PRIVACY POLICY
Janseva Admin App (Internal Operations Platform)
1. Introduction and Scope
Saikhlearn & Scholar Nexus Private Limited (hereinafter referred to as 'the Company', 'We', 'Us', or 'Our'), incorporated under the Companies Act, 2013 bearing CIN U85500PN2025PTC236810, is the technology operator of the FivoPay Core Banking Software (CBS) platform, operating as a pure Technology Service Provider (TSP).
The Janseva Admin App ('Admin App' or 'Platform') is a restricted-access internal operations tool made available exclusively to duly authorized personnel of Janseva Multi-Purpose Cooperative Credit Society ('Client Society' or 'Janseva MCCS'). The Company does not operate, manage, or control the financial affairs of Janseva MCCS. All financial activities, member relationships, lending decisions, and regulatory compliance obligations vest solely with Janseva MCCS.
This Privacy Policy governs the collection, processing, storage, sharing, and protection of data by the Company through the Admin App in its capacity as a TSP. It is applicable to all users of the Admin App, including but not limited to: Chairman, Board Members, Managers, Officers, Collection Agents, Branch Staff, and any other authorized personnel.
This policy is in compliance with:
The Information Technology Act, 2000 and IT (Amendment) Act, 2008
The Digital Personal Data Protection Act, 2023 (DPDP Act)
IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Prevention of Money Laundering Act, 2002 (PMLA) and its Rules
Guidelines issued under the Maharashtra Cooperative Societies Act, 1960
Applicable RBI circulars and guidelines on IT outsourcing and data security
Prevention of Terrorism Act and applicable Financial Action Task Force (FATF) recommendations
2. Nature of the Company — Technology Service Provider (TSP) Disclaimer
CRITICAL DISCLAIMER: Saikhlearn & Scholar Nexus Private Limited / FivoPay operates strictly as a Technology Service Provider (TSP). We do NOT: hold, pool, collect, accept, transfer, or process any funds; act as a payment aggregator, payment gateway, bank, NBFC, wallet operator, or financial institution; make or influence lending, credit, or financial decisions; hold any member or customer funds in any capacity.
All financial transactions visible within the Admin App are processed exclusively through RBI-licensed and/or Government-authorized payment gateway partners including but not limited to Razorpay, PayU, CCAvenue, Cashfree, BillDesk, or similar licensed entities as may be applicable from time to time. The Company merely integrates with such licensed entities as a software layer and bears no liability for fund movement, settlement failures, or payment processing errors.
The Company is not a 'reporting entity' under PMLA in its own capacity as a TSP; however, it provides the technological infrastructure to enable Janseva MCCS to fulfil its own regulatory obligations as a cooperative financial institution.
3. Data We Collect and Process
3.1 Personal Information of Admin Users
Full legal name, designation, and employee/member identification number
Mobile phone number and official email address
Biometric data (fingerprint/face ID) if enabled for device-level authentication
Government-issued identification numbers for onboarding verification (Aadhaar, PAN — securely masked)
Login credentials stored in encrypted, hashed form (never in plain text)
Profile photograph (if uploaded by the institution)
3.2 Operational and Financial Data
Loan records, disbursement data, EMI schedules, and recovery information
Member KYC records and financial profiles (as entered by the client institution)
Deposit, savings, and fixed deposit account information
Collection data, field visit logs, and repayment tracking records
Internal reports, dashboards, MIS data, and financial statements
Transaction logs and payment confirmation records
Insurance-linked data if integrated modules are active
3.3 Device, Network, and Usage Data
IP address, device identifier (IMEI/MAC/UUID), and device model
Operating system version and app version
Login timestamps, session duration, and logout records
GPS/location data at login (for geo-fencing and fraud prevention — only with institutional consent)
Full audit trail of all actions performed within the platform (immutable logs)
API call logs, error logs, and system event logs
4. Purposes of Data Processing
Data is collected and processed strictly for the following legitimate purposes:
Providing core banking software services to Janseva MCCS as contracted
Role-based access control (RBAC) to ensure users access only what they are authorized for
Loan origination, underwriting support, disbursement, and recovery management
Financial reconciliation, ledger maintenance, and audit support
Fraud detection, anomaly detection, and security incident response
Compliance with PMLA, FATF, and applicable KYC/AML/CFT norms as required by the client institution
System monitoring, uptime maintenance, and performance optimization
Regulatory and statutory reporting as instructed by the client institution
Legal obligation fulfilment upon valid court order or regulatory directive
5. Lawful Basis for Processing
The Company processes personal data under the following lawful bases as recognized under the Digital Personal Data Protection Act, 2023:
Consent: Explicit informed consent obtained at onboarding of admin users
Contractual necessity: Processing necessary to fulfil the Technology Services Agreement with Janseva MCCS
Legal obligation: Processing mandated by applicable laws including PMLA, IT Act, and cooperative society regulations
Legitimate interests: Fraud prevention, security monitoring, and audit trail maintenance
6. Data Storage, Security, and Infrastructure
The Company adopts enterprise-grade security controls for all data stored and processed through the Admin App:
Data is hosted on secure cloud infrastructure (preferably India-located data centres compliant with Indian data localization norms)
AES-256 encryption for data at rest; TLS 1.2/1.3 for data in transit
Multi-Factor Authentication (MFA) mandatory for all admin accounts
Role-Based Access Control (RBAC) with principle of least privilege
Immutable, tamper-evident audit logs for all data access and modification events
Regular Vulnerability Assessment and Penetration Testing (VAPT) by certified agencies
ISO 27001-aligned information security management framework
Automated threat detection and real-time alerting
Physical and logical data segregation between client institutions
Secure data backup with defined RPO (Recovery Point Objective) and RTO (Recovery Time Objective)
No data is stored on user devices beyond session cache; remote wipe capability available
7. Data Sharing and Third-Party Disclosure
The Company does NOT sell, rent, trade, or commercially exploit any personal or operational data. Data sharing occurs only as described below under strict conditions.
Data may be shared only with the following categories of parties and only to the extent strictly necessary:
Janseva MCCS (the contracting client institution): Full access to their own data as the Data Fiduciary
RBI-licensed/Government-authorized payment gateway partners: Solely for payment processing; only tokenized/masked references are shared
Insurance partners: Only if the client institution activates insurance modules and with member consent
Cloud infrastructure providers: Under strict data processing agreements with confidentiality obligations
Technology sub-processors: Under NDA and data processing agreements, for platform maintenance only
Law enforcement, courts, regulatory authorities: Only upon receipt of valid legal process, court order, or regulatory directive
No overseas transfer of sensitive financial data without explicit regulatory approval
8. Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) Policy
8.1 AML Compliance Framework
The Company, as a TSP, provides the Client Society with technological infrastructure to support its AML/KYC compliance obligations under the Prevention of Money Laundering Act, 2002 (PMLA) and the Financial Intelligence Unit — India (FIU-IND) guidelines. The Admin App includes functionality to support:
Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) workflows
Transaction monitoring and flagging of suspicious patterns
Politically Exposed Persons (PEP) screening and watchlist matching infrastructure
Suspicious Transaction Report (STR) and Cash Transaction Report (CTR) preparation support
Record-keeping as required under PMLA for the prescribed periods
8.2 Counter-Terrorism Financing Clause
ZERO TOLERANCE POLICY: The Company maintains an absolute zero-tolerance policy towards terrorism financing, proliferation financing, or any activity that directly or indirectly supports terrorist organizations, designated entities, or individuals on OFAC, UNSC, or Government of India sanctions lists.
The Company shall:
Immediately suspend platform access upon credible information linking any user or member to designated terrorist entities
Report such instances to relevant authorities including FIU-IND, Intelligence Bureau, and law enforcement
Cooperate fully and without delay with any lawful investigation by security or intelligence agencies
Not process or facilitate any transaction where there is reason to suspect terrorism financing, irrespective of value
The Client Society (Janseva MCCS) is solely responsible for conducting sanctions screening and KYC of its members. The Company provides the platform infrastructure; responsibility for compliance decisions vests with the Client Society.
9. Audit Trails and Immutable Logging
The Admin App maintains comprehensive, immutable audit logs for all activities including:
Every login and logout event with timestamp and IP address
All data access, viewing, editing, creation, and deletion events
All financial transaction approvals, rejections, and modifications
Report generation and data export events
Configuration changes and permission modifications
API integrations and external data exchanges
Audit logs are tamper-proof and cannot be modified, deleted, or overridden by any user, including system administrators. Logs are retained for a minimum period as prescribed by applicable law or the client agreement, whichever is longer.
10. Data Retention Policy
Active user account data: Retained for the duration of the employment/authorization period and for 7 years post-cessation
Financial and transactional records: Minimum 10 years as required under PMLA and cooperative society regulations
Audit logs: Minimum 5 years, or as mandated by regulatory requirements
KYC records: Minimum 5 years from the date of last transaction
System logs and access records: Minimum 2 years
Upon termination of the Technology Services Agreement, data is returned to the Client Society and purged from our systems within the contractually agreed timeframe
11. User Rights and Obligations
11.1 Admin User Responsibilities
Maintain strict confidentiality of login credentials; never share credentials with any person
Log out from the platform after every session
Immediately report to the institution's IT/Admin point of contact any suspected unauthorized access
Use the platform only for authorized institutional purposes
Not download, export, screenshot, or transmit any member data outside authorized channels
Comply with the institution's internal data governance policy
11.2 Data Rights (applicable to admin users as data subjects)
Right to access: Request confirmation of what personal data is processed
Right to correction: Request correction of inaccurate personal data
Right to grievance: Lodge complaints with the Company's Data Protection Officer
Note: Certain rights may be limited where their exercise would conflict with legal obligations or audit requirements
12. Data Breach Response Protocol
In the event of a personal data breach, the Company shall:
Immediately contain the breach and prevent further unauthorized access
Conduct an internal root cause analysis within 24 hours
Notify Janseva MCCS (Data Fiduciary) within 72 hours of becoming aware of the breach
Cooperate with CERT-In reporting obligations if the breach meets the threshold under the IT Act
Document all breach-related actions in the incident log
Implement remedial technical and organizational measures to prevent recurrence
The Company shall not be liable for breaches arising from misuse by authorized users, failure of the Client Society to implement recommended security controls, or force majeure events.
13. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts at Pune, Maharashtra.
14. Grievance Officer / Data Protection Officer
For privacy-related complaints or requests, contact:
Data Protection Officer | Saikhlearn & Scholar Nexus Private Limited
Address: Viman Nagar, Pune, Maharashtra, India
Email: info@fivopay.com
Response timeline: Within 30 days of receipt of grievance
15. Updates to This Policy
This Privacy Policy may be updated periodically to reflect changes in law, technology, or business practices. Continued use of the Admin App following notification of updates constitutes acceptance of the revised Policy. Material changes will be communicated to users through the App or registered contact details.