Finshell Pay Privacy Notice

Last Updated: 2nd April, 2021

Thank you for choosing Finshell Pay (hereinafter referred to as “Finshell Pay” or “this APP”)! Finshell Pay is operated by M-Kash India Financial Solutions Private Limited (hereinafter referred to as “we” or “us” or “our”) and is a product that provides you with mutual funds, insurance and access to other third-party services. We will collect and use your personal information and sensitive personal data and information, as defined under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 including its amendments from time to time, (hereinafter referred to as ‘personal data’) when you use our website, this APP and/ or products and services made available on the App, either by us or through any of our partners.

In this Privacy Notice, we will explain to you about the purposes, method and scope of the collection and use of your personal data by this APP, your rights to your personal data, and the security measures we take to protect it.

Before using this APP, please read this Privacy Notice carefully to learn our practices for the protection of users’ personal data. If you do not agree with the terms of this Privacy Notice, you can turn off Finshell Pay by clicking “Exit APP” and we will not be able to provide you with the services related to this APP. If you click “Agree to the above”, it means that you fully and clearly understand the following terms regarding, amongst other things mentioned herein, data collection and usage, your rights to your personal data, etc.

This Privacy Notice will help you understand the following:

  1. How and What Types of Personal Data We Process

  2. How We Retain Your Personal Data

  3. How We Share Your Personal Data

  4. How We Protect Your Personal Data

  5. Your Rights to Your Personal Data

  6. How We Process Children's Personal Data

  7. Third-Party Service Providers and Their Services

  8. How This Privacy Notice Is Updated

  9. Contact Us

I. How and What Types of Personal Data We Process

We collect personal data for providing you with the service(s) made available on this APP, more efficient operation(s) and to try and improve and evolve user experience. Our channels to collect personal data include: (1) data directly provided by you to us; (2) we obtain relevant data during your use of this APP; and/or (3) we obtain personal data about you from third parties. The data we collect depends on the products and services you want to apply, avail or use, the environment in which you interact with us, the choices you make, including permissions and the products and features you use. However, we will not collect, store, use, process, transfer and/ or disclose your transaction information/ data and/ or your Personal Data in the manner in which we are prohibited by the NPCI, RBI and other regulations and laws which are applicable to us.

1. What Types of Personal Data We Process

  1. To use Finshell Pay, you need to first sign up for a HeyTap Account, which is provided by BRAVO UNICORN PTE. LTD. ("Bravo"), and then sign in to Finshell Pay with your HeyTap Account. During the sign-up process, please carefully read the HeyTap Account User Agreement and Account Privacy Statement before creating HeyTap account and signing in to Finshell Pay with your HeyTap Account. To associate your HeyTap Account with your actions performed in Finshell Pay, when you sign in to this APP using your HeyTap Account, we will collect your HeyTap Account information from Bravo, including the account ID, nickname and avatar. We collect this information for the purpose of providing you with the sign-in service, protecting the security of your account. If you do not provide this information to HeyTap and permit HeyTap to provide such information to us then you will not be able to sign in to Finshell Pay.

  2. You can use the insurance services, which are provided by HDFC Life Insurance Company Limited (“HDFC”). To enable you to purchase insurance, we need to collect following information: last name, first name, email, address, gender, birth day, phone number of policyholders, and last name, first name, email, address, gender, birth day, phone number of beneficiaries. Meanwhile, we will also collect insurance policy details such as policy reference number and details from HDFC for user’s query.

  3. You can use the loan services, which are provided by Whaletech Solutions Private Limited in association with Kalpavitta Finance Private Limited and Cashbee Technology India Private Limited (herein individually referred to as “Whaletech”/“Loanflix” and “Cashbee” respectively and collectively referred to ‘Lenders’). In order for you to avail and/ or apply for lending services from the Lenders and easily check or obtain your credit lines, we need to collect and centrally manage parts or all of the personal information that you provide to us, including your full name, Aadhaar number, PAN number, date of birth, gender, email, primary language, relationship status, number of children, educational attainment, father’s name, pin code of home address, home address, length of residence, residence type, backup phone number, PAN card with QR code, Aadhaar card front and back photos, company name, work email, employment status, job title, profession, work experience, salary, payday, pin code of workplace, work address, work phone number, full name and phone number of the contact person, relationship with the contact person, IFSC, bank details including account number, use of the loan, and selfie pictures. In addition, we may collect your application list and the information you add to your contact information for risk control purposes and your GPS information for anti-fraud purposes. The information and document provided by you shall be used for the purposes of verification, assessment and credit worthiness and will be shared with our partners and the Lenders who will review your application/ qualifications for loans, check and review your credit health, scores and other information from credit information companies, solvency and for risk management and anti-fraud purposes. Based on this information, the Lenders will either approve or reject your loan applications, perform pre and post-disbursement loan management, and, either independently or in collaboration with third parties, build a risk control model. If you do not provide this information, we will not be able to evaluate your qualifications, credit score and health, and solvency, nor can we decide whether to provide you with the services you need. Before providing the information about relevant contacts, you shall inform them and obtain their consent, as required by laws and regulations.

  4. To use the services of UPI payments you agree to permit us to read your SIM, read your SMSs and send SMSs from your phone using your SIM which you want to use for UPI payments. You may be required to provide us with your personal data including your SIM card mobile number and serial number, the details of your bank account and debit card which you want to link with the UPI payments. You permit us and our UPI and other partners including NPCI (National Payment Corporation of India), HDFC Bank Limited and Mindgate Solutions pvt. Limited which assist and co-ordinate with each other to enable you to avail UPI services to collect, store, share, process and use your Personal Data including your device data, location, UPI ID, beneficiary UPI ID and all other registration, authentication and transaction related information as may be required under the law, rules and regulations for providing UPI services.

  5. When you use Help and Feedback, we need to collect your personal data and/ or you may be required to provide us with your query, feedback, contact details, log record and any other information, data or details.

  6. When providing customer support for you, we may ask you to provide and collect your personal data, such as IMEI and other device data, your name, mobile phone number, email address, address, etc., and we may record the call between you and our customer service.

  7. To provide you with notification and push functions, we may collect your device information including your device name, device model, IMEI number, mobile phone model, Mac address, serial number, Internet Protocol (IP) address, operating system version, etc. The Notification and Push services include App update and installation, sales and promotion data, etc. You can stop receiving data though “Settings” on your device.

  8. If you would like to participate in promotional or marketing activities organized by us or our business partners, fill out questionnaires, or participate in a user forum or blog hosted by us or our business partners, you may be required to provide us with your name, mobile number, email address, address in order for us to contact you and issue you a reward, where and if applicable.

  9. In order to fulfill the cyber security protection obligations, to ensure the normal operation of this APP and your account security, but also to improve and optimize your service experience, we may collect data about your device and how you and your device interact with this APP, such as device brand, device model, IMEI number or OpenID, OTA version, language, IP address, operating system version, APP version and other device data. We will also record the operational behaviors of your account after login (including changing the password, modifying the bound mobile phone number/email address, complaints record, etc.), time and duration of your use of this APP, search query terms entered through the service, and software event data (such as reboots, upgrades, errors, crashes, etc.).

2. How We Process Your Personal Data

1. We will process your personal data for the following information:

2. When we want to use the personal data for other purposes not described in the Privacy Notice, we will inform you about that and ensure that the use of your personal data complies with the local legal requirements.

II. How We Retain Your Personal Data

Your personal information that is collected or generated in India will be stored on our server located within India.

The retention period of the personal data we collect is the minimum amount of time required to achieve the purposes of collection stated in this Privacy Notice, unless otherwise required by laws or regulations.

If we stop operating some or all of our products or services for special reasons, we will promptly inform you and stop the collection and processing of personal data by the related products or services, and we will delete or anonymize the personal data we hold that is related to the said products or services, unless required for migration/ transfer purposes or otherwise required by laws and regulations.

III. How We Share Your Personal Data

We may, from time to time, share and transfer some personal data with our associated companies and the strategic partners that work with us to provide products and services, in order to provide the products or services you request.

  1. Affiliates: We may share your personal data with our affiliates in India. We will only share necessary personal data, and we will do so only for the purposes stated in this Privacy Notice. If we or our affiliates change the use and processing purpose of personal data, we will ask for your authorization again.

  2. Sharing with Authorized Partners: Some of our services will be provided by our authorized partners solely for the purposes stated in this Privacy Notice. We may share some of your personal data with our partners to provide services and to improve user experience. To be specific:

    1. Some products or services may be provided by third parties or jointly provided by us and third parties. With your consent, provided herein, we will have to provide your personal data and information to provide you with such services to the relevant service providers. However, you shall be bound by the terms and conditions and privacy policies of such third parties while availing services from such parties, specifically:

      1. Insurance partners: HDFC Life Insurance Company Limited

      2. Lending platform partners: Whaletech Solutions Private Limited in association with Kalpavitta Finance Private Limited

      3. UPI Payment Partners: National Payment Corporation of India, HDFC Bank Limited, Mindgate Solutions Pvt. Limited;

    2. In some cases, we will entrust a third party to process your personal data on our behalf. For example, companies that send text messages or emails and provide technical support on behalf of us. These companies can use your personal data solely to provide services to you on our behalf.

  3. Purchasers and third parties in connection with a business transaction: When we are in a process of a merger, acquisition or bankruptcy liquidation, and if such process requires a transfer of your personal data, we will require the new company or organization that hold your personal data to continue to be bound by this Privacy Notice, otherwise we will require this company or organization to ask your consent again. If it does not involve the transfer of personal data, we will fully inform you and delete or anonymize all personal data under our control.

  4. Law enforcement, regulators and other parties for legal reasons: We may also disclose your personal data with third parties as required by law or if we reasonably believe that such action is necessary (a) to comply with a subpoena or other legal proceedings, legal actions or government agencies’ requests, (b) when we believe in good faith that a disclosure is necessary to comply with the law and the reasonable requests of law enforcement, (c) to protect and exercise our legal claims, rights and property, (d) to protect your rights, property or personal safety or the one of others, (e) to investigate fraud and (f) to protect the security or integrity of our services.

  5. Otherwise with your consent: After obtaining your explicit consent we disclose the personal data you have authorized with other certain third parties.

IV. How We Protect Your Personal Data

1. We have taken reasonable and feasible technical security and organizational measures to protect the data collected in relation to the services. We have adopted security measures to protect the personal data you provide, and to prevent unauthorized access, public disclosure, use, modification, damage or loss of the data. We will take all reasonable and practical steps to protect your personal data, including:

  1. We will use SSL and other mainstream security technologies to encrypt many of our services. We will examine our practice of data collection, storage, and processing (including physical security measures) on a regular basis to prevent unauthorized access to or tampering with various systems.

  2. We will strictly control the access to personal data, and only allow our representatives who need to know the personal data to help us process such data, and personnel of companies authorized to handle the services on our behalf to access such personal data. These employees and personnel are required to fulfill strict contractual confidentiality obligations. Should they fail to fulfill these obligations, they may be held accountable for legal liabilities or their relationship with us may be terminated. Access logs of personal data will be kept and periodically audited.

  3. The security of your data is of great importance to us. Therefore, we will continue our efforts to protect your personal data and implement safeguard measures, such as providing full encryption for data storage and transmission, to prevent your data from unauthorized access, usage or disclosure. For certain specific contents of encrypted data, no one but the user has the right to access them.

  4. We will adopt encryption and other security measures to transmit and store your personal data of particular types; and we will use technical measures to process your personal biometric data before storing it, e.g., we will only store the abstracts of such personal biometric data.

  5. We will adopt reasonable standards to protect your personal data and actively pass relevant security and privacy protection certifications.

However, please note that while we have taken reasonable steps to protect your data, no website, Internet transmission, computer system, or wireless connection is absolutely secure. In the event of a personal data security incident, we will act in accordance with the requirements of relevant laws and regulations. Should we be required to do so, we will timely inform you of the relevant situation of the event by either email, letter, telephone, in app notification or push notification. When it is difficult to inform the personal data subjects individually, we will issue an announcement in a reasonable and effective manner.

V. Your Rights to Your Personal Data

We respect your rights to your personal data. Subject to the applicable law in your jurisdiction, you may have specific rights regarding your personal data. This may include the following rights:

1. Right to Be Informed

We will inform you of how we process your personal data by publishing this Privacy Notice. We are committed to being open and transparent about how we use your personal data. You can keep track of the collection and use of your personal data by periodically reviewing this Privacy Notice and contacting us in the manner disclosed in this Privacy Notice.

2. Right to Access

You can directly query or access your personal data on our product or service interface, such as you can log into your account through the product page at any time to access your account related personal data. In more details:

If you are unable to query or access your personal data on your own, or if you encounter any problems while exercising your right to access data, you may contact us and request access to your personal data in the manner disclosed in this Privacy Notice.

3. Right to Correct

When you find that the personal data we processed about you is inaccurate or incomplete, you have the right to have it rectified or completed by us. For parts of your personal data, you can directly correct and modify it on the relevant function page of the product or service. In more details:

For personal data that has not been made available for your own modification, you may contact us and request corrections or additions to your personal data in the manner disclosed in this Privacy Notice.

4. Right to Delete

You may choose to delete some of the personal data you have submitted to us provided that the processing of your personal data violates relevant laws, administrative regulations or this Privacy Policy. For some of your personal data, you can delete them directly on the relevant function pages of the products or services.

You may request that we delete your personal data by contacting us in the manner disclosed in this Privacy Notice if we have not yet provided you with a channel for the deletion of your personal data, or if we violate our agreement with you in the collection and use of your personal data, you may contact us and request the deletion in the manner disclosed in this Privacy Notice.

5. Right to Cancel Account

You have the right to cancel your Finshell Pay account and HeyTap account.

6. Right to Withdraw Consent

To function properly, each service requires some basic personal data. You may change the scope of your authorization to us to continue processing personal data, or withdraw your authorization by deleting data, disabling device permission settings, changing related product or function settings pages, canceling your account, etc. In more details:

If you withdraw your consent, we will no longer be able to provide you with the corresponding service for which you have withdrawn your consent. Once you have withdrawn your consent, we will no longer process the corresponding personal data. But your decision to withdraw your consent will not affect the processing of personal data based on your previous consent prior to the withdrawal.

7. Right to Complain

You have the right to contact us and file service complaints in the manner disclosed in this Privacy Notice.

Please note that, due to security reasons, we may verify your identity before processing your request. In principle, we do not charge any fees if your request is reasonable. However, based on the actual situation, we may impose a certain fee to cover our costs for repeated requests or requests that extend beyond reasonable limits. We may reject requests that are manifestly unfounded, unreasonably repetitive, require disproportionate technical effort (for example, developing a new system or fundamentally changing an existing practice), may be detrimental to the legal rights and interests of others, or are very impractical. In addition, we may not be able to respond to your request if your request is directly related to matters involving national security, national defense, public health, criminal investigation and other public interests, or if the request may severely impair the legitimate rights and interests of yours or those of other individuals and organizations.

VI. How We Process Children’s Personal Data

Our products are mainly adult-oriented. Pursuant to the relevant laws and regulations, if you are a child, before using the relevant products or services, you shall obtain consent from your parents or legal guardians. If you are the child’s guardian, you should read this Privacy Notice carefully before you assist the child with registration or usage of the products or services. We treat anyone under the 18 years old (or equivalent minimum age for full legal capacity in relevant jurisdiction) or under the age of 21 years for whom a legal guardian has been appointed as a child.

If you are a child, a parent or legal guardian of a child, or if you otherwise find out that we collect, store or use data that may include personal data of children, you may contact us promptly in the manner disclosed in this Privacy Notice and we will take steps to delete the relevant data as soon as possible. If the local law has additional regulations on the age of minors, the local law shall prevail.

VII. Third-party Service Providers and Their Services

Our websites, products, applications, and services may contain links to third-party websites, products, and services. You can choose whether to visit or accept websites, products, and services offered by third parties.

We have no control over third-party privacy and data protection policies as such third parties are not bound by this Privacy Notice. Before you submit personal data to third parties, please refer to their privacy policies.

Here are third party privacy policies that apply when you use their specific products or services:

Insurance partners:

Mutual fund service:

Lending platform partners:

Other service:

VIII. How This Privacy Notice Is Updated

This Privacy Notice is subject to updates or revisions from time to time. We will -as appropriate- send you notifications of material updates to this Privacy Notice in a form we deem appropriate and we will update the last updated date mentioned in the beginning of this Privacy Notice.

This Privacy Notice allows adjustments. However, without your express consent, we will not diminish your rights under this Privacy Notice.

This Privacy Notice shall come into force as of the date of update.

IX. Contact Us

If you have any questions or concerns about our Privacy Notice or related practice, please contact us at the following address:

Grievance Officer: Raj Gajbiye

M-Kash India Financial Solutions Private CIN: (U65990MH2019PTC328222)

Registered Address: Embassy 247, Unit no.901, 9th Floor, B-Wing, Hindustan Bus Stop, LBS Road, Vikhroli West, Mumbai, MH 400 083

Email id: [email protected]