Last update: Jun 12, 2026

Privacy Policy

Introduction

Padmalaya Finserve Private Limited ("Company", "we", "us", or "our"), a Non-Banking Financial Company registered with the Reserve Bank of India (CIN: U65990GJ2019PTC106031), takes your privacy seriously and is committed to protecting your personal data. This Privacy Policy sets out the manner in which the Company collects, uses, stores, shares, discloses, transfers, and disposes of your personal information when you use our website (www.padmalayafinserve.com) or any of our digital platforms, including mobile applications used for digital lending and other financial services (collectively, "Digital Platforms"). 1. Account Registration

This Privacy Policy is published in accordance with:

  • The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")

  • The Digital Personal Data Protection Act, 2023 ("DPDPA") and the rules framed thereunder; 

  • The Reserve Bank of India's Guidelines on Digital Lending (2022) ("RBI DLG"); and 

  • The Reserve Bank of India's Fair Practices Code for Non-Banking Financial Companies. 

You are advised to read this Privacy Policy carefully before using our Digital Platforms. By accessing or using our Digital Platforms, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. 

Our Digital Platforms may contain links to third-party websites. This Privacy Policy does not apply to such third-party websites, and we encourage you to review the privacy policies of any third-party websites you visit. 


2. COLLECTION AND USE OF PERSONAL DATA 

2.1 Personal Data Collected 

The Company collects personal data on a need-to-know basis, limited to what is necessary for the purpose for which it is collected. The categories of personal data we may collect include: 

  • Identity data: full name, date of birth, gender, photographs; 

  • Contact data: residential address, email address, mobile number; 

  • Financial data: income details, bank account information, credit history, repayment behaviour, employment details; 

  • KYC data: PAN, Aadhaar number (masked), Voter ID, Passport, Driving Licence, or any other government-issued identification; 

  • Device and usage data: IP address, browser type, operating system, device identifiers, pages visited, time spent, click-stream data; 

  • Location data: approximate location inferred from IP address; and 

  • Communication data: records of correspondence between you and the Company. 

2.2 Mobile Application Permissions 

Our mobile applications may request one-time access to the following device resources solely for the purpose of on-boarding and KYC verification: 

  • Camera: for document capture and live photograph for KYC; 

  • Microphone: where required for video-based KYC; and 

  • Location: for identity verification and fraud prevention purposes. 

Such access will only be sought after obtaining your explicit consent. The Company expressly confirms that its applications and those of its third-party vendors shall not access or store the following resources on your mobile device:

  • Contact list; 

  • Call logs; 

  • File and media storage; and 

  • Telephony functions. 

Biometric information shall not be collected or stored in the Company's systems or those of its third-party vendors unless expressly permitted under applicable law and with your explicit consent. 

2.3 Consent 

The Company will obtain your free, informed, specific, and unambiguous consent prior to collecting and processing your personal data, except where processing is required under a legal obligation or for the performance of a contract to which you are a party. A Consent Artefact recording the details of your consent, including the purpose and date of consent, shall be maintained by the Company. 

You have the right to withdraw your consent at any time by contacting the Data Protection Officer at the details provided in this Policy. Please note that: 

  • Withdrawal of consent shall not affect the lawfulness of processing already carried out prior to such withdrawal; 

  • Certain processing activities, including credit bureau reporting, regulatory filings, and statutory record-keeping, are carried out on the basis of a legal obligation independent of consent and shall continue notwithstanding withdrawal of consent; and 

  • Withdrawal of consent may result in the Company being unable to provide you with certain products or services. 

2.4 Purposes of Processing

The Company processes your personal data for the following purposes: 

  • To evaluate, process, and administer your loan application and any loan facility extended to you; 

  • To carry out identity verification and KYC checks in compliance with applicable regulatory requirements; 

  • To assess your creditworthiness, including by obtaining and reviewing your credit bureau report; 

  • To disburse loan amounts and facilitate repayment; 

  • To communicate with you regarding your account, loan facility, and any related matters; 

  • To comply with legal and regulatory obligations applicable to the Company; 

  • For fraud detection, prevention, and security purposes; 

  • To conduct internal record-keeping, audit, and risk management; 

  • To carry out market research and improve our products, services, and Digital Platforms; and 

  • To send you marketing communications about products and services that may be of interest to you, subject to your consent where required. 

The Company shall not use your personal data for any purpose other than those stated above without obtaining your prior consent, except where required by law. 

2.5 Sensitive Personal Data 

The Company collects sensitive personal data, including PAN, Aadhaar, and bank account details, exclusively through secure, encrypted channels within its Digital Platforms. Such data is stored with restricted access and is never solicited by the Company or any of its representatives through phone calls, SMS, or email. If you receive any communication purporting to be from the Company requesting sensitive personal data through such channels, you should disregard it and report it to the Data Protection Officer immediately. 


3. SHARING OF PERSONAL DATA 

The Company may share your personal data with the following categories of recipients, subject to your consent where required, and in all cases only to the extent necessary for the stated purpose: 

  • Lending Service Providers (LSPs) and Digital Lending Applications (DLAs): Third-party entities engaged by the Company to facilitate loan origination, underwriting, collection, and recovery. A list of authorised LSPs and DLAs is available here https://padmalayafin.framer.website/#our-partners. These entities are contractually bound to process your personal data only for the purposes for which it was shared and in compliance with applicable law. 

  • Credit Information Companies: Your credit information may be shared with and obtained from licensed credit bureaus (such as CIBIL, Experian, CRIF Highmark, or Equifax) for credit assessment purposes. 

  • Co-lending partners and banks: Where your loan is originated under a co-lending arrangement, relevant personal data may be shared with the co-lending partner. 

  • Technology and service providers: Third-party vendors providing technology infrastructure, payment processing, KYC verification, fraud detection, and other services necessary for the operation of our Digital Platforms. 

  • Regulatory and law enforcement authorities: Where required by law, court order, or upon a valid request by a regulatory or law enforcement authority following due legal process. 

  • Auditors and legal advisors: Internal and external auditors and legal advisors, subject to appropriate confidentiality obligations. 

The Company shall not sell, rent, or trade your personal data to any third party for commercial purposes.

All third-party vendors and LSPs with whom personal data is shared are required to enter into a data processing agreement with the Company, which shall include obligations relating to data security, purpose limitation, and compliance with applicable law. The Company, as the Data Fiduciary, remains responsible for ensuring that such third parties process your personal data in accordance with the terms of this Privacy Policy and applicable law. 


4. RETENTION OF PERSONAL DATA 

The Company shall retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following indicative retention periods apply: 

  1. KYC and identity data: Duration of the customer relationship plus five (5) years from the date of closure of the account, in accordance with the Prevention of Money Laundering Act, 2002. 

  2. Loan records and financial data: Eight (8) years from the date of closure of the loan account, in accordance with applicable RBI guidelines. 

  3. Marketing and communication data: Until you withdraw your consent or opt out of marketing communications, whichever is earlier. 

  4. Website and usage data: Twenty-four (24) months from the date of collection, unless required for ongoing fraud investigation or legal proceedings. 

  5. Consent records: Duration of the customer relationship plus five (5) years, to enable audit and regulatory compliance.

Upon expiry of the applicable retention period, personal data shall be securely disposed of using industry-standard destruction mechanisms. All data is stored on servers located within the territory of India, in compliance with applicable data localisation requirements. 


5. COOKIES AND TRACKING TECHNOLOGIES 

The Company uses cookies and similar tracking technologies on its website to enhance your browsing experience and to analyse usage patterns. Cookies are small text files stored on your device by your browser. 

The Company uses the following categories of cookies: 

  1. Strictly Necessary Cookies: Essential for the operation of our website and Digital Platforms. These cookies cannot be disabled. 

  2. Analytics Cookies: Used to understand how visitors interact with our Digital Platforms. These are enabled only with your consent and may be withdrawn at any time. 

  3. Marketing Cookies: Used to deliver relevant advertisements and track the effectiveness of marketing campaigns. These are enabled only with your explicit consent and may be withdrawn at any time. 

You may manage your cookie preferences through the cookie preference centre available on our website, or by adjusting the settings in your browser. Please note that disabling certain cookies may affect the functionality of our Digital Platforms. 

The following information is automatically collected when you visit our website: 

  • The domain name and IP address used to access the internet; 

  • The date, time, and duration of your visit; 

  • The pages visited and links clicked; 

  • The referring website from which you arrived; and 

  • Browser type, version, plug-ins, and operating system. 

This information is used for statistical and analytical purposes only and is not used to identify you personally unless combined with other personal data you have provided. 


6. SECURITY AND SAFEGUARDING OF PERSONAL DATA 

The Company implements appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, loss, or destruction. These measures include: 

  • Encryption of personal data in transit and at rest; 

  • Role-based access controls restricting access to personal data to authorised personnel only; 

  • Regular security assessments and vulnerability testing of our Digital Platforms; 

  • Staff training on data protection and information security; and 

  • Contractual security obligations imposed on all third-party vendors processing personal data on our behalf. 

Notwithstanding the foregoing, no method of transmission over the internet or electronic storage is completely secure. While the Company takes all reasonable precautions, it cannot guarantee the absolute security of your personal data. 

6.1 Personal Data Breach Notification 

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, the Company shall: 

  • Notify the Data Protection Board of India in accordance with the timelines and manner prescribed under the DPDPA and applicable rules; 

  • Notify affected Data Principals within seventy-two (72) hours of becoming aware of the breach, or within such period as may be prescribed, providing details of the nature of the breach, the data affected, the likely consequences, and the remedial measures taken or proposed; and 

  • Maintain a record of all personal data breaches, including those not required to be notified, for internal audit and regulatory review. 

The Company's incident management processes are designed to detect, investigate, and remediate personal data breaches promptly. 


7. YOUR RIGHTS AS A DATA PRINCIPAL 

In accordance with the DPDPA and applicable law, you have the following rights in relation to your personal data: 

  1. Right of Access: You have the right to obtain confirmation as to whether the Company is processing your personal data, and to receive a summary of the personal data held about you and the processing activities undertaken. 

  2. Right to Correction: You have the right to request correction of inaccurate or incomplete personal data held about you. 

  3. Right to Erasure: You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to any overriding legal obligation to retain such data. 

  4. Right to Grievance Redressal: You have the right to have your grievances relating to personal data processing redressed in accordance of this Policy. 

  5. Right to Nominate: You have the right to nominate another individual who shall, in the event of your death or incapacity, exercise your rights under the DPDPA. 

  6. Right to Withdraw Consent: You have the right to withdraw consent previously provided for processing of your personal data, subject to the consequences described in Section 3.3 above. 

To exercise any of the above rights, please contact the Data Protection Officer at the details shared below. The Company shall respond to your request within thirty (30) days of receipt. The Company may require verification of your identity before acting on any request.


8. DO NOT DISTURB (DND) 

If you do not wish to receive marketing communications from the Company, you may: 

  • Opt out by clicking the unsubscribe link in any marketing email sent to you; 

  • Register your preference on the Do Not Disturb registry at care@padmalayafinserve.com


9. GRIEVANCE REDRESSAL AND DATA PROTECTION OFFICER 

In accordance with the DPDPA, the IT Act, and the RBI's Fair Practices Code, the Company has appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Policy and to address your data-related grievances. 

Data Protection Officer 

Name: Kundan Kumar 

Address: 115, Sunday Hub Shopping Center, Near Ankur Vidhyalay, Surat, Gujarat, India - 395004 

Email: Kundan@padmalyafinserve.com 

Phone: 8287212984 

Hours: Monday to Friday, 10:00 AM to 6:00 PM (IST), excluding public holidays 

The Company shall acknowledge receipt of your grievance within forty-eight (48) hours and endeavour to resolve it within thirty (30) days of receipt. In the event your grievance is not resolved to your satisfaction within thirty (30) days, you may escalate the matter to: 

  • The Data Protection Board of India, once constituted and operational under the DPDPA; 

  • The Reserve Bank of India's Integrated Ombudsman Scheme at https://cms.rbi.org.in, for complaints relating to loan products or services; or 

  • The Sachet portal at https://sachet.rbi.org.in, for complaints relating to unauthorised or unregulated financial activities. 


10. GOVERNING LAW

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any dispute arising in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts at Surat, Gujarat, India. 


11. CHANGES TO THIS PRIVACY POLICY 

The Company reserves the right to amend this Privacy Policy from time to time to reflect changes in applicable law, regulatory requirements, or our data processing practices. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.