Privacy Policy

1. Purpose and Scope

This Privacy Policy ("Policy") describes how Usha Financial Services Limited ("UFSL", "Company", "we", "us", or "our"), operating the KreditCall digital lending platform, collects, uses, stores, shares, and protects the personal data of its customers, prospective customers, website visitors, and app users ("you" or "your"). This Policy applies to all personal data processed by UFSL through its digital lending platform KreditCall, mobile application, website, APIs, and any associated services.

2. Policy Hierarchy

This Policy is governed by and shall be read in conjunction with applicable Indian laws and regulations. In the event of any conflict between this Policy and any applicable law or regulation, the applicable law or regulation shall prevail.

3. Applicability

This Policy applies to:

• All individuals who access or use the KreditCall platform, website, or mobile application
• Prospective and existing borrowers
• Visitors to our website or app
• Individuals whose data is processed in connection with our lending services
• All employees, contractors, and third-party service providers who handle personal data on behalf of UFSL

4. Applicable Laws and Regulatory Framework

This Policy is framed in compliance with the following laws and regulations:

• Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• Digital Personal Data Protection Act, 2023 (DPDPA)
• Reserve Bank of India (RBI) Guidelines on Digital Lending (September 2022)
• RBI Master Direction on Information Technology Framework for NBFCs
• RBI Fair Practices Code for NBFCs
• Any other applicable laws, rules, and regulations as amended from time to time

5. Definitions

• Personal Data: Any data about an individual who is identifiable by or in relation to such data, as defined under the DPDPA, 2023.
• Sensitive Personal Data or Information (SPDI): Includes passwords, financial information, health data, biometric data, sexual orientation, and any other data as specified under IT Rules, 2011.
• Data Principal: The individual to whom the personal data relates (i.e., you, the user/borrower).
• Data Fiduciary: The entity that determines the purpose and means of processing personal data (i.e., UFSL).
• Data Processor: Any entity that processes personal data on behalf of the Data Fiduciary.
• LSP (Lending Service Provider): Any agent of the regulated entity engaged in lending services, including KreditCall platform operations.

6. Privacy Principles

UFSL is committed to the following privacy principles:

• Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner.
• Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes only.
• Data Minimisation: We collect only the data that is necessary for the specified purpose.
• Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date.
• Storage Limitation: Personal data is retained only for as long as necessary for the purpose for which it was collected.
• Integrity and Confidentiality: We implement appropriate security measures to protect personal data.
• Accountability: We are responsible for and able to demonstrate compliance with these principles.

7. Collection of Data and Purposes

We collect the following categories of personal data for the purposes specified:

7.1 Identity and Contact Information

• Full name, date of birth, gender, PAN, Aadhaar (via Digilocker)
• Mobile number, email address, residential address
• Purpose: KYC verification, identity authentication, communication

7.2 Financial Information

• Bank account details, bank statements (via Account Aggregator), income information
• Credit bureau data (from CRIF or other authorized bureaus)
• Purpose: Credit assessment, loan underwriting, disbursement, repayment processing

7.3 Device and Technical Information

• Device model, OS version, unique device identifiers, IP address, app version
• Purpose: Fraud prevention, security, app performance improvement

7.4 Biometric Data

• Facial image for liveness detection during KYC
• Purpose: Identity verification and fraud prevention

We do NOT collect or access your contacts, call logs, photos, media, or any data beyond what is specifically required for our lending services.

8. Consent Mechanism

We obtain your explicit, informed, and freely given consent before collecting and processing your personal data. Consent is obtained through:

• In-app consent screens with clear descriptions of data being collected and its purpose
• Separate consent for each category of data collection (e.g., camera for face verification, Digilocker for Aadhaar)
• Account Aggregator consent for accessing financial data
• E-sign consent for loan agreement execution

You have the right to refuse or withdraw consent at any time. However, withdrawal of consent may affect your ability to use our services.

9. Your Rights

As a Data Principal under the DPDPA and applicable regulations, you have the following rights:

• Right to Access: You may request information about the personal data we hold about you.
• Right to Correction: You may request correction of inaccurate or incomplete personal data.
• Right to Erasure: You may request deletion of your personal data, subject to legal and regulatory retention requirements.
• Right to Withdraw Consent: You may withdraw previously given consent at any time.
• Right to Grievance Redressal: You may raise concerns or complaints regarding data processing.
• Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.

10. Withdrawal of Consent and Deletion

You may withdraw consent or request data deletion by contacting our Grievance Officer. Upon receiving such a request:

• We will cease processing your personal data for the purposes for which consent was withdrawn
• Data required to be retained under applicable laws and regulations will be retained for the mandated period
• Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal
• Active loans or pending obligations may require continued retention of certain data

11. How We Share Data

We may share your personal data with the following categories of recipients, strictly on a need-to-know basis:

• Credit Bureaus: For credit assessment and reporting of loan performance
• Account Aggregators: For accessing financial data with your consent
• Banking Partners: For loan disbursement and repayment processing
• KYC Providers: For identity verification (Digilocker, face verification)
• E-sign and E-stamp Providers: For digital agreement execution
• Payment Processors: For repayment collection
• Regulatory Authorities: When required by law or regulation (RBI, courts, government agencies)
• Auditors and Legal Advisors: For compliance and legal purposes

We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes. All third-party service providers are bound by contractual obligations to protect data confidentiality and security.

12. LSP and Vendor Controls

In compliance with RBI Digital Lending Guidelines:

• All Lending Service Providers (LSPs) and technology vendors are subject to contractual data protection obligations
• LSPs are prohibited from storing personal data of borrowers beyond what is essential for the transaction
• Periodic audits are conducted to ensure vendor compliance with data protection standards
• Technology vendors handling sensitive data are required to maintain SOC2 or equivalent certifications

13. Data Storage, Localisation and Cross-Border

• All personal data is stored on servers located within India, in compliance with RBI data localisation requirements
• We use industry-standard cloud infrastructure with data centres in India
• No personal data is transferred outside India without your explicit consent and in compliance with applicable laws
• Anonymised and aggregated data may be processed outside India for analytics purposes, where permitted by law

14. Data Retention and Destruction

We retain personal data only for as long as necessary for the purposes outlined in this Policy or as required by applicable law. The following retention schedule applies:

Upon expiry of the retention period, personal data is securely deleted or anonymised using industry-standard data destruction methods.

15. Security Safeguards and Breach Handling

We implement comprehensive security measures to protect your personal data:

• End-to-end encryption (TLS 1.2+) for data in transit
• AES-256 encryption for data at rest
• Multi-factor authentication for system access
• Role-based access controls with principle of least privilege
• Regular vulnerability assessments and penetration testing
• Security incident monitoring and logging
• Employee security awareness training

In the event of a data breach that is likely to cause harm to individuals, we will:

• Notify the Data Protection Board of India within the time frame specified under the DPDPA
• Notify affected individuals without undue delay
• Report to CERT-In within 6 hours as required under applicable cyber security directives
• Take immediate remedial measures to contain and mitigate the breach

16. Contact and Grievance Redressal

For any queries, concerns, or complaints regarding this Policy or the processing of your personal data, please contact:

We will acknowledge your grievance within 24 hours and endeavour to resolve it within 30 days. If you are not satisfied with the resolution, you may escalate the matter to the Reserve Bank of India through the RBI Complaint Management System or the RBI Sachet Portal.

17. Amendments

UFSL reserves the right to amend this Privacy Policy at any time. Any changes will be effective upon posting the updated Policy on our website and mobile application. We will notify you of material changes through in-app notifications or email. Your continued use of our services after such modifications constitutes your acceptance of the updated Policy.