Privacy Policy

1

Overview

This Privacy Policy ("Policy") governs the collection, processing, storage, and use of personal data by Techpaylogic Technologies Pvt Ltd ("Paylogic", "we", "us", or "our"), a company incorporated under the Companies Act, 2013, having its registered office at 20th Floor, Oberoi Commerz II, International Business Park, Oberoi Garden City, Goregaon East, Mumbai – 400063, Maharashtra, India.

This Policy applies to all users ("you", "your", "User") who access or use Paylogic's website, mobile applications, APIs, dashboards, and related fintech services (collectively, the "Platform").

Our Commitment

We are committed to protecting your personal information in compliance with the Information Technology Act, 2000, the Digital Personal Data Protection Act (DPDP), 2023, the Reserve Bank of India (RBI) guidelines, and applicable provisions of the GDPR where relevant. By using the Platform, you acknowledge and agree to the practices described in this Policy.

2

Data We Collect

We collect information necessary to provide, improve, and personalise our financial services. The categories of data we collect include:

2.1 Identity & Account Information

Full name and date of birth
Email address and mobile number
Business name, type, and registration details (for merchant accounts)
Government-issued ID — PAN card, Aadhaar number (masked), GST number, CIN
Director and beneficial owner details for corporate KYC compliance

2.2 Financial & Transaction Data

Bank account details — account number, IFSC code, account holder name
UPI IDs and VPAs used on our platform
Transaction history — amounts, timestamps, references, status
Settlement records and payout disbursement details
Refund and chargeback records

2.3 Technical & Usage Data

IP address, browser type, device type, and operating system
API request logs, integration events, and error logs
Session data and access timestamps
Dashboard navigation patterns and feature usage analytics
Cookies and tracking technologies (see Section 7)

2.4 Communication Data

Messages sent to our support team via email, chat, or phone
Survey responses and feedback submitted through the Platform
KYC-related document uploads and correspondence

Sensitive Data

We never store full debit/credit card numbers on our servers. All card data is handled in accordance with PCI DSS Level 1 standards. Aadhaar numbers are processed only in compliance with UIDAI guidelines and are masked after verification.

3

How We Use Your Data

We use the information we collect for the following purposes, relying on legitimate legal bases under applicable data protection laws:

Purpose	Legal Basis	Data Used
Account creation and onboarding	Contractual necessity	Identity, KYC documents
Processing payments and payouts	Contractual necessity	Financial, transaction data
Regulatory KYC / AML compliance	Legal obligation (RBI, PMLA)	PAN, Aadhaar, GST, bank details
Fraud detection and risk management	Legitimate interests	Transaction patterns, IP, device
Customer support and dispute resolution	Contractual necessity	Communication, transaction data
Product improvement and analytics	Legitimate interests	Usage, technical data (anonymised)
Marketing and product updates	Consent	Email, name (opt-out available)
Legal and regulatory reporting	Legal obligation	Transaction, identity data

We will not use your personal data for any purpose incompatible with those listed above without your explicit consent.

4

Data Sharing & Disclosure

We do not sell, rent, or trade your personal information to third parties for commercial gain. However, we may share your data in the following limited circumstances:

4.1 With Banking & Financial Partners

We share transaction and identity data with our banking partners, payment networks (NPCI, Visa, Mastercard), and acquiring banks solely to process and settle your payments as instructed by you.

4.2 With Regulated KYC/AML Service Providers

We engage UIDAI-authorised KYC bureaus, credit bureaus, and AML screening providers to complete mandatory due diligence. These partners are bound by strict confidentiality and regulatory obligations.

4.3 With Technology & Cloud Service Providers

We use trusted third-party service providers for cloud hosting, data analytics, communication, and security monitoring. These providers process data only on our behalf under Data Processing Agreements (DPAs) and are prohibited from using your data for their own purposes.

4.4 With Regulatory Authorities

We may disclose your data to the Reserve Bank of India, Financial Intelligence Unit (FIU-IND), UIDAI, GST authorities, or law enforcement agencies when required by law, court order, or regulatory directive.

4.5 With Your Merchants / Customers

In payment gateway transactions, necessary transaction references are shared with the merchant you transact with. No sensitive financial credentials are ever shared.

4.6 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquirer, subject to equivalent privacy protections and advance notice to affected users.

5

Data Storage & Retention

All personal and financial data processed by Paylogic is stored exclusively within India, in compliance with the RBI's data localisation requirements and the DPDP Act, 2023.

We retain your data for the following periods:

KYC and identity documents — 5 years after account closure (as mandated by PMLA, 2002)
Transaction records — 8 years for regulatory audit purposes
Communication and support logs — 3 years from date of interaction
Marketing preferences — Until you opt out or request deletion
Technical logs (IP, device, API) — 1 year for security and fraud monitoring

Upon expiry of the retention period, data is securely deleted or anonymised in a manner that prevents re-identification.

6

Security Measures

Paylogic implements industry-leading technical, organisational, and operational security controls to protect your personal data against unauthorised access, disclosure, alteration, or destruction.

256-bit TLS/SSL encryption for all data in transit
AES-256 encryption for all sensitive data at rest
PCI DSS Level 1 certification — the highest global standard for cardholder data security
ISO 27001 certified Information Security Management System
Multi-factor authentication (MFA) for all platform access
Tokenisation of sensitive payment instruments
24/7 security monitoring and intrusion detection systems
Regular penetration testing by certified third-party security firms
Role-based access control (RBAC) with least-privilege principles

Breach Notification

In the unlikely event of a data breach that affects your personal data, we will notify you and the relevant regulatory authority within the timeframe prescribed by applicable law — within 72 hours for GDPR-relevant data or as required by DPDP Act rules.

7

Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, secure sessions, and understand how the Platform is used. Below is a summary of the cookies we deploy:

Cookie Type	Purpose	Duration
Essential / Session	Login sessions, CSRF protection, secure authentication tokens	Session / 24 hours
Functional	Remembering your preferences, dashboard layout, language settings	Up to 1 year
Analytics	Aggregated usage statistics (anonymised) via privacy-compliant tools	Up to 2 years
Security	Fraud detection signals, device fingerprinting (partial), IP reputation	Up to 90 days

You can control cookies through your browser settings. Note that disabling essential cookies may impact your ability to use the Platform. Analytics cookies can be opted out of at any time via our Cookie Preferences centre.

We do not use cookies for behavioural advertising or sell cookie data to advertising networks.

8

Your Privacy Rights

Under applicable data protection law, including the DPDP Act, 2023 and GDPR (where applicable), you have the following rights regarding your personal data:

Right to Access — Request a copy of the personal data we hold about you.
Right to Correction — Request correction of inaccurate or incomplete data.
Right to Erasure — Request deletion of your data where there is no overriding legal basis for continued processing.
Right to Data Portability — Receive your data in a structured, machine-readable format.
Right to Restrict Processing — Request that we limit how we use your data in certain circumstances.
Right to Object — Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent — Withdraw previously given consent at any time without affecting past processing.
Right to Lodge a Complaint — File a complaint with the Data Protection Board of India or relevant supervisory authority.

How to Exercise Your Rights

To exercise any of the above rights, email us at letstalk@paylogic.in with the subject line "Privacy Request – [Your Right]". We will respond within 30 days. Identity verification will be required before processing any data access or deletion request.

Please note that some rights may be limited where we are required by law to retain data (e.g., KYC and transaction records under PMLA/RBI regulations).

9

Third-Party Links & Services

The Paylogic Platform may contain links to third-party websites, payment networks, or partner portals. These third-party services have their own privacy policies, and we encourage you to review them.

Paylogic is not responsible for the privacy practices or content of third-party websites. Clicking on external links takes you outside our Platform, and this Policy ceases to apply to data collected by those third parties.

For our API integrations, merchants and developers who integrate Paylogic's payment APIs are independently responsible for their own privacy obligations to their end customers.

10

Children's Privacy

Paylogic's services are intended solely for individuals who are at least 18 years of age. Our Platform is a financial services platform and is not directed at, and does not knowingly collect personal information from, children under the age of 18.

If we become aware that a child under 18 has provided us with personal data, we will take immediate steps to delete such information. If you believe a minor has provided us with personal data, please contact us immediately at letstalk@paylogic.in.

11

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, business practices, or applicable laws. When we make material changes, we will:

Update the "Last Updated" date at the top of this Policy
Send you an email notification (if you have a registered account with us)
Display a prominent notice on our Platform dashboard for 30 days after the change

Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the revised terms. If you do not agree with any changes, you must discontinue use of our services and may request account closure.

12

Contact Our Privacy Team

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our designated Privacy & Compliance Team:

Data Protection Officer — Paylogic

Techpaylogic Technologies Pvt Ltd

20th Floor, Oberoi Commerz II, International Business Park, Oberoi Garden City, Goregaon East, Mumbai – 400063, Maharashtra

letstalk@paylogic.in

+91 848 485 3305

We aim to respond to all privacy requests within 30 calendar days.

For escalated grievances, you may also contact the Data Protection Board of India once operational, or the Ministry of Electronics and Information Technology (MeitY).