Privacy & Security Policy - OnEMI Technology Solutions Limited

Last Updated: July 21, 2025

Overview

This Privacy & Security Policy applies to OnEMI TECHNOLOGY SOLUTIONS LIMITED and its digital lending applications Kissht and PaywithRing. The policy governs the collection, use, transfer, disclosure, and sharing of personal data through websites, digital lending applications, mobile applications, and platforms operated by the company.

Company Information

Legal Entity: OnEMI TECHNOLOGY SOLUTIONS LIMITED

Registration: Company registered under the Companies Act, 2013

Registered Office Address:

• 10th Floor, Tower 4, Equinox Park
• LBS Marg, Kurla West
• Mumbai City, Mumbai
• Maharashtra, India, 400070

Subsidiary Entity

Si Creva Capital Services Private Limited - A wholly owned subsidiary of OnEMI Technology Solutions Limited, operating as a non-banking financial company (NBFC) for loan disbursement.

Platform Information

Digital Lending Applications:

• Kissht
• PaywithRing

Websites:

• https://kissht.com
• https://paywithring.com

1. Preamble

This data Privacy Policy sets forth the modes of collection, use, transfer, disclosure and sharing minimal amount of personal data or information gathered through any website, digital lending application, mobile application, platform or otherwise used by the company.

The policy applies to:

• Personal information collected on the platform/website
• Information collected by the company in other ways
• Visitors to the website, digital lending application, mobile application, and platform
• Existing and future customers/prospects/applicants

This Privacy Policy shall be read in conjunction with the terms of use agreed by users while registering with Si Creva for availing its services.

Legal Compliance Framework

This document is prepared and published in compliance with:

1. Information Technology Act, 2000 and Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

2. Digital Lending Directions, 2025 issued by the Reserve Bank of India (RBI), dated May 08, 2025

3. Other applicable acts, regulations and rules which require the publishing of a privacy policy for handling of or dealing in personal information including sensitive personal data or information and all applicable laws, regulations, guidelines provided by applicable regulatory authorities including but not limited to the RBI

User Consent

By continuing to use the services, users agree to this policy. If users do not agree to this policy or any part thereof, they should not use, access, download, or install the app or any part thereof.

2. Applicability

Service Categories

The Policy is applicable for the collection of information for the following categories of services:

Information for Digital Lending Services

1. Information collected by/through the Platform by Si Creva Capital Services Private Limited (a non-banking financial company), subsidiary company of ONEMI TECHNOLOGY SOLUTIONS PRIVATE LIMITED, for disbursement of loans

2. Information collected by the Platform provided to the other lending partners and the business partners

User Authorization

Users authorize the company to collect, store, authenticate, verify and distribute Personal Information as may be required to sanction the loan or provide services on the applications or website. Personal information may be collected through application forms.

Data Protection Commitment

The company is committed to:

• Maintaining the confidentiality, integrity and security of all personal information of users
• Keeping personal information secure
• Using personal information solely for activities related to company's business
• Taking adequate measures aimed at protecting personal information entrusted and disclosed to the company

Age and Eligibility Requirements

To register with the company, users must:

• Be at least 18 (eighteen) years of age
• Be of sound mind
• Not be disqualified by law
• Be a resident of India

Use of the Service is strictly prohibited for individuals under the age of 18 (eighteen) years or minors.

3. Definitions

Personal Information

For purposes of this Policy, "Personal Information" means information including Sensitive Personal Information that identifies a user, directly or indirectly, such as:

• Name
• Address
• Phone number
• Mobile number
• E-mail address
• Postal address
• Unique login name
• Password
• Password validation
• Income tax details
• Marital status
• Family details
• Business information
• Bank statements
• KYC documents
• Other details shared via application form, email, or any other electronic medium or printed form

All Personally Identifiable Information and Service Information shall be collectively known as "Information."

User Contact Authorization

By providing a phone number at the platform, users authorize the company and its representatives to:

• Contact and offer services for the product opted for
• Impart product knowledge
• Offer promotional offers running on the website
• Contact about other services and products offered by the company and/or authorized third party service partners/affiliates

Data Processing Activities

By submitting Information to the platform, users expressly acknowledge and consent to use such Information and to process the same in a manner deemed fit, which may involve:

• Conducting data analysis
• Research based on reviews about deals
• Transfer of Information to third party experts for the purpose of services offered
• Transfer of Information to third parties/service partners for providing services offered by such third parties and service partners

Data Retention

Retention of information is done as per this policy and in compliance with applicable law/regulatory requirements in India and as mandated in arrangements with business partners to provide services, unless such consent is withdrawn by the user.

Processing

"Processing" in relation to personal data or information means an automated operation or set of operations performed on personal data, and may include operations such as:

• Collection
• Recording
• Organization
• Structuring
• Storage
• Adaptation
• Alteration
• Retrieval
• Use
• Alignment or combination
• Indexing
• Sharing
• Disclosure by transmission
• Dissemination or otherwise making available
• Restriction
• Erasure or destruction

Publicly Available Information

"Publicly available information" shall mean any information or data of the user which the company reasonably believes is lawfully publicly available. All other information or data which is not publicly available shall be non-publicly available information for the purpose of this Policy.

User

"User" shall mean such persons who are using the company's services or the company's website or the company's mobile app and to whom this Policy is applicable. The terms "you" and "customer" are used interchangeably with "User" in this Policy.

4. The Policy

4.1 Collecting Information of Users

Information Required for Loan Applications

If users intend to avail a loan by using the platform from any lending partners, they would be required to provide details like:

• Name
• E-mail address
• Residential address
• Mobile number
• PAN number
• Aadhaar Card
• Other information needed to assess creditworthiness

Wherever possible, the company indicates the mandatory and optional fields. Users always have the option to not provide any information by choosing not to use a particular Service or feature on the Platform.

User Consent Options

Users shall be provided with an option to:

• Give or deny consent for use of specific data
• Restrict disclosure to third parties
• Control data retention
• Revoke consent already granted to collect personal data
• Make the App delete/forget the data (if required)

Third-Party Service Providers

Si Creva engages with various third parties, service partners, and affiliates for the purpose of collecting, storing, transferring, and processing user information as required for its business operations.

List of Third-Party Service Providers: Available at https://sicrevacapital.com/details-of-third-party-service-providers/

The company encourages users to review this list periodically to stay informed about the entities handling their information.

Data Usage Restrictions

The data collected, as stated in this Policy, is solely restricted to the mentioned activities and will not be used for any other purpose. In case the company uses the data for any other purpose, explicit consent shall be taken.

SMS Data Collection

The company collects and monitors financial/transaction SMS only, to determine the creditworthiness for the purpose of loan applications. No personal SMS data is read or stored.

The company may use information collected from users/mobile devices to:

• Carry out data analytics to improve the user experience
• Enhance performance
• Accomplish desired results

When the company uses data to carry out data analytics, it generally pseudonymizes/anonymizes the data to uphold user privacy.

Biometric Data

No biometric data is stored/collected in the systems, unless allowed under extant statutory guidelines.

Technology Standards Compliance

The company's systems comply with various technology standards/requirements on cybersecurity stipulated by:

• Reserve Bank of India (RBI)
• Other agencies, or as may be specified from time to time, for undertaking digital lending

Platform Permissions

The Platform accesses the following information solely for the purpose of onboarding journey:

• SMS (to assess the income, financial expenses etc.) - one time
• Location - one time
• Device and phone number information:
  • Device hardware model
  • Operating system and version
  • Unique device identifiers
  • User profiles
  • WiFi information
  • Mobile network information

Access Restrictions

Access to user information is strictly restricted:

• Registration information
• Account information
• Any other Personal Information provided

Access is used only under specific internal procedures and safeguards governing access, to operate, develop or improve the Service.

Third-Party Service Providers for Operations

The company may use third-party service providers to help provide the Service, such as:

• Sending e-mail messages or SMS on behalf of the company
• Hosting and operating a particular feature or functionality of the Service

The company requires such third parties to maintain the confidentiality of the information provided to them.

Call Recording

If users telephone the company, calls may be recorded and monitored for:

• Quality checks
• Staff training
• Combating fraud

4.2 Lawful Grounds for Processing Personal Information

The company will process personal data in compliance with applicable data privacy laws such as:

• Digital Lending Guidelines, 2022 (as regulated by RBI and amended from time to time)
• Information Technology Act, 2000

Processing is based on one or more of the following lawful grounds:

Consent

User has explicitly agreed to processing for a specific reason

Performance of a Contract

The processing is necessary to perform the agreement that the lender will have with the user

Legal Obligation

The processing is necessary for compliance with legal obligations under certain laws

Legitimate Interest

The processing is necessary for the purposes of a legitimate interest pursued by the company

4.3 Mode of Collecting Information

In order to provide seamless approval and determine instant creditworthiness of customers, the company requests certain permissions with explicit consent of users to complete the signup process which shall be passed on with the lender for relevant onboarding process of the loan.

SMS Data & Information

What is Collected: The platform collects, accesses, stores financial/transaction SMS to assess the income, track and analyze financial expenses and determine the creditworthiness once during the loan onboarding journey.

Purpose: This data is used for the purpose of performing credit risk assessment. The assessment is automated, and the SMS are encrypted.

Privacy Protection: The platform does not read or store any personal SMS data. It does not share SMS with any third party.

How This Data is Used:

• For enabling the access to the services provided on platform
• For Credit worthiness Decisioning
• For Legal Compliance and Requirements
• For Prevention of Fraud

Location

What is Collected: The platform accesses the current location only once during the loan onboarding journey.

Purpose:

• To verify the location of the borrower
• To check the availability of services
• To approve the application

How This Data is Used:

• For enabling the access to Services provided on platform
• For KYC compliance Requirements

Phone

What is Collected: The platform collects the device location of the borrower and phone number information, such as:

• Device hardware model
• Operating system and version
• Unique device identifiers
• User profiles
• WiFi information
• Mobile network information

Collection Frequency: Only once during loan onboarding journey

Purpose: The platform assesses these to uniquely identify devices and protect users from fraud by preventing unauthorized devices from misrepresenting users or misusing their information.

How This Data is Used:

• For uniquely identifying devices and protecting from fraud
• For preventing unauthorized devices from misrepresenting users or misusing information
• For Enabling Communications Between Users and the Company
• For Legal Compliance and Requirements

Additional Consent-Based Access

In addition to the Information made available, the company may seek explicit consent and request one-time access to:

• SMS
• E-mail
• Location
• Call Logs
• Contact

Important Clarifications:

• The company only reads SMS/Emails from financial service providers
• Does not open, read, or access any personal SMS/E-mails
• Does not access any other personal Information on SMS/E-mail

Withdrawing Consent: Upon granting consent for access, if at any time users wish to deny access to the above-mentioned consent in future, they may do so from the settings of their mobile device. In case users withdraw given consents, the company assures that it shall not have any access to user Information.

Mobile Phone Resources

The company does not access mobile phone resources such as:

• Contact list
• Call logs
• Telephony functions
• Files & media (except as disclosed above in order to enable users to upload documents and selfie image)

Biometric Data: The company does not collect biometric data.

Camera

What is Required: One time camera access

Purpose:

• To take selfie
• Scan and capture the required KYC documents
• Allowing the company to auto-fill relevant fields

Access Type: A one-time access can be taken for camera, microphone, location or any other facility necessary for the purpose of on-boarding/KYC requirements only, with the explicit consent of the borrower.

How This Data is Used:

• For enabling camera access to take selfie, scan and capture the required KYC documents thereby allowing auto-fill of relevant fields
• For KYC compliance Requirements

Mobile App

The company may collect and use technical data and related information, including but not limited to, technical information about user devices, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services related to Mobile Applications.

Mobile Device Information Collected:

When users use the Mobile Application, the Mobile Application may automatically collect and store some or all of the following information from mobile devices ("Mobile Device Information"), in addition to the Device Information:

1. Browser information
2. Internet Protocol (IP)
3. Operating system
4. Platform type
5. Information collected through cookies
6. Information collected via pixel tags and other technologies
7. Demographic information
8. Time zone setting
9. Log files/cookies data (implicitly includes browsing data, such as pages visited, date and time of visit, etc.)

Non-Personal Information

The company also collects certain other information from users on their visit to the Website such as:

• Information about operating system
• Browser type
• The URL of the previous website visited
• List of third-party applications being used
• Internet service provider
• IP Address (Non-personal Information)

This information cannot be easily used to personally identify users.

Use of Non-Personal Information:

The company uses Non-personal Information for purposes including but not limited to:

• Troubleshoot connection problems
• Administer the Website
• Analyze trends in the market
• Gather demographic information
• Ascertain how visitors use the Website, including information relating to:
  • Frequency of visits to the Website
  • Average length of visits
  • Pages viewed during a visit
• Ensuring compliance with the applicable law
• Co-operating with law enforcement activities
• Improve the Website content and performance

Usage Statistics:

Users agree that the company may gather usage statistics and usage data from use of the Website to:

• Evaluate use of products/services
• Improve products/services
• Improve Website content
• Ensure compliance with the terms of the applicable agreements between users and Si Creva and other lending partners

The statistics and data collected may or may not be aggregated. These statistics contain no information that can distinctly identify users.

Third-Party Advertising:

The company may use third-party advertising companies and/or ad agencies to serve ads when users visit the platform.

The company may in future also share this information with third party service providers or third party advertisers to measure the overall effectiveness of online advertising, content, programming and for other bonafide purposes, as the company may desire.

By usage of the Website, users expressly permit Si Creva to access such information for one or more purposes deemed fit by Si Creva.

Session Data

The company automatically logs generic information about device connections to the Internet, which is called "session data", that is anonymous and not linked to any personal information.

Session Data Consists Of:

• IP address
• Operating system
• Type of browser software being used
• Activities conducted on the Website

What is an IP Address: An IP address is a number that lets devices attached to the Internet, such as web servers, know where to send data back to the user, such as the pages of the site the user wishes to view.

Why Session Data is Collected:

The company collects session data because it helps:

• Analyze items visitors are likely to click on most
• Understand the manner in which visitors click preferences on the Website
• Track number of visitors surfing to various pages on the Website
• Measure time spent by visitors on the Website
• Understand frequency of visits
• Diagnose problems with servers
• Better administer systems

Although such information does not identify any visitor personally, it is possible to determine from an IP address a visitor's Internet Service Provider (ISP), and the approximate geographic location of his or her point of connectivity.

Cookies

If enabled, the company may place cookies on user machines that store small amounts of data on computers about visits to any of the pages of this website.

What Cookies Do: Cookies can identify the pages that are being viewed, and this can assist in:

• Tracking which features appeal the most to users
• Understanding what content users may have viewed on past visits

Cookie Technologies Used For:

• Analyzing trends
• Administering the Site
• Tracking users' movements around the Site
• Gathering demographic information about the user base as a whole

Third-Party Cookies:

Third-party vendors, including www.google.com ("Google"), may use cookies to serve ads based on visits to this Website. Users may visit the website of the third party and choose to opt-out of the use of cookies for interest-based advertising if the third party offers such an option.

User Control Over Cookies:

The company uses cookies on the website to personalize Service to users. Users can control the use of cookies at the individual browser level.

• If users reject cookies, they may still use the Site, but ability to use some features or areas of the Site may be limited
• Users may refuse to accept cookies by activating the setting on their browser, which allows them to reject the setting of cookies
• Unless users have adjusted browser settings to reject cookies, the system will issue cookies when users log on to the website

Information Sharing with Third Parties

The company may use third-party advertising companies and/or ad agencies to serve ads when users visit the website. These companies may use information (excluding name, address, e-mail address, or telephone number) about visits to websites to provide advertisements on this Site and other sites about goods and services that may be of interest to users.

Consent Requirements:

Explicit consent will be taken from users before sharing Personal Information with any third party, except for cases where such sharing is required as per statutory or regulatory requirement.

Third-Party Products and Services:

If users choose to apply for separate products or services, disclose information to the providers, or grant them permission to collect information, then the use of user information is governed by their privacy policies. Users should evaluate the practices of these external service providers before deciding to use their services. The company is not responsible for their privacy practices.

Restricting Information Sharing:

In case users wish to restrict sharing of information partially or completely with third party (other than statutory or regulatory authorities), they may reach out to:

• [email protected]
• [email protected]

3rd Party Service Providers

The company works with third-party service providers to execute various functionalities of the App and may share user information with such service providers to help provide the App.

Functionalities Include:

1. KYC Validation:

   • To facilitate the validation and authentication of the KYC details such as PAN, officially valid documents (OVDS, PAN), occupation, income, etc. provided by users

2. Bank Account Validation:

   • To facilitate the validation of preferred bank account
   • Transferring the loan amounts to users

3. E-Signing:

   • E-signing of the User Loan Agreement
   • Populating the User Loan Agreement
   • The information shared with these service providers is retained for auditing of the agreements

4. E-NACH Setup:

   • e-NACH set-up to enable autopay

5. Additional Bank Information:

   • Gathering of additional information regarding bank account and statement details in case adequate information has not been provided by users or through the other service providers the company works with

6. Collections:

   • For manually collecting any sums owed by users to lending partners

Third-Party Privacy Policies:

Usage of such third-party services is subject to their privacy policies and not within the company's control. The company recommends that users have a look at their privacy policies before agreeing to use their services.

Consent for Third-Party Sharing:

Explicit consent will be taken from users before sharing personal information with any third party, except for cases where such sharing is required as per statutory or regulatory requirement.

Link to Third-Party Software Development Kit (SDK)

The App has a link to a registered third party SDK which collects data on behalf of the company and data is stored to a secured server to perform a variety of services such as:

• Analyzing in-app actions
• Serving retargeting ads
• Location based targeting on social media accounts
• Delivering personalized push notifications
• Performing credit assessment based on user information

Information Shared with SDK:

The company shares limited information such as:

• Device IDs
• Android IDs
• Page status
• Location
• Workflow events

This information is shared with analytics and marketing service providers who may use it to serve targeted, contextual ads to users.

Security Measures:

The company ensures that third party service providers take extensive security measures in order to protect Personal Information against loss, misuse or alteration of the data.

Data Protection During Transmission:

The company follows generally accepted standards to protect the Personal Information submitted, both during transmission and once received, using secure cryptographic techniques over HTTPS APIs.

Security Measures:

The company uses a combination of:

• Firewalls
• Encryption techniques
• Authentication procedures

These measures are used to maintain the security of online sessions and to protect https://paywithring.com/ https://kissht.com accounts and systems from unauthorized access.

Security Limitations:

No Internet website can fully eliminate security risks. The company implements cyber security policy for handling all security breaches in compliance with applicable laws and regulations.

Hosting Security:

The registered third party service provider provides hosting security using:

• Industry-leading anti-virus
• Anti-malware
• Intrusion prevention systems
• Intrusion detection systems
• File integrity monitoring
• Application control solutions

Data Usage Policy:

The company does not sell or misuse user data. The company does not share personal identifiable information and Government IDs such as PAN, Aadhaar Card, VID number with these 3rd parties. The company also doesn't allow unauthorized access to non-public personal contacts or financial transaction SMS data with any 3rd party.

Other

The company may from time to time add or enhance products/services available on the Website. To the extent these products/services are provided to and used by users, the company will use the information provided in this regard to facilitate the products/service requested.

Example: If users email the company with a question, the company will use email address, name, nature of the question, etc. to respond to the question. The company may also store and publish such information to assist in making the Website better and easier to use.

Google API Services:

The use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Government Agencies

To verify creditworthiness and complete the KYC formalities, the company requests users to enter few government-issued ID numbers such as:

• PAN Number
• Aadhaar Card
• Virtual ID (VID) number

Data Security:

This data remains completely safe and secure with the company and is never shared with any 3rd party. However, user information is passed to the authorized 3rd party APIs and government websites for users to fill up the information and help the company validate KYC credentials.

4.4 Purpose of Collection and Use of Personal Information

The company collects and uses the minimal financial information and other minimal personal information.

Information is Collected and Used:

1. To fulfill user requests for products and services offered and subscribed and accepted by users

2. To deliver to users any administrative notices, alerts, advice and communications relevant to use of the Service

3. To share user information with group companies and other third parties in so far as required for joint marketing purposes and/or to provide users with similar value-added services

4. For market research, project planning, troubleshooting problems, detecting and protecting against error, fraud or other criminal activity

5. To third-party contractors that provide services to Si Creva and are bound by these same privacy restrictions

6. To enforce Terms of Use

Intended Purpose of Collecting Information:

1. Establish identity and verify the same with or without help of third party(ies)

2. To facilitate and complete onboarding and KYC requirements for third party lending partners

3. Monitor, improve and administer the Platform

4. To facilitate and provide service i.e. perform credit profiling for the purpose of facilitating loans to users

5. Design and offer customized products and services offered by third party financial partners

6. Analyze how the Platform is used, diagnose service or technical problems and maintain security

7. Send communication notifications, information regarding the products or services requested by users or process queries and applications that users have made on the Platform

8. Manage relationship with users and inform users about other products or services the company thinks users might find of some use

9. Conduct data analysis in order to improve the Services/Products provided to the User

10. Use the User information in order to comply with country laws and regulations

11. Collect KYC for third party lending partners based on the information shared by the User

12. Use the User information in other ways permitted by law to enable users to take financial services from lending partners

4.5 Retention of Information

Data Storage Location

OnEMI stores user personal information only at servers located in India.

Basic Personal Information Retention

The company shall only retain basic personal information such as:

• Name
• Address
• Contact information

These are required to be stored for carrying out non-lending services.

Outsourcing Services Data

For other personal information collected as part of outsourcing services being provided to Partners:

• The company shall collect such information upon the instructions of the Partners
• Thereafter transfer the same to the Partners upon the completion of the preliminary onboarding

Retention Compliance

Retention of information is done as per this policy and in compliance with:

• Applicable law/regulatory requirements in India
• As mandated in arrangements with business partners to provide services to users
• Unless such consent is withdrawn by users

Retention After Consent Withdrawal

The company retains Information as long as the purpose of its usage exists, after which the same is archived or purged or deleted, except in case where the retention is required as per Applicable Laws.

The company informs users that it retains Information even after users withdraw consent partially or wholly, for longer period of time, when necessary or required to be retained under various Applicable Laws.

Retention Periods

Non-Personally Identifiable Information (Non-PII) including SMS:

• Will be stored and used for a period of one (1) year

Other Data: All other data such as name, address, contact details, etc. permitted in pursuant to regulatory guidelines, including DLG and such other data collected for the purpose of onboarding and operational servicing:

• Will be retained for a minimum period of five (5) years

General Retention Terms

In general terms, user Information will be kept for:

1. The duration of the relationship with users

2. The period required under Applicable Laws

3. As long as it is necessary for users to be able to bring a claim against the company and for the company to be able to defend itself against any legal claims. This will generally be the length of the relationship plus the length of any applicable statutory limitation period under Applicable Laws

4.6 Data Destruction Protocol

All the data, including all the copies thereof will be destroyed post the completion of the business, legal or regulatory requirement.

Digital Data Destruction:

In case the data are stored in digital form, then secure erasure of individual folders and/or files will be done as per the Media handling and Destruction Policy of the Company.

4.7 Disclosure of Personal Information

The personal information collected by the Company shall not be disclosed to any other organization except:

Permitted Disclosures

1. Contractual Agreement:

   • Where the disclosure has been agreed in a written contract or otherwise

2. Need-to-Know Basis:

   • Disclosure is required to the third party on a need-to-know basis, provided that in such case, the company shall also inform the third parties of the confidential nature of the personal information and shall ensure that the same standards of information/data security are maintained

3. Legal Requirements:

   • Disclosure to any governmental authority or law enforcement officers if they request or require any information and the company thinks disclosure is required or appropriate in order to comply with laws, regulations, or a legal process

User Authorization for Information Exchange

The user authorizes the Company to exchange, share, part with all information related to the details and transaction history of the User to:

• Its affiliates
• Banks
• Financial institutions
• Credit bureaus
• Agencies
• Participation in any telecommunication or electronic clearing networks

This exchange may be required by:

• Law
• Customary practice
• Credit reporting
• Statistical analysis and credit scoring
• Verification or risk management
• Any of the aforesaid purposes

Users shall hold the Company liable for use or disclosure of this information.

4.8 Revocation of Consent and Deletion of Data

Consent Requirements

Consent is required before the company may collect, use or disclose personal information, except in situations permitted by the law, such as:

• During a fraud investigation
• Where the company is required to disclose information by court order

Implied Consent

Users may also provide implied consent for the collection, use, and disclosure of personal information necessary for the Identified Purposes.

Express Consent for Sensitive Information

While the company may rely on implied consent in certain circumstances, the company will not collect, use or disclose the following without express written or verbal consent:

• Medical and health information
• Employment and income information
• Banking, credit or financial information

Withdrawing Consent

Users may withdraw consent, subject to legal or contractual obligations and on reasonable notice, but this may limit the company's ability to provide the requested product or service.

To Withdraw Consent:

Users should contact:

• [email protected]
• [email protected]

The company will provide information regarding the implications of withdrawal, and then if users choose to proceed, users should give the requisite notice.

Credit Information Access

Where permitted by law, users may be given the option to give express consent to the company to access credit information from:

• A credit reporting agency
• Other agencies such as NSDL, CKYC records, Digilocker, etc.

Purpose of Credit Information:

The company will use this credit information for the purpose of:

• Assessing risk
• Providing users with a quote
• Determining eligibility for a premium discount

The company may continue to retrieve current credit scores from time to time, while users remain customers, unless users withdraw consent for the company to do this.

4.9 Reasonable Security Practices and Procedures

1. Data Security

The company follows generally accepted standards to protect the Personal Information submitted, both during transmission and once received. However, no Internet website can fully eliminate security risks. The company implements cyber security policy for handling all security breaches in compliance with applicable laws and regulations.

Security Measures:

The company uses a combination of:

• Firewalls
• Strong encryption techniques
• Authentication procedures that adhere to current industry standards

These measures maintain the safety and security of user data.

Industry Standard Security:

The company employs industry standard security measures to protect personal information:

• During online sessions
• During transmission and storage
• To protect https://paywithring.com/ https://kissht.com accounts and systems from unauthorized access

2. Database Protection

The company maintains user information on servers located in India.

Database Security:

• Databases are protected from general employee access, both physically and logically
• Service passwords are encrypted so that passwords cannot be recovered, even by the company
• All backup drives and tapes are also encrypted
• No employee may put any sensitive content on any unsecured machine (i.e., nothing can be taken from the database and put on an insecure laptop)

Information Security Breach Response

In the event of an information security breach, the Company is committed to complying with the guidelines set forth by:

• Indian Computer Emergency Response Team (CERT-In)
• Reserve Bank of India (RBI)

This adherence is in accordance with the Company's Incident Management Policy, which outlines the structured approach to be followed when handling such incidents.

Incident Response Approach:

1. Immediate Action:

   • Contain and limit the exposure of the breach

2. Assessment:

   • Assess the scope and impact of the breach to understand the data and systems affected

3. Notification:

   • Notification procedures, where relevant authorities and affected parties will be informed as per the legal requirements, CERT-In & RBI guidelines

4. Investigation:

   • Investigation of the breach to determine the cause and to gather evidence for potential legal action and to improve future security measures

5. Recovery:

   • Recovery steps to restore any services that were disrupted and to secure systems from future breaches

6. Post-Incident Analysis:

   • Post-incident analysis to identify lessons learned and to implement improvements to policies, procedures, and technologies

7. Reporting:

   • Reporting to RBI & CERT-In within a reasonable time frame as specified in their guidelines, with a complete rundown of the incident's details, impact, and the remedial actions taken

Policy Compliance:

The Company's Incident Management Policy is designed to be in full compliance with national laws and regulations regarding cybersecurity and data protection. This ensures not only a rapid and effective response to incidents but also maintains the Company's reputation and the trust of its customers and partners.

3. Encryption and Secure Communication

All communications between user computers, tablets, mobile devices and the platform that contain any Personal Information are encrypted. This enables client and server applications to communicate in a way that is designed to prevent:

• Eavesdropping
• Tampering
• Message forgery

4. Login ID and Password Confidentiality

Users are responsible for maintaining the security of their Login ID and Password, and may not provide these credentials to any third party.

If Credentials are Compromised:

If users believe credentials have been stolen or been made known to others, users must contact the company immediately at:

• [email protected]
• [email protected]

The company is not responsible if someone else accesses user accounts through Registration Information they have obtained from users or through a violation by users of this Privacy Policy or the Terms of this policy.

5. Others

Account Management:

Users can review and edit Personal Information at any time by:

• Logging in to account on the Website
• Contacting the PaywithRing/Kissht support team on:
  • [email protected]
  • [email protected]

Account Closure:

If users choose to close accounts, personally identifiable information will not be used by the company for any further purposes, nor sold or shared with third parties, except as necessary to:

• Prevent fraud and assist law enforcement
• As required by law or under this Privacy Policy

Non-Confidential Information:

All other information shall be treated as non-confidential and non-proprietary and PaywithRing/Kissht shall be under no obligation of any kind concerning such information and shall be free to:

• Reproduce, use, disclose, and distribute the information to others without limitation
• Use any ideas, concepts, know-how, or techniques contained in such information for any purpose whatsoever, including, but not limited to, developing or marketing services incorporating such information

Information Sharing with Third Parties:

The company may share collected information with only registered third parties including regulated financial partners for provision of Services on the Website/App wherever feasible.

Third-Party Sharing Scenarios:

1. Financial Service Providers:

   • The company may disclose and share information with the financial service providers, banks or NBFCs and third-party partners for facilitation of a loan or facility

2. Data Analysis:

   • The company may share information with third-party partners in order to conduct data analysis in order to serve users better and provide Services on the Platform

3. Legal Obligations:

   • The company may disclose information, without prior notice, if under a duty to do so in order to comply with any legal obligation or an order from the government and/or a statutory authority, or in order to enforce or apply terms of use, or assign such information in the course of corporate divestitures, mergers, or to protect the rights, property, or safety of the company, users, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction

4. Technology Partners:

   • The company will disclose the data/information provided by a User with other technology partners to track how the User interacts with the Platform on behalf of the company

5. Business Transactions:

   • The company and its affiliates may share information with another business entity should the company (or its assets) merge with, or be acquired by that business entity, or undergo re-organization, amalgamation, or restructuring of business for continuity of business. Should such a transaction occur, any business entity (or the new combined entity) receiving any such information from the company shall be bound by this Policy with respect to user information

6. Credit Checks:

   • The company will disclose the information to third-party technology and credit partners to perform credit checks and credit analysis, such as Credit Bureaus or third-party data source providers

7. Confidentiality Agreements:

   • The company will share information under a confidentiality agreement with the third parties and restrict use of the said Information by third parties only for the purposes as per the said privacy policy. The company warrants that there will be no unauthorized disclosure of information shared with third parties

8. User Consent for Disclosure:

   • By using the Platform, users hereby grant consent to the Company to share/disclose Personal Information:
     • (i) to the concerned third parties in connection with the Services
     • (ii) with the governmental authorities, quasi-governmental authorities, judicial authorities, and quasi-judicial authorities, in accordance with applicable laws of India

9. Regulatory Disclosure:

   • The company shall disclose KYC journey or any data with respect to the same to the relevant regulatory authorities as a part of statutory audit process. Please note that Aadhaar number shall never be disclosed.

Data Usage Limitation:

The data stored on the company's server shall be utilized only for the purpose and to the extent stated in the policy. In case the company uses or discloses information for any purpose not specified above, the company will take explicit consent.

4.10 Security Precautions

The Platform intends to protect user information and to maintain its accuracy as confirmed by users. The company implements reasonable physical, administrative and technical safeguards to help protect information from unauthorized access, use and disclosure.

Example Security Measures:

• The company encrypts all information when transmitting over the internet
• The company requires that registered third party service providers protect such information from unauthorized access, use and disclosure

Stringent Security Measures:

The Platform has stringent security measures in place to protect the loss, misuse and alteration of information under control. The company endeavours to safeguard and ensure the security of the information provided by users.

Encryption Standards:

The company uses Secure Sockets Layers (SSL) based encryption, for the transmission of the information, which is currently the required level of encryption in India as per applicable law.

Multi-Layer Security:

The company blends security at multiple steps within products with the state of the art technology to ensure systems maintain strong security measures and the overall data and privacy security design allows the company to defend systems ranging from low hanging issues up to sophisticated attacks.

Protection Measures:

The company aims to protect from unauthorized access, alteration, disclosure or destruction of information held, including:

1. Encryption:

   • The company uses encryption to keep data private while in transit

2. Security Features:

   • The company offers security features like an OTP verification to help users protect accounts

3. Physical Security:

   • The company reviews information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to systems

4. Access Restrictions:

   • The company restricts access to Personal Information to employees, contractors, and agents who need that information in order to process it. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations

5. Compliance & Cooperation:

   • Compliance & Cooperation with Regulations and applicable laws

6. Policy Review:

   • The company regularly reviews this Privacy Policy and makes sure that it processes information in ways that comply with it

7. Data Transfers:

   • The company ensures data transfers comply with applicable laws

8. Aadhaar Protection:

   • The company ensures that Aadhaar number is not disclosed in any manner

Data Location and Protection:

The company or its affiliates maintain user information on servers located in India. Data protection laws vary among countries, with some providing more protection than others.

The company also complies with certain legal frameworks relating to the transfer of data as mentioned and required under:

• Information Technology Act, 2000
• Digital Lending Guidelines, 2022 (as regulated by RBI)
• Rules made thereunder

Complaint Resolution:

When the company receives formal written complaints, the company responds by contacting the person who made the complaint. The company works with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of data that the company cannot resolve with users directly.

4.11 Your Rights Regarding the Data

Right to Access

Users may request to access data provided by them (or) processed by the company. This enables users to receive a copy of the personal data the company holds about them and to check that the company is lawfully processing it.

Right to Rectification

In the event that any personal data provided by users is inaccurate, incomplete or outdated then users shall have the right to provide the company with the accurate, complete and up to date data and have the company rectify such data at its end immediately.

The company urges users to ensure that they always provide accurate and correct information/data to ensure use of Services is uninterrupted.

Right to Withdraw Consent

To prevent further sharing of data, users can also uninstall the App. User devices may have controls that determine what information the company collects. For example, users can modify permissions on Android devices for access to Camera or Audio permissions.

Marketing Opt-Out

The company may email or send push notifications to users from time to time about latest offerings and updates.

Opting Out:

Users may opt out of receiving such promotional emails from the company by:

• Writing to the company
• Following the unsubscribe instructions in those messages

Non-Promotional Communications:

However, even if users have opted out of receiving information from the company, the company will still send non-promotional communications, such as:

• Repayment reminders
• Loan approvals messages
• Etc.

Push Notifications:

Users can opt out of receiving push notifications through device settings. Please note that opting out of receiving push notifications may impact use of the App.

Others

Users are provided with an option to:

• Give or deny consent for use of specific data
• Restrict disclosure to third parties
• Control data retention
• Revoke consent already granted to collect personal data
• If required, make the App delete/forget the data (as defined under the RBI circular dated September 02, 2022 on "Guidelines on Digital Lending")

Impact of Consent Withdrawal:

In case of withdrawal or modification of consent or amendment of any choices in this regard, the company reserves the option not to provide the services or modify the services provided to users for which such information was sought.

Children and Minors:

The platform is not intended for use by children and minors. Parents are requested to ensure that personal information is not provided by minors.

5. Contact Information

In accordance with the relevant provisions of the Information Technology Act, 2000 and Rules and RBI Guidelines on Digital Lending dated Sep 02, 2022, made thereunder, the name and contact details of the Grievance Officer who can be contacted with respect to any complaints or concerns including those pertaining to breach of Si Creva's Privacy Policy, Terms & Conditions/Terms of Use and other policies or questions are published as under:

Grievance Redressal Officer Contact Details

Detail	Information
Name	Reefat Shaikh
Address	10th Floor, Tower 4, Equinox Park, LBS Marg, Kurla West, Mumbai, Maharashtra 400070
Contact Number	08044745952
Email	[email protected]
Availability	10:30 a.m. to 6:00 p.m., Monday to Friday (except public holidays)

Privacy-Related Concerns

For any privacy related concerns, kindly write to:

• [email protected]
• [email protected]

Withdrawal of Consent / Deletion of Data or Account

For withdrawal of consent, deletion of data or account, kindly write to:

• [email protected]
• [email protected]

6. Changes to Privacy Statement and Your Duty to Inform Us of Changes

Policy Updates

This Privacy Statement may change or be amended over time. The recent version of this Privacy Statement is published on the Platform, as the case may be.

Staying Informed:

Please revisit this page periodically to stay aware of any changes to this Privacy Statement.

Notification of Material Changes

The company will notify users of any material changes to this Privacy Statement by publishing the same on the Platform, as applicable.

Continued Use Constitutes Acceptance

Users' continued use of Services confirms acceptance of this Privacy Statement, as amended. If users do not agree to the terms and conditions as contained in the Privacy Statement, as amended, users must stop using Services and notify the company.

Keeping Information Up to Date

It is very important that any Personal Information the company holds/passes on to lending partners about users is up to date and correct. Please inform the company of any changes to Personal Information.

7. Review of Policy

The policy will be reviewed at yearly intervals or as and when considered necessary by the Senior Management / Board of the Company.

8. Omnibus Clause

All extant & future master circular/directions/guidance/guidance notes issued by Regulatory Authorities and other applicable regulations from time to time would be the directing force for the Privacy Policy and will supersede the contents of this policy.

---

Summary of Key Points

Data Collection

The company collects minimal personal information necessary for:

• Loan application processing
• KYC verification
• Credit assessment
• Service delivery

User Rights

Users have the right to:

• Access their data
• Rectify inaccurate information
• Withdraw consent
• Request data deletion
• Opt-out of marketing communications

Data Security

The company implements:

• Industry-standard encryption
• Secure servers located in India
• Multi-layer security measures
• Regular security audits
• Incident response protocols

Third-Party Sharing

Explicit consent is required before sharing personal information with third parties, except where required by statutory or regulatory requirements.

Contact for Privacy Concerns

Email:

• [email protected]
• [email protected]

Grievance Officer:

• Reefat Shaikh
• [email protected]
• 08044745952