Legal

Privacy Policy

Effective date: April 2026. Last updated: May 2026.

ADVIJJ FINTECH PRIVATE LIMITED (CIN U70200HR2026PTC145066, “payd24”, “we”, “our”, “us”) collects and processes your personal data to provide credit advisory and Lending Service Provider (LSP) services. This Privacy Policy is aligned with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 and its rules, and the Reserve Bank of India Digital Lending Guidelines, 2022.

1. Data we collect

• Identifiers: mobile number (for OTP login), full name, email, date of birth, gender, residential address, and PAN (for bureau pulls and tax compliance).
• KYC artefacts: Aadhaar last-4 digits and a salted one-way hash (we never store the full Aadhaar number); selfie + face-match score (used only for identity verification, encrypted at rest, deleted after KYC closes for non-disbursed applicants).
• Financial information: credit bureau report (CIBIL / Experian / Equifax / CRIF), bank-statement features pulled via the Account Aggregator framework (only when you grant AA consent), existing loan obligations.
• Transactional: loan applications, repayments, eSign artefacts, mandate registrations, payment records.
• Operational: consents you grant, your interactions with our website / app, IP address, device fingerprint (used solely for fraud detection and audit logs).

2. Data we do NOT collect or store

• Your full Aadhaar number — masked last-4 only.
• Your card numbers, CVV, or UPI PIN — these are handled by our PCI-DSS-compliant payment aggregator partner directly; we never see them.
• Your Aadhaar OTP — issued and validated by UIDAI / our licensed eKYC partner.
• Your contact list, SMS inbox, photo gallery, or location — we do not request these permissions.

3. How we use your data

• To verify your identity (KYC) and to prevent fraud.
• To pull your credit bureau report (with your explicit consent).
• To facilitate loan applications, eSign of loan agreements, mandate registration, and repayment processing for our NBFC partner lenders.
• To deliver Credit Assist reports, consultations, and settlement services.
• To communicate with you on WhatsApp, SMS, email, and phone for service updates and regulatory disclosures.
• To comply with our regulatory obligations (RBI, GST, IT Act, PMLA / AML).
• To improve service quality, build aggregated analytics (no personally identifiable data leaves the platform), and prevent fraud.

4. Lawful basis

We process your data on the following lawful bases under the DPDP Act:

• Consent — for credit bureau pulls, AA consent, marketing communications.
• Legitimate use — for performance of the contract you entered into with us.
• Compliance with law — for KYC, AML, fraud prevention, regulator-mandated reporting and retention.

5. Sharing your data

We share your data only with:

• RBI-licensed NBFC partners — the lender of record for any loan you take, for the purpose of issuing and servicing that loan;
• Credit Information Companies (CIBIL, Experian, Equifax, CRIF) — for credit assessment and post-disbursement reporting as required by RBI;
• Payment aggregator partners (Razorpay or equivalent) — for collecting payments and disbursing refunds;
• Licensed eKYC and eSign partners — for identity verification and Aadhaar-based digital signatures;
• Account Aggregator partners (Sahamati-empanelled) — only when you grant explicit AA consent;
• Chartered Accountants on our empanelled list — only for the Settlement product, only after you eSign the limited Power of Attorney;
• Regulatory and law-enforcement authorities — only where compelled by valid legal process.

We do not sell, rent, or trade your personal data with any third party for advertising or other commercial purposes.

6. International transfers

Your data is stored on cloud infrastructure located in India (Mumbai region — AWS ap-south-1). We do not transfer your personal data outside India except where required by law or by a regulator-permitted exception.

7. Your rights under the DPDP Act

• Right to access: request a copy of your personal data via your account dashboard or by emailing dpo@payd24.com.
• Right to correction and erasure: request correction of inaccurate data; request erasure subject to lawful retention (e.g., RBI requires extended retention for active loan records and audit trails).
• Right to grievance redressal: see our Grievance Redressal page.
• Right to nominate: nominate a person to exercise your rights in the event of incapacity or death.
• Right to withdraw consent: withdraw any previously granted consent at any time. Withdrawal does not affect lawful processing already performed and may affect our ability to deliver the Services.

8. Retention

• Loan records: 7 years post-closure (RBI requirement).
• Credit Assist orders (advisory, not lending): 3 years post last interaction.
• KYC artefacts for disbursed loans: 8 years (PMLA requirement).
• KYC artefacts for non-disbursed applicants: deleted after 90 days.
• Audit logs: 7 years.
• Marketing-only data: deleted within 30 days of consent withdrawal.

9. Security

• TLS 1.2+ on all customer traffic.
• PAN encrypted at rest using AES-256 with key rotation.
• Database hosted in a private VPC subnet with no public access.
• Role-based access for staff; every privileged action is logged for at least 7 years.
• Annual third-party security audit.

10. Cookies

We use strictly necessary cookies for session management (HttpOnly, Secure, SameSite-Lax). We do not use third-party advertising or tracking cookies. We may use first-party analytics cookies that do not identify you individually.

11. Children

Our Services are not directed to persons under 18. We do not knowingly collect data of minors. If you believe we hold data of a minor, please write to dpo@payd24.com and we will erase it promptly.

12. Data Protection Officer

Email: dpo@payd24.com.
Postal address: ADVIJJ FINTECH PRIVATE LIMITED, 4185, Third Floor, Ansal Versalia, Sector 67, Gurugram, Haryana 122101, India.
CIN: U70200HR2026PTC145066.

13. Breach notification

In the unlikely event of a personal data breach affecting you, we will notify the Data Protection Board of India within 72 hours and you within a reasonable time thereafter, in line with the DPDP Act and applicable sectoral guidance.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email and in-app banner at least 14 days before they take effect.

Last updated: May 2026.