Privacy Policy

How Cardifye collects, uses, stores, and protects your personal and financial information — in full compliance with the DPDP Act 2023, RBI Master Directions, and applicable Indian laws.

📅 Effective: 1 January 2025
🔄 Last Updated: 1 June 2025
✅ DPDP Act 2023 Compliant
🔒 RBI Compliant
Section 01

Overview & Who We Are

Cardifye ("Cardifye", "we", "our", or "us"), CIN: U65999DL2023PTC000000, is a registered fintech company operating a digital finance distribution platform. We are registered as a corporate agent and DSA aggregator with the Reserve Bank of India (RBI).

This Privacy Policy applies to all users of our website (cardifye.com), mobile application, partner portal, and any related services (collectively, "Services"). By accessing or using our Services, you consent to the practices described in this Policy.

Governing Law: This Policy is governed by the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures) Rules, 2011, RBI guidelines on data localisation, and other applicable Indian laws and regulations.

Section 02

Personal Data We Collect

We collect only data that is necessary and proportionate to deliver our Services. The categories include:

| Category | Data Points | Source |
|---|---|---|
| Identity | Full name, PAN, Aadhaar number (last 4 digits), date of birth, gender | You / DigiLocker |
| Contact | Mobile number, email address, residential and business address | You |
| Financial | Bank account details, IFSC, income details, credit score, loan/credit history | You / Credit Bureaus / Banks |
| Professional | Employment type, organisation, GST number, business registration details | You |
| KYC Documents | Photographs, address proof, identity documents uploaded for verification | You / UIDAI / MCA |
| Device & Usage | IP address, browser type, OS, app usage logs, click data, session duration | Automatically |
| Location | City / state inferred from IP; precise GPS location (only if app permission granted) | Automatically / You |

⚠️ Sensitive Personal Data: Financial information, biometric data (if any), and government identifiers are classified as Sensitive Personal Data or Information (SPDI) under IT Rules 2011 and are protected with heightened security controls. We never store full Aadhaar numbers.

Section 03

Purpose of Processing

We process your personal data only for specific, lawful purposes:

  • Partner onboarding, KYC verification, and account creation
  • Processing loan applications, credit card applications, and insurance proposals submitted through our platform
  • Communicating application status updates, payout notifications, and service-related alerts via SMS, email, and WhatsApp
  • Computing, crediting, and disbursing partner commissions
  • Fraud detection, credit risk assessment, and regulatory compliance
  • Improving our products and platform through anonymised analytics
  • Responding to customer service queries and grievances
  • Marketing communications about new financial products — only with your explicit consent, which can be withdrawn at any time
  • Complying with RBI, SEBI, IRDAI, and other regulatory reporting obligations

We process personal data under one or more of the following legal bases: (a) performance of a contract; (b) legitimate interests; (c) compliance with legal obligations; (d) your explicit consent (where required under DPDP Act, 2023).

Section 04

Data Sharing & Disclosure

We do not sell your personal data. We share data only as described below:

| Recipient | Purpose | Safeguards |
|---|---|---|
| Banks & NBFCs (30+ partners) | Processing loan/credit card applications; credit decisioning | Data Processing Agreements (DPAs) |
| Insurance Companies | Policy issuance and KYC verification | DPAs; IRDAI compliance |
| Credit Bureaus (CIBIL, Experian, CRIF) | Credit score checks; bureau reporting as mandated by RBI | RBI-regulated entities |
| KYC / DigiLocker | Identity and document verification | UIDAI / MeitY regulated |
| Payment Gateways | Processing partner payouts and fund transfers | PCI-DSS certified; DPAs |
| Technology Service Providers | Cloud hosting, CRM, analytics, communications | Contractual data protection obligations; India data localisation |
| Regulatory Authorities | RBI, SEBI, IRDAI, Income Tax Dept., law enforcement when required by law | Only as legally mandated |

All third parties are bound by contractual obligations requiring them to use your data only for the specified purpose and to maintain security standards equivalent to or exceeding our own.

Section 05

Data Retention

We retain personal data for as long as necessary to fulfil the purpose for which it was collected, and thereafter only as required by law:

  • Active partner accounts: Duration of relationship + 8 years (as per RBI KYC Master Direction 2016)
  • Loan / credit application records: Minimum 8 years from the date of last transaction (RBI requirement)
  • Insurance records: As per IRDAI guidelines (minimum 3 years post-policy expiry)
  • Marketing consent records: 3 years from the date of consent or withdrawal
  • Website usage & analytics data: 26 months in anonymised form
  • Deactivated accounts: 8 years post-deactivation for regulatory purposes, then securely deleted

Upon expiry of the applicable retention period, data is securely deleted or anonymised in a manner that makes re-identification impossible.

Section 06

Security Measures

Cardifye implements technical and organisational security measures consistent with ISO 27001 standards and RBI guidelines on IT frameworks:

  • 256-bit AES encryption for data at rest; TLS 1.3 for data in transit
  • Multi-factor authentication (MFA) for all partner and admin accounts
  • Role-based access controls (RBAC) with least-privilege principles
  • Continuous intrusion detection and security monitoring (SIEM)
  • Annual third-party penetration testing and vulnerability assessments
  • All data stored on servers located within India (data localisation — RBI compliant)
  • Secure data destruction procedures for decommissioned media
  • Regular security awareness training for all employees with data access

Breach Notification: In the event of a personal data breach that is likely to cause harm, we will notify affected individuals and the Data Protection Board of India within the timelines prescribed under the DPDP Act, 2023.

Section 07

Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023, you have the following rights as a "Data Principal":

  • Right to Access: Request a summary of personal data we hold about you and how it is being processed
  • Right to Correction: Request correction of inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of your data when it is no longer needed for the original purpose (subject to legal retention obligations)
  • Right to Withdraw Consent: Withdraw consent for processing at any time for consent-based activities (e.g., marketing communications)
  • Right to Grievance Redressal: Raise concerns with our Grievance Officer; escalate to the Data Protection Board of India if unresolved
  • Right to Nominate: Nominate another individual to exercise rights on your behalf in the event of incapacity

To exercise any of these rights, email privacy@cardifye.com or write to our registered office. We will acknowledge your request within 48 hours and respond within 30 days.

Section 08

Cookies & Tracking Technologies

We use cookies and similar technologies to improve your experience on our platform:

| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Login sessions, security tokens, platform functionality | Session / 30 days |
| Functional | Language, display preferences, dashboard settings | 1 year |
| Analytics | Anonymised usage tracking via privacy-safe analytics tools | 26 months |
| Marketing | Interest-based ad targeting (only with consent) | 90 days |

You can manage cookie preferences through your browser settings or our Cookie Preference Centre accessible at the bottom of our website. Withdrawing consent for non-essential cookies will not affect your access to core Services.

Section 09

Minors' Data

Our Services are not directed at individuals below the age of 18 years. We do not knowingly collect personal data from minors. Under the DPDP Act, 2023, processing of personal data of a child requires verifiable parental consent.

If we discover that we have inadvertently collected personal data from a minor without appropriate consent, we will delete such data promptly. If you believe a minor's data has been submitted to us, please contact privacy@cardifye.com immediately.

Section 10

Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, we have appointed a Grievance Officer for data-related concerns:

Grievance Officer — Data Privacy

You can reach our designated Grievance Officer through any of the channels below. We are committed to resolving all grievances within 30 days.

Mr. Ankit Verma — Data Protection Officer
Phone: +91 11 4567 8900 (Mon–Fri, 10am–6pm IST)
Address: Cardifye Financial Technologies Pvt. Ltd., 4th Floor, Tower B, DLF Cyber Park, Sector 20, Gurugram, Haryana – 122002

If your grievance is not resolved to your satisfaction within 30 days, you may escalate the matter to the Data Protection Board of India once constituted under the DPDP Act, 2023.

Section 11

Policy Changes

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Policy
  • Send an in-app notification and email to registered partners at least 14 days before the changes take effect
  • Where required by law, seek fresh consent for any new processing purposes

Continued use of our Services after the effective date of any updated Policy constitutes your acceptance of the revised terms, to the extent permitted under applicable law.

Previous versions of this Policy are available upon written request to privacy@cardifye.com.