Privacy Policy

01Information We Collect

We collect information that helps us deliver, secure and improve the Services. This includes:

Account & Identity Information

• Name, email address, phone number, designation and organization details
• Login credentials, authentication tokens and password hashes
• KYC documents where required by applicable financial regulations

Transactional & Financial Data

• EMI plan details, mandate references, repayment schedules and collection statuses
• Bank account references, UPI IDs and tokenized mandate identifiers (we do not store full card or account numbers in plaintext)
• Borrower data uploaded by you as a customer of EmiFence (processed strictly as a data processor on your behalf)

Technical & Usage Data

• IP addresses, device identifiers, browser type, operating system, time zone and language settings
• Pages visited, features used, API call logs and timestamps
• Cookies and similar technologies — see our Cookie practices below

Device Data (for EMI Locker)

• For locker-enabled devices, we collect device ID, OS version, network state and lock-status events as required to operate the EMI Locker functionality
• We do not access photos, contacts, messages, location or other personal content on locked devices

02How We Use Your Information

We use the data we collect to:

• Provide, operate and maintain the Services, including processing EMI mandates and collections
• Authenticate users, prevent fraud and secure the platform against unauthorized access
• Communicate with you about service updates, security notices, billing and support
• Generate aggregated, anonymized analytics to improve product performance
• Comply with legal, tax, audit and regulatory obligations under Indian law

03How We Share Information

We share data only in the following limited circumstances:

• Service providers: Cloud hosting (AWS / Azure regions in India), payment processors (NPCI-licensed entities), SMS and email gateways, all bound by data-protection agreements
• Regulators and law enforcement: Where required by valid legal process, court order, or applicable regulation (RBI, MeitY, Income Tax Department, etc.)
• Business transfers: In the event of a merger, acquisition or asset sale, with continued protections under this Policy
• Your customers / borrowers: Where you, as our customer, instruct us to communicate or share data on your behalf

04Data Security

We employ industry-standard safeguards to protect your information:

• AES-256 encryption at rest and TLS 1.3 in transit
• Tokenization of mandate and payment instruments
• Role-based access control, SSO, and IP allow-listing
• SOC 2 / ISO 27001-aligned operational controls
• Continuous monitoring, intrusion detection and immutable audit logs
• Regular third-party penetration testing and vulnerability assessments

While we apply these measures rigorously, no system is completely impervious. If we ever discover a breach affecting your data, we will notify affected parties and the relevant authorities within the timelines required by law.

05Data Retention

We retain personal data only as long as necessary for the purposes set out in this Policy or as required by law:

• Active account data is retained for the duration of your subscription
• Financial transaction records are retained for at least 8 years as required by Indian tax and accounting regulations
• Audit logs are retained for 7 years for compliance purposes
• Upon account closure, data is anonymized or securely destroyed within 90 days, except where retention is mandated by law

06Your Rights

Subject to applicable law, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete information
• Delete your data, subject to our legal retention obligations
• Restrict or object to certain types of processing
• Withdraw consent at any time, where processing is based on consent
• Lodge a complaint with the relevant data protection authority

To exercise any of these rights, contact us at support@emifence.com. We respond within 30 days.

07Cookies & Tracking

We use cookies and similar technologies to keep you signed in, remember your preferences, and understand how the Services are used. You can manage cookies through your browser settings; disabling certain cookies may impact functionality.

08Children's Privacy

The Services are not directed to individuals under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.

09International Data Transfers

EmiFence primarily stores data on servers located in India. Where data is transferred outside India for limited operational purposes (e.g., support tooling), we ensure equivalent safeguards through contractual measures.

10Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or through an in-app notice at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

11Grievance Officer

In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer to address your concerns: