Privacy Policy

1. Introduction

Datzen Tech Private Limited ("Datzen", "we", "us", or "our"), a company incorporated under the Companies Act, 2013 and having its registered office at 18/1, 4th Cross, 2nd Floor, Rahmath Nagar, R T Nagar, Bangalore North, Bangalore – 560032, Karnataka, India, is committed to protecting the privacy and security of personal data entrusted to us.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (datzen.tech) or use our payment intelligence and fraud-prevention platform. Please read this policy carefully. By accessing or using our services, you agree to the terms of this policy.

2. Applicable Law

This Policy is formulated in compliance with:

• The Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
• The Digital Personal Data Protection Act, 2023 (DPDPA 2023) and rules framed thereunder.
• Guidelines issued by the Reserve Bank of India (RBI) on payment aggregators, data localisation, and cybersecurity.
• Any other applicable sectoral regulations issued by SEBI, IRDAI, or NPCI as relevant.

3. Information We Collect

We may collect the following categories of information:

• Identity & Contact Data: Name, email address, mobile number, organisation name, designation.
• KYC & Onboarding Data: PAN, Aadhaar (masked), GST number, CIN, or other government-issued identifiers required for merchant onboarding under RBI guidelines.
• Financial Data: Bank account details, UPI IDs, transaction history, settlement information — collected only to the extent required to provide payment services.
• Device & Technical Data: IP address, browser fingerprint, device identifiers, operating system, session tokens — used for fraud detection and risk scoring.
• Usage Data: Pages visited, features used, API call logs, clickstream data.
• Communication Data: Emails, support tickets, demo requests you submit to us.

We do not collect full card numbers (PAN/CVV) on our servers. Card data is tokenised in compliance with RBI tokenisation guidelines.

4. How We Use Your Information

We use collected data for the following purposes:

• Providing, operating, and improving our payment infrastructure and fraud-detection services.
• Merchant onboarding, KYC verification, and compliance with RBI/FEMA requirements.
• Risk scoring, fraud detection, and transaction monitoring.
• Processing payments, refunds, and settlements.
• Sending transactional notifications, service alerts, and support communications.
• Complying with legal obligations, including reporting to financial intelligence units.
• Analysing usage patterns to improve platform security and user experience.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

5. Legal Basis for Processing

Under the DPDPA 2023, we process personal data on the following grounds:

• Consent: For processing data beyond what is strictly necessary for service delivery.
• Contractual Necessity: To fulfil our obligations under merchant agreements and service contracts.
• Legal Obligation: To comply with applicable Indian laws (RBI, PMLA, FEMA, IT Act).
• Legitimate Interest: For fraud prevention, security, and platform integrity.

6. Data Localisation

In accordance with RBI's circular on storage of payment system data, all payment transaction data of Indian customers is stored exclusively within India. We do not transfer such data outside India unless expressly permitted under applicable RBI guidelines.

7. Sharing of Information

We may share your information with:

• Payment Partners & Banks: NPCI, acquiring banks, issuing banks, and payment networks for transaction processing.
• Regulatory Authorities: RBI, SEBI, Financial Intelligence Unit-India (FIU-IND), or other statutory bodies when required by law.
• Service Providers: Cloud infrastructure providers, KYC verification agencies, and analytics partners who process data only on our behalf under confidentiality obligations.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred subject to equivalent privacy protections.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, or as required by applicable law. Payment transaction records are retained for a minimum of five (5) years in accordance with RBI guidelines and the Prevention of Money Laundering Act, 2002 (PMLA). KYC records are retained for ten (10) years from the date of cessation of the business relationship.

9. Data Security

We implement industry-standard technical and organisational security measures, including:

• AES-256 encryption for data at rest, TLS 1.2+ for data in transit.
• Role-based access controls (RBAC) and least-privilege principles.
• Regular vulnerability assessments and penetration testing.
• SOC 2 Type II and ISO 27001-aligned security practices.
• Multi-factor authentication for platform access.

Despite these measures, no internet transmission is completely secure. In the event of a data breach affecting your rights, we will notify you and relevant authorities as required under applicable law.

10. Your Rights as a Data Principal

Under the DPDPA 2023, you have the right to:

• Access: Obtain a summary of personal data we hold about you and the processing activities.
• Correction: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of personal data where it is no longer necessary for the purpose collected, subject to legal retention requirements.
• Grievance Redressal: Lodge a complaint with our Grievance Officer.
• Withdrawal of Consent: Withdraw consent at any time, which will not affect lawfulness of prior processing.
• Nominate: Nominate an individual to exercise rights on your behalf in the event of death or incapacity.

To exercise any of the above rights, please contact us at privacy@datzen.tech.

11. Cookies & Tracking Technologies

We use cookies and similar tracking technologies for session management, security, analytics, and fraud detection. You may control cookie preferences through your browser settings. Disabling certain cookies may impact platform functionality. We do not use cookies for cross-site targeted advertising.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, regulatory requirements, or our operations. The revised policy will be posted on this page with an updated effective date. We encourage you to review this policy periodically.

14. Governing Law & Jurisdiction

This Privacy Policy is governed by the laws of India. Any disputes arising in connection with this policy shall be subject to the exclusive jurisdiction of the courts in Bangalore, Karnataka, India.