Privacy Policy

RUPITAP – PRIVACY POLICY

This Privacy Policy of Surfin Creatives Private Limited, a company incorporated under the provisions of the Companies Act, 2013, having its registered office at StartupHuts 2nd Floor, Unit-2, #109, 27th Main Road, Sector-2, HSR Layout, Bangalore, Karnataka, India, 560102 (hereinafter referred to as “Surfin Creatives”, “Company”, “we”, “our” or “us”), is an electronic record in the form of an electronic contract formed under the Information Technology Act, 2000 and the rules made thereunder, including the amended provisions pertaining to electronic documents and records in various statutes, as amended from time to time.

The terms “you”, “user”, “customer”, or “borrower” refer to any individual who accesses or avails the services offered by the Company through its mobile application “Rupitap” or through any other digital or physical mode, as applicable. Rupitap is operated as a Lending Service Provider (LSP) and facilitates lending-related services in partnership with Regulated Entities (RE) such as banks and/or Non-Banking Financial Companies (NBFCs), in accordance with applicable laws and regulatory guidelines.

This Privacy Policy does not require any physical, electronic, or digital signature and shall be deemed to be accepted by the user upon access to or use of the Rupitap application or related services.

This Privacy Policy constitutes a legally binding agreement between you and Surfin Creatives Private Limited (“Surfin Creatives”, “Company”, “we”, “our” or “us”). The terms of this Privacy Policy shall become effective upon your acceptance of the same, which shall be deemed to have occurred when you access, register on, or avail any services through the Company’s platform.

This Privacy Policy sets out the terms governing the collection, use, storage, processing, disclosure, and protection of personal information of users (hereinafter referred to as the “Users”) who access or use the Company’s lending service platform through its mobile/smartphone application named “Rupitap”, or through any other mode as may be made available by the Company from time to time.

We recognize that Users entrust us with certain personal and sensitive information for the purpose of facilitating lending-related services as a Lending Service Provider (LSP). In consideration of such trust, the Company is committed to handling all such information in a confidential, secure, and lawful manner, with due care and in strict accordance with the terms of this Privacy Policy and applicable laws and regulatory guidelines.

This Privacy Policy describes the policies and procedures adopted by Surfin Creatives Private Limited (“Surfin Creatives”, “Company”, “we”, “our” or “us”) with respect to the collection, usage, storage, processing, disclosure, transfer, and deletion of personal information and other data obtained from you when you register for, access, or use the Rupitap mobile application and related services by creating a user account (“Account”), interact with other users, or access third-party websites, platforms, or services integrated with the Rupitap application.

This Privacy Policy is published in compliance with the provisions of the Digital Persona Data Protection Act, 2023, and its rules thereof, Information Technology Act, 2000, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and such other applicable laws, rules, regulations, and guidelines that require the publication of a privacy policy for the purpose of governing the collection, use, storage, disclosure, transfer, and other processing of personal and sensitive personal data or information.

Please read this Privacy Policy carefully. By accessing or using the Rupitap website and/or mobile application, you acknowledge that you have read, understood, and agreed to be bound by the terms of this Privacy Policy and you consent to the collection, use, processing, storage, disclosure, and transfer of your information in accordance with the terms hereof. If you do not agree with the terms of this Privacy Policy, please refrain from accessing or using the Rupitap website or mobile application.

You hereby provide your free, informed, specific, and unconditional consent as required under Section 43A and Section 72A of the Information Technology Act, 2000, and applicable rules framed thereunder.

Surfin Creatives Private Limited complies with all applicable laws, rules, regulations, and regulatory guidelines relating to the protection of personal information, including those applicable to lending service providers and digital lending platforms in India.

We acknowledge the importance of “Personal Information” and “Sensitive Personal Data or Information” provided by individuals pursuant to a lawful relationship or contractual arrangement. The Company undertakes to implement reasonable security practices and procedures to safeguard such information and to maintain its confidentiality. Such information may be shared with the Company’s affiliates, partner regulated entities, service providers, and other third parties strictly on a need-to-know basis, under appropriate contractual and technical safeguards, and in accordance with applicable laws, regulatory requirements, and this Privacy Policy.

We respect your privacy and are committed to protecting it through strict adherence to the principles and obligations set out in this Privacy Policy.

This Privacy Policy describes:

• the categories of information that the Company may collect from you when you access or use the Company’s website(s) or the Rupitap mobile application (collectively, the “Platform”); and
• the Company’s practices and procedures relating to the collection, receipt, storage, processing, usage, maintenance, protection, disclosure, sharing, transfer, retention, and deletion of such information.

Your Acknowledgement and Consent

By accessing or using the Company’s website(s) or the Rupitap mobile application (collectively, the “Platform”), you agree to be bound by the terms and conditions of this Privacy Policy. If you do not agree with the terms of this Privacy Policy, you must not access or use the Platform. By mere access to or use of the Platform, you expressly and unconditionally acknowledge, agree, and consent to the collection, receipt, storage, processing, usage, sharing, transfer, and handling of your personal information and sensitive personal data in accordance with the terms set out herein.

This Privacy Policy applies solely to the information collected by the Company through the Platform, including through emails, text messages, and other electronic communications exchanged through or in connection with the Platform (collectively referred to as “User Information”). When you submit any User Information on the Platform, it shall be deemed that you have voluntarily and consensually provided such information and granted the Company the right to collect, store, process, use, disclose, transfer, and otherwise handle such User Information in accordance with this Privacy Policy, as amended from time to time, and applicable laws.

By downloading, accessing, or using the Rupitap application, including for the purpose of availing lending-related services, you expressly consent to the collection, use, storage, disclosure, and transfer of your User Information as described in this Privacy Policy and as required for facilitating such services in compliance with applicable laws and regulatory guidelines. You are advised to read this Privacy Policy carefully to understand the Company’s policies and practices regarding your information and how such information is treated.

The Personal Information Policy of the services of Surfin Creatives Private Limited is as follows:

A. Definitions

For the purposes of this Privacy Policy, unless the context otherwise requires:

“Account” means the unique user account created by a User on the Platform to access the Services.

“Application” means the mobile or digital application operated by the Company, namely “Rupitap”, through which lending-related services are facilitated.

“Company”, “Surfin Creatives”, “we”, “us”, or “our” means Surfin Creatives Private Limited, a company incorporated under the Companies Act, 2013, acting in the capacity of a Lending Service Provider (LSP).

“Country” means the Republic of India.

“Device” means any electronic device, including a mobile phone, smartphone, tablet, computer, or similar device, through which the Platform or Services are accessed.

“Digital Lending” shall have the meaning ascribed to it under the Reserve Bank of India Digital Lending Guidelines and refers to lending activities carried out through digital platforms involving a Regulated Entity and one or more Lending Service Providers.

“Lending Service Provider” or “LSP” means an agent of a Regulated Entity who carries out one or more of the lender’s functions, including customer acquisition, underwriting support, pricing support, servicing, monitoring, recovery support, or other lending-related services, but does not undertake lending on its own balance sheet, as per RBI Digital Lending Guidelines.

“Regulated Entity” or “RE” means a bank or a Non-Banking Financial Company (NBFC) regulated by the Reserve Bank of India, which undertakes lending and, on whose behalf, digital lending services are facilitated through the Platform.

“Lending Partner” means the Regulated Entity with whom the Company has entered a contractual arrangement for facilitating digital lending services through the Platform.

“Loan” means the credit facility or lending product sanctioned by a Regulated Entity to a borrower, pursuant to a Loan Application made through the Platform, on terms and conditions determined solely by the Regulated Entity.

“Loan Application” means the digital application submitted by a User through the Platform for the purpose of availing a Loan from a Regulated Entity.

“Personal Data” means any data about an individual who is identifiable by or in relation to such data, whether directly or indirectly, as defined under the Digital Personal Data Protection Act, 2023.

“Service” means the technology-enabled services provided by the Company as an LSP, including facilitation of digital lending, customer onboarding, data processing, communication, and support services, in accordance with RBI Digital Lending Guidelines.

“Service Provider” means any third party engaged by the Company to process Personal Data on its behalf or to support the provision of Services, subject to contractual, technical, and regulatory safeguards as mandated by RBI.

“Usage Data” means data collected automatically in the course of accessing or using the Platform, including technical information such as device details, IP address, timestamps, pages visited, and duration of usage.

“User”, “You”, or “Borrower” means any individual who accesses or uses the Platform or applies for a Loan through the Platform, or any legal entity acting through an authorized individual, as applicable.

B. Type of Personal Information collected and Purpose and Use of collection

Types of Data Collected Personal Data

While accessing or using the Services through the Platform, the Company may collect or request certain personally identifiable information from you, subject to your free, informed, specific, and explicit consent, which may be used to identify or contact you and to facilitate the provision of Services.

Such Personal Data shall be collected and used solely for purposes related to providing the Services, including facilitation of lending services, compliance with legal and regulatory obligations, fraud prevention, and improvement of user experience. Any change in the purpose of collection or use of Personal Data shall be undertaken only with prior notice and consent, where required under applicable laws.

In accordance with the Reserve Bank of India (Non-Banking Financial Companies – Credit Facilities) Directions, 2025, the Company shall ensure that any collection and storage of borrower’s Personal Data by it, is need-based, with explicit borrower’s consent, and that the Company does not store Personal Data of the borrower except minimal data which may include name, address and contact details necessary to carry out their operations or services within the scope of the agreement.

Personally identifiable information collected for the purposes of this Privacy Policy may include, but is not limited to, the following:

a) Identity and profile-related data

This includes your first and last name, mobile phone number, Pan No., email ID & date of birth, country of origin, username or similar identifiers, password, gender, title, and any information voluntarily provided by you such as feedback or profile-related details.

b) User Correspondence details

This includes your email address, registered mobile number, residential or correspondence address, and records of communications exchanged with the Company through the Platform or other channels.

c) Location Data

This includes information relating to the approximate or coarse location of your Device, such as city or pin-code level location, collected solely for limited purposes including serviceability assessment, fraud prevention, regulatory compliance, and customer onboarding in connection with a Loan Application, only if required by the lending partner

The Company does not collect precise or continuous real-time location data, except where expressly permitted under applicable law and with your explicit consent.

d) KYC Data

This includes identification information and documents issued by government or statutory authorities for the purpose of customer identification and verification, as prescribed under applicable RBI KYC and digital lending requirements. This including Officially Valid Documents (OVDs), such as Driving Licence, Voter Identity Card, NREGA Job Card, Passport, Aadhaar Card, and Permanent Account Number (PAN).

For digital onboarding and KYC verification, the Rupitap application may seek one-time access to the Device camera, strictly limited to capturing documents or images required for such KYC processes.

e) Transaction Data

This includes details of transactions undertaken through or in connection with the Platform and Services, including information relating to services requested.

f) Financial Data

This includes financial information required for assessing eligibility and facilitating lending services, such as credit history, income details and loan details collected only in connection with a Loan Application and strictly in accordance with applicable laws, regulatory requirements, and the instructions of the relevant Regulated Entity.

g) Marketing and Communication Data

This includes your preferences regarding receipt of notifications, service communications, and marketing messages from the Company and/or its partners, and your communication preferences across various channels, subject to applicable consent requirements.

h) Usage and Device Data

This includes information relating to how you access and use the Platform and Services, such as IP address, browser type and version, pages visited, date and time of access, duration of visits, unique device identifiers, operating system details, and application version information.

When you access the Platform through a mobile device, certain information may be collected automatically, including mobile device type, device identifiers, operating system, crash logs, diagnostic data, and app performance statistics (such as application launch time), solely for purposes of security, fraud prevention, system integrity, regulatory compliance, and improvement of user experience.

We do not currently collect information regarding other applications installed on the user’s device.

i) Media & Document Data

The Rupitap application does not access your Device storage or media files. However, the Company may request a one-time access from you to select and upload specific images or documents that are necessary for grievance redressal, or any other purpose as mentioned at the time of taking consent.

Information from Third Parties

The Company may receive Personal Data about you from third-party sources, such as business partners, regulated entities, or service providers, strictly in connection with the Services and in accordance with applicable laws. Such information shall be processed in accordance with this Privacy Policy, however any request for withdrawal of consent or any grievance shall be made to the third party where you have provided your consent.

Data Sharing for Lending Services

As a Lending Service Provider (LSP), the Company may share relevant Personal Data with its partner Regulated Entities (banks and/or NBFCs) and their authorized service providers solely for the purpose of processing Loan Applications, complying with regulatory requirements, and providing Services, in accordance with this Privacy Policy and the respective privacy policies of such Regulated Entities.

C. Term of Retention and Use of Personal Information

Retention of Your Personal Data and Identification Records

The Company shall retain your Personal Data only for such period as is reasonably necessary to fulfil the purposes for which it is collected, including for the provision of Services, compliance with applicable laws and regulatory requirements, resolution of disputes, and enforcement of contractual and legal rights.

Personal Data may be retained for longer periods were required to comply with statutory, regulatory, accounting, or reporting obligations, including requirements prescribed by the Reserve Bank of India (RBI), or where such retention is necessary for the establishment, exercise, or defence of legal claims.

The Company shall retain records relating to the identification of borrowers and their addresses, obtained at the time of onboarding and during the course of the business relationship, for a minimum period of five (5) years after the termination of the business relationship, or such longer period as may be required under applicable laws or regulatory directions, in accordance with the Reserve Bank of India (Non-Banking Financial Companies – Know Your Customer) Directions, 2025 (Record Management requirements).

Usage Data is retained for internal analysis and system improvement purposes and is generally retained for a shorter duration, except where such data is required to enhance security, prevent fraud, improve functionality of the Services, or where retention is mandated by applicable law.

You may submit a request to the Company for deletion or removal of your Personal Data by writing to the designated contact details provided in this Privacy Policy. The Company shall take reasonable steps to comply with such requests, subject to legal, regulatory, or contractual obligations that require continued retention of certain information.

Use of Your Personal Data

The Company may use your Personal Data for the following purposes:

(a) To manage your Account

To create, administer, and manage your registration as a user of the Platform, and to enable you to access and use various functionalities and features of the Services available to registered users.

(b) For enabling services in relation to loan facilitation

To enable, operate, and administer technology and support services for Regulated Entities (REs) in connection with loan facilitation, including processing of Loan Applications, customer onboarding, servicing, and support, strictly in its capacity as a Loan Service Provider (LSP) and in accordance with applicable laws and regulatory guidelines. Rupitap does not enter into any loan or credit contract with the Borrower.

(c) To communicate with you

To contact you through email, telephone calls, SMS, in-app notifications, or other electronic communication modes, including push notifications, for purposes such as service-related communications, regulatory disclosures, transactional updates, security alerts, and other information necessary for the effective provision of the Services.

(d) For marketing and informational communications

To provide you, subject to your consent where required, with information about products, services, offers, updates, and general information relating to the Services or similar offerings that you may have previously availed of or enquired about. You may opt out of such communications at any time, in accordance with applicable laws.

(e) To manage user requests and support

To receive, process, respond to, and manage your queries, complaints, feedback, and support requests, including grievance redressal, in accordance with applicable laws and regulatory requirements.

(f) For business transfers

The Company may use and disclose your Personal Data in connection with evaluating or effecting a merger, amalgamation, divestiture, restructuring, reorganization, dissolution, or sale or transfer of its business or assets. In such circumstances, your Personal Data may be shared with:

• the proposed or actual transferee entity or successor entity,
• Regulated Entities (REs) with whom the Company operates as a Loan Service Provider (LSP),
• legal, financial, and compliance advisors engaged for such transaction,
• auditors and due diligence agencies,
• statutory and regulatory authorities, where required,

strictly on a need-to-know basis and subject to appropriate confidentiality, security safeguards, and compliance with applicable laws. Such sharing shall not create any contractual relationship between the Borrower and the Company in relation to any loan or credit facility.

(g) To improve the Platform and Services

To analyse user behaviour, feedback, and usage patterns in order to operate, maintain, improve, and enhance the functionality, performance, security, and user experience of the Platform and Services.

(h) For service-related communications and compliance

To use your email address, contact details, and contact information linked to KYC records to communicate with you for legitimate service-related purposes, including responding to queries, addressing requests or complaints, sending service communications, and facilitating repayment reminders or notifications strictly on behalf of the Regulated Entity (RE) for whom the Company acts as a Loan Service Provider (LSP), in accordance with applicable laws and regulatory guidelines.

(i) For analytics, fraud prevention, and risk management

To conduct data analytics, identify usage trends, detect and prevent fraud, manage risk, ensure platform security, assess effectiveness of communications, and evaluate and improve the Company’s Services, subject to applicable laws and regulatory guidelines.

(j) With your consent

To use your Personal Data for any other purpose only with your prior, explicit consent, where such consent is required under applicable laws. You may withdraw such consent at any time, subject to legal or regulatory limitations.

D. Storage, Transfer and Disclosure of Personal Data

1. Storage and Processing of Personal Data

Your Personal Data is processed at the Company’s operational offices and by authorised employees, service providers, and technology partners strictly on a need-to-know basis. The Company processes such data solely in its capacity as a Loan Service Provider (LSP) for Regulated Entities (REs). The Company ensures that all Personal Data collected through the Rupitap application is stored and processed on servers located within India, in compliance with the Reserve Bank of India’s data localisation requirements and other applicable regulatory and legal obligations.

2. Data Security and Safeguards

The Company implements reasonable security practices and procedures, including administrative, technical, and physical safeguards, to protect your Personal Data against unauthorised access, alteration, disclosure, loss, or destruction.

No transfer of Personal Data shall take place unless the Company is satisfied that adequate data protection, confidentiality, and cybersecurity controls are in place, in line with RBI-prescribed technology and cybersecurity standards and industry best practices.

3. Sharing of Personal Data

The Company shall disclose or share your Personal Data only in the manner and for the purposes expressly stated in this Privacy Policy, and only on a need-to-know basis.

Your consent to this Privacy Policy, followed by submission of information, constitutes your consent to such processing and sharing, subject to your rights to restrict or withdraw consent, as permitted under applicable law.

4. Disclosure to Service Providers

The Company may share Personal Data with third-party service providers engaged for purposes such as technology support, data analytics, communication services, customer support, fraud monitoring, compliance, or operational assistance.

Such service providers shall process Personal Data solely on behalf of the Company, in accordance with documented instructions, applicable law, and contractual obligations that ensure data protection standards no less stringent than those followed by the Company.

5. Disclosure to Lending Partners and Regulated Entities

In the event you apply for a loan through the Rupitap Platform, relevant Personal Data shall be shared with:

• Banks, Non-Banking Financial Companies (NBFCs), or other Reserve Bank of India regulated entities (“Lending Partners”); and
• Their authorised lending service providers, credit bureaus, and verification agencies,

strictly for the purposes of credit appraisal, underwriting, loan processing, disbursement, servicing, recovery, regulatory reporting, and fraud prevention.

Such data sharing shall be governed by:

• This Privacy Policy;
• The privacy policies of the respective Lending Partners; and
• Applicable RBI regulations and contractual arrangements.

You retain the right to withdraw or restrict consent for further data sharing; however, such withdrawal may impact the processing or continuation of your loan application or services.

6. Disclosure to Business Partners and Affiliates

The Company may share Personal Data with its affiliates, group companies, and trusted business partners, who are bound by confidentiality and data protection obligations, solely for lawful purposes including platform operations, customer support, technology services, analytics, or regulatory compliance.

Marketing communications, if any, shall be carried out only in accordance with your consent preferences and applicable law.

7. Payment Processing

For enabling payments through the Platform, the Company may engage authorised payment gateways, banks, card networks, and other payment service providers.

Limited Personal Data may be shared strictly to facilitate payment processing and transaction authorisation. Storage and processing of payment information is governed by the respective payment service providers’ policies and applicable regulatory standards, including PCI-DSS requirements.

8. Disclosure to Government and Regulatory Authorities

The Company may disclose Personal Data to government authorities, regulators, courts, or law enforcement agencies where such disclosure is required under applicable law, regulatory directions, judicial orders, or for investigation and prevention of fraud or unlawful activities.

Such disclosures shall be lawful, proportionate, and limited to the extent necessary.

9. Business Transfers

In the event of a merger, acquisition, restructuring, financing, or transfer of business assets, Personal Data may be transferred to the relevant successor entity, subject to continued compliance with applicable data protection laws and this Privacy Policy.

10. Public Information

Any information that is lawfully available in the public domain or disclosed under the Right to Information Act, 2005, or any other applicable law, shall not be treated as sensitive personal data for the purposes of this Privacy Policy.

11. Withdrawal of Consent

You may withdraw your consent for processing of Personal Data at any time by contacting the Company as specified in the “Contact Us” section. Upon withdrawal, the Company may be unable to provide certain services and shall retain such data as is required to comply with legal, regulatory, or contractual obligations.

E. Security of Personal Data

The security of your Personal Data is of paramount importance to the Company. The Company implements reasonable security practices and procedures in accordance with applicable laws, RBI guidelines, and industry standards. In accordance with the RBI (Non-Banking Financial Companies – Credit Facilities) Directions, 2025, the Company, acting as a Lending Service Provider (LSP), does not store borrower Personal Data except minimal data such as name, address, contact details etc., as may be required strictly for operational purposes within the scope of its agreement with the Regulated Entity (RE).

All sensitive borrower data including KYC records, Aadhaar information, financial information, bank details, credit history, loan data, and underwriting data is stored, processed, and controlled only by the respective Regulated Entity (bank/NBFC) on its secure systems.

To safeguard your Personal Data, the Company has implemented reasonable security practices and procedures, including:

1. Technical Safeguards

The Company has deployed appropriate technical and organisational security measures, which include, but are not limited to:

• Network security controls such as firewalls, Web Application Firewalls (WAF), intrusion detection and prevention systems;
• Encryption of data at rest and in transit, where applicable;
• Secure authentication mechanisms, access controls, and password protection;
• Security Operations Centre (SOC) monitoring and log reviews;
• Anti-virus, anti-malware, and endpoint protection solutions.

2. Administrative and Management Controls

The Company maintains internal policies and governance frameworks to ensure data security, including:

• Role-based access controls and least-privilege access;
• Periodic access reviews and audit trails;
• Confidentiality and non-disclosure obligations for employees and service providers;
• Regular internal reviews of data collection, storage, processing, and security practices.

3. Aadhaar, KYC, and Financial Data Handling

The Company does not store:

• Aadhaar numbers or Aadhaar images;
• KYC documents or OVD copies;
• Bank statements, bank account details, or financial documents;
• Credit bureau information;
• Loan application or underwriting records.

Such data, where collected through the Platform, is transmitted securely and stored only with the Regulated Entity in accordance with RBI regulations.

Where Aadhaar is used for verification, only masked or reference information as permitted by law is handled transiently and not stored by the Company.

4. Payment Data Protection

The Company does not store card details, including card number, CVV, or card validity, on its servers. Only the last four digits of the card number may be stored, strictly in accordance with RBI’s card tokenisation and payment security guidelines. However, in future the Company may collect such data and an explicit consent from the customer will be taken in this regard.

In compliance with UIDAI guidelines, the Company does not store Aadhaar numbers. Where Aadhaar is used for identity verification, only the Aadhaar reference number or masked information, as permitted by law, may be retained. However, in future the Company may collect such data and an explicit consent from the customer will be taken in this regard.

F. Children’s Privacy

The Services offered through the Platform are not intended for use by individuals under the age of eighteen (18) years.

The Company does not knowingly collect or process Personal Data of any person under the age of 18. If you are a parent or legal guardian and believe that a minor has provided Personal Data to the Company, you may contact us using the details provided in the “Contact Us” section.

Upon becoming aware that Personal Data of a minor has been collected without appropriate consent or legal authority, the Company shall take reasonable steps to delete such information, unless retention is required under applicable law.

Where consent is relied upon as a lawful basis for processing Personal Data and applicable law requires parental or guardian consent, the Company shall seek and verify such consent prior to processing the data.

G. Method of Disposal of Personal Information

Retention and Disposal

The Company shall retain Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, or as required to comply with applicable laws, regulatory requirements, contractual obligations, or legitimate business purposes.

Upon completion of the purpose of processing, or upon expiry of the applicable retention period, Personal Data shall be securely deleted, anonymised, or otherwise disposed of, unless continued retention is required under applicable law, including but not limited to RBI guidelines, KYC Directions, tax laws, or legal proceedings.

Personal Data shall not be used for any purpose other than those stated in this Privacy Policy, except as permitted or required by law.

User Rights: Access, Correction, Deletion and Withdrawal of Consent

You have the right, subject to applicable laws, to:

• request access to your Personal Data;
• request correction or updating of inaccurate or incomplete Personal Data;
• request deletion of your Personal Data;
• withdraw consent previously provided for processing of Personal Data;
• revoke permissions granted to the Application through your device settings.

You may exercise these rights by logging into your Account (where available) and using the relevant account settings, or by contacting the Company through the details provided in the “Contact Us” section.

Please note that:

• Information verified through government or statutory authorities during KYC processes cannot be altered without initiating a fresh or updated KYC process, as required under applicable regulations.

Methods of Disposal

The Company follows secure disposal practices appropriate to the nature of the Personal Data:

Physical records containing Personal Data are disposed of through secure methods such as shredding or incineration.

Electronic or digital records are securely deleted, anonymised, or rendered irrecoverable using appropriate technological measures designed to prevent reconstruction or retrieval.

H. Administrator Responsible for Management of Personal Information

The Company has designated a responsible official to oversee compliance with this Privacy Policy and the management of Users’ Personal Data, in accordance with applicable laws.

You may contact the designated administrator for any queries, grievances, or requests relating to your Personal Data at the following coordinates:

Address: StartupHuts 2nd Floor, Unit – 2, #109, 27th Main Road, Sector-2, HSR Layout, Bangalore, Bangalore South, Karnataka, India – 560102

Email: grievance@rupitap.in

I. Cookies and Tracking Technologies

The Platform may use cookies or similar tracking technologies to enhance user experience, improve functionality, analyse usage patterns, and ensure platform security. Cookies are used strictly for operational, security, and analytical purposes and do not store sensitive borrower information such as KYC, financial, or loan data.

Information collected through cookies may be aggregated and anonymised and may be shared with third-party analytics or service providers, in accordance with applicable laws.

You may control or disable cookies through your browser or device settings. However, disabling cookies may affect certain features or functionality of the Platform.

J. Consent

By accessing or using the Platform and submitting your Personal Data, you provide your free, informed, specific, and unambiguous consent to the collection, processing, storage, use, and disclosure of such data in accordance with this Privacy Policy and applicable laws.

Where Personal Data or KYC information is collected to facilitate lending services, you expressly consent that certain operational data may be retained by the Company (LSP), while all sensitive borrower information, including KYC documents, financial, and loan details, shall be stored and controlled only by the Regulated Entity (RE).

You retain the right to withdraw or modify your consent at any time, subject to applicable legal and regulatory requirements. Withdrawal of consent may result in the Company being unable to continue providing certain Services.

K. Third-Party Websites and Services

The Platform may contain links to third-party websites, applications, or services, including payment gateways and external service providers. Such third-party platforms are governed by their own privacy policies and terms.

The Company does not control and is not responsible for the privacy practices, content, or security of third-party websites or services. Users are advised to review the privacy policies of such third parties before providing any information.

Any Personal Data shared directly with authorized third-party service providers, Lending Partners, or Regulated Entities, the Company ensures that such parties are contractually bound to comply with applicable laws, including RBI Digital Lending Directions 2025 and DPDP Act 2023, for confidentiality, data protection, and cybersecurity obligations.

L. Governing Law and Dispute Resolution

This Privacy Policy shall be governed by and construed in accordance with the laws of India.

Any dispute arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts at Bangalore, Karnataka, subject to the arbitration clause below.

Where applicable, disputes shall be referred to arbitration in accordance with the Arbitration and Conciliation Act, 1996, as amended. The arbitration shall be conducted by a sole arbitrator, mutually appointed, the seat of arbitration shall be Bangalore, Karnataka, India, and the language of arbitration shall be English.

Nothing in this clause shall restrict a user’s right to approach statutory or regulatory authorities, including grievance redressal forums prescribed under applicable laws.

M. Rights of Users

Subject to applicable laws, Users have the right to:

• confirm whether their Personal Data is being processed;
• access and review their Personal Data;
• request correction or updating of inaccurate or incomplete Personal Data;
• request deletion or anonymisation of Personal Data;
• withdraw consent for processing;
• restrict or object to certain processing activities.

Requests may be made by contacting the Company through the details provided in the “Contact Us” section. Certain rights may be limited where processing or retention is required under applicable law or RBI Digital Lending Directions 2025, including retention of sensitive data by the Regulated Entity.

The Platform does not currently respond to “Do Not Track” signals. Users are encouraged to review the privacy practices of third-party services used on the Platform.

N. Amendments to the Privacy Policy

The Company may amend or update this Privacy Policy from time to time to reflect changes in legal, regulatory, operational, or business requirements.

Any material changes shall be notified through the Platform or website by publishing the updated Privacy Policy along with the effective date, however the customer shall be responsible for reading the same and then only proving their acceptance. Continued use of the Platform after such updates constitutes acceptance of the revised Privacy Policy.

O. Disclaimer, Force Majeure and Indemnity

The Services are provided on an “as is” and “as available” basis, subject to applicable laws. Nothing in this Privacy Policy limits or excludes liability where such exclusion is not permitted under law.

The Company shall not be liable for failure or delay in performance caused by events beyond its reasonable control, including natural disasters, acts of government, cyber incidents, power failures, or other force majeure events, provided reasonable safeguards were in place.

Users agree to indemnify the Company against losses arising from unlawful use of the Platform or violation of this Privacy Policy, subject to applicable laws. The Company is not responsible for data stored or processed by the Regulated Entity or third parties.

P. Grievance Redressal

In accordance with the Information Technology Act, 2000, DPDP Act, 2023, RBI Digital Lending Guidelines, and other applicable rules and regulations, the Company has established a grievance redressal mechanism.

Any complaints, concerns, or requests relating to Personal Data or privacy may be addressed to the Grievance Redressal Officer as detailed in the Company’s Customer Grievance Redressal Policy, available on the Platform or website.

Complaints shall be acknowledged and resolved within timelines prescribed under applicable laws and regulatory guidelines. Where necessary, complaints may also be escalated to the relevant Regulated Entity in accordance with RBI Digital Lending Guidelines.