Privacy Policy

FIVOLINK

PRIVACY POLICY

Effective Date: 01 May 2025

Published by Saikhlearn & Scholar Nexus Private Limited

Office No. 123, 10 Biz Park, Viman Nagar, Pune – 411014, Maharashtra, India

1. INTRODUCTION AND SCOPE

Saikhlearn & Scholar Nexus Private Limited ("Company", "we", "us", or "our"), the developer and operator of the FivoLink mobile application ("App") under the FivoPay brand, is committed to protecting the privacy and personal data of every individual who uses the App. This Privacy Policy ("Policy") describes how we collect, use, store, share, and protect your personal data in connection with your use of FivoLink.

This Policy applies to all Users of the App and is intended to comply with the Digital Personal Data Protection Act, 2023 (DPDPA 2023), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and all other applicable Indian data protection laws and regulations.

By downloading, installing, or using the App, you consent to the collection and use of your personal data as described in this Policy. If you do not agree with this Policy, please do not install or use the App.

2. DATA FIDUCIARY IDENTITY

For the purposes of the DPDPA 2023, the Data Fiduciary in respect of personal data collected through the App is:

Entity: Saikhlearn & Scholar Nexus Private Limited

Brand: FivoPay / FivoLink

Registered Address: Office No. 123, 10 Biz Park, Viman Nagar, Pune – 411014, Maharashtra, India

Contact Email: legal@fivopay.in

Where the App is deployed by a cooperative Institution on behalf of its members, the Institution may also act as a Data Fiduciary in respect of its own member data. In such cases, data processing by the Company on the Institution's behalf is conducted in the Company's capacity as a Data Processor pursuant to a data processing agreement.

3. CATEGORIES OF DATA COLLECTED

3.1 Data You Provide Directly

When you register for and use the App, you may provide:

• Full name, date of birth, gender, and nationality.

• Residential address and contact information (mobile number, email address).

• Government-issued identification details (Aadhaar number, PAN, Voter ID, Passport, or Driving Licence number) for KYC verification purposes.

• Financial information such as bank account details submitted for processing within your Institution.

• Photographs and biometric data (such as a selfie or live photograph) required for video KYC or eKYC compliance.

• Communications submitted by you through in-app support, feedback forms, or grievance submission mechanisms.

3.2 Data Collected Automatically

When you use the App, the following data may be collected automatically:

• Device information: device model, operating system version, unique device identifiers (IMEI, ANDROID_ID, or equivalent).

• App usage data: features accessed, session duration, timestamps, and interaction logs for security and analytics.

• Network information: IP address, mobile network operator, and connection type.

• Crash and diagnostic logs for the purpose of identifying and resolving technical issues.

3.3 Location Data

The App may request access to your device location for fraud prevention, branch locator, or regulatory geo-tagging purposes where required by the Institution or applicable law. Location data is collected only with your explicit consent and only to the extent required for the stated purpose. You may withdraw consent by adjusting your device settings, subject to limited functionality.

3.4 Data Collected from Third Parties

The Company may receive personal data about you from:

• The Institution (your cooperative bank, credit society, or NGO) in order to pre-populate your account and verify your membership.

• KYC/AML verification providers, including UIDAI-authorised entities, credit bureaus, or government databases, to verify your identity and ensure regulatory compliance.

• Integrated payment rails or financial infrastructure providers where applicable.

4. PURPOSES OF DATA PROCESSING

We process your personal data for the following specified, lawful purposes only:

• Account creation, authentication, and access control to the App and associated Institution services.

• Know Your Customer (KYC) verification and Anti-Money Laundering (AML) compliance obligations under PMLA 2002, RBI Master Directions, and other applicable regulations.

• Providing member-facing features of the App including transaction viewing, loan applications, deposit requests, and notifications.

• Fraud detection, risk management, and security monitoring to protect Users and the Company.

• Sending transactional notifications, service alerts, and regulatory communications.

• Technical support, bug resolution, and service improvement through aggregate analytics.

• Compliance with legal obligations, court orders, regulatory directives, or law enforcement requests under applicable Indian law.

• Grievance redressal and dispute resolution.

We do not process your personal data for any purpose other than those listed above without your prior explicit consent.

5. LEGAL BASIS FOR PROCESSING

Under the DPDPA 2023, we process your personal data on the following legal bases:

• Consent: Where you have provided free, specific, informed, unconditional, and unambiguous consent, including for KYC and biometric data.

• Legitimate Uses: Where processing is necessary to comply with a legal obligation, a court order, or for the performance of functions under any law in India.

• Contractual Necessity: Where processing is required to provide you access to services pursuant to the Institution's agreement with us and your membership with the Institution.

You have the right to withdraw your consent at any time. Withdrawal of consent may affect your ability to use certain features of the App. To withdraw consent, please contact us at legal@fivopay.in.

6. SENSITIVE PERSONAL DATA

The following categories of data are treated as Sensitive Personal Data or Information (SPDI) under the SPDI Rules, 2011:

• Biometric data including facial photographs collected for eKYC.

• Financial information including bank account numbers and financial history.

• Aadhaar numbers and PAN, handled strictly in accordance with UIDAI regulations and the Income Tax Act, 1961.

Sensitive personal data is processed only with your explicit written consent, stored with enhanced encryption, and is not shared with any third party except as required for KYC compliance or as mandated by applicable law. The Company does not store raw Aadhaar numbers; authentication is performed via the designated UIDAI API and only the verification result is retained.

7. DATA SHARING AND DISCLOSURE

7.1 With Your Institution

Your personal and transactional data is shared with the Institution of which you are a member. This sharing is inherent to the operation of the App and is performed pursuant to the Institution's contractual agreement with the Company. The Institution is independently responsible for its own data protection obligations toward you.

7.2 With Technology and Service Partners

We engage trusted third-party technology partners for the delivery of specific services, including KYC providers, eSign platforms, cloud hosting services, and push notification providers. These partners process data solely on the Company's instructions and are contractually bound to maintain confidentiality and security standards consistent with this Policy.

7.3 Legal and Regulatory Disclosures

We may disclose your personal data where required by law, including:

• In response to a court order, regulatory directive, or lawful request from a government authority.

• To comply with obligations under the PMLA 2002, DPDPA 2023, Income Tax Act, or other applicable Indian legislation.

• To protect the rights, property, or safety of the Company, Users, or the public.

7.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the successor entity, subject to the successor assuming the obligations of this Policy.

7.5 No Sale of Data

The Company does not sell, rent, lease, or otherwise commercially exploit your personal data to any third party for marketing, advertising, or any other commercial purpose.

8. DATA RETENTION

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, regulatory, tax, and audit obligations. Specifically:

• KYC and identity verification data is retained for a minimum of five (5) years from the date of the last transaction or account closure, as required under PMLA 2002.

• Transaction records and account data are retained for a period mandated by applicable regulatory guidelines.

• App usage logs and technical data are retained for up to twelve (12) months unless required longer for security investigation purposes.

• Data subject to active legal proceedings or regulatory inquiries shall be retained until the final resolution of such proceedings.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in a manner that prevents re-identification.

9. DATA SECURITY

The Company implements appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

• End-to-end encryption for data in transit using TLS 1.2 or higher.

• Encryption of data at rest using AES-256 or equivalent standards.

• Multi-factor authentication for administrative access to systems.

• Role-based access controls limiting personnel access to data on a need-to-know basis.

• Regular security audits, Vulnerability Assessment and Penetration Testing (VAPT), and code reviews.

• Incident response and breach notification procedures aligned with DPDPA 2023 and CERT-In requirements.

Notwithstanding the above, no method of transmission over the internet or electronic storage is completely secure. While we endeavour to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. In the event of a personal data breach that is likely to result in harm to you, we shall notify the affected Data Principals and the Data Protection Board of India in accordance with applicable law.

10. YOUR RIGHTS AS A DATA PRINCIPAL

Under the DPDPA 2023, you have the following rights in relation to your personal data:

• Right to Access: You have the right to obtain confirmation of whether the Company processes your personal data and to receive a summary of such data.

• Right to Correction and Erasure: You have the right to correct inaccurate or incomplete personal data and to request erasure of data no longer necessary for the purposes for which it was collected, subject to legal retention obligations.

• Right to Grievance Redressal: You have the right to have your grievances relating to data processing addressed by the Company within the timelines prescribed by law.

• Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.

• Right to Withdraw Consent: You may withdraw consent for any processing activity based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, please submit a written request to legal@fivopay.in. We will acknowledge your request within 72 hours and respond within the period prescribed under the DPDPA 2023. We may require identity verification before processing your request.

11. CHILDREN'S PRIVACY

The App is not directed at children under the age of 18 years. The Company does not knowingly collect or process personal data of children without verifiable parental or guardian consent. If you are a parent or guardian and believe that your child has provided personal data without consent, please contact us immediately at legal@fivopay.in and we will take appropriate steps to delete such data. Accounts of minors must be managed by a parent or legal guardian who accepts these terms on the minor's behalf.

12. CROSS-BORDER DATA TRANSFERS

The Company primarily processes and stores personal data within India. To the extent any personal data is transferred outside India (for example, through cloud infrastructure providers with international nodes), such transfers are conducted in compliance with Section 16 of the DPDPA 2023 and any applicable restrictions or notifications issued by the Government of India. The Company shall not transfer personal data to any country or territory notified as restricted by the Central Government.

13. COOKIES AND TRACKING TECHNOLOGIES

The App (being a mobile application) does not use browser cookies. However, the App may use device-based identifiers and in-app analytics SDKs for session management, crash reporting, and aggregate usage analytics. These do not track you across third-party applications or websites. You may limit certain data collection through your device's privacy settings.

14. THIRD-PARTY LINKS AND INTEGRATIONS

The App may contain links to third-party websites, services, or platforms. This Policy does not apply to such third-party services. The Company is not responsible for the privacy practices or content of third-party platforms. You are advised to review the privacy policies of any third-party service you access through the App.

15. CHANGES TO THIS POLICY

The Company reserves the right to update, modify, or replace this Policy at any time to reflect changes in our practices, legal requirements, or regulatory obligations. Material changes will be notified through in-app notification or registered communication channels at least 15 days before taking effect. The revised Policy will carry an updated effective date.

Your continued use of the App after the effective date of any revised Policy constitutes your acceptance of the revised terms. If you do not agree with any change, you must stop using the App and request deletion of your data.

16. GRIEVANCE OFFICER

In accordance with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDPA 2023, the Company has designated a Grievance Officer for data protection matters:

Organisation: Saikhlearn & Scholar Nexus Private Limited

Email: info@fivopay.com

Address: Office No. 123, 10 Biz Park, Viman Nagar, Pune – 411014, Maharashtra, India

Your grievance will be acknowledged within 24 hours and resolved within 15 working days of receipt. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India upon its establishment under the DPDPA 2023.

17. CONTACT US

For any queries, concerns, or requests related to this Privacy Policy or your personal data, please contact us at:

Email: info@fivopay.com

Postal Address: Office No. 123, 10 Biz Park, Viman Nagar, Pune – 411014, Maharashtra, India