Data Privacy Policy

Finacus Solutions Private Limited (“Finacus”, “Company”, “we”, “our”, or “us”) is committed to protecting and respecting the privacy of personal data processed in the course of providing our technology services.

This Privacy Policy explains how we collect, use, store, disclose, and safeguard personal data in compliance with:

  • The Digital Personal Data Protection Act, 2023 (DPDP Act)
  • Applicable RBI/NPCI regulatory requirements (where applicable)
  • ISO/IEC 27701:2019 (Privacy Information Management System – PIMS)
  • ISO/IEC 27001 Information Security Management practices

By using our services or interacting with our website, you acknowledge the terms of this Privacy Policy.

2. Definitions (As per DPDP Act, 2023)

  • Personal Data: Any data about an identifiable individual.
  • Data Principal: The individual to whom the personal data relates.
  • Data Fiduciary: The entity that determines the purpose and means of processing personal data.
  • Data Processor: An entity processing personal data on behalf of a Data Fiduciary.

Finacus may act as a Data Fiduciary or Data Processor depending on the nature of services provided to its customers.

3. Categories of Information We Collect

In line with DPDP Act Section 4 & Section 6 (Lawful Processing & Consent) and ISO 27701 Clause 7.2.2:

3.1 Personal Data

We may collect and process the following categories:

a) Identification Information
  • Name
  • Address
  • Email address
  • Phone number
  • Date of birth (where required)
  • Government-issued identification (where required)
b) Financial Information
  • Bank account details
  • Transaction history
  • Payment information
c) Authentication Information
  • Username
  • Encrypted passwords
  • Access credentials
d) Technical & Device Information
  • IP address
  • Device type
  • Browser type
  • System logs

4. Lawful Basis of Processing (DPDP Act, 2023)

Personal data is processed on one or more of the following grounds:

  • Consent of the Data Principal (Section 6)
  • Legitimate uses as permitted under Section 7
  • Compliance with legal obligations
  • Performance of contractual obligations

Consent, where required, shall be:

  • Free, specific, informed, unconditional, and unambiguous
  • Capable of being withdrawn by the Data Principal

5. Purpose of Processing

As required under DPDP Act – Purpose Limitation Principle and ISO 27701 Clause 7.4.2, we process personal data for:

  • Provision and management of services
  • Transaction processing
  • Customer onboarding and account management
  • Fraud detection and prevention
  • System security and monitoring
  • Regulatory compliance
  • Customer support
  • Service improvement and analytics
  • Marketing communications (subject to consent)

Personal data is not processed beyond the stated purpose without appropriate authorization.

6. Data Minimization & Retention

In accordance with:

  • DPDP Act – Data Minimization & Storage Limitation principles
  • ISO 27701 Clause 7.4.3

We:

  • Collect only data necessary for the specified purpose
  • Retain personal data only for as long as required by law, regulatory requirements, or contractual obligations
  • Securely delete or anonymize data after the retention period expires

7. Data Sharing & Disclosure

Personal data may be shared with:

7.1 Service Providers (Processors)

Third parties engaged for:

  • Infrastructure hosting
  • Security monitoring
  • Payment processing
  • Communication services

All such disclosures are governed by:

  • Data Processing Agreements (DPAs)
  • Confidentiality obligations
  • ISO-aligned security controls

7.2 Regulatory & Legal Authorities

When required by law, court order, or regulatory mandate.

7.3 Business Transfers

In case of merger, acquisition, or restructuring, subject to applicable safeguards.

We do not sell personal data.

8. Cross-Border Data Transfers

Where applicable, cross-border data transfers shall comply with:

  • DPDP Act provisions regarding notified countries
  • Contractual safeguards
  • Security controls aligned with ISO 27701

9. Rights of Data Principals (DPDP Act, 2023)

Data Principals have the right to:

  • Seek access to personal data
  • Seek correction or erasure
  • Withdraw consent
  • Seek grievance redressal
  • Nominate another person (as per Section 14)

Requests may be submitted to the contact details below.

10. Security Measures

In accordance with:

  • DPDP Act Section 8(5) – Reasonable Security Safeguards
  • ISO/IEC 27001 & ISO/IEC 27701 controls

We implement:

  • Encryption (data at rest & in transit)
  • Role-based access control
  • Secure key management
  • Logging & monitoring
  • Vulnerability management
  • Incident response procedures
  • Periodic audits and risk assessments

11. Personal Data Breach Management

In the event of a personal data breach, we will:

  • Assess impact and risk
  • Notify affected stakeholders and authorities as required under the DPDP Act
  • Implement corrective and preventive measures
  • Maintain breach records

12. Privacy Governance (ISO 27701 Alignment)

Finacus maintains a Privacy Information Management System (PIMS) aligned with ISO/IEC 27701 to ensure:

  • Clear roles & responsibilities
  • Risk-based privacy controls
  • Privacy impact assessments
  • Vendor risk management
  • Continuous monitoring and improvement

13. Updates to this Policy

This Privacy Policy may be updated periodically to reflect:

  • Regulatory changes
  • Operational changes
  • Security enhancements

The latest version will be published on our website with the updated effective date.

14. Contact & Grievance Redressal

For privacy-related concerns or to exercise your rights:

Grievance Officer

Finacus Solutions Private Limited
Email: grievanceofficer@finacus.co.in