Privacy & Security Policy

Last Updated: July 21, 2025

Applicable To: OnEMI Technology Solutions Limited, Kissht, and PaywithRing platforms

Overview

This Privacy & Security Policy applies to OnEMI TECHNOLOGY SOLUTIONS LIMITED ("the Company"), a company registered under the Companies Act, 2013, with registered office at 10th Floor, Tower 4, Equinox Park, LBS Marg, Kurla West, Mumbai City, Mumbai, Maharashtra, India, 400070.

This policy governs the collection, use, transfer, disclosure, and sharing of personal data through:

Website: https://kissht.com
Website: https://paywithring.com
Mobile applications: Kissht and PaywithRing
Digital lending platforms

Subsidiary Company

Si Creva Capital Services Private Limited, a wholly owned subsidiary of ONEMI Technology Solutions Limited and a non-banking financial company (NBFC), collects, stores, and processes personal information on behalf of the Company for loan disbursement purposes.

Legal Compliance Framework

This policy is published in compliance with:

Information Technology Act, 2000
Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Digital Lending Directions, 2025 issued by the Reserve Bank of India (RBI), dated May 08, 2025
All applicable laws, regulations, and guidelines provided by regulatory authorities including RBI

User Eligibility

To register and use the services:

Must be at least 18 years of age
Must be of sound mind
Must not be disqualified by law
Must be a resident of India
Use of the Service is strictly prohibited for individuals under 18 years or minors

Definitions

Personal Information

Information that identifies you, directly or indirectly, including:

Name
Address
Phone number
Mobile number
E-mail address
Postal address
Unique login name
Password and password validation
Income tax details
Marital status
Family details
Business information
Bank statements
KYC documents
Other details shared via application form, email, or any electronic/printed medium

Processing

An automated operation or set of operations performed on personal data, including:

Collection
Recording
Organization
Structuring
Storage
Adaptation
Alteration
Retrieval
Use
Alignment or combination
Indexing
Sharing
Disclosure by transmission
Dissemination
Restriction
Erasure
Destruction

Publicly Available Information

Any information or data that the Company reasonably believes is lawfully publicly available. All other information is considered non-publicly available.

User

Persons using the Company's services, website, or mobile app to whom this Policy applies. Terms "you" and "customer" are used interchangeably.

Information Collection

Required Information for Loan Applications

When applying for a loan through the platform, you must provide:

Name
E-mail address
Residential address
Mobile number
PAN number
Aadhaar Card
Other information needed to assess creditworthiness

Mandatory and optional fields are indicated where possible. You can choose not to provide information by not using a particular service or feature.

User Consent Options

You are provided with options to:

Give or deny consent for use of specific data
Restrict disclosure to third parties
Control data retention
Revoke consent already granted
Request the App to delete/forget data

Third-Party Service Providers

Si Creva engages with various third parties, service partners, and affiliates for collecting, storing, transferring, and processing information. The list of third-party service providers is available at: https://sicrevacapital.com/details-of-third-party-service-providers

Users are encouraged to review this list periodically.

Mobile App Permissions

SMS Data & Information

What is collected: Financial/transaction SMS only

Purpose:

Assess income
Track and analyze financial expenses
Determine creditworthiness during loan onboarding
Perform credit risk assessment

Collection frequency: Once during loan onboarding journey

Privacy measures:

SMS are encrypted
Assessment is automated
No personal SMS data is read or stored
Not shared with any third party

Usage:

Enabling access to platform services
Credit worthiness decisioning
Legal compliance requirements
Prevention of fraud

Location

What is collected: Current location (one-time access)

Purpose:

Verify borrower location
Check availability of services
Approve application

Collection frequency: Once during loan onboarding journey

Usage:

Enabling access to platform services
KYC compliance requirements

Phone/Device Information

What is collected:

Device hardware model
Operating system and version
Unique device identifiers
User profiles
WiFi information
Mobile network information
Phone number

Collection frequency: Once during loan onboarding journey

Purpose:

Uniquely identify devices
Protect from fraud
Prevent unauthorized devices from misrepresenting users or misusing information

Usage:

Fraud protection
Preventing unauthorized device access
Enabling communications between user and company
Legal compliance requirements

Camera

What is collected: One-time camera access

Purpose:

Take selfie
Scan and capture required KYC documents
Auto-fill relevant fields

Collection frequency: One-time access for onboarding/KYC requirements only, with explicit consent

Usage:

KYC compliance requirements
Document verification

Mobile App Technical Data

The mobile application may automatically collect:

Browser information
Internet Protocol (IP) address
Operating system
Platform type
Information collected through cookies
Information collected via pixel tags and other technologies
Demographic information
Time zone setting
Log files/cookies data (browsing data, pages visited, date and time of visit)

Consent Withdrawal

You may deny access to SMS/E-mail/Location/Call Logs/Contact from your mobile device settings at any time. Upon withdrawal of consent, the Company will not have access to your information.

Important: The platform does not access:

Personal SMS/E-mails (only financial service provider communications)
Contact list
Call logs
Telephony functions
Files & media (except for document uploads and selfie images)
Biometric data (unless allowed under statutory guidelines)

Non-Personal Information Collection

Information Collected

Operating system
Browser type
URL of previous website visited
List of third-party applications being used
Internet service provider
IP Address

Purpose of Collection

Troubleshoot connection problems
Administer the website
Analyze market trends
Gather demographic information
Understand visitor usage patterns (frequency of visits, average length, pages viewed)
Ensure compliance with applicable law
Cooperate with law enforcement activities
Improve website content and performance
Evaluate use of products/services
Ensure compliance with applicable agreements

Session Data

Automatically logged generic information about device connection to the Internet:

IP address
Operating system
Type of browser software
Activities conducted on website

This data is anonymous and not linked to personal information. It helps analyze user behavior and diagnose server problems.

Cookies

If enabled, cookies may be placed on your machine to:

Store small amounts of data about your visit
Identify pages being viewed
Track which features appeal most
Track content viewed on past visits
Analyze trends
Administer the site
Track user movements
Gather demographic information

Cookie Control: Users can control cookie use at the browser level. Rejecting cookies may limit ability to use some features.

Third-Party Cookies: Third-party vendors, including Google, may use cookies to serve ads based on website visits. Users may opt-out of interest-based advertising if the third party offers such an option.

Lawful Grounds for Processing Personal Information

Personal data is processed in compliance with applicable data privacy laws (Digital Lending Guidelines 2022, Information Technology Act 2000) based on:

Consent: You have explicitly agreed to processing for a specific reason
Performance of a Contract: Processing is necessary to perform the agreement with you
Legal Obligation: Processing is necessary for compliance with legal obligations
Legitimate Interest: Processing is necessary for legitimate interests pursued by the company

Purpose of Information Collection and Use

Primary Purposes

Establish identity and verify the same with or without third-party help
Facilitate and complete onboarding and KYC requirements for third-party lending partners
Monitor, improve, and administer the platform
Provide service (perform credit profiling for facilitating loans)
Design and offer customized products and services from third-party financial partners
Analyze platform usage, diagnose service/technical problems, maintain security
Send communication notifications and information regarding requested products/services
Process queries and applications made on the platform
Manage relationship with users and inform about other products/services
Conduct data analysis to improve services/products
Comply with country laws and regulations
Collect KYC for third-party lending partners
Enable users to take financial services from lending partners

Additional Uses

Fulfill requests for products and services
Deliver administrative notices, alerts, advice, and communications
Share information with group companies and third parties for joint marketing purposes
Provide value-added services
Market research and project planning
Troubleshoot problems
Detect and protect against error, fraud, or criminal activity
Share with third-party contractors providing services (bound by privacy restrictions)
Enforce Terms of Use

Data Analytics

Collected information may be used to carry out data analytics to:

Improve user experience
Enhance performance
Accomplish desired results

When used for data analytics, data is generally pseudonymized/anonymized to uphold privacy.

Information Sharing with Third Parties

General Sharing Practices

Explicit consent will be taken before sharing Personal Information with any third party, except where required by statutory or regulatory requirement.

Third-Party Service Provider Functions

Information may be shared with third-party service providers for:

KYC Validation: Validate and authenticate KYC details (PAN, officially valid documents, occupation, income)
Bank Account Validation: Validate preferred bank account and transfer loan amounts
E-signing: E-signing of User Loan Agreement and populating the agreement (information retained for auditing)
E-NACH Setup: Enable autopay functionality
Additional Information Gathering: Gather bank account and statement details if adequate information not provided
Collections: Manually collect sums owed to lending partners

Registered Third Parties

Information may be shared with:

Regulated financial partners for provision of services
Third-party partners for data analysis to serve users better
Analytics and marketing service providers (limited information: Device IDs, Android IDs, Page status, Location, Workflow events)

Third-Party SDK

The App links to registered third-party SDK that collects data to:

Analyze in-app actions
Serve retargeting ads
Perform location-based targeting on social media
Deliver personalized push notifications
Perform credit assessment

Privacy Protection: Personal identifiable information and Government IDs (PAN, Aadhaar Card, VID number) are not shared with these third parties. No unauthorized access to non-public personal contacts or financial transaction SMS data.

Mandatory Disclosures

Information may be disclosed without prior notice:

To comply with legal obligations or government/statutory authority orders
To enforce or apply terms of use
In course of corporate divestitures, mergers, or acquisitions
To protect rights, property, or safety of the company, users, or others
For fraud protection and credit risk reduction
To track user interaction with the platform
To perform credit checks and credit analysis (shared with Credit Bureaus or third-party data source providers)

Government Agencies

Government-issued ID numbers (PAN Number, Aadhaar Card, Virtual ID) are requested for:

Verifying creditworthiness
Completing KYC formalities

This data:

Remains completely safe and secure
Never shared with any third party
Passed to authorized third-party APIs and government websites for validation only

KYC Journey Disclosure

KYC journey data may be disclosed to relevant regulatory authorities as part of statutory audit process. Aadhaar number is never disclosed.

Confidentiality Agreements

Information shared with third parties is under confidentiality agreements restricting use only for purposes stated in this privacy policy. The company warrants no unauthorized disclosure of information shared with third parties.

User Consent for Sharing

By using the Platform, users grant consent to:

Share/disclose Personal Information to concerned third parties in connection with Services
Share with governmental authorities, quasi-governmental authorities, judicial authorities, and quasi-judicial authorities in accordance with applicable laws of India

Restricting Information Sharing

To restrict sharing of information partially or completely with third parties (other than statutory or regulatory authorities), contact: [email protected] or [email protected]

Data Retention

Storage Location

Personal information is stored only on servers located in India.

Retention Categories

Basic Personal Information (Non-Lending Services):

Name
Address
Contact information

Retained for carrying out non-lending services.

Outsourcing Services Information: Personal information collected for Partners:

Collected upon Partner instructions
Transferred to Partners upon completion of preliminary onboarding

Retention Duration

Non-Personally Identifiable Information (Non-PII) including SMS:

Stored and used for one (1) year

Other Data (name, address, contact details, etc.):

Retained for minimum period of five (5) years
Includes data collected for onboarding and operational servicing per regulatory guidelines (DLG)

General Retention Principles

Information retained:

As long as the purpose of usage exists
As required by Applicable Laws
Even after consent withdrawal (when required by Applicable Laws)
For duration of relationship with user plus:
- Period required under Applicable Laws
- Length of applicable statutory limitation period for legal claims

Compliance

Retention done in compliance with:

This policy
Applicable law/regulatory requirements in India
Arrangements with business partners

Retention continues unless consent is withdrawn by user.

Data Destruction Protocol

All data, including all copies, will be destroyed post completion of:

Business requirements
Legal requirements
Regulatory requirements

Digital Data Destruction: Secure erasure of individual folders and/or files done as per the Media Handling and Destruction Policy of the Company.

Security Practices and Procedures

Security Standards

The platform complies with:

Technology standards/requirements on cybersecurity stipulated by Reserve Bank of India (RBI)
Standards specified by other agencies
Requirements for undertaking digital lending

Encryption and Secure Communication

All communications between devices and the platform containing Personal Information are encrypted. This prevents:

Eavesdropping
Tampering
Message forgery

Data Transmission Security

Generally accepted standards used to protect Personal Information during transmission and after receipt
Secure Sockets Layers (SSL) based encryption for information transmission (current required level in India)
Strong encryption techniques adhering to current industry standards

Access Control

Physical and Administrative Safeguards:

Reasonable physical, administrative, and technical safeguards implemented
Access to Personal Information strictly restricted
Used only under specific internal procedures and safeguards
Registration information and account information access limited

Database Protection:

Databases protected from general employee access (physically and logically)
Service passwords encrypted (cannot be recovered even by the company)
All backup drives and tapes encrypted
No sensitive content allowed on unsecured machines

Employee Access:

Access to Personal Information restricted to employees, contractors, and agents who need it for processing
Subject to strict contractual confidentiality obligations
May be disciplined or terminated for failing to meet obligations

Server Security

Information maintained on servers located in India
Databases protected from general employee access (physically and logically)
Multiple security layers to defend against attacks (low-level to sophisticated)

Security Measures

Stringent security measures to protect against:

Loss of information
Misuse of information
Alteration of information
Unauthorized access
Unauthorized disclosure
Destruction of information

Security Features

Encryption to keep data private while in transit
Security features like OTP verification to protect accounts
Review of information collection, storage, and processing practices
Physical security measures to prevent unauthorized system access
Restricted access to Personal Information
Strict contractual confidentiality obligations for those with access
Regular review of Privacy Policy
Compliance with regulations and applicable laws
Aadhaar number never disclosed

Third-Party Service Provider Security

Third-party service providers required to:

Maintain confidentiality of provided information
Protect information from unauthorized access, use, and disclosure
Use industry-leading security solutions:
- Anti-virus
- Anti-malware
- Intrusion prevention systems
- Intrusion detection systems
- File integrity monitoring
- Application control solutions
Provide hosting security
Take extensive security measures to protect Personal Information against loss, misuse, or alteration

Telephone Call Recording

Telephone calls may be recorded and monitored for:

Quality checks
Staff training
Combating fraud

Cyber Security Policy

Cyber security policy implemented for handling all security breaches in compliance with applicable laws and regulations.

Information Security Breach Response

Compliance Framework

In the event of an information security breach, the Company commits to complying with guidelines from:

Indian Computer Emergency Response Team (CERT-In)
Reserve Bank of India (RBI)

Incident Management Policy Approach

Immediate Action: Contain and limit exposure of the breach
Assessment: Determine scope and impact to understand affected data and systems
Notification: Inform relevant authorities and affected parties per legal requirements and CERT-In & RBI guidelines
Investigation: Determine cause, gather evidence for potential legal action, improve future security measures
Recovery: Restore disrupted services and secure systems from future breaches
Post-Incident Analysis: Identify lessons learned and implement improvements to policies, procedures, and technologies
Reporting: Report to RBI & CERT-In within reasonable time frame with complete incident details, impact, and remedial actions

Compliance Assurance

The Incident Management Policy is designed for full compliance with:

National laws regarding cybersecurity
Data protection regulations
Rapid and effective incident response
Maintenance of company reputation and stakeholder trust

User Rights Regarding Data

Right to Access

You may request to access your data provided or processed by the company. This enables you to:

Receive a copy of personal data held about you
Check that data is being lawfully processed

How to Access: Log in to your account on the website or contact support at [email protected] or [email protected]

Right to Rectification

If any personal data is inaccurate, incomplete, or outdated, you have the right to:

Provide accurate, complete, and up-to-date data
Have the company rectify such data immediately

Users are urged to always provide accurate and correct information to ensure uninterrupted service use.

Right to Withdraw Consent

Methods to Withdraw Consent:

Uninstall the App to prevent further data sharing
Modify permissions on device for Camera or Audio access
Contact [email protected] or [email protected]

Consent Withdrawal Process:

May withdraw consent subject to legal or contractual obligations and on reasonable notice
Should contact privacy email for information regarding withdrawal implications
If choosing to proceed, give requisite notice

Impact of Withdrawal:

May limit ability to provide requested product or service
Company reserves option not to provide services or modify services if consent withdrawn

Continued Access After Withdrawal: Where permitted by law, you may be given option to give express consent to access:

Credit information from credit reporting agencies
Other agencies (NSDL, CKYC records, Digilocker, etc.)

Credit information used for:

Assessing risk
Providing quotes
Determining eligibility for premium discounts
Retrieving current credit score while remaining a customer (unless consent withdrawn)

Marketing Opt-Out

Marketing Communications: The company may send:

Emails about latest offerings and updates
Push notifications

Opt-Out Methods:

Write to the company to opt out of promotional emails
Follow unsubscribe instructions in messages
Opt out of push notifications through device settings

Impact of Opting Out:

Opting out of push notifications may impact App use
Non-promotional communications will still be sent (repayment reminders, loan approvals, etc.)

Account Closure

If you choose to close your account:

Personally identifiable information will not be used for further purposes
Information will not be sold or shared with third parties
Exceptions: fraud prevention, law enforcement assistance, as required by law or this Privacy Policy

Data Deletion/Forget Option

You are provided with an option to:

Make the App delete/forget data (as defined under RBI circular dated September 02, 2022 on "Guidelines on Digital Lending")

How to Request Deletion: Write to [email protected] or [email protected]

Other User Options

You can:

Review and edit Personal Information by logging into account or contacting support
Give or deny consent for use of specific data
Restrict disclosure to third parties
Control data retention
Revoke consent already granted to collect personal data

Google API Services Compliance

The use of information received from Google APIs will adhere to:

Google API Services User Data Policy
Limited Use requirements

Third-Party Advertising

The company may:

Use third-party advertising companies and/or ad agencies to serve ads when visiting the platform
Share information with third-party service providers or advertisers to measure effectiveness of online advertising, content, and programming
Use for other bonafide purposes as deemed fit

By using the website, you expressly permit Si Creva to access such information for one or more purposes deemed fit.

Children and Minors

The platform is not intended for use by children and minors. Parents are requested to ensure that personal information is not provided by minors.

Changes to Privacy Policy

Amendment Process

This Privacy Policy may change or be amended over time. The recent version is published on the Platform.

User Notification

Material changes to this Privacy Policy will be notified by:

Publishing on the Platform

User Responsibility

Revisit this page periodically to stay aware of changes
Continued use of Services confirms acceptance of Privacy Policy as amended
If you do not agree to amended terms, you must stop using Services and notify the company

Keeping Information Current

It is important that Personal Information held/passed to lending partners is up to date and correct. Please inform the company of any changes to Personal Information.

Policy Review

The policy will be reviewed:

At yearly intervals
As and when considered necessary by Senior Management/Board of the Company

Omnibus Clause

All extant and future master circular/directions/guidance/guidance notes issued by Regulatory Authorities and other applicable regulations will:

Be the directing force for the Privacy Policy
Supersede the contents of this policy

Contact Information

Grievance Redressal Officer

Detail	Information
Name	Reefat Shaikh
Address	10th Floor, Tower 4, Equinox Park, LBS Marg, Kurla West, Mumbai, Maharashtra 400070
Contact Number	08044745952
Email	[email protected]
Availability	10:30 a.m. to 6:00 p.m., Monday to Friday (except public holidays)

Privacy Concerns

For privacy-related concerns, write to:

Withdrawal of Consent / Deletion of Data or Account

For withdrawal of consent, deletion of data, or account deletion, write to:

Customer Service

Email: [email protected]

Phone Numbers:

080 44745884
080 62816309

Location: Mumbai, Maharashtra