Privacy Policy

Last updated: November 18, 2024

1. Introduction

This Privacy Policy ("Policy") is a legally binding document between you ("User", "you", "your") and THFS (Trusted Hands Financial Services Private Limited) ("THFS", "we", "us", "our"), a company incorporated under the Companies Act, 2013, having its registered office at [Address]. This Policy governs the collection, usage, storage, and protection of your personal information across our suite of financial products and services including PaisaOnClick, CreditPe, Vridhi Money, BimaLok, and Accumo (collectively referred to as "Services").

1.1 Scope of Policy

  • Digital Platforms: All websites, web applications, and mobile applications operated by THFS and its subsidiaries, including but not limited to www.trustedhandsfintech.com, app.paisaonclick.com, and related domains.
  • Mobile Applications: Native and hybrid applications available on iOS, Android, and other mobile platforms, including all features, functionalities, and services offered therein.
  • Website Interactions: All forms of user engagement, including browsing, account creation, transactions, and communication through our digital platforms.
  • Customer Support: All communication channels including but not limited to email, phone, chat, and social media platforms used for customer service and support.
  • Third-party Integrations: Services and features provided through partnerships, including payment gateways, credit bureaus, and other financial service providers.

1.2 Regulatory Compliance

  • Information Technology Act, 2000: Compliance with data protection requirements under Section 43A and related rules regarding sensitive personal information.
  • Personal Data Protection Bill: Adherence to proposed data protection framework including data localization, consent requirements, and user rights.
  • RBI Guidelines on Digital Lending: Compliance with regulatory requirements for data collection, storage, and processing in digital lending operations as per RBI circular dated June 20, 2022.
  • SEBI Guidelines: Adherence to securities market regulations regarding investor data protection and privacy as applicable to investment platforms.
  • IRDAI Requirements: Compliance with insurance regulatory guidelines on policyholder data protection and privacy as per IRDAI circular IRDA/INT/GDL/ASM/059/03/2017.

2. Information Collection

In accordance with applicable laws and regulations, including but not limited to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we collect various categories of personal and financial information necessary for providing our services.

2.1 Personal Information

Basic Information

  • Full Legal Name: As appearing in official documents, required for KYC compliance under PMLA Rules, 2005.
  • Date of Birth: For age verification and compliance with product-specific eligibility requirements under various financial regulations.
  • Gender: For demographic analysis and regulatory reporting requirements.
  • Contact Details: Required under RBI's Know Your Customer (KYC) norms and for maintaining communication records as per regulatory requirements.
  • Residential Address: Mandatory for address verification under Prevention of Money Laundering Act, 2002 and RBI guidelines.
  • Email Address: For official communications and notices as required under IT Act, 2000 and various financial regulations.
  • Mobile Number: Required for two-factor authentication as per RBI circular on Additional Factor of Authentication.

Identity Documents

  • Aadhaar Number: Collected as per UIDAI guidelines for e-KYC verification, subject to voluntary submission and explicit consent.
  • PAN Card Details: Mandatory under Income Tax Act, 1961 for financial transactions exceeding specified limits.
  • Passport Information: Accepted as an officially valid document (OVD) under RBI's KYC Master Direction, 2016.
  • Driving License: Alternative identity proof accepted under regulatory guidelines for KYC verification.
  • Voter ID: Recognized as valid identity proof under RBI's simplified measures for low-risk customers.
  • Utility Bills: Required for address verification as per RBI's KYC Master Direction, not older than two months.

2.2 Financial Information

Income Details

  • Salary Slips: Required for income verification as per RBI's guidelines on income assessment for retail loans.
  • Form 16: Collected for income verification and tax compliance under Income Tax Act, 1961.
  • Bank Statements: Required for 6-12 months as per RBI's guidelines on credit assessment and income verification.
  • Investment Portfolios: Collected for wealth management services under SEBI (Investment Advisers) Regulations, 2013.
  • Tax Returns: Required for business loans and high-value transactions as per regulatory guidelines.

Credit Information

  • Credit Score: Obtained from credit information companies as per Credit Information Companies (Regulation) Act, 2005.
  • Loan History: Accessed through authorized credit bureaus for credit assessment as per RBI guidelines.
  • Credit Card Statements: Required for assessing credit behavior and repayment capacity.
  • Repayment Records: Maintained as per RBI's circular on Reporting of Loan Information to Credit Information Companies.
  • Default History: Checked as part of credit assessment process under RBI's prudential norms.

3. Data Usage

All data usage activities are conducted in compliance with the Information Technology Act, 2000, RBI Master Directions on Digital Lending, and applicable data protection laws. We process your information based on legitimate purposes and with explicit consent where required by law.

3.1 Primary Purposes

  • Service Delivery:

    Processing necessary for the performance of contractual obligations under Section 10 of the Indian Contract Act, 1872, including:

    • Loan application processing as per RBI guidelines
    • Investment account management under SEBI regulations
    • Insurance policy issuance per IRDAI norms
    • Digital payment processing under Payment and Settlement Systems Act, 2007
  • Risk Assessment:

    Conducted under RBI's Master Circular on Risk Management and Inter-bank Dealings, including:

    • Credit risk evaluation using authorized credit information
    • Fraud detection and prevention measures
    • Anti-money laundering checks under PMLA, 2002
    • Market risk assessment for investment products

3.2 Secondary Purposes

  • Product Development:

    Data analysis for service improvement, subject to:

    • Anonymization requirements under IT Rules, 2011
    • Data minimization principles
    • Purpose limitation restrictions
  • Marketing Communications:

    Conducted in compliance with:

    • TRAI regulations on commercial communications
    • RBI guidelines on unsolicited commercial communications
    • Explicit opt-in requirements
    • Unsubscribe options as per IT Act rules

4. Data Sharing

Data sharing is conducted strictly in accordance with regulatory requirements and based on data sharing agreements that ensure adequate protection of personal information under Section 43A of the IT Act, 2000.

4.1 Authorized Recipients

  • Regulatory Bodies:

    Mandatory reporting and disclosures to:

    • Reserve Bank of India (RBI) under applicable regulations
    • SEBI for investment-related activities
    • IRDAI for insurance operations
    • Financial Intelligence Unit (FIU) under PMLA
  • Service Providers:

    Data sharing under contractual obligations with:

    • Credit Information Companies under CICRA, 2005
    • Payment processors under PSS Act, 2007
    • KYC Verification Agencies under RBI guidelines
    • Cloud service providers under IT Act regulations

4.2 Data Transfer Safeguards

  • Contractual Measures:

    Implementation of:

    • Data Processing Agreements (DPAs) with service providers
    • Confidentiality clauses as per IT Act requirements
    • Data protection addendums for international transfers
    • Audit rights and compliance monitoring provisions
  • Technical Controls:

    Implementation of:

    • End-to-end encryption for data transfers
    • Access controls and authentication mechanisms
    • Audit logging and monitoring systems
    • Data loss prevention measures

5. Security Measures

We implement comprehensive security measures in accordance with Section 43A of the IT Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, along with RBI's Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds.

5.1 Technical Security

  • Encryption Standards:

    Implementation of:

    • 256-bit AES encryption for data at rest
    • TLS 1.3 for data in transit
    • Hardware Security Modules (HSM) for key management
    • End-to-end encryption for sensitive communications
  • Access Controls:

    Implementation as per ISO 27001 standards:

    • Multi-factor authentication (MFA)
    • Role-based access control (RBAC)
    • Principle of least privilege
    • Regular access reviews and audits

5.2 Operational Security

  • Security Monitoring:

    24/7 monitoring including:

    • Security Information and Event Management (SIEM)
    • Intrusion Detection and Prevention Systems (IDS/IPS)
    • Security Operations Center (SOC)
    • Automated threat intelligence
  • Incident Response:

    Procedures compliant with:

    • CERT-In reporting requirements
    • RBI's Cyber Security Framework
    • IT Act breach notification rules
    • Data breach response protocols

6. User Rights

Users are entitled to specific rights regarding their personal data as per the IT Act, 2000, and various financial sector regulations. These rights are exercisable through formal requests and subject to applicable legal restrictions.

6.1 Core Rights

  • Right to Access:

    Under Section 43A of IT Act:

    • Request copy of personal data held
    • Obtain processing information
    • View data sharing recipients
    • Access processing purposes
  • Right to Correction:

    As per RBI guidelines:

    • Update inaccurate information
    • Correct incomplete data
    • Modify outdated details
    • Request data verification

6.2 Additional Rights

  • Right to Data Portability:

    Under Account Aggregator framework:

    • Request data in structured format
    • Transfer data to another provider
    • Access machine-readable formats
    • Obtain direct transmission where feasible
  • Right to Withdraw Consent:

    As per IT Rules, 2011:

    • Revoke processing permissions
    • Opt out of marketing communications
    • Cancel data sharing authorizations
    • Withdraw specific consents

7. Data Retention

Our data retention policies comply with various regulatory requirements including RBI Master Directions, SEBI Regulations, IRDAI Guidelines, and the Prevention of Money Laundering Act, 2002 (PMLA) requirements for record keeping.

7.1 Retention Periods

  • Financial Records:

    Retention as per regulatory mandates:

    • Loan documentation: 8 years after loan closure (RBI guidelines)
    • Investment records: 5 years from transaction (SEBI regulations)
    • Insurance documents: 10 years from policy termination (IRDAI)
    • Transaction records: 5 years (PMLA requirements)
  • KYC Documents:

    Maintained as per regulatory requirements:

    • Identity proofs: 5 years after account closure
    • Address proofs: 5 years from last verification
    • Video KYC records: 10 years from verification
    • Due diligence records: 5 years (PMLA)

8. International Transfers

International data transfers are conducted in compliance with RBI's Guidelines on Cross Border Data Flows, IT Act requirements, and applicable international data protection regulations.

8.1 Transfer Mechanisms

  • Legal Framework:

    Transfers conducted under:

    • Standard Contractual Clauses (SCCs)
    • Binding Corporate Rules (BCRs)
    • Adequacy decisions where applicable
    • Explicit user consent mechanisms
  • Data Localization:

    Compliance with:

    • RBI's data localization norms
    • Payment system data requirements
    • Critical personal data restrictions
    • Financial data storage mandates

9. Policy Updates

This Privacy Policy is periodically reviewed and updated to ensure compliance with evolving regulatory requirements and industry standards. All updates are communicated to users as per legal requirements.

9.1 Update Process

  • Notification Requirements:

    Communication through:

    • Email notifications 30 days prior to changes
    • In-app notifications and alerts
    • Website announcements
    • SMS for significant changes
  • User Rights:

    During policy updates:

    • Right to review changes
    • Option to accept or reject updates
    • Grace period for decision-making
    • Right to terminate services

10. Contact Information

For any privacy-related queries, complaints, or requests, you can reach out to our dedicated Data Protection Team through the following channels, as per Section 43A of the IT Act and Rule 5(9) of the IT Rules, 2011.

Data Protection Officer

Grievance Officer

Submit a Privacy Request