and other non-affiliated third parties as requested by You or Your authorized representative, or otherwise when required or permitted

1. User Personal Information: The data points we collect from You for both lending and non-lending services include, inter alia, your full name, email id, PAN, Aadhaar, GST Network user id & password, address, mobile number, postal code.

2. Social Account Information: MobiKwik may provide you with the option to register using social accounts (Google) to access the app and shall collect only such registered email id and user public profile information like name, email depending on the platform used by You to log into the Application during the registration/sign-in process in the Platform. How we use this information: We may collect and store the email id, name and address associated with that account for the purpose of verification and to pre-populate relevant fields during Platform interface. However, we shall not collect / store account passwords.

3. SMS Information: MobiKwik does not collect or store personal SMS from your Inbox. We collect, store and monitor only SMS sent by 6-digit alphanumeric senders. How we use this information: We use this data to provide you with updates or confirmation of any actions taken in our Platform during the term of Services. We shall collect any SMS information for facilitating any lending and non-lending services for you, including such purposes as may be required by the Lending Partners or as per applicable law. This category of information is only collected for providing the non-lending services or our value-added services.

4. Device Information and Installed Apps data: We additionally collect certain device information provided herein for our lending and non-lending services. Information which the Application collects, and its usage, depends on how you manage your privacy controls on your device.

(i) Device Information: When you install the Application, we store the information we collect with unique identifiers tied to the device you are using. We collect information from the device when you download and install the Application and explicitly seek permissions from You to get the required information from the device. Additionally, we also collect your Log information (via the domain server through which the User accesses the App, search queries, IP address, crashes, date etc.) for the purpose of improving the Application functionality. In addition to the above, we also track and collect the data related to the performance of the Application and other diagnostic data for identifying and resolving any technical glitches that may be identified from such data and for improving the overall functionality of the Application. How we use the information: We collect information about your device to provide automatic updates and additional security so that your account is not used on other people’s devices. In addition, the information provides us valuable feedback on your identity as a device holder as well as your device behaviour, thereby allowing us to improve our quality of Services and provide an enhanced customized user experience to you. We further collect other identifiable information such as your transactions history on the Platform when you set up a free account with us.

(ii) Installed Application Data: We collect and transmit a list of specific installed applications’ metadata information which includes the application name, package name, installed time, updated time, version name and version code of each installed application on your device. This data may be collected even when the app is closed or not in use. How we use this information: We use this information for your onboarding and Know Your Customer (KYC) purposes with your explicit consent.

5. Location, Camera, Microphone, Contact List Access: In the pursuit of facilitating lending services and adhering strictly to legal mandates, we shall acquire information regarding the location of your device and seek authorization for camera and microphone usage. Our utilization of this data will be governed solely by relevant legislation.

Specifically, we will gather device location data to validate your address and streamline the Know Your Customer (KYC) and onboarding procedures for our services. Furthermore, we may require camera access to scan and capture the necessary KYC documents as mandated by our Lending Partners, again in compliance with pertinent laws. It is imperative to note that we will promptly transfer such data to our Lending Partners without retaining any records thereof.

For the purpose of facilitating Video KYC procedures pertaining to Lending Services, we necessitate microphone permissions to facilitate seamless two-way communication between our authorized agents and yourself. Your audio interactions will be recorded for regulatory compliance.

Additionally, access to your contact list will be strictly limited to the provision of wallet, UPI, and payment-related services, and will not extend to any lending-related activities.

C. Information about you we collect from third parties

For making the Services available to you, we may collect credit information by obtaining specific authorisations from you (if required under applicable laws), from certain third parties such as credit bureaus or credit rating companies as your 'authorised representative' from time to time in accordance with applicable laws during the loan journey as may be requested by our Lending Partners.

To facilitate credit products to you, we may receive certain information pertaining to document verification, MobiKwik status etc from certain third parties including NSDL, MobiKwik gateway providers.

We may further collect your GST details from Official GSTIN API stack or other relevant websites using the GST Network user id and password details or OTP as provided by you.

We shall only collect this information on a need basis strictly for the purpose of providing you with the Services. The information collected from such third parties is not retained by us. We collect this information as part of our outsourcing obligations to our Lending Partners and it is directly transferred to the Lending Partners upon collection.

D. Information you give us about you

In due course of using our Services, you are required to submit data to enable our Services. We use this data to create your profile and provide you with the best available services. Mentioned below is some of the data we collect from you:

  1. Data provided by you by filling in forms on the Platform.
  2. Data provided by corresponding with us (for example, by e-mail or chat).
  3. Data and information you provide when you register to use the Website, download or register on our App, subscribe to any of our Services (such as applying for a loan), search for a Service, and when you report a problem with our App, our Services, or any of our Sites.
  4. Data including your name, address, gender, date of birth, e-mail address, phone number, username, password and other registration information.
  5. PAN Card, Aadhaar Card, financial information such as employer name, monthly salary, bank account no., bank statements, credit information, GST information, copies of identification documents which are forwarded to our Lending Partners for the onboarding of your application to avail the services.

This data helps us create your profiles, complete mandatory KYC as per the requirements of our Lending Partners who offer you the Services, unlock and approve loans and provide you with customized support in case of issues. Please note that we do not store any data provided by you except for the basic information such as name, address, contact details etc.

Wherever possible, we indicate the mandatory and the optional fields. You always have the option to not provide any information by choosing not to use a particular service or feature on the Platform. While you can browse some sections of our Platform without being a registered member as mentioned above, certain activities (such as availing of loans from the third-party lenders on the Platform) require registration and for you to provide the above details.

We under no circumstances and at no point take any biometric data from you for any of our services or operations. If any of our representatives asks you for the same, we request you to kindly refrain from providing it and to address this concern to our Grievance Officer (whose details have been provided below).

E. Storage of Personal Information

In the context of furnishing lending services, our data retention practices are meticulous. We confine ourselves to storing only essential personal details—namely, name, address, and contact information—indispensable for executing our non-lending functions. Rest assured, each piece of data we gather undergoes meticulous storage on servers domiciled in India, ensuring full compliance with all statutory and regulatory obligations.

Regarding additional personal information acquired through our outsourcing endeavours for Lending Partners, we operate strictly under their directives. Upon their instruction, we procure such data and subsequently transfer it to them upon the conclusion of preliminary onboarding procedures.

F. Collection of Certain Non-Personal Information

We automatically track certain information about you based upon your behaviour on our Platform. We use this information to do internal research on our users’ demographics, interests, and behaviour to better understand, protect and serve our users and improve our services. This information is compiled and analysed on an aggregated basis.

G. Collection of Certain Non-Personal Information

Cookies: Cookies are small data files that a Website stores on Your computer. We will use cookies on our Website like other lending websites / apps and online marketplace websites / apps. Use of this information helps Us identify You to make our Website more user friendly. Most browsers will permit You to decline cookies but if You choose to do this it might affect service on some parts of Our Website.

If you choose to make a purchase through the Platform, we collect information about your buying behaviour. We retain this information as necessary to resolve disputes, provide customer support and troubleshoot problems as permitted by law. If you send us personal correspondence, such as emails or letters, or if other users or third parties send us correspondence about your activities or postings on the Website, we collect such information into a file specific to you.

Users’ Responsibilities

The User acknowledges and consents to the absence of any joint venture, partnership, employment, or agency association between themselves and MobiKwik arising from their utilization of the Platform. The content, encompassing material, information, data, news items, software, text, images, graphics, video, and audio, provided on the Platform is purely for general informational purposes. It should not serve as the sole basis for business or commercial decisions, including investment choices.

Users are strongly advised to exercise prudence and, if necessary, seek independent counsel prior to engaging in any arrangement or financial commitment based on the Platform's content. The availability of Services is contingent upon MobiKwik's discretion, subject to the specific contractual terms and conditions governing each Service offering. Furthermore, MobiKwik reserves the right to withdraw or modify such Services at its discretion and without prior notification. It is pertinent to note that the complete spectrum of Services may not be accessible in all geographical locations.

Use of the Services described at the Platform may not be permitted in some geographical locations and if in doubt, User should check either with the local regulator or authority or with MobiKwik before requesting further information on such Services.

To obtain Services from MobiKwik from time to time, the User must create an account (“User Account”) with us by registering himself/herself. You are solely responsible for maintaining the secrecy of your user id and password for the User Account and shall be responsible for all activities that occur in connection with your User Account. In case of any unauthorized use of your User Account, the same shall be intimated to us. You shall not create multiple User Accounts and shall not use your User Account for any purpose that is unlawful, illegal or forbidden by law. As a consideration for availing a loan/service through the Platform, you may be required to pay certain fees, charges, interest or costs as may be applicable as mentioned in our Platform or as per the terms for respective Services as prescribed by us. You understand that application for a loan/service through online means is dependent on technical factors which inter alia include your connectivity to the internet, your ability to make payment through online means (which in turn is dependent on payment services from your bank or similar service providers), the capability of the computer or phone which you use for the purpose, and your careful approach in reading the terms, understanding the same and following the process. You have sole responsibility for adequate protection and back up of data and/or equipment and for undertaking reasonable and appropriate precautions to scan for computer viruses or other destructive properties. We make no representations or warranties regarding the accuracy, functionality or performance of any third-party software that may be used in connection with the Platform.

PURPOSE OF COLLECTION

We shall use the information collected from you for facilitating the Lending and Non-Lending Services for the following purposes as detailed below. We understand the importance of your information and ensure that it is used for the following intended purposes only.

The intended purpose of collecting information provided by you is to:

  1. Establish identity and verify the same
  2. To facilitate your KYC as per instructions from our Lending Partners;
  3. Provide our service i.e., facilitating loans to You or providing our value-added services or non-lending services to you.
  4. Design and offer customized Services offered by our third-party partners;
  5. Analyse how the Platform is used, diagnose service or technical problems and maintain security;
  6. Send communications, notifications and information regarding the loan products or Services requested by You or process queries and applications that You have made on the Platform;
  7. Measure consumer interest and satisfaction in our Services and manage Our relationship with You;
  8. Marketing and promotional purposes including sending you promotional SMS, Email and WhatsApp and inform you about online and offline offers, loan products, Services, and updates;
  9. Conduct data analysis to improve the Services provided to the User;
  10. Use the User information to comply with country laws and regulations;
  11. Use the User information in other ways permitted by law to enable You to take financial services from our lending partners.
  12. Resolve disputes and detect and protect us against suspicious or illegal activity, fraud and other criminal activity;
  13. Customize your experience and enforce our terms and conditions.

We will use and retain only such basic personal information such as your name, contact information, address details and such other information which are necessary for the provision of Services and for such periods as necessary to provide You the Services on the Platform, to comply with our legal obligations, to resolve disputes, and enforce our agreements.

DISCLOSURE TO THIRD PARTIES

We will share Your information only with our third parties including our regulated financial partners, vendors etc for facilitation of Services on the Platform.

We will share the information only in such manner as described below:

  1. We disclose and share Your information with the financial service providers, banks or NBFCs and our Lending Partners for facilitation of a loan or facility or line of credit or purchase of a product;
  2. We share Your information with our third-party partners to conduct data analysis to serve You better and provide Services on our Platform;
  3. We may disclose Your information to enforce or apply our terms of use or assign such information during corporate divestitures, mergers, or to protect the rights, property, or safety of us, our users, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
  4. We will disclose the data / information provided by a user with other technology partners to track how the user interacts with the Platform on our behalf.
  5. We and our affiliates may share Your information with another business entity should we (or our assets) merge with, or be acquired by that business entity, or re-organization, amalgamation, restructuring of business for continuity of business. Should such a transaction occur then any business entity (or the new combined entity) receiving any such information from us shall be bound by this Policy with respect to your information.
  6. We will disclose the information to our third-party technology or third-party data source providers;
  7. We will share Your information under a confidentiality agreement with the third parties and restrict use of the said information by third parties only for the purposes detailed herein. We warrant that there will be no unauthorised disclosure of your information shared with third parties.
  8. We shall disclose your KYC journey or any data with respect to the same to the relevant regulatory authorities as a part of our statutory audit process. Please note that your Aadhaar number shall never be disclosed.

We may share your personal information with the governmental authorities, quasi-governmental authorities, judicial authorities and quasi-judicial authorities if we are acting under any duty, request or order as part of our legal obligations and in accordance with the applicable laws. By accepting this Privacy Policy, you hereby provide your consent to disclose your personal information for such regulatory disclosure.

Any disclosure to third parties is subject to the following:

  1. If we are under a duty to disclose or share your personal data to comply with any legal or regulatory obligation or request, we shall not seek your explicit consent however we shall reasonably endeavour to notify the same to you accordingly as the case may be as stated under subclause 3;
  2. We shall take your express consent in the event we share your personal data with third parties;
  3. We shall share your information with third-party only on a need basis and only for the purpose stated hereunder, as per the applicable laws.
  4. We shall additionally seek express consent through a separate consent form at appropriate stages of data collection, if so required under applicable laws.
  5. Usage of your information by such third parties is subject to their privacy policies. We share limited information with them, strictly to the extent required. We recommend you have a look at the privacy policies of such third parties.

The list of entities with whom your information is shared can be accessed here.

DATA RETENTION AND DELETION

At MobiKwik, we are committed to safeguarding your personal data against unauthorized access, misuse, and disclosure. We implement appropriate security measures tailored to the nature of the data and our processing activities. Retaining information about you enables us to deliver a seamless user experience, provide necessary support, and manage your account effectively. Furthermore, this data retention facilitates the detection, mitigation, prevention, and investigation of fraudulent or illegal activities throughout our service provision.

We maintain your data for the duration required to furnish our Services efficiently. Additionally, we may retain and utilize essential personal information such as your name, contact number, transactional history, and address details to fulfil our legal obligations, resolve disputes, and enforce contractual agreements, all of which align with relevant legal frameworks.

Under this provision, we entertain reasonable written requests for data deletion at any juncture. However, please note that deletion may result in the cessation of your ability to access our services.

CHANGES IN THIS PRIVACY POLICY

We retain the prerogative to amend, alter, supplement, or revoke sections of this Privacy Policy at our discretion and without prior notice, for any rationale. Should any modifications occur, we will promptly update the Policy on the Platform. Once published, these alterations take immediate effect, unless otherwise specified.

We advocate periodic review of this page to stay abreast of our latest privacy protocols. Continued access to or utilization of the Services signifies your acknowledgment of the modifications and acceptance of the revised Privacy Policy.

SECURITY PRECAUTIONS

The Platform intends to protect your information and to maintain its accuracy as confirmed by you. We implement reasonable physical, administrative and technical safeguards to help us protect your information from unauthorized access, use and disclosure. For example, we encrypt all information when we transmit over the internet. We also require that our registered third-party service providers protect such information from unauthorized access, use and disclosure.

Our Platform has stringent security measures in place to protect against the loss, misuse and alteration of information under our control. We endeavour to safeguard and ensure the security of the information provided by you. We use Secure Sockets Layer (SSL) based encryption for the transmission of the information, which is currently the required level of encryption in India as per applicable law.

We blend security at multiple steps within our Services with state-of-the-art technology to ensure our systems maintain strong security measures, and the overall data and privacy security design allows us to defend our systems against threats ranging from low-hanging issues up to sophisticated attacks.

We aim to protect from unauthorized access, alteration, disclosure or destruction of information we hold, including:

  1. use of encryption to keep your data secure;
  2. offering of security features like an OTP / biometric verification to help you protect your account;
  3. regular review of information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems;
  4. restricted access to personal information to our employees, contractors, and agents who need that information to process it. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations;
  5. Compliance with regulations and applicable laws;
  6. regular review of this Privacy Policy and making sure that we process your information in ways that comply with it.

Data protection laws vary among countries, with some providing more protection than others. We also comply with certain legal frameworks relating to the transfer of data as mentioned and required under the Information Technology Act, 2000, rules and the amendments made thereunder.

When we receive formal written complaints, we respond by contacting the person who made the complaint. We work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of your data that we cannot resolve with you directly.

YOUR RIGHTS

Modifying or rectifying your information: If any Personal Information provided by You is inaccurate, incomplete or outdated then You shall have the right to provide Us with the accurate, complete and up to date data and have Us rectify such data at Our end immediately. We urge You to ensure that You always provide Us with accurate and correct information/data to ensure Your use of Our Services is uninterrupted. In case of modification of Personal Information, Users will be required to furnish supporting documents relating to change in Personal Information for the purpose of verification by the Company.

Your Privacy Controls: You have certain choices regarding the information we collect and how it is used:

  1. Your device may have controls that determine what information we collect. For example, you can modify permissions on your Android/iOS device or Browser to remove any permissions that may have been given. However, Platform does not provide a guarantee of Services if any such controls are exercised.
  2. Delete the App from your device
  3. You can also request to remove content from our servers in accordance with Clause (b).

Withdrawal/Denial of consent: You acknowledge that the Platform has duly collected the information with your consent, and you have the option to not provide such information or deny consent for use of specific information or revoke the consent already given. However, any withdrawal of such personal information will not be permitted in case any Service availed by You is active. Where a consent has been withdrawn, the Platform does not guarantee, and shall not be liable for, providing such Service. You shall have the following rights pertaining to your information collected by us.

  1. Deny Consent: You shall have the right to deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect personal data and if required, make the App delete/ forget the data. However, any such denial will not prejudice the right of the Lending Partners to retain any data in relation to the loans availed by you or by the non-lending service providers in relation to the non-lending services provided to you. Further, in case of a denial of a consent, the Platform does not provide a guarantee or will not be liable towards the continued facilitation of the Services if any such controls are exercised.
  2. Withdraw Consent: You may withdraw Your consent to contact You, for the continued collection, use or disclosure of Your information, at any time, or request for deletion of your Login account by raising a request on the Platform or by mailing Us at grievance@mobikwik.com. However, Platform does not provide a guarantee of Services if any such controls are exercised. Further, if You have availed any loan facilities from Our lending partner, the lending partner shall have the right to continue processing Your information till such credit facility has been repaid in full, along with any interest and dues payable and/or for such period as may be allowed under applicable law. However, We, shall not retain Your data and information if it is no longer required by Us and there is no legal requirement to retain the same. Do note that multiple legal bases may exist in parallel, and We may still have to retain certain data and information at any time. Also, the information may still be used for execution of any outstanding or termination activity of any Lending or Non-lending Services.

Report an issue: You have a right to report a security incident to the GRO (details mentioned hereinbelow). You shall be entitled to prevent such unauthorised usage of your information by our personnel/agents by informing us, within 10 days of being informed of the proposed use, that you do not wish to disclose such information. You can also exercise the right at any time by contacting us at grievance@mobikwik.com. Notwithstanding anything to the contrary stated above, the following are specific scenarios listed below which may have consequences to your withdrawal of consent:

  1. Marketing and Communication: The consent for this information can be withdrawn if You write an email to the email address at grievance@mobikwik.com

GRIEVANCE REDRESSAL

You may make a request for deleting any information from the Platform at any stage upon making a request to Us in the following manner:

Grievance Officer

In accordance with Information Technology Act 2000 and rules made there under, the name and contact details of the Grievance Officer are provided below for your reference:

Name: Prashant Gandhi

Address: One MobiKwik Systems Limited Unit No. 102, 1st Floor, Block-B, Pegasus One, Golf Course Road, Sector-53, Gurugram, Haryana-122003, India

Email: nodal@mobikwik.com

Contact: +918069898317

Time: Mon - Sat (10:00am - 07:00pm)

If you have questions or concerns, feel free to e-mail us or to correspond at MobiKwik Helpdesk and we will attempt to address your issue.

MobiKwik is also a registered e-KYC user agency (KUA). Therefore, the below section/policy applies to protecting personal data/information of Aadhaar number holders.

Definitions

  • “Aadhaar number” means an identification number issued to an individual under sub-section (3) of section 3 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.
  • “Aadhaar number holder” means an individual who has been issued an Aadhaar number under the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.
  • "Anonymization" in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which an individual cannot be identified, which meets the standards of irreversibility.
  • “Authentication” means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such repository verifies the correctness, or the lack thereof, based on information available with it.
  • “Authority” means the Unique Identification Authority of India established under sub-section (1) of section 11 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.
  • “Biometric information” means photograph, fingerprint, iris scan, or such other biological attributes of an individual as may be specified by regulations.
  • “Central Identities Data Repository” (CIDR) means a centralised database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto.
  • “De-identification” means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal.
  • “Demographic information” includes information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.
  • “Hardware Security Module (HSM)” means a device that will store the keys used for digital signing of Auth XML and decryption of e-KYC response data received from UIDAI.
  • “Identity information” in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information.
  • “Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
  • “PID Block” means the Personal Identity Data element which includes necessary demographic and/or biometric and/or OTP collected from the Aadhaar number holder during authentication.
  • "Processing" in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
  • “Requesting Entity” means an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.
  • “Resident” means an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment.
  • “Sensitive personal data or information” means such personal information which consists of information relating to — i. password; ii. financial information such as Bank account or credit card or debit card or other payment instrument details; iii. physical, physiological and mental health condition; iv. sexual orientation; v. medical records and history; vi. Biometric information; vii. any detail relating to the above clauses as provided to body corporate for providing service; and viii. any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise; provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
  • “Virtual ID (VID)” means any alternative virtual identity issued as an alternative to the actual Aadhaar number of an individual that shall be generated by the Authority in such manner as may be specified by regulations.

Purpose: 

  • The purpose of this policy is to provide direction to the various stakeholders and responsible personnel within MobiKwik to protect personal data of Aadhaar number holders in compliance to the relevant provisions of the Aadhaar Act, 2016; the Aadhaar and Other Laws (Amendment) Act, 2019; the Aadhaar (Authentication) Regulations, 2016; the Aadhaar (Data Security) Regulations; the Aadhaar (Sharing of Information) Regulations, 2016; and the Information Technology Act, 2000, and regulations thereunder.

Personal Information Collection:

  • MobiKwik shall collect the personal data including Aadhaar number/Virtual ID, directly from the Aadhaar number holder for conducting authentication with UIDAI at the time of providing the services.

Specific Purpose for collection of Personal data/Information:

  • (a) The Identity information including Aadhaar number / Virtual ID shall be collected for the purpose of authentication of Aadhaar number holder to provide e-KYC for opening of account-based relationship with MobiKwik; (b) The identity information collected and processed shall only be used pursuant to applicable law and as permitted under the Aadhaar Act 2016 or its Amendment and Regulations; (c) The identity information shall not be used beyond the mentioned purpose without consent from the Aadhaar number holder and even with consent, use of such information for other purposes should be under the permissible purposes in compliance with the Aadhaar Act 2016; and (d) Process shall be implemented to ensure that Identity information is not used beyond the purposes mentioned in the notice/consent form provided to the Aadhaar number holder.

Notice / Disclosure of Information to Aadhaar number holder

  • a) Aadhaar number holder shall be provided relevant information prior to collection of identity information / personal data. These shall include: 
    • The purpose for which personal data / identity information is being collected; 
    • The information that shall be returned by UIDAI upon authentication; 
    • The information that the submission of Aadhaar number or the proof of Aadhaar is mandatory or voluntary for the specified purpose and if mandatory the legal provision mandating it; 
    • The alternatives to submission of identity information (if applicable); 
    • The information that Virtual ID can be used in lieu of Aadhaar number at the time of Authentication; 
    • The name and address of MobiKwik that is collecting and processing the personal data; 
  • b) Aadhaar number holder shall be notified of the authentication either through the e-mail or phone or SMS at the time of authentication and MobiKwik shall maintain logs of the same.

Obtaining Consent

  • The consent of the user shall not be valid unless such consent is— (a) free; (b) informed; (c) specific; (d) clear; and (e) capable of being withdrawn. Consent of the user in respect of processing of any sensitive personal data shall be explicitly obtained— (a) after informing him/her the purpose of, or operation in, processing which is likely to cause significant harm to the user; (b) in clear terms without recourse to inference from conduct in a context.
  • a) Upon notice / disclosure of information to the Aadhaar number holder, consent shall be taken in writing or in electronic form on the website or mobile application or other appropriate means and MobiKwik shall maintain logs of disclosure of information and Aadhaar number holder’s consent. 
  • b) Legal department shall be involved in vetting the method of taking consent and logging of the same, and formal approval shall be recorded from the legal department.

Processing of Personal Information/Data

  • The identity information, including Aadhaar number, biometric /demographic information collected from the Aadhaar number holder by MobiKwik shall only be used for the Aadhaar authentication process by submitting it to the Central Identities Data Repository (CIDR);
  • Aadhaar authentication or Aadhaar e-KYC shall be used for the specific purposes declared to UIDAI and permitted by UIDAI. Such specific purposes shall be notified to the residents / customers / Individuals at the time of authentication through disclosure of information notice; 
  • MobiKwik shall not use the Identity information including Aadhaar number or e-KYC for any other purposes than allowed under and informed to the resident / customers / individuals at the time of Authentication. 
  • For the purpose of e-KYC, the demographic details of the individual received from UIDAI as a response shall be used for identification of the individual for the specific purposes of providing the specific services for the duration of the services.

Retention of Personal Information

  • The authentication transaction logs shall be stored for a period of 2 years after which the logs shall be archived for a period of 5 years or as per the regulations governing the entity, whichever is later and upon expiry of which period, barring the authentication transaction logs required to be maintained by a court order or pending dispute, the authentication transaction logs shall be deleted.

Sharing of Personal Information/Data

  • Identity information shall not be shared in contravention to the Aadhaar Act 2016, its Amendment, Regulations and other circulars released by UIDAI from time to time. 
  • Biometric information collected shall not be transmitted over any network without creation of encrypted PID block as per Aadhaar Act and regulations; 
  • MobiKwik shall not require an individual to transmit the Aadhaar number over the Internet unless such transmission is secure and the Aadhaar number is transmitted in encrypted form except where transmission is required for correction of errors or redressal of grievances.

Data Security

  • The Aadhaar number shall be collected over a secure application, transmitted over a secure channel as per specifications of UIDAI and the identity information returned by UIDAI shall be stored securely; 
  • The biometric information shall be collected, if applicable, using the registered devices specified by UIDAI. These devices encrypt the biometric information at device level and the application sends the same over a secure channel to UIDAI for authentication. 
  • OTP information shall be collected in a secure application and encrypted on the client device before transmitting it over a secure channel as per UIDAI specifications; 
  • Aadhaar /VID number that are submitted by the resident / customer / individual to the requesting entity and PID block hence created shall not be retained under any event and entity shall retain the parameters received in response from UIDAI; 
  • e-KYC information shall be stored in an encrypted form only. Such encryption shall match UIDAI encryption standards and follow the latest Industry best practice; 
  • The keys used to digitally sign the authentication request and for encryption of Aadhaar numbers in Data vault shall be stored only in HSMs in compliance to the HSM and Aadhaar Data vault circulars; 
  • MobiKwik shall use only Standardisation Testing and Quality Certification (STQC) / UIDAI certified biometric devices for Aadhaar authentication (if biometric authentication is used); 
  • All applications used for Aadhaar authentication or e-KYC shall be tested for compliance to Aadhaar Act 2016 before being deployed in production and after every change that impacts the processing of Identity information; The applications shall be audited on an annual basis by information systems auditor(s) certified by STQC, CERT-IN or any other UIDAI recognized body; 
  • In the event of an identity information breach, the organisation shall notify UIDAI of the following: 
    • A description and the consequences of the breach; 
    • A description of the number of Aadhaar number holders affected and the number of records affected; 
    • The privacy officer’s contact details; 
    • Measures taken to mitigate the identity information breach; 
  • Appropriate security and confidentiality obligations shall be implemented in the non-disclosure agreements (NDAs) with employees/contractual agencies /consultants/advisors and other personnel handling identity information; 
  • Only authorized individuals shall be allowed to access Authentication application, audit logs, authentication servers, application, source code, information security infrastructure. An access control list shall be maintained and regularly updated by organisation; 
  • Best practices in data privacy and data protection based on international Standards shall be adopted; 
  • The response received from CIDR in the form of authentication transaction logs shall be stored with following details: 
    • The Aadhaar number against which authentication is sought. 
    • Specified parameters received as authentication response; 
    • The record of disclosure of information to the Aadhaar number holder at the time of authentication; and 
    • Record of consent of the Aadhaar number holder for authentication but shall not, in any event, retain the PID information. 
  • An Information Security policy in-line with ISO27001 standard, UIDAI specific Information Security policy and Aadhaar Act 2016 shall be formulated to ensure Security of Identity information. 
  • Aadhaar numbers shall only be stored in Aadhaar Data vault as per the specifications provided by UIDAI.

Rights of Aadhaar Number Holder

  • The Aadhaar number holder has the right to obtain and request update of identity information stored with the organisation, including Authentication logs. The collection of core biometric information, storage and further sharing is protected by Section 29 of the Aadhaar Act 2016, hence the Aadhaar number holder cannot request for the core biometric information. 
  • MobiKwik shall provide a process for the Aadhaar number holder to view their identity information stored and request subsequent updates after authenticating the identity of the Aadhaar number holder. In case the update is required from UIDAI, same shall be informed to the Aadhaar number holder. 
  • The Aadhaar number holder may, at any time, revoke consent given to MobiKwik for storing his e-KYC data, and upon such revocation, MobiKwik shall delete the e-KYC data in a verifiable manner and provide an acknowledgement of the same to the Aadhaar number holder. 
  • The Aadhaar number holder has the right to lodge a complaint with the privacy officer who is responsible for monitoring of the identity information processing activities so that the processing is not in contravention of the law.

Aadhaar Number Holder Access Request

  • A process shall be formulated to handle the queries and process the exercise of rights of Aadhaar number holders with respect to their identity information / personal data. As part of the process it shall be mandatory to authenticate the identity of the Aadhaar number holder before providing access to any identity information. 
  • All requests from the Aadhaar number holder shall be formally recorded and responded to within a reasonable period. 
  • Compliance to the relevant data protection / privacy law (s) shall be ensured.

Privacy by design

  • Processes shall be established to embed privacy aspects at the design stage of any new systems, products, processes and technologies involving data processing of identity information of Aadhaar number holders; 
  • MobiKwik, in possession of the Aadhaar number of Aadhaar number holders, shall not make public any database or records of the Aadhaar numbers unless the Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and in electronic form; 
  • Before going live with any new process that involves processing of identity information, the organisation shall ensure that Disclosure of information / Privacy notice in compliance to the Aadhaar Act 2016 is provided to the resident / customer / individual and that consent is taken and recorded in compliance to Aadhaar Act 2016. 
  • Quarterly self-assessments shall be conducted to ensure compliance to disclosure of information and consent requirements. 
  • Privacy enhancing organizational and technical measures like anonymization, de-identification and minimization shall be implemented to make the collection of identity information adequate, relevant, and limited to the purpose of processing.

Governance and accountability

  • A Privacy committee shall be established to provide strategic direction on Privacy matters 
  • A person (Privacy Officer) responsible for developing, implementing, maintaining and monitoring the comprehensive, organization-wide governance and accountability shall be designated to ensure compliance with the applicable laws. 
  • The name of the Privacy Officer and contact details shall be made available to UIDAI and other external agencies through appropriate channel; 
  • The Privacy Officer shall be responsible to assess privacy risks of processing Identity information / personal data and mitigate the risks; 
  • The Privacy Officer shall be independent and shall be involved in all the issues relating to processing of identity information; 
  • The Privacy Officer shall be an expert in data protection and privacy legislations, regulations and best practices; 
  • The Privacy Officer shall advise the top management on the privacy obligations; 
  • The Privacy Officer shall advise on high-risk processing and the requirement of data privacy impact assessments; 
  • The Privacy Officer shall act as a point of contact for UIDAI for coordination and implementation of privacy practices and other external agencies for any queries; 
  • The Privacy Officer shall be responsible for managing privacy incidents and responding to the same; 
  • The Privacy Officer shall also be responsible for putting in place measures to create awareness and training of staff involved in processing identity information, about the legal consequences of data breach to the reputation of the organization; 
  • Privacy Officer shall ensure that the Authentication operations, systems and applications are audited by CERT-IN (Indian Computer Emergency Response Team), Standardisation Testing and Quality Certification (STQC) empanelled auditors or any other UIDAI recognised body at least on an annual basis; 
  • Privacy Officer shall conduct internal audits (through internal audit team) on a quarterly basis and monitor compliance through these audits against Aadhaar Act 2016; 
  • Privacy Officer shall ensure that the front-end operators interacting with Aadhaar number holders are trained on a periodic basis to ensure they communicate the disclosure of information to the Aadhaar number holder, take consent appropriately after showing the screen to the Aadhaar number holder and ensure Security of identity information. Such trainings shall be documented for audit purposes; 
  • Aadhaar specific trainings to developers, systems admins and other users shall be provided to ensure they are aware of the obligations for their respective roles; Completion of such trainings shall be documented; 
  • Privacy Officer shall be responsible to formally communicate this policy to all stakeholders and staff who need to comply with this policy; Any changes to the policy shall be communicated immediately; 
  • Privacy Officer shall facilitate formal Privacy performance reviews with the relevant stakeholders / Privacy Committee and suggest improvements. The reviews shall consider the results of various audits, privacy incidents, privacy initiatives, UIDAI requirements etc.

Transfer of Identity information outside India is prohibited:

  • Identity information shall not be hosted or transferred outside the territory of India in compliance to the Aadhaar Act and its Regulations.

Grievance Redressal Mechanism

  • Aadhaar number holders with grievances about the processing can contact the organisation’s Privacy Officer via multiple channels like on the website, through phone, SMS, mobile application etc. 
  • Reasonable measures shall be taken to inform the residents / customers / individuals about the Privacy Officer and its contact details; 
  • The contact details of Privacy Officer and the format for filing the complaint shall be displayed on the organisation’s website and other such mediums that are commonly used for interaction with the residents / customers / individuals; 
  • Where the medium of interaction is not electronic (such as physical), Poster / Notice board that is prominently visible shall be used to display the name of Privacy officer and contact details; 
  • If any issue is not resolved through consultation with the management of MobiKwik, Aadhaar number holders can seek redressal by way of mechanisms as specified in Section 33B of the Aadhaar Act, 2016.

Responsibility for implementation and enforcement of the policy

  • The overall responsibility of monitoring and enforcement of this policy through various mechanisms such as Audits etc. shall be with the Privacy Officer. 
  • Responsibility of the implementation of controls of this policy shall be with the Privacy Officer. 
  • Responsibility of review of Disclosure of information notice, consent clause, method of consent, logging of consent etc. shall be with the Manager Legal.

Relevant Provisions of Aadhaar Act and Supreme court judgement

  • Following relevant documents shall be referred to for ensuring compliance to the Aadhaar requirements: 
    • Judgement of Honourable Supreme court dated September 2018 
    • Aadhaar Act 2016 
    • Aadhaar and Other Laws (Amendment) Act 2019 
    • Aadhaar (Authentication) Regulations 2016 
    • Aadhaar (Data Security) Regulations 2016
    • Aadhaar (Sharing of Information) Regulations 2016 
    • Any other Regulations or notices or Circulars issued by UIDAI from time to time

Contact Details

  • Name of Privacy Officer: Mr. Neeraj Khandelwal
  • Email: privacy.officer@mobikwik.com

 

Effective From July 15, 2024
Last updated on July 10, 2024