We, at One MobiKwik Systems Ltd. (“MobiKwik” or
“We”) understand Privacy and its value. Therefore, it is all the more important
for us to make You (“You” or
“Customer” or “User”), the User of the website
www.MobiKwik.com (the “Website”) and its associated mobile
applications, MobiKwik (“Application” or
“App”) (collectively, the “Platform”)
understand the reason behind collection of your information and its usage and the manner in which we
collect, use, store and share information about you (“Privacy Policy”).
This Privacy Policy has been prepared in compliance with:
- Master Directions on Prepaid Payment Instruments (PPIs) issued by Reserve Bank of India;
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021;
- Guidelines on Digital Lending issued by the Reserve Bank of India (RBI), 2022;
- Other applicable acts, regulations and rules which require the publishing of a privacy policy for handling of or dealing in personal information including sensitive personal data or information and all applicable laws, regulations, guidelines provided by applicable regulatory authorities including but not limited to the RBI.
CONSENT
You hereby expressly consent to provide the information that may be required in relation to the Services (as
defined below) being rendered on the Platform by us. You acknowledge that we shall collect the information
detailed under this Privacy Policy to facilitate lending & non-lending services by partnering with
various financial lenders, third parties, service providers, etc based on your requirement to avail such
Services (“Services”).
MobiKwik will only be using the information for providing the Services to you.
To avail any Services being provided by MobiKwik by itself or in partnership with the lenders or
other third parties it is important that YOU READ, UNDERSTAND, ACKNOWLEDGE AND UNCONDITIONALLY AGREE TO
BE BOUND BY THE TERMS AND CONDITIONS OF THIS PRIVACY POLICY.
IF YOU DO NOT AGREE TO THIS POLICY OR ANY PART THEREOF, PLEASE DO NOT USE/ ACCESS/ DOWNLOAD/ INSTALL
THE PLATFORM OR ANY PART THEREOF.
For the users consenting to continue accessing the Platform and avail the Services, this Privacy Policy
explains our policies and practices regarding the collection, use, and disclosure of Your information.
COLLECTION OF INFORMATION
The collection of information under this Privacy Policy is conducted for the following categories of
services:
(i) Part A: Information for Digital Lending Services: Information collected by Platform
for facilitation of Loans being disbursed by the financial lending partners whose details are available on
the Platform and who are registered with the Reserve Bank of India (“Lending Partners”).
(ii) Part B: Information for Non-Lending Services: Information collected by Platform
while registering a User on the Platform or while providing Prepaid Instrument Services including but not
limited to wallet / UPI etc. (i.e., all services other than facilitation of loans).
A. Traffic Data Collected
We automatically track and collect the following categories of information when you visit our Platform:
- IP addresses;
- Domain servers;
- Types of computers accessing the Platform;
- Types of web browsers used to access the Platform;
- Referring source which may have sent you to the Platform; and
- Other information associated with the interaction of your browser and the Platform (collectively "Traffic Data").
B. Information we collect about you
To facilitate the PPI, lending and non-lending services, MobiKwik will be required to access, collect
and share Personal Information with its lending partners that may be banks or NBFCs registered with the
Reserve Bank of India or any other third-party providing value added services in partnership with MobiKwik.
In such cases, MobiKwik will share the information securely and ensure that all personal information
recipients comply with confidentiality, fidelity and secrecy obligations and sign covenants in this regard.
MobiKwik may make information available to third parties that are financial and non-financial companies,
government agencies, courts, legal investigators, and other non-affiliated third parties as requested by You
or Your authorized representative, or otherwise when required or permitted
1. User Personal Information: The data points we collect from You for both lending and
non-lending services include, inter alia, your full name, email id, PAN, Aadhaar, GST Network user id &
password, address, mobile number, postal code.
2. Social Account Information: MobiKwik may provide you with the option to register
using social accounts (Google) to access the app and shall collect only such registered email id and user
public profile information like name, email depending on the platform used by You to log-into the
Application during registration/ sign in process in the Platform. How we use this information: We may
collect, and store email id, name and address associated with that account for the purpose of verification
and to pre-populate relevant fields during Platform interface. However, we shall not collect / store account
passwords.
3. SMS Information: MobiKwik does not collect or store personal SMS from your Inbox. We
collect, store and monitor only SMS sent by 6-digit alphanumeric senders. How we use this information: We
use this data to provide you with updates or confirmation of any actions taken in our Platform during the
term of Services. We shall collect any SMS information for facilitating lending services and
non-lending services for you, including such purposes as may be required by the Lending Partners or as per
applicable law. This category of information is only collected for providing the non-lending services or our
value-added services.
4. Device Information and Installed Apps data: We additionally collect certain device
information provided herein for our lending and non-lending services. Information which the Application
collects, and its usage, depends on how you manage your privacy controls on your device.
(i) Device Information: When you install the Application, we store the information we collect with unique
identifiers tied to the device you are using. We collect information from the device when you download and
install the Application and explicitly seek permissions from You to get the required information from the
device. Additionally, we also collect your Log information (via the domain server through which the User
accesses the App), search queries, IP address, crashes, date etc. for the purpose of improving the
Application functionality. In addition to the above, we also track and collect the data related to the
performance of the Application and other diagnostic data for identifying and resolving any technical glitches
that may be identified from such data and for improving the overall functionality of the Application.
How we use the information: We collect information about your device to provide automatic updates and
additional security so that your account is not used in other people’s devices. In addition, the information
provides us valuable feedback on your identity as a device holder as well as your device behaviour, thereby
allowing us to improve our quality of Services and provide an enhanced customized user experience to you. We
further collect other identifiable information such as your transactions history on the Platform when you set
up a free account with us.
(ii) Installed Application Data: We collect and transmit a list of specific installed applications’ metadata
information which includes the application name, package name, installed time, updated time, version name and
version code of each installed application on your device. This data may be collected even when the app is
closed or not in use.
How we use this information: We use this information for your onboarding and Know Your Customer (KYC)
purpose with your explicit consent.
5. Location, Camera, Microphone, Contact List Access: In the pursuit of facilitating
lending services and adhering strictly to legal mandates, we shall acquire information regarding the
location of your device and seek authorization for camera and microphone usage. Our utilization of this data
will be governed solely by relevant legislation.
Specifically, we will gather device location data to validate your address and streamline the Know Your
Customer (KYC) and onboarding procedures for our services. Furthermore, we may require camera access to scan
and capture the necessary KYC documents as mandated by our Lending Partners, again in compliance with
pertinent laws. It is imperative to note that we will promptly transfer such data to our Lending Partners
without retaining any records thereof.
For the purpose of facilitating Video KYC procedures pertaining to Lending Services, we necessitate
microphone permissions to facilitate seamless two-way communication between our authorized agents and
yourself. Your audio interactions will be recorded for regulatory compliance.
Additionally, access to your contact list will be strictly limited to the provision of wallet, UPI, and
payment-related services, and will not extend to any lending-related activities.
C. Information about you we collect from third parties
For making the Services available to you, we may collect credit information by obtaining specific
authorisations from you (if required under applicable laws), from certain third parties such as credit
bureaus or credit rating companies as your 'authorised representative' from time to time in
accordance with applicable laws during the loan journey as may be requested by our Lending Partners.
To facilitate credit products to you, we may receive certain information pertaining to document verification,
MobiKwik status etc from certain third parties including NSDL, MobiKwik gateway providers.
We may further collect your GST details from Official GSTIN API stack or other relevant websites using the
GST Network user id and password details or OTP as provided by you.
We shall only collect this information on a need basis strictly for the purpose of providing you with the
Services. The information collected from such third parties is not retained by us. We collect this
information as part of our outsourcing obligations to our Lending Partners and it is directly transferred to
the Lending Partners upon collection.
D. Information you give us about you
In due course of using our Services, you are required to submit data to enable our Services. We use this data
to create your profile and provide you with the best available services. Mentioned below is some of the data
we collect from you:
- Data provided by you by filling in forms on the Platform.
- Data provided by corresponding with us (for example, by e-mail or chat).
- Data and information you provide when you register to use the Website, download or register on our App, subscribe to any of our Services (such as applying for a loan), search for a Service, and when you report a problem with our App, our Services, or any of our Sites.
- Data including your name, address, gender, date of birth, e-mail address, phone number, username, password and other registration information.
- PAN Card, Aadhaar Card, financial information such as employer name, monthly salary, bank account no., bank statements, credit information, GST information, copies of identification documents which are forwarded to our Lending Partners for the onboarding of your application to avail the services.
This data helps us create your profiles, complete mandatory KYC as per the requirements of our Lending
Partners who offer you the Services, unlock and approve loans and provide you with customized support in
case of issues. Please note that we do not store any data provided by you except for the basic information
such as name, address, contact details etc.
Wherever possible, we indicate the mandatory and the optional fields. You always have the option to not
provide any information by choosing not to use a particular service or feature on the Platform. While you
can browse some sections of our Platform without being a registered member as mentioned above, certain
activities (such as availing of loans from the third-party lenders on the Platform) require registration and
for you to provide the above details.
Under no circumstances and at no point do we take any biometric data from you for any of our services or
operations. If any of our representatives ask you for such data, we request you to kindly
refrain from providing it and address this concern to our Grievance Officer (the details of the same have
been provided below).
E. Storage of Personal Information
In the context of furnishing lending services, our data retention practices are meticulous. We confine
ourselves to storing only essential personal details—namely, name, address, and contact
information—indispensable for executing our non-lending functions. Rest assured, each piece of data we
gather undergoes meticulous storage on servers domiciled in India, ensuring full compliance with all
statutory and regulatory obligations.
Regarding additional personal information acquired through our outsourcing endeavours for Lending Partners,
we operate strictly under their directives. Upon their instruction, we procure such data and subsequently
transfer it to them upon the conclusion of preliminary onboarding procedures.
F. Collection of Certain Non-Personal Information
We automatically track certain information about you based upon your behaviour on our Platform. We use this
information to do internal research on our users’ demographics, interests, and behaviour to better
understand, protect and serve our users and improve our services. This information is compiled and analysed
on an aggregated basis.
G. Collection of Certain Non-Personal Information
Cookies:
Cookies are small data files that a Website stores on Your computer. We will
use cookies on our Website like other lending websites / apps and online marketplace websites / apps. Use of
this information helps Us identify You to make our Website more user friendly. Most browsers will permit You
to decline cookies but if You choose to do this it might affect service on some parts of Our Website.
If you choose to make a purchase through the Platform, we collect information about your buying behaviour. We
retain this information as necessary to resolve disputes, provide customer support and troubleshoot problems
as permitted by law. If you send us personal correspondence, such as emails or letters, or if other users or
third parties send us correspondence about your activities or postings on the Website, we collect such
information into a file specific to you.
Users’ Responsibilities
The User acknowledges and consents to the absence of any joint venture, partnership, employment, or agency
association between themselves and MobiKwik arising from their utilization of the Platform. The content,
encompassing material, information, data, news items, software, text, images, graphics, video, and audio,
provided on the Platform is purely for general informational purposes. It should not serve as the sole basis
for business or commercial decisions, including investment choices.
Users are strongly advised to exercise prudence and, if necessary, seek independent counsel prior to engaging
in any arrangement or financial commitment based on the Platform's content. The availability of Services
is contingent upon MobiKwik's discretion, subject to the specific contractual terms and conditions
governing each Service offering. Furthermore, MobiKwik reserves the right to withdraw or modify such
Services at its discretion and without prior notification. It is pertinent to note that the complete
spectrum of Services may not be accessible in all geographical locations.
Use of the Services described at the Platform may not be permitted in some geographical locations and if in
doubt, User should check either with the local regulator or authority or with MobiKwik before requesting
further information on such Services.
To obtain Services from MobiKwik from time to time, the User must create an account (“User
Account”) with us by registering himself/ herself. You are solely responsible for maintaining the
secrecy of your user id and password for the User Account and shall be responsible for all activities that
occur in connection with your User Account. In case of any unauthorized use of your User Account the same
shall be intimated to us. You shall not create multiple User Accounts and shall not use your User Account
for any purpose that is unlawful, illegal or forbidden by law. As a consideration for availing loan/ service
through the Platform, you may be required to pay certain fee, charges, interest or cost as may be applicable
as mentioned in our Platform or as per the terms for respective Services as prescribed by us. You understand
that application of loan/ service through online means is dependent on technical factors which inter alia
include your connectivity to the internet, your ability to make payment through online means which in turn is
dependent on payment services from your bank or similar service providers, capability of the computer or
phone which you use for the purpose, your careful approach in reading the terms, understanding the same and
following the process. You have sole responsibility for adequate protection and back up of data and/or
equipment and for undertaking reasonable and appropriate precautions to scan for computer viruses or other
destructive properties. We make no representations or warranties regarding the accuracy, functionality or
performance of any third-party software that may be used in connection with the Platform.
PURPOSE OF COLLECTION
We shall use the information collected from you for facilitating the Lending and Non-Lending Services for the
following purposes as detailed below. We understand the importance of your information and ensure that it is
used for the following intended purposes only.
The intended purpose of collecting information provided by you is to:
- Establish identity and verify the same;
- To facilitate your KYC as per instructions from our Lending Partners;
- Provide our service i.e., facilitating loans to You or providing our value-added services or non-lending services to you;
- Design and offer customized Services offered by our third-party partners;
- Analyse how the Platform is used, diagnose service or technical problems and maintain security;
- Send communications, notifications, information regarding the loan products or Services requested by You or process queries and applications that You have made on the Platform;
- Measure consumer interest and satisfaction in our Services and manage Our relationship with You;
- Marketing and promotional purposes including sending you promotional SMS, Email and WhatsApp and inform you about online and offline offers, loan products, Services, and updates;
- Conduct data analysis to improve the Services provided to the User;
- Use the User information to comply with country laws and regulations;
- Use the User information in other ways permitted by law to enable You to take financial services from our lending partners;
- Resolve disputes and detect and protect us against suspicious or illegal activity, fraud and other criminal activity;
- Customize your experience and enforce our terms and conditions.
We will use and retain only such basic personal information such as your name, contact information, address
details and such other information which are necessary for the provision of Services and for such periods as
necessary to provide You the Services on the Platform, to comply with our legal obligations, to resolve
disputes, and enforce our agreements.
DISCLOSURE TO THIRD PARTIES
We will share Your information only with our third parties including our regulated financial partners,
vendors etc for facilitation of Services on the Platform.
We will share the information only in such manner as described below:
- We disclose and share Your information with the financial service providers, banks or NBFCs and our Lending Partners for facilitation of a loan or facility or line of credit or purchase of a product;
- We share Your information with our third-party partners to conduct data analysis to serve You better and provide Services on our Platform;
- We may disclose Your information, to enforce or apply our terms of use or assign such information during corporate divestitures, mergers, or to protect the rights, property, or safety of us, our users, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
- We will disclose the data / information provided by a user with other technology partners to track how the user interacts with the Platform on our behalf.
- We and our affiliates may share Your information with another business entity should we (or our assets) merge with, or be acquired by that business entity, or re-organization, amalgamation, restructuring of business for continuity of business. Should such a transaction occur then any business entity (or the new combined entity) receiving any such information from us shall be bound by this Policy with respect to your information.
- We will disclose the information to our third-party technology or third-party data source providers;
- We will share Your information under a confidentiality agreement with the third parties and restrict use of the said information by third parties only for the purposes detailed herein. We warrant that there will be no unauthorised disclosure of your information shared with third parties.
- We shall disclose your KYC journey or any data with respect to the same to the relevant regulatory authorities as a part of our statutory audit process. Please note that your Aadhaar number shall never be disclosed.
We may share your personal information with the governmental authorities, quasi-governmental authorities,
judicial authorities and quasi-judicial authorities if we are acting under any duty, request or order as
part of our legal obligations and in accordance with the applicable laws. By accepting this Privacy Policy,
you hereby provide your consent to disclose your personal information for such regulatory disclosure.
Any disclosure to third parties is subject to the following:
- If we are under a duty to disclose or share your personal data to comply with any legal or regulatory obligation or request, we shall not seek your explicit consent; however, we shall reasonably endeavour to notify the same to you accordingly as the case may be as stated under subclause 3;
- We shall take your express consent in the event we share your personal data with third parties;
- We shall share your information with third-party only on a need basis and only for the purpose stated hereunder, as per the applicable laws.
- We shall additionally seek express consent through a separate consent form at appropriate stages of data collection, if so required under applicable laws.
- Usage of your information by such third parties is subject to their privacy policies. We share limited information with them, strictly to the extent required. We recommend you have a look at the privacy policies of such third parties.
List of entities with whom your information is shared can be accessed here.
DATA RETENTION AND DELETION
At MobiKwik, we are committed to safeguarding your personal data against unauthorized access, misuse, and
disclosure. We implement appropriate security measures tailored to the nature of the data and our processing
activities. Retaining information about you enables us to deliver a seamless user experience, provide
necessary support, and manage your account effectively. Furthermore, this data retention facilitates the
detection, mitigation, prevention, and investigation of fraudulent or illegal activities throughout our
service provision.
We maintain your data for the duration required to furnish our Services efficiently. Additionally, we may
retain and utilize essential personal information such as your name, contact number, transactional history,
and address details to fulfil our legal obligations, resolve disputes, and enforce contractual agreements,
all of which align with relevant legal frameworks.
Under this provision, we entertain reasonable written requests for data deletion at any juncture. However,
please note that deletion may result in the cessation of your ability to access our services.
CHANGES IN THIS PRIVACY POLICY
We retain the prerogative to amend, alter, supplement, or revoke sections of this Privacy Policy at our
discretion and without prior notice, for any rationale. Should any modifications occur, we will promptly
update the Policy on the Platform. Once published, these alterations take immediate effect, unless otherwise
specified.
We advocate periodic review of this page to stay abreast of our latest privacy protocols. Continued access to
or utilization of the Services signifies your acknowledgment of the modifications and acceptance of the
revised Privacy Policy.
SECURITY PRECAUTIONS
The Platform intends to protect your information and to maintain its accuracy as confirmed by you. We
implement reasonable physical, administrative and technical safeguards to help us protect your information
from unauthorized access, use and disclosure. For example, we encrypt all information when we transmit over
the internet. We also require that our registered third-party service providers protect such information
from unauthorized access, use and disclosure.
Our Platform has stringent security measures in place to protect against the loss, misuse and alteration of
information under our control. We endeavour to safeguard and ensure the security of the information provided by
you. We use Secure Sockets Layers (SSL) based encryption, for the transmission of the information, which is
currently the required level of encryption in India as per applicable law.
We blend security at multiple steps within our Services with state-of-the-art technology to ensure our
systems maintain strong security measures, and the overall data and privacy security design allows us to
defend our systems against everything from low-hanging issues up to sophisticated attacks.
We aim to protect from unauthorized access, alteration, disclosure or destruction of information we hold,
including:
- use of encryption to keep your data secure;
- offering of security features like an OTP / biometric verification to help you protect your account;
- regular review of information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems;
- restricted access to personal information to our employees, contractors, and agents who need that information to process it. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations;
- compliance with regulations and applicable laws;
- regular review of this Privacy Policy, making sure that we process your information in ways that comply with it.
Data protection laws vary among countries, with some providing more protection than others. We also comply
with certain legal frameworks relating to the transfer of data as mentioned and required under the
Information Technology Act, 2000, rules and the amendments made thereunder.
When we receive formal written complaints, we respond by contacting the person who made the complaint. We
work with the appropriate regulatory authorities, including local data protection authorities, to resolve
any complaints regarding the transfer of your data that we cannot resolve with you directly.
YOUR RIGHTS
Modifying or rectifying your information: If any Personal Information provided by You
is inaccurate, incomplete or outdated then You shall have the right to provide Us with the accurate,
complete and up to date data and have Us rectify such data at Our end immediately. We urge You to ensure
that You always provide Us with accurate and correct information/data to ensure Your use of Our Services is
uninterrupted. In case of modification of Personal Information, Users will be required to furnish supporting
documents relating to change in Personal Information for the purpose of verification by the Company.
Your Privacy Controls: You have certain choices regarding the information we collect
and how it is used:
- Your device may have controls that determine what information we collect. For example, you can modify permissions on your Android/iOS device or Browser to remove any permissions that may have been given. However, Platform does not provide a guarantee of Services if any such controls are exercised.
- Delete the App from your device.
- You can also request to remove content from our servers in accordance with Clause (b).
Withdrawal/Denial of consent: You acknowledge that the Platform has duly collected the
information with your consent, and you have the option to not provide such information or deny consent for
use of specific information or revoke the consent already given. However, any withdrawal of such personal
information will not be permitted in case any Service availed by You is active. Where a consent has been
withdrawn, the Platform does not guarantee, and shall not be liable for, providing such Service. You shall
have the following rights pertaining to your information collected by us.
- Deny Consent: You shall have the right to deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect personal data and if required, make the App delete/ forget the data. However, any such denial will not prejudice the right of the Lending Partners to retain any data in relation to the loans availed by you or by the non-lending service providers in relation to the non-lending services provided to you. Further, in case of a denial of a consent, the Platform does not provide a guarantee or will not be liable towards the continued facilitation of the Services if any such controls are exercised.
- Withdraw Consent: You may withdraw Your consent to contact You, for the continued collection, use or disclosure of Your information, at any time, or request for deletion of your Login account by raising a request on the Platform or by mailing Us at grievance@mobikwik.com. However, Platform does not provide a guarantee of Services if any such controls are exercised. Further, if You have availed any loan facilities from Our lending partner, the lending partner shall have the right to continue processing Your information till such credit facility has been repaid in full, along with any interest and dues payable and/or for such period as may be allowed under applicable law. However, We shall not retain Your data and information if it is no longer required by Us and there is no legal requirement to retain the same. Do note that multiple legal bases may exist in parallel, and We may still have to retain certain data and information at any time. Also, the information may still be used for execution of any outstanding or termination activity of any Lending or Non-lending Services.
Report an issue: You have a right to report a security
incident to the GRO (details mentioned hereinbelow). You shall be entitled to prevent
such unauthorised usage of your information by our personnel/agents by informing us, within 10 days of
being informed of the proposed use, that you do not wish to disclose such information. You can also
exercise the right at any time by contacting us at grievance@mobikwik.com. Notwithstanding anything to the
contrary stated above, the following are specific scenarios listed below which may have consequences to
your withdrawal of consent:
- Marketing and Communication: The consent for this information can be withdrawn if You write an email to the email address at grievance@mobikwik.com
GRIEVANCE REDRESSAL
You may make a request for deleting any information from the Platform at any stage upon making a
request to Us in the following manner:
Grievance Officer
In accordance with Information Technology Act 2000 and rules made there under, the name and contact
details of the Grievance Officer are provided below for your reference:
Name: Prashant Gandhi
Address: One MobiKwik Systems Limited Unit No. 102, 1st Floor, Block-B, Pegasus One, Golf Course
Road, Sector-53, Gurugram, Haryana-122003, India
Email: nodal@mobikwik.com
Contact: +918069898317
Time: Mon - Sat (10:00am - 07:00pm)
If you have questions or concerns, feel free to e-mail us or to correspond at MobiKwik Helpdesk and we will attempt to address
your issue.
MobiKwik is also a registered e-KYC user agency (KUA). Therefore, the below section/policy applies to
protecting personal data/information of Aadhaar number holders.
Definitions
- “Aadhaar number” means an identification number issued to an individual under
sub-section
(3) of section 3 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and
Services) Act, 2016.
- “Aadhaar number holder” means an individual who has been issued an Aadhaar
number under the
Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.
- “Anonymization” in relation to personal data, means such irreversible process of transforming
or converting personal data to a form in which an individual cannot be identified, which meets the
standards of irreversibility.
- “Authentication” means the process by which the Aadhaar number along with
demographic
information or biometric information of an individual is submitted to the Central Identities Data
Repository for its verification and such repository verifies the correctness, or the lack thereof, based
on information available with it.
- “Authority” means the Unique Identification Authority of India established
under sub-section
(1) of section 11 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and
Services) Act, 2016.
- “Biometric information” means photograph, fingerprint, iris scan, or such other
biological
attributes of an individual as may be specified by regulations.
- “Central Identities Data Repository” (CIDR) means a centralised database in one
or more
locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding
demographic information and biometric information of such individuals and other information related
thereto.
- “De-identification” means the process by which a data fiduciary or data
processor may
remove, or mask identifiers from personal data, or replace them with such other fictitious name or code
that is unique to an individual but does not, on its own, directly identify the data principal.
- “Demographic information” includes information relating to the name, date of
birth, address
and other relevant information of an individual, as may be specified by regulations for the purpose of
issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language,
records of entitlement, income or medical history.
- “Hardware Security Module (HSM)” means a device that will store the keys used
for digital
signing of Auth XML and decryption of e-KYC response data received from UIDAI.
- “Identity information” in respect of an individual, includes his Aadhaar
number, his
biometric information and his demographic information.
- “Personal data” means data about or relating to a natural person who is
directly or
indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of
the identity of such natural person, whether online or offline, or any combination of such features with
any other information, and shall include any inference drawn from such data for the purpose of
profiling.
- “PID Block” means the Personal Identity Data element which includes necessary
demographic
and/or biometric and/or OTP collected from the Aadhaar number holder during authentication.
- “Processing” in relation to personal data, means an operation or set of operations performed
on personal data, and may include operations such as collection, recording, organisation, structuring,
storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by
transmission, dissemination or otherwise making available, restriction, erasure or destruction.
- “Requesting Entity” means an agency or person that submits the Aadhaar number,
and
demographic information or biometric information, of an individual to the Central Identities Data
Repository for authentication.
- “Resident” means an individual who has resided in India for a period or periods
amounting in
all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of
application for enrolment.
- “Sensitive personal data or information” means such personal information which
consists of
information relating to — i. password; ii. financial information such as Bank account or credit
card or debit card or other payment instrument details; iii. physical, physiological and mental health
condition; iv. sexual orientation; v. medical records and history; vi. Biometric information; vii. any
detail relating to the above clauses as provided to body corporate for providing service; and viii. any
of the information received under above clauses by body corporate for processing, stored or processed
under lawful contract or otherwise; provided that, any information that is freely available or
accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for
the time being in force shall not be regarded as sensitive personal data or information for the purposes
of these rules.
- “Virtual ID (VID)” means any alternative virtual identity issued as an
alternative to the
actual Aadhaar number of an individual that shall be generated by the Authority in such manner as may be
specified by regulations.
Purpose:
- The purpose of this policy is to provide direction to the various stakeholders and
responsible personnel
within MobiKwik to protect personal data of Aadhaar number holders in compliance to the relevant
provisions of the Aadhaar Act, 2016; the Aadhaar and Other Laws (Amendment) Act, 2019; the Aadhaar
(Authentication) Regulations, 2016; the Aadhaar (Data Security) Regulations; the Aadhaar (Sharing of
Information) Regulations, 2016; and the Information Technology Act, 2000, and regulations thereunder.
Personal Information Collection:
- MobiKwik shall collect the personal data including Aadhaar number/Virtual ID, directly from
the Aadhaar
number holder for conducting authentication with UIDAI at the time of providing the services.
Specific Purpose for collection of Personal data/Information:
- (a) The Identity information including Aadhaar number / Virtual ID shall be collected for the purpose
of authentication of Aadhaar number holder to provide e-KYC for opening of account-based
relationship with MobiKwik;
- (b) The identity information collected and processed shall only be used
pursuant to applicable law and as permitted under the Aadhaar Act 2016 or its Amendment and
Regulations;
- (c) The identity information shall not be used beyond the mentioned purpose without
consent from the Aadhaar number holder and even with consent, use of such information for other
purposes should be under the permissible purposes in compliance with the Aadhaar Act 2016; and
- (d) Process shall be implemented to ensure that Identity information is not used beyond the purposes
mentioned in the notice/consent form provided to the Aadhaar number holder.
Notice / Disclosure of Information to Aadhaar number holder
- a) Aadhaar number holder shall be provided relevant information prior to collection of
identity
information / personal data. These shall include:
- The purpose for which personal data / identity information is being
collected;
- The information that shall be returned by UIDAI upon authentication;
- The information that the submission of Aadhaar number or the proof of Aadhaar is
mandatory or
voluntary for the specified purpose and if mandatory the legal provision mandating it;
- The alternatives to submission of identity information (if applicable);
- The information that Virtual ID can be used in lieu of Aadhaar number at the time
of
Authentication;
- The name and address of MobiKwik that is collecting and processing the personal
data;
- b) Aadhaar number holder shall be notified of the authentication either through the e-mail
or phone or
SMS at the time of authentication and MobiKwik shall maintain logs of the same.
Obtaining Consent
- The consent of the user shall not be valid unless such consent is— (a) free; (b)
informed; (c)
specific; (d) clear; and (e) capable of being withdrawn. Consent of the user in respect of processing of
any sensitive personal data shall be explicitly obtained— (a) after informing him/her the purpose
of, or operation in, processing which is likely to cause significant harm to the user; (b) in clear
terms without recourse to inference from conduct in a context.
- a) Upon notice / disclosure of information to the Aadhaar number holder, consent shall be
taken in
writing or in electronic form on the website or mobile application or other appropriate means and
MobiKwik shall maintain logs of disclosure of information and Aadhaar number holder’s
consent.
- b) Legal department shall be involved in vetting the method of taking consent and logging
of the same,
and formal approval shall be recorded from the legal department.
Processing of Personal Information/Data
- The identity information, including Aadhaar number, biometric /demographic information
collected from
the Aadhaar number holder by MobiKwik shall only be used for the Aadhaar authentication process by
submitting it to the Central Identities Data Repository (CIDR);
- Aadhaar authentication or Aadhaar e-KYC shall be used for the specific purposes declared to
UIDAI and
permitted by UIDAI. Such specific purposes shall be notified to the residents / customers / Individuals
at the time of authentication through disclosure of information notice;
- MobiKwik shall not use the Identity information including Aadhaar number or e-KYC for any
other purposes
than allowed under and informed to the resident / customers / individuals at the time of
Authentication.
- For the purpose of e-KYC, the demographic details of the individual received from UIDAI as
a response shall be used for identification of the individual for the specific purposes of providing the specific
services for the duration of the services.
Retention of Personal Information
- The authentication transaction logs shall be stored for a period of 2 years after which the
logs shall
be archived for a period of 5 years or as per the regulations governing the entity, whichever is later
and upon expiry of which period, barring the authentication transaction logs required to be maintained
by a court order or pending dispute, the authentication transaction logs shall be deleted.
Sharing of Personal Information/Data
- Identity information shall not be shared in contravention to the Aadhaar Act 2016, its
Amendment,
Regulations and other circulars released by UIDAI from time to time.
- Biometric information collected shall not be transmitted over any network without creation
of encrypted
PID block as per Aadhaar Act and regulations;
- MobiKwik shall not require an individual to transmit the Aadhaar number over the Internet
unless such
transmission is secure and the Aadhaar number is transmitted in encrypted form except where transmission
is required for correction of errors or redressal of grievances.
Data Security
- The Aadhaar number shall be collected over a secure application, transmitted over a secure
channel as
per specifications of UIDAI and the identity information returned by UIDAI shall be stored
securely;
- The biometric information shall be collected, if applicable, using the registered devices
specified by
UIDAI. These devices encrypt the biometric information at device level and the application sends the
same over a secure channel to UIDAI for authentication.
- OTP information shall be collected in a secure application and encrypted on the client
device before
transmitting it over a secure channel as per UIDAI specifications;
- Aadhaar / VID numbers that are submitted by the resident / customer / individual to the
requesting entity and the PID block hence created shall not be retained under any event, and the entity
shall retain the parameters received in response from UIDAI;
- e-KYC information shall be stored in an encrypted form only. Such encryption shall match
UIDAI
encryption standards and follow the latest Industry best practice;
- The keys used to digitally sign the authentication request and for encryption of Aadhaar
numbers in Data
vault shall be stored only in HSMs in compliance to the HSM and Aadhaar Data vault circulars;
- MobiKwik shall use only Standardisation Testing and Quality Certification (STQC) / UIDAI
certified biometric devices for Aadhaar authentication (if biometric authentication is used);
- All applications used for Aadhaar authentication or e-KYC shall be tested for compliance to Aadhaar Act 2016
before being deployed in production and after every change that impacts the processing of Identity information;
- The applications shall be audited on an annual basis by information systems auditor(s) certified by STQC,
CERT-IN or any other UIDAI recognized body;
- In the event of an identity information breach, the organisation shall notify UIDAI of the
following:
• A description and the consequences of the breach;
• A description of the number of Aadhaar number holders affected and the number of records affected;
• The privacy officer’s contact details;
• Measures taken to mitigate the identity information breach;
- Appropriate security and confidentiality obligations shall be implemented in the
non-disclosure
agreements (NDAs) with employees/contractual agencies /consultants/advisors and other personnel handling
identity information;
- Only authorized individuals shall be allowed to access Authentication application, audit
logs,
authentication servers, application, source code, information security infrastructure. An access control
list shall be maintained and regularly updated by organisation;
- Best practices in data privacy and data protection based on international Standards shall
be
adopted;
- The response received from CIDR in the form of authentication transaction logs shall be
stored with the following details:
• The Aadhaar number against which authentication is sought;
• Specified parameters received as authentication response;
• The record of disclosure of information to the Aadhaar number holder at the time of authentication; and
• Record of consent of the Aadhaar number holder for authentication
but shall not, in any event, retain the PID information.
- An Information Security policy in-line with ISO27001 standard, UIDAI specific Information
Security
policy and Aadhaar Act 2016 shall be formulated to ensure Security of Identity information.
- Aadhaar numbers shall only be stored in Aadhaar Data vault as per the specifications
provided by UIDAI.
Rights of Aadhaar Number Holder
- The Aadhaar number holder has the right to obtain and request update of identity
information stored with
the organisation, including Authentication logs. The collection of core biometric information, storage
and further sharing is protected by Section 29 of the Aadhaar Act 2016, hence the Aadhaar number holder
cannot request for the core biometric information.
- MobiKwik shall provide a process for the Aadhaar number holder to view their identity
information stored
and request subsequent updates after authenticating the identity of the Aadhaar number holder. In case
the update is required from UIDAI, same shall be informed to the Aadhaar number holder.
- The Aadhaar number holder may, at any time, revoke consent given to MobiKwik for storing
his e-KYC data,
and upon such revocation, MobiKwik shall delete the e-KYC data in a verifiable manner and provide an
acknowledgement of the same to the Aadhaar number holder.
- The Aadhaar number holder has the right to lodge a complaint with the privacy officer who
is responsible
for monitoring of the identity information processing activities so that the processing is not in
contravention of the law.
Aadhaar Number Holder Access Request
- A process shall be formulated to handle the queries and process the exercise of rights of
Aadhaar number
holders with respect to their identity information / personal data. As part of the process it shall be
mandatory to authenticate the identity of the Aadhaar number holder before providing access to any
identity information.
- All requests from the Aadhaar number holder shall be formally recorded and responded to
within a
reasonable period.
- Compliance to the relevant data protection / privacy law (s) shall be ensured.
Privacy by design
- Processes shall be established to embed privacy aspects at the design stage of any new
systems,
products, processes and technologies involving data processing of identity information of Aadhaar number
holders;
- MobiKwik, in possession of the Aadhaar number of Aadhaar number holders, shall not make
public any
database or records of the Aadhaar numbers unless the Aadhaar numbers have been redacted or blacked out
through appropriate means, both in print and in electronic form;
- Before going live with any new process that involves processing of identity information,
the
organisation shall ensure that Disclosure of information / Privacy notice in compliance to the Aadhaar
Act 2016 is provided to the resident / customer / individual and that consent is taken and recorded in
compliance to Aadhaar Act 2016.
- Quarterly self-assessments shall be conducted to ensure compliance to disclosure of
information and
consent requirements.
- Privacy enhancing organizational and technical measures like anonymization,
de-identification and
minimization shall be implemented to make the collection of identity information adequate, relevant, and
limited to the purpose of processing.
Governance and accountability
- A Privacy committee shall be established to provide strategic direction on Privacy matters;
- A person (Privacy Officer) responsible for developing, implementing, maintaining and
monitoring the
comprehensive, organization-wide governance and accountability shall be designated to ensure compliance
with the applicable laws.
- The name of the Privacy Officer and contact details shall be made available to UIDAI and
other external
agencies through appropriate channel;
- The Privacy Officer shall be responsible to assess privacy risks of processing Identity
information /
personal data and mitigate the risks;
- The Privacy Officer shall be independent and shall be involved in all the issues relating
to processing
of identity information;
- The Privacy Officer shall be an expert in data protection and privacy legislations,
regulations and best
practices;
- The Privacy Officer shall advise the top management on the privacy obligations;
- The Privacy Officer shall advise on high-risk processing and the requirement of data
privacy impact
assessments;
- The Privacy Officer shall act as a point of contact for UIDAI for coordination and
implementation of
privacy practices and other external agencies for any queries;
- The Privacy Officer shall be responsible for managing privacy incidents and responding to
the
same;
- The Privacy Officer shall also be responsible for putting in place measures to create
awareness and
training of staff involved in processing identity information, about the legal consequences of data
breach to the reputation of the organization;
- Privacy Officer shall ensure that the Authentication operations, systems and applications
are audited by
CERT-IN (Indian Computer Emergency Response Team), Standardisation Testing and Quality Certification
(STQC) empanelled auditors or any other UIDAI recognised body at least on an annual basis;
- Privacy Officer shall conduct internal audits (through internal audit team) on a quarterly
basis and
monitor compliance through these audits against Aadhaar Act 2016;
- Privacy Officer shall ensure that the front-end operators interacting with Aadhaar number
holders are
trained on a periodic basis to ensure they communicate the disclosure of information to the Aadhaar
number holder, take consent appropriately after showing the screen to the Aadhaar number holder and
ensure Security of identity information. Such trainings shall be documented for audit purposes;
- Aadhaar specific trainings to developers, systems admins and other users shall be provided
to ensure
they are aware of the obligations for their respective roles; Completion of such trainings shall be
documented;
- Privacy Officer shall be responsible to formally communicate this policy to all
stakeholders and staff
who need to comply with this policy; Any changes to the policy shall be communicated immediately;
- Privacy Officer shall facilitate formal Privacy performance reviews with the relevant
stakeholders /
Privacy Committee and suggest improvements. The reviews shall consider the results of various audits,
privacy incidents, privacy initiatives, UIDAI requirements etc.
Transfer of Identity information outside India is prohibited:
- Identity information shall not be hosted or transferred outside the territory of India in
compliance to
the Aadhaar Act and its Regulations.
Grievance Redressal Mechanism
- Aadhaar number holders with grievances about the processing can contact the
organisation’s Privacy
Officer via multiple channels like on the website, through phone, SMS, mobile application etc.
- Reasonable measures shall be taken to inform the residents / customers / individuals about
the Privacy
Officer and its contact details;
- The contact details of Privacy Officer and the format for filing the complaint shall be
displayed on the
organisations’ website and other such mediums that are commonly used for interaction with the
residents / customers / individuals;
- Where the medium of interaction is not electronic (such as physical), Poster / Notice board
that is
prominently visible shall be used to display the name of Privacy officer and contact details;
- If any issue is not resolved through consultation with the management of MobiKwik, Aadhaar
number
holders can seek redressal by way of mechanisms as specified in Section 33B of the Aadhaar Act, 2016.
Responsibility for implementation and enforcement of the policy
- The overall responsibility of monitoring and enforcement of this policy through various
mechanisms such
as Audits etc. shall be with the Privacy Officer.
- Responsibility of the implementation of controls of this policy shall be with the Privacy
Officer.
- Responsibility of review of Disclosure of information notice, consent clause, method of
consent, logging
of consent etc. shall be with the Manager Legal.
Relevant Provisions of Aadhaar Act and Supreme court judgement
- The following relevant documents shall be referred to for ensuring compliance to the Aadhaar
requirements:
- Judgement of Honourable Supreme court dated September 2018
- Aadhaar Act 2016
- Aadhaar and Other Laws (Amendment) Act 2019
- Aadhaar (Authentication) Regulations 2016
- Aadhaar (Data Security) Regulations 2016
- Aadhaar (Sharing of Information) Regulations 2016
- Any other Regulations or notices or Circulars issued by UIDAI from time to time
Contact Details
- Name of Privacy Officer: Mr. Neeraj Khandelwal
- Email: privacy.officer@mobikwik.com
Effective From July 15, 2024
Last updated on July 10, 2024