HDFC Bank Privacy Policy

This Privacy Policy outlines Apna paisa – Digital Arm of Andromeda Sales and Distribution Private Limited (“Apnapaisa”) approach to processing of Data by HDFC Bank Limited [directly or through its service providers including Apnapaisa as a Lending Service Provider (LSP) (as defined under the Reserve Bank of India’s Guidelines on Digital Lending dated September 02, 2022 as may be amended, modified or replaced from time to time) of HDFC Bank to the extent allowed by it].

Apnapaisa and HDFC Bank are committed to treating data privacy seriously. It is important that you know exactly what HDFC Bank (directly or through its service providers including us to the extent allowed by HDFC Bank) does with the personal data you and others provide to HDFC Bank, its service providers or us, why it is processed and what it means to you. Please read this Privacy Policy carefully.

Definitions

The following capitalised terms shall have the meanings assigned to them as under:

Apnapaisa” shall have the meaning as ascribed to the term in the first paragraph of this Privacy Policy.

Covered Person(s)” or “You” shall have the meaning as ascribed to the term in the ‘Applicability’ section of this Privacy Policy.

Data” shall have the meaning as ascribed to the term in the Data section of this Privacy Policy.

Derivation” shall have the meaning as ascribed to the term in the Datasection of this Privacy Policy.

Derivative Data” shall have the meaning as ascribed to the term in the Data section of this Privacy Policy.

HDFC Bank” or “Bank” shall mean HDFC Bank Limited having its registered office at Senapati Bapat Marg, Lower Parel (West), Mumbai 400013, Mumbai, India.

Non-Mandatory Data” shall have the meaning as ascribed to the term in the ‘When and how we collect Data about you?’ section of this Privacy Policy.

Non-Mandatory Purposes” shall have the meaning as ascribed to the term in the Purposes of processing Data’ section of this Privacy Policy.

Processing Entity” shall have the meaning as ascribed to the term in the ‘Who we share your Data with? section of this Privacy Policy.

Product(s)” shall mean the products and services of HDFC Bank, including where the initiation of any request, application or transaction is through us or any service provider of the Bank or through any Processing Entity or where HDFC Bank is acting as distributor or agent or acting under any referral arrangement for products or services of any other person or as an intermediary or a sponsor bank.

Specified Purposes” shall collectively mean purposes of credit assessment, risk assessment, risk analysis, obtaining credit information reports, scores, scrubs, fraud checks, fraud detections, fraud prevention, detecting and preventing crime including crime/ terror funding, detecting malpractices or discrepant documents or information, prevention of misuse, assessment of credit worthiness, financial standing, due diligence, background check, physical and other inspections, verifications, obtaining any reports for any of the above, KYC/ AML checks, customer service, monitoring, collections, default detection, default prevention, default investigation, recovery, any legal proceedings, actions, enquiries, investigations, pursuing any remedies, enforcing rights, reporting including credit reporting, KYC reporting, default reporting, filing, perfections etc., whether any of these are undertaken internally by the Bank or through any of its Processing Entities including us, as applicable, or through a combination of multiple options.

Applicability

This Privacy Policy applies to personal data of any natural person (“Covered Person(s)” or “You” or any cognate variations thereof). Please note that the Products’ terms and conditions will cover specific matters in addition to this Privacy Policy and this Privacy Policy does not limit any of those specific matters or any other consent that you may have given or may give to or for the benefit of HDFC Bank. The Privacy Policy of HDFC Bank as available at www.apnapaisa.com shall also be applicable to the Covered Persons. Therefore, please also read such specific terms and conditions in relation to the Products, such other consents, wherever applicable, and the said privacy policy.

Who we are

Throughout this document, “we”, “us”, “our” and “ours” or any cognate variations thereof refer to Apnapaisa

Website : www.apnapaisa.com

Our contact details are given at the end of this Privacy Policy.

Data


The personal data collected or received falls into various categories as under: 

  • Identity & contact information
    • Name, address, signatures, biometric data, date of birth, copies of identity cards (ID), contact details including email id and phone number, address, previous names, maiden names, marital status, relatives information, nomination, medical condition, domicile, origin, citizenship, nationality, residence, any legal or other identifiers like Permanent Account Number (PAN)/ Taxpayer Identification Number (TIN)/ National ID/ Social Security Number/ or its equivalent, Photograph and Gender.
    • Data that identifies (whether directly or indirectly) a particular individual, such as information you provide on any forms, surveys, online applications or similar online fields.
    • Demographic information that you provide and aggregated or de-identified Data.
  • Financial details/circumstances
    • Bank account details, investments history, credit/debit card details, prepaid payment instrument details, any other instrument/ modality/ function details, UPI handles, income details, history in relation to these, to the extent applicable.
    • Employment/ occupational information.
    • Residential status under banking, general and tax laws.
    • Spending/saving/investing/payments/receipts/borrowing history.
    • Risk profile, financial objectives, financial knowledge and experience, preferences and any other information to assess the suitability of the Products to you.
    • Information collected when you make or receive payments.
    • Other information such as information relating to occupation and financial situation such as employer’s name and address, if self-employed, type of account, and nature and volume of anticipated business dealings, with the conventional bank licensee, income proof, bank statements, income tax returns, salary slip, contract of employment, passbook, expenditure, assets and liabilities, source of wealth and signature.
    • Data that is collected when you make financial and non-financial transactions. Data may include information associated with the transaction such as amount sent or requested, amount paid for Products or merchant information and/or loan related information such as loan amount applied for, interest rate, tenure, repayment schedule, security etc.
  • Information you provide about others or others provide about you
    • If you give information or data about someone else (for example, information or data about a spouse or financial associate provided during the course of a joint application with that person), or someone gives information about you, may be added to any Data that is already held about you and can be used in the ways described in this Privacy Policy.
    • Your Data from third party providers: In order to enhance our ability to provide relevant marketing, offers, and services to you, Data about you is obtained from other sources with your consent, such as email service providers, public databases, joint marketing partners, social media platforms, as well as from other third parties as appropriate.
    • Information including Data from credit information companies/ credit reference agencies, risk management and fraud prevention agencies, national and government databases.
    • Information including Data from other parties and entities where we are a part of a transaction in one or more roles even though we may not be directly interfacing you.
    • Data of authorised signatories or authorised persons or representatives of non-individual applicants/ customers/ users of any services, whether direct or indirect.
  • Information from online activities.
    • Information about your internet activity is collected using technology known as cookies, which can often be controlled through internet browsers. For detailed information on the cookies used and the purposes for which they are used, see our Cookie Policy, which is available on our website.
    • Your digital and electronic devices where various checks are performed are designed to ascertain and verify your residency to ensure we meet our regulatory obligations. These checks include identifying and collecting your location (with your specific permission) and the IP address your device connects from and the collection of information about your use of the website or mobile app (including device type, operating system, screen resolution, and the way you interact with us). 
    • Information about your Internet browser, IP address, information collected through tracking technologies.
    • Unique device identifier such as International Mobile Equipment Identity (IMEI) number, technical usage data, contact lists (in some cases where specific permission is obtained), technical data about your computer and mobile device including details regarding applications and usage details.
    • Generation and storing password or PIN in encrypted form, for any of our apps/ platforms.
  • Other personal information
    • Information in relation to data access, correction, restriction, deletion, porting requests and complaints.
    • CCTV images and Data at our offices (but only for security reasons and to help prevent fraud or crime).
    • Conversations during meetings/calls/correspondences/discussions with our staff.
    • Social relationships detail such as your father’s name, spouse’s name and mother’s name.
    • Behavioural details as to how to utilise our Products, offers etc., your browsing actions, patterns and online activity.
    • Records of correspondence and other communications with you, including email, telephone conversations, live chat, instant messages and social media communications containing information concerning your grievances, complaints and dispute.
    • Any other information, Data or records which you may consent to be collected or used.

Out of the aforesaid data points, the following are ‘sensitive personal data or information’:

  1. Password for any of our apps/ platforms;
    1. financial information such as Bank Account or Credit Card or Debit Card or other payment instrument details;
    2. physical, physiological and mental health condition;
    3. sexual orientation;
    4. medical records and history; and
    5. any detail relating to the above clauses as provided by you.

Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as ‘sensitive personal data or information’.

Any of the aforesaid data (whether personal data or sensitive personal data or information), information, know your customer (KYC) related data, any derivative thereof (“Derivative Data”) like any credit scores or behavioural projections, profiling, analytical results, reports (prepared by us or others) including through any algorithms, analytics, software, automations, profiling etc., and whether such derivative is from the information collected from you or in combination with any other information sourced from any other person, database or source whether by us or HDFC Bank or others, shall collectively be referred to as “Data” and any part of the process relating to arriving at the Derivative Data as above, whether through internal or external sourcing, shall be referred to as “Derivation”.

When and how your Data is collected?

We and/or HDFC Bank may collect or possess the Data through any of the following:

  • When you submit the Data including when you ask or request us or HDFC Bank (directly or through any Processing Entity) to provide you with certain Products.
    • When you use the Products.
    • During the course of transactions.
    • When you apply for the Products, make enquiries or engage with us or HDFC Bank or with any other person where we or HDFC Bank are involved for any other person in the transaction concerning you.
    • Data collected during credit assessment, risk assessment, fraud checks, fraud detections, processes undertaken for fraud prevention, detecting malpractices or discrepant documents or information, prevention of misuse, assessment of credit worthiness, evaluation of financial standing, due diligence, background check, physical and other inspections, verifications, KYC/ Anti Money Laundering (AML) checks, monitoring, collections, recovery, customer service etc.
    • When you use our website and online products/ services provided by us or HDFC Bank (including mobile applications) and visit our/ HDFC Bank’s branches, offices, stores or premises.
    • When you email or call or respond to our or HDFC Bank’s emails/phone calls or during meetings with our or HDFC Bank’s staff or service providers or representatives.
    • When you or HDFC Bank or others give the Data verbally or in writing. This Data may be on application forms, in records of your transactions with us or HDFC Bank or if you make a complaint.
    • From information publicly available about you. When you make Data about yourself publicly available on your social media accounts or where you choose to make the Data available to us or HDFC Bank through your social media account, and where it is appropriate for us or HDFC Bank to use it.
    • During or as a result of Derivation, from any person possessing the same or sourcing any Data therefor.

By accepting this Privacy Policy or by applying for or using any Product (including where the initiation of any transaction is not directly with us or HDFC Bank but is with a relevant Processing Entity), you agree that any person who submits any Data or part thereof to us or HDFC Bank or the Processing Entity or from whom such Data is sourced (including Derivation), shall be deemed to have been authorised by you to submit such Data to us or HDFC Bank and you hereby further authorise us or HDFC Bank to process any such Data for any of the purposes mentioned in this Privacy Policy. 

[Our apps may be required by you to delete/ forget the Data submitted by you on such App which is specified as ‘Non-Mandatory Data’ during the application process for a digital lending Product (“Non-Mandatory Data”) (however subject to any contrary legal/ regulatory requirements), by following the process in this regard.]  

How is your Data processed?

Whether we or HDFC Bank is/are using it to confirm your identity, to help in the processing of an application for any Product or to improve your experiences with us or HDFC Bank, your Data is always handled with care and the principles outlined in this Privacy Policy are always applied. 

Purposes of processing Data

The processing of the Data may be done by HDFC Bank (directly or through its service providers including us to the extent allowed by HDFC Bank) or any of the Processing Entities for any of the following purposes, and you agree and consent to the same:

  • To provide you with Products.
    • To process your loan application and for undertaking related processes such as loan sanction/ approval, disbursement, recovery and customer service. To manage relationships with you. For enabling your use of Products. For processing, executing transactions. For enabling any applications/ requests for any Products, for processing any such applications/ requests, for performing any contract pursuant thereto and for undertaking any Specified Purposes in relation to any of the above. To perform activities such as data analysis, audits, usage trends to determine the effectiveness of HDFC Bank’s campaigns and as input into improving Products. For credit scoring, credit analysis, risk analysis, obtaining any reports, credit scores, credit information, scrubs, for assessing and undertaking/ evaluating financial standing, fraud check, fraud probability, reference checks, due diligence, inspections, etc. including from or through any credit information companies, bureaus, fintech entities or service providers. For enabling use of our website, platforms, and online services (including mobile or web applications) and visiting our branches, offices. To contact you or to establish contact with you or your whereabouts.To allow you to utilize features on platforms/ apps by granting us access to Data from your device.For security, business continuity and risk management.For system or product development and planning, audit and administrative purposes.To personalize your platform/ app experience.To improve customer/ user experience.To inform you about important information regarding our Products, changes to terms, conditions, and policies and/or other administrative information; Where processing is necessary for the performance of a contract to which you are a party or in order to take steps prior to entering into a contract. To allow HDFC Bank to take actions that are necessary in order to provide you with the Products (performance of a contract), for example, to make and receive payments. Where processing is necessary because of a legal or regulatory obligation that applies to us or HDFC Bank.Where processing is necessary for the purposes of the legitimate interests pursued by HDFC Bank. Processing may be required by HDFC Bank or its service providers to meet HDFC Bank’s legitimate interests, for example, to understand the customer behaviour, customer expectations, to build analytical models, or to understand how customers use or respond to the Products, or to develop new Products, as well as improve the Products. This may also include sharing of your Data by HDFC Bank either as part of a sample or specifically or generally with its potential or actual service provider or consultant or vendor or third party or Processing Entity, for the purposes of testing by HDFC Bank of proof of concept, where HDFC Bank may test the utility, workability, efficacy, authenticity of any solution or service proposed or being rendered by any such person, and any such person may process such Data along with any other data it may have or source externally, for the purpose of running or pilot running or testing of the proposed solution or service and to submit the results to HDFC Bank along with the Data and any other data which such person may have or source. You agree that such sharing of Data and processing thereof and testing of proof of concept is in HDFC Bank’s legitimate interest to improve HDFC Bank’s efficiency, customer service, product delivery, to prevent frauds, etc. and ultimately is a necessary part of developing the ecosystem where its customers and potential customers including you, benefit. Subject to a specific consent (obtained separately from this Privacy Policy), to allow you to participate in surveys and other forms of market research, contests and similar promotions and to administer these activities. Some of these activities have additional rules, which may contain additional information about how Data is used and shared.To allow you to apply for Products including to pre-populate any Data during any application whether directly by us or through any service provider on any platform.Where we or HDFC Bank have your consent to do so.In connection with Products, we or HDFC Bank may also contact you or send you messages, notifications or alerts by post, telephone, text, email, through social media POS machines and other digital methods, including for example via ATMs, mobile applications or push notifications, or online banking services (and new methods that may become available in the future).For assessing, examining and/or determining by HDFC Bank, whether directly or through us (to the extent allowed by HDFC Bank), from time to time, your eligibility (including pre-eligibility), suitability or credit worthiness for any of the Products from time to time (and to undertake Specified Purposes therefor).
    • For any purposes which are incidental or necessary to any of the aforesaid purposes.  

The purposes where it has been expressly specified above that such purpose is a non-mandatory purpose, shall be referred to as “Non-Mandatory Purposes”.

Subject to what is stated in this Privacy Policy for the Non-Mandatory Purposes, you agree that HDFC Bank may engage with any Processing Entity, for any of the aforesaid purposes or part thereof for any incidental or ancillary purposes, and may accordingly share Data with any of them and allow them to further process/ share the same, for the said purposes.

Automated processing

The way HDFC Bank (directly or through its service providers including usto the extent allowed by HDFC Bank) analyses personal information in relation to the Products including applications, credit decisions, determining your eligibility for the Products, may involve automated profiling and decision making, this means that HDFC Bank may process your Data using software that is able to evaluate your personal aspects and predict risks or outcomes as also where the decision making may be automated. 


HDFC Bank may, directly or through us or through its service providers, also carry out automated anti-money laundering and sanctions checks. This means that it may automatically decide that you pose a fraud or money laundering risk if the processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.

Who we share your Data with?

We may share the Data with the following persons and/or in the following circumstances:

  • With HDFC Bank in relation to or in connection with the Products.

HDFC Bank (either directly or through its service providers) may share the Data with the following persons and/or in the following circumstances:

  • With HDFC Bank’s subsidiaries and/or affiliates in an effort to bring you improved services across its family of Products, when permissible under relevant laws and regulations or with consent.
  • With HDFC Bank’s service providers, vendors, agents etc. who perform services for it or assists it/ its subsidiaries/ affiliates to operate the business or provide the Products or services (own or where it/ its subsidiaries/ affiliates distribute, refer or act as agent etc.), intermediaries or consultants.
  • Entities or persons with whom HDFC Bank has tie-ups for the co-branded services, products or programs, any rewards programs or loyalty programs, any benefits, offers, features or any similar arrangements.
  • With co-lenders, co-originators, collaborators, and persons with whom HDFC Bank may have a tie-up for any Products.
  • Other third parties to comply with legal requirements such as the demands of applicable warrants, court orders; to verify or enforce HDFC Bank’s terms of use, HDFC Bank’s other rights, or other applicable policies; to address fraud, security or technical issues; to respond to an emergency; or otherwise to protect the rights, property or security of HDFC Bank’s customers or third parties.
  • HDFC Bank may share your Data, without obtaining your consent or without intimating you: (a) with governmental, statutory, regulatory, executive, law-enforcement, investigating or judicial/ quasi-judicial authorities, departments, instrumentalities, agencies, institutions, boards, commissions, courts, tribunals, who ask for such Data including by way of an order, direction, etc; or (b) with any person, where disclosure is necessary for compliance of any legal or regulatory obligation. Wherever the Data is shared by HDFC Bank as above, it will not have control over how such Data is further processed by such authorities, persons, etc. (both under ‘a’ and ‘b’ above).
  • With any persons involved in Derivation.

The Data may also be shared by any of the aforesaid entities/ persons (with whom the Data is shared by the Bank or on behalf of HDFC Bank), to the extent as may be allowed by HDFC Bank, with their service providers, consultants, agents, HDFC Bank’s subsidiaries, affiliates, co-brand entity/partner, distributors, selling/ marketing agents, any partners, fintech companies, other players/ intermediaries in any ecosystem of which HDFC Bank are a part, TPAPs, HDFC Bank’s collaborators, co-lenders, co-originators, merchants, aggregators, lead generators, sourcing entities, clients, customers  or other persons with whom HDFC Bank has a tie-up or contract for any products or services etc. for any of the aforesaid purposes or any purposes incidental or necessary thereto. Any person or entity with whom the Data or any part thereof is shared by HDFC Bank or on its behalf or further shared by any of them to the extent allowed by HDFC Bank, for any of purposes under this Privacy Policy, shall be referred to as a “Processing Entity”. [Wherever the Data is shared with any Processing Entity (with whom HDFC Bank has a direct contract), HDFC Bank will through such contracts restrict the processing by them of such Data for the aforesaid purposes.]

For further information, please refer to the Products’ specific terms and conditions and application form.

Period of storage of the Data

HDFC Bank (directly or through its service providers including us to the extent allowed by HDFC Bank) will keep the Data collected about you for as long as required for the purposes set out above or even beyond the expiry of HDFC Bank’s transactional or account based relationship with you: (a) as required to comply with any legal and regulatory obligations to which we are subject, or (b) for establishment, exercise or defence of legal claims, or (c) as specified in this Privacy Policy, or (d) in accordance with specific consents. Provided that you may during the application process for a Product, deny the consent for retention of Non-Mandatory Data however subject to any contrary legal/ regulatory requirements.

 [Implications of not providing Data or Withdrawing Consent


Wherever in this Privacy Policy it is specified that you may withdraw a particular consent, you may choose to withdraw such consent, but doing so may limit the products and/or services or the deliverability thereof of HDFC Bank, unless such consent is not the only legal or contractual basis for processing and there are other legal or contractual basis as well. Thus, if you withdraw such consent, it will not affect the lawfulness of processing by or for HDFC Bank based on your consent before its withdrawal or even any further processing pursuant to other legal or contractual basis, if any, which HDFC Bank may have for such processing.]

Reasonable security practices and procedures


The Company – Andromeda Sales and Distribution Private Limited is ISO 27001:13 compliant. HDFC Bank is ISO 27001:13 compliant. We and HDFC Bank seek to use reasonable organizational, technical and administrative measures to protect Data within our respective organizations. However, if you have reason to believe that your interaction with us/ HDFC Bank is no longer secure, please immediately notify us/ HDFC Bank in accordance with the How to contact us/ HDFC Bank section.

Links/ Re-direction to Other Websites/ Platforms


From time to time, our/ HDFC Bank’s website/ webpage/ platform/ apps may contain links or have a mechanism of re-direction to and from other websites/ webpages/ platforms/ apps of other networks, advertisers, affiliates and Processing Entities. If you follow a link or such re-direction to any of these websites/ webpages/ platforms/ apps, please note that these websites/ webpages/ platforms/ apps may have their own privacy notices and that HDFC Bank and we do not accept any responsibility or liability for any such notices. Please check such notices, where available, before you submit any Data to these websites/ webpages/ platforms/ apps.

Right to review

Please note that the accuracy of the Data provided is essential, among others, for the provision of Products to you. It is therefore mandatory that you ensure the accuracy and completeness of all Data disclosed or shared. Without prejudice to any rights and remedies of the Bank under any contract in this regard, you shall be able to review the Data that you had provided and correct or amend as feasible any such Data which you find to be inaccurate or deficient. You may do this by following the process prescribed by HDFC Bank in this regard. For knowing the process you may contact HDFC Bank.

Provided that HDFC Bank/ we shall not be responsible for the authenticity of the Data supplied by you to us / HDFC Bank or any other person acting on behalf of HDFC Bank.

Cookies

HDFC Bank may use cookies and similar technologies on its websites, mobile apps, and emails. Cookies are text files that get small amounts of information, which your computer or mobile device stores when you visit a website or use a mobile app. For more details in this regard, you may please refer to HDFC Bank’s Cookie Policy available on its website.

How to contact us/ HDFC Bank

You may contact our Privacy Contact at care@apnapaisa.com

You may contact HDFC Bank’s Privacy Contact at Privacy@hdfcbank.com

Changes to this Privacy Policy

HDFC Bank’s products, services, facilities, features, functionalities, and nuances thereof change constantly and this Privacy Policy may change also. You will be responsible for apprising yourself about the Privacy Policy and change, if any, on each use of the websites or Apps, platforms or while applying for or making service requests for any Product or during usage of any Product or usage of any functionality. Without limiting your responsibility to keep yourself updated as above, we/ HDFC Bank may update you that a change has been made through any channels of communication including in App notifications, general banner on website, sms, e-mail, social media messages, etc. The changed Privacy Policy shall be effective as soon as it is published/posted/hosted on the website/respective Apps/platforms. If you use the website or Apps, platforms or make any application/request for any Product or use any Product or make any service requests for or during usage of any Product or if you use any functionality provided by or for HDFC Bank, such act of any of aforesaid uses shall by itself amount to your acceptance of the Privacy Policy with change, if any.

This Privacy Policy shall be governed by the laws of India and any disputes arising out of or in relation to this Privacy Policy shall be subject to the jurisdiction of courts/ tribunals of Mumbai, India.