VyaparX - Privacy Policy

1. Information We Collect

We may collect the following data:

A. Personal Information

• Full name, email, mobile number, address, date of birth, ID details
• Income, employment/business details, bank statements, ITR, salary slips
• Loan preferences, and documents for consulting/profile preparation

B. Sensitive Personal Data or Information (SPDI)

• Passwords, account/card details, or biometric/health data (collected only when strictly required and through secure channels)

C. Device/Usage Data

• IP address, browser/device details, consent logs, security logs, and usage statistics

2. Legal Basis & Purposes

We process your information to:

• Deliver documentation readiness & financial consulting services
• Share your profile/documents only after explicit recorded consent with your selected DSAs/NBFCs/Banks for loan processing
• Provide customer support & grievance handling
• Meet legal, regulatory, and audit obligations
• Improve site/app performance and security, prevent fraud

3. Consent & Choice

• We do not share personal/SPDI data with third parties without your explicit, informed, recorded consent
• Consent is logged with timestamp, IP, and policy version (audit trail)
• You may withdraw consent any time for future actions via the grievance/contact methods in Section 14
• We do not sell, rent, or trade your personal data

4. Disclosures & Recipients

• With consent: Selected DSAs, NBFCs, or Banks you choose
• Vendors under contract: Cloud storage, IT services, security, communications — bound by confidentiality
• Legal purposes: Complying with laws, court orders, and regulator directions
• LSP Data Sharing: With verified Lending Service Providers (LSPs) under written agreement, strictly limited to minimal operational data as per RBI Digital Lending Directions 2025

5. Data Minimisation & Access Control

• Only collect what is necessary
• Internal role-based access, logging, and periodic reviews are enforced

6. Security Safeguards

We follow reasonable security practices under IT Act Sec. 43A & SPDI Rules:

• TLS encryption for data in transit
• AES-level encryption for stored data
• Vendor NDAs and monitoring
• Access control measures and periodic audits
• Do not share OTPs or passwords with VyaparX staff

7. Data Retention & Deletion

• We keep data only as long as needed for services, audits, or legal requirements
• After statutory retention, we delete or irreversibly anonymise data
• Users can request deletion after retention periods end, subject to legal holds
• Personal data deletion requests will be processed within 30 days of verification, subject to legal retention requirements

8. Your Rights

You may:

• Access the data we hold about you
• Request corrections
• Withdraw consent for future data sharing
• Request deletion after retention obligations
• Lodge complaints with our Grievance Officer — escalate unresolved lender-related issues to the RBI Ombudsman

9. Cookies & Tracking Technologies

We use CookieYes to manage consent for cookies and tracking.

A. Categories

• Essential Cookies: Always active – needed for security, logins, and basic functionality
• Analytics Cookies: Google Tag Manager, Google Analytics – help us improve site performance
• Marketing Cookies: Google Ads, Meta Ads – show relevant offers and measure marketing

B. Consent Model

• Non‑essential cookies (analytics, marketing, personalisation) are disabled by default and only run if you actively opt in via our CookieYes banner/preferences tool
• Banner offers Accept All, Reject All, or Customise options
• Consent is stored for 12 months unless cleared sooner
• You may update your preferences any time through the "Cookie Preferences" link in our site footer

C. Managing Cookies

• You can disable cookies in your browser or via our cookie settings tool
• Disabling essential cookies may impact functionality
• Manage ad personalisation directly at Google Ad Settings or Meta Ad Preferences

D. Third‑Party Cookies

Some cookies are set by trusted analytics/ads providers. We do not sell cookie data.

10. Children's Data

We do not knowingly collect data from users under 18.

11. International Data Transfers

Data is primarily stored/processed in India. If transferred abroad (e.g., via approved vendors), such transfers are protected under contractual safeguards to meet SPDI requirements.

12. Third‑Party Links

We are not responsible for external site privacy practices. Please review their notices separately.

13. Policy Updates

We may update this policy for operational or legal reasons. Changes will be posted with a revised "Last Updated" date.

14. Contact & Grievance Redressal