Finipe logoFinipe
PlatformSuitesArchitectureRoadmap
ContactSign in
Legal · Privacy

Privacy Policy

Effective: 4 May 2026  ·  Last updated: 4 May 2026

This Privacy Policy (“Policy”) describes how Finipe Ventures Private Limited (“FINIPE Ventures”, “we”, “us”, “our”) collects, uses, discloses, retains and protects personal data in connection with the FINIPE Business Operating System, the developer sandbox, the marketing site at finipe.com, the partner portal, the mobile applications and any related products, APIs, datasets, integrations and documentation (collectively, the “Services”). It applies to every persona class — Distribution Network agents and distributors, SaaS / White-Label tenants, API Developers and Lead Partners — and to anyone visiting our marketing site or engaging with us in a pre-sales capacity.

This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021, and applicable directions of the Reserve Bank of India for regulated entities that deploy FINIPE as white-label infrastructure. Where you access the Services from a foreign jurisdiction in which FINIPE Ventures has launched (planned: UAE, Singapore, US, EU), additional local privacy notices may apply and prevail over conflicting provisions of this Policy in respect of that jurisdiction.

By accessing the Services, ticking the “I agree to the privacy policy & terms” checkbox at registration, or otherwise providing personal data to us, you acknowledge that you have read and understood this Policy. Please read it together with our Terms & Conditions.

1. Roles & identity of the Data Fiduciary

Finipe Ventures Private Limited, with its registered office at Jaipur, Rajasthan, India, is the Data Fiduciary in respect of personal data we determine the purpose and means of processing for (e.g., marketing-site visitors, prospects, registered users, partners). Where we process personal data solely on behalf of and on the documented instructions of a tenant organisation (e.g., end-customer KYC submitted via a Distribution Network operator’s workflow), we act as a Data Processor for that tenant, and the tenant is the Data Fiduciary.

All privacy questions, grievances, consent withdrawals and Data Principal requests should be addressed to our Grievance Officer / Data Protection Officer at Admin@finipe.com with subject line beginning “Privacy —”.

2. Personal data we collect

2.1 Information you provide

  • Identity & contact: name, email, mobile, designation, organisation, address.
  • Account credentials: hashed password, multi-factor seed (TOTP), session metadata.
  • Persona-specific identifiers: persona class (Distribution / SaaS / API / Lead Partner), tenant ID, role, downline tree position, employee code, business owner code.
  • Business KYC: CIN, GSTIN, PAN of entity, certificate of incorporation, MOA/AOA, board resolution, signatory ID, beneficial-owner declarations, bank-account proof.
  • Individual KYC (downline / lead / end-customer): name, date of birth, address, Aadhaar number (with masking), PAN, photo, biometric / OTP-based authentication artefacts captured by the relevant Third-Party Provider, video-KYC liveness frames where applicable.
  • Financial data: bank account number, IFSC, UPI handle, wallet balance, transaction history, commission ledger, settlement statements.
  • Loan-DSA lead inputs: borrower’s name, contact, loan type, requested amount, employer, income proxy, credit-bureau consent.
  • Support content: tickets, documents uploaded, screen captures, chat logs, voice recordings (if explicitly enabled).

2.2 Information collected automatically

  • Device & network: IP address, device fingerprint, OS, browser, locale, time zone, referrer URL.
  • Usage analytics: page views, feature interactions, session duration, click paths via first-party analytics cookies; geo-coordinates only with explicit consent (e.g., AEPS attendance).
  • Security telemetry: authentication events, IP reputation, rate-limit hits, audit-log entries, hash-chained signatures, anomaly-detection scores.

2.3 Information from third parties

  • Verification providers: UIDAI Aadhaar (via licensed AUA / KUA), NSDL PAN, GSTN GSTIN, CKYCR, Digilocker, Karza, IDfy.
  • Account-Aggregator: Setu / Finvu — only on Data Principal’s explicit, FIU-routed consent.
  • Payment & settlement partners: FingPay (AEPS), Bill Avenue (BBPS), Razorpay (Payouts & UPI VAN Collections) — transaction confirmations, dispute and chargeback events.
  • Loan-DSA aggregators: Urban Money, Ruloans, Andromeda Sales & Marketing — disbursement status and revenue-share data.
  • Bureau / underwriting: only on the borrower’s explicit consent and only in connection with the Loan DSA Lead Management module.
  • B2B contact enrichment: publicly available business contact data, used strictly for lawful B2B outreach with opt-out on first contact.

2.4 Sensitive personal data

We treat the following as sensitive and apply enhanced safeguards: Aadhaar number (always tokenised and masked at rest), biometric authentication artefacts, financial information, account passwords, sexual orientation (never collected), medical history (never collected), bureau scores (only with explicit consent for the Loan DSA module).

3. Why we process your personal data

  • Provision, operate, secure, monitor and improve the Services.
  • Authenticate users, enforce access controls, prevent fraud, detect intrusion and protect platform integrity.
  • Process commission accruals, distributions, recoveries, settlements and payouts via the ledger and commission engines.
  • Route Loan DSA leads to aggregator partners and reconcile revenue-share.
  • Issue invoices, collect fees, render tax-compliant documentation.
  • Communicate service notices, regulatory advisories, security advisories and product updates.
  • Comply with the DPDP Act, the Information Technology Act, 2000, the Prevention of Money Laundering Act, 2002, the Companies Act, 2013, the Income-Tax Act, 1961, the CGST Act, 2017, RBI master directions, NPCI scheme rules and applicable foreign law where we operate.
  • Conduct research, analytics and aggregated benchmarking — using de-identified or aggregated data wherever feasible.
  • Pursue or defend legal claims and respond to lawful requests by regulators or courts.

4. Lawful basis under the DPDP Act

We process personal data on one or more of the following lawful bases:

  • Consent — for marketing communications, optional analytics cookies, Account-Aggregator data pulls, bureau pulls and any other purpose where consent is required.
  • Performance of contract — to provide the Services to the Tenant and the Authorised User.
  • Compliance with legal obligation — KYC, AML, tax, RBI reporting, audit log retention, regulator response, sanctions screening.
  • Legitimate uses as defined in section 7 of the DPDP Act, where applicable, including (a) provision of subsidies / benefits with prior consent, (b) employment-related processing, (c) breach response, (d) fraud prevention.

Where consent is the basis, an itemised, plain-language consent notice is presented at the point of collection in compliance with section 5 of the DPDP Act. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.

5. How we share personal data

We do not sell personal data, and we do not share personal data for cross-context behavioural advertising. We disclose personal data only as set out below:

  • To the tenant organisation on whose behalf the data was collected (Distribution upline, SaaS administrator, API integrator, Lead Partner manager).
  • To Third-Party Providers (sub-processors) under data-processing agreements: cloud hosting, KYC providers, payment rails, communication gateways, observability tools, support tools — current matrix in the Annexure.
  • To regulators, courts, law enforcement in response to lawful requests, or to comply with mandatory reporting (Suspicious Transaction Reports, audit responses, breach notifications).
  • To professional advisers (auditors, lawyers, accountants) under confidentiality obligations.
  • To a successor entity in the event of a merger, acquisition, restructuring or asset sale, subject to the successor honouring this Policy.
  • With your explicit consent for any other purpose disclosed at the time of consent.

6. International data transfers

FINIPE is built as a worldwide platform with phased rollout starting in India. Personal data is primarily stored in the AWS Mumbai (ap-south-1) region. Where the Services are extended to UAE, Singapore, US or EU jurisdictions, data may be replicated to a region permissible under the DPDP Act and the destination jurisdiction’s law. Cross-border transfer is performed only where (a) the destination is not blacklisted by the Central Government under section 16 of the DPDP Act, (b) the recipient is bound by appropriate contractual safeguards, and (c) the data principal has been notified of the transfer.

7. Retention

We retain personal data only as long as necessary to fulfil the purposes described in this Policy or as required by applicable law. Indicative retention periods (subject to the Retention Policy Matrix published inside the platform):

  • Transaction ledger & audit log: ten (10) years from the date of transaction (RBI / PMLA / IT Act).
  • KYC documents: minimum five (5) years from cessation of business relationship; longer if required by law-enforcement.
  • Tax invoices & financial records: eight (8) years (Companies Act, GST, Income-Tax Act).
  • Support tickets and chat logs: three (3) years.
  • Marketing-site visitor analytics: twenty-six (26) months for cookie-based analytics; aggregated forever.
  • Account credentials & session metadata: until ninety (90) days after account closure.
  • Backups & disaster-recovery snapshots: thirty-five (35) days rolling.

Records subject to statutory retention are preserved on tamper-evident storage (S3 Object Lock or equivalent) even after a Data Principal’s erasure request, with access restricted to authorised compliance personnel.

8. Your rights as a Data Principal

Subject to the DPDP Act and applicable law, you may:

  • Obtain a summary of personal data we hold about you and the identities of recipients;
  • Request correction, completion, updating or erasure of personal data;
  • Withdraw consent previously given (without affecting prior lawful processing);
  • Nominate another individual to exercise these rights in the event of your death or incapacity;
  • Receive readily available means of grievance redressal;
  • Lodge a complaint with the Data Protection Board of India after exhausting our internal grievance process.

To exercise any of these rights, write to Admin@finipe.com with subject line beginning “Data Principal Request — ”. We will verify your identity and respond within timelines mandated under the DPDP Act (presently up to thirty (30) days for substantive responses, extendable on intimation for complex matters). Repeated, manifestly unfounded or excessive requests may be refused or charged at cost in accordance with the DPDP Act.

9. Cookies & similar technologies

We use cookies and similar storage technologies for: (a) strictly-necessary functions (authentication, session continuity, security, CSRF protection, preference persistence); (b) optional first-party analytics enabled only with consent; and (c) consent-banner state. We do not use third-party cross-context advertising cookies. You can control cookies via browser settings or via the consent banner displayed on first visit. Disabling strictly-necessary cookies will impair the Services.

10. Security measures

We implement reasonable technical and organisational security measures aligned with ISO 27001 control families and the IT Rules 2011. These include:

  • TLS 1.2+ encryption in transit; AES-256 encryption at rest for sensitive fields and at-rest blob stores.
  • Tokenisation and masking of Aadhaar and similar high-sensitivity identifiers.
  • Role-based access control with scope-ceiling and downline-tree enforcement; multi-factor authentication for privileged roles.
  • Tamper-evident hash-chained audit log persisted to S3 Object Lock; hourly anchor verification.
  • IDOR-impossible-by-construction API layer; rate limiting; replay-protected idempotency.
  • Segregated environments (sandbox / staging / production); least-privilege CI/CD with signed deploys.
  • Vendor due diligence with executed Data Processing Agreements; periodic re-attestation.
  • Independent penetration testing prior to MVP general-availability and at least annually thereafter.
  • Continuous integrity verification at application boot.

No system is completely secure. If you believe an account has been compromised, write immediately to Admin@finipe.com with subject line beginning “Security —”.

11. Personal data breach

In the event of a personal data breach as defined under the DPDP Act and the IT Rules, we will (a) notify the Data Protection Board of India and affected Data Principals without undue delay in the form and content prescribed under applicable rules, (b) notify CERT-In within the timelines required under the CERT-In Directions of 28 April 2022, and (c) cooperate with affected Tenants and regulated counterparties to mitigate harm.

12. Children

FINIPE is a B2B platform and is not directed at, nor intended for use by, children below the age of eighteen (18). We do not knowingly collect personal data of children. If we learn that we have collected such data, we will delete it without undue delay. The DPDP Act’s additional protections applicable to children and persons with disabilities are observed where relevant (e.g., a Lead Partner’s borrower file involving a minor co-applicant).

13. Persona-specific notices

13.1 Distribution Network

End-customer KYC, transaction logs and dispute records collected by Distribution Network operators are processed by FINIPE Ventures as a Data Processor on the Tenant’s instructions and shared with the relevant rail (FingPay / Bill Avenue / Razorpay) for transaction execution. Wallet tier limits apply and structuring is monitored.

13.2 SaaS / White-label

Tenant data is isolated by tenant ID and, for White-Label Tenants, by custom subdomain. Cross-tenant access is not possible by construction. Aggregated, de-identified usage metrics may be used to improve the Services.

13.3 API Developer

API key metadata, request logs, idempotency keys and webhook delivery telemetry are retained for security and billing reconciliation. Sandbox transactions use synthetic data and are not retained beyond ninety (90) days unless escalated as a support ticket.

13.4 Lead Partner (Loan DSA)

Borrower data submitted to the Loan DSA Lead Management module is shared with one or more aggregator partners (Urban Money, Ruloans, Andromeda) for sourcing offers. Bureau pulls are performed only on the borrower’s explicit consent. Lead Partners must furnish the borrower with a copy of this Policy at the point of collection.

14. Sub-processors

We engage the categories of sub-processors below, under data-processing agreements that contain confidentiality, security and DPDP Act obligations. The current list of named sub-processors is published inside the platform under System > Provider Credentials and updated as the vendor footprint evolves.

  • Cloud hosting and storage (AWS Mumbai region primary).
  • Payment, AEPS, BBPS rails (FingPay, Bill Avenue / Euronet, Razorpay).
  • KYC and document verification (Karza, IDfy, Setu / Finvu).
  • Loan DSA aggregators (Urban Money, Ruloans, Andromeda).
  • Communications (MSG91, Twilio, SendGrid, Meta WhatsApp Business).
  • Observability and security tooling (e.g., Sentry, Datadog).
  • Internal collaboration (Slack, Google Workspace) for support and engineering.

15. Direct marketing & preferences

We send service notices, regulatory advisories and security advisories regardless of marketing preference because they are essential to the Services. Marketing emails are sent only to recipients who have opted in or who fall within a permissible legitimate-use scenario; every marketing email carries an unsubscribe link and your decision is honoured immediately.

16. Automated decision-making

Certain Services use rule-based or model-driven scoring (e.g., lead-scoring v2, anomaly detection, KYC tier-up recommendations). These are decision-support tools — final decisions are taken by humans within the Tenant organisation or the relevant rail. We do not use solely-automated decisions producing significant legal effects on a Data Principal without affording them an opportunity to be heard.

17. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified at least fifteen (15) days in advance via email to your registered address and via in-app banner. The “Last updated” date at the top of this page reflects the most recent revision. The latest version is always available at finipe.com/privacy-policy.

18. Contact & grievance redressal

For any privacy question, grievance, withdrawal of consent, Data Principal request or report of a suspected breach, write to our Grievance Officer / Data Protection Officer at Admin@finipe.com. Postal correspondence may be addressed to Finipe Ventures Private Limited, Jaipur, Rajasthan, India. Acknowledgement is sent within forty-eight (48) hours and resolution targeted within the timelines mandated by the DPDP Act. Unresolved grievances may be escalated to the Data Protection Board of India.

19. Marketplace and Supplier Data

When you list your business on FINIPE as a supplier, we collect and process:

  • Business identity information: name, address, contact, GSTIN, CIN, and applicable professional licences such as RERA registration, IRDAI agency code, DCGI licence, FSSAI registration, and Bar Council enrolment.
  • Listing performance data: view counts, lead receipt counts, conversion metrics, and response rate.
  • Transaction and fulfillment records: escrow transactions, dispute history, and settlement receipts.
  • Trust Score components: derived from audit events, KYC tier, SLA adherence, and verified review aggregates.

Supplier data is processed under the purpose "marketplace demand routing" and retained for the duration of an active listing plus three (3) years after deactivation. You may request deactivation and erasure as described in the Your Rights section above (section 8).

20. AI Memory and Cross-Vertical Profiling

FINIPE's AI assistant maintains a memory of your interactions across our service categories (for example, if you enquire about property, we may infer that a home loan recommendation is relevant). This cross-vertical profiling is stored in your account under ai_preferences.memory_enabled. You may disable this at any time from Settings & Privacy inside the FINIPE AI interface.

Life-stage tags derived from your activity (for example, considering_property_purchase or has_loan_inquiry) are stored in your account profile and are used solely to personalise AI recommendations. They are never sold to third parties. You may request their deletion via the erasure request process described in section 8 of this Policy.