LEAPROFIN PRIVATE LIMITED

Privacy Policy

1. Purpose

This Privacy Policy is framed by Ayaan Finserve India Private Limited (SHATABDI/Company) to safeguard the personal information of its customers. It sets out the principles and procedures for the collection, retention and secure deletion of customer and operational data in compliance with the Reserve Bank of India's (Digital Lending) Directions, 2025, the Information Technology Act, 2000, and other applicable legal and regulatory requirements.

2. Scope

This policy applies to all data collected, stored, processed, and deleted by SHATABDI Loans, its Lending Service Providers (LSPs), Digital Lending Apps (DLAs), and associated partners throughout the digital lending lifecycle.

3. Definition

The terms ascribed here shall have the same meaning as defined in the Reserve Bank of India (Digital Lending) Directions, 2025, Regulatory Reference.

4. Regulatory Reference

This policy is framed in compliance with the Reserve Bank of India as outlined in the RBI Master Direction, Reserve Bank of India (Digital Lending) Directions, 2025, No. RBI/2025-26/36 (DOR.STR.REC.19/21.07.001/2025-26), dated May 8, 2025.

5. Key Principles

  • Consent and Control with respect to Data Collection and Sharing:
    • Personal Data is collected only with explicit consent of the customer.
    • Customers have the right to give or deny consent for the collection and use of specific data.
    • Customers may revoke previously given consent at any time.
    • Customers may request deletion or restriction of their personal data.
    • Personal data will not be shared with any third party without the customer's explicit consent, except as required under statutory or regulatory obligations.
  • Data Minimization: Only necessary data relevant to the lending process will be collected.
  • Purpose Limitation: Data will be used only for the purposes explicitly stated at the time of collection.
  • Storage Limitation: Data will not be retained beyond the period necessary for the purpose.

6. Data Retention Periods

| Type of Data | Retention Period | Remarks |
|---|---|---|
| KYC Documents | 10 years 6 months from account | As per PMLA guidelines |
| Lead, Disbursed and Rejection Data | 10 years 6 months from account closure | For audit and regulatory reviews |
| Loan Application Data | 8 years 6 months from loan closure | For audit and regulatory reviews |
| Consent Logs | 8 years 6 months from consent date | Must be auditable |
| Payment & Transactional Data | 8 years 6 months from transaction | As per RBI/IT Act requirements |
| Communication Records (Email/SMS) | 5 years 6 months from last interaction | Includes promotional and transactional mails |
| Behavioral/Device/App Data | 6 months from collection | Must be deleted post loan disbursal |

7. Data Deletion Guidelines

  • Automatic Deletion: Systems will trigger automatic deletion of expired records through scheduled jobs.
  • Manual Deletion Requests: Customers may request deletion of non-mandatory data. Such requests will be honored within 30 days post-verification.
  • Deletion Confirmation: Audit trail and confirmation of deletion will be recorded and archived.

8. Storage and Security

  • All data will be stored within servers located in India, as mandated by RBI.
  • Data will be retained only for as long as necessary to fulfill the stated purposes or as required by applicable law.
  • Encryption at rest and in transit must be ensured.
  • Access to data is restricted based on roles and responsibilities under a strict need-to-know basis.
  • No biometric data is stored or collected unless allowed under extant statutory guidelines.
  • Currently, the Company has not engaged any Lending Service Provider (LSP). However, if an LSP is engaged in the future, the Company shall ensure that no customer personal information, except for basic details such as name, address, and contact information necessary for the LSP to perform its functions as per the Company-LSP agreement, is stored or retained by the LSP.

9. Responsibilities

Chief Information Security Officer (CISO)

Name: Kumar Saurabh

Responsible for overseeing compliance with this policy, ensuring that all information security practices are in place and adhered to across the organization.

Data Protection Officer (DPO)

Name: Kumar Saurabh

Ensures timely deletion of customer data as per regulatory norms and addresses customer grievances related to data protection and privacy.

IT Team

Implements and monitors technical processes to maintain system security, data integrity, and compliance with internal policies.

Legal Team

Name: Pankaj Walia

Monitors changes in legal and regulatory frameworks, ensuring that the policy is regularly reviewed and updated to reflect the latest requirements.

10. Audit & Monitoring

  • Annual data audits to ensure compliance with RBI norms.
  • Third-party cybersecurity audit every financial year.
  • Maintenance of deletion logs and retention registry for 10 years for audit purposes.

11. Policy Review and Updates

This policy will be reviewed annually or earlier if:

  • Applicable or relevant RBI or Government regulations are amended; or
  • There is a significant change in the Company's data processing practices.

Approved by: LEAPROFIN PRIVATE LIMITED Board