Legal

Privacy Policy

Effective Date: 1st April 2026  ·  Absird Financial Technologies Private Limited (RocketPay)  ·  CIN: U72900KA2022PTC160353

1. Introduction

This Privacy Policy (“Policy”) describes how Absird Financial Technologies Private Limited, operating under the brand name “RocketPay” (“Company”, “we”, “our”, or “us”), collects, uses, stores, shares, and protects Personal Data in connection with your use of the RocketPay platform, website (rocketpay.co.in), mobile application, APIs, Tally plugin, and all associated services (collectively, the “Platform”).

Our registered office is at: Building Number 917, 1st Floor, 5th Main Rd, Sector 7, HSR Layout, Bengaluru. CIN: U72900KA2022PTC160353.

This Policy is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 and its SPDI Rules, 2011, and other applicable Indian laws governing data privacy and protection.

If you have any questions about this Policy or wish to exercise your data rights, contact us at: support@rocketpay.co.in.

2. Who This Policy Applies To

• Customers — businesses, lenders, NBFCs, MFIs, Credit Cooperative Societies, MSMEs, distributors, manufacturers, and SaaS companies that register on and use the RocketPay Platform;
• End-Users — borrowers, debtors, subscribers, or individuals whose payment mandate is set up or whose device is subject to locking through the Platform, where RocketPay processes their data on behalf of the Customer;
• Visitors — individuals who visit our website, contact us for information, or interact with our Platform without completing a full registration.

Where RocketPay processes the Personal Data of End-Users on behalf of a Customer, the Customer is the Data Fiduciary and RocketPay acts as a Data Processor. In such cases, the Customer’s privacy policy governs the Customer’s relationship with the End-User. RocketPay’s obligations as a Data Processor are described in Section 10 below.

3. Key Definitions

Term	Meaning
Personal Data	Any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023.
Sensitive Personal Data	Financial data, health data, biometric data, official identifiers, and other categories specified under the SPDI Rules, 2011 and as may be notified under the DPDP Act, 2023.
Data Fiduciary	An entity that determines the purpose and means of processing Personal Data.
Data Processor	An entity that processes Personal Data on behalf of a Data Fiduciary.
Data Principal	The individual to whom Personal Data relates.
Processing	Any operation performed on Personal Data — collection, storage, use, disclosure, sharing, deletion, and more.
Consent	A free, specific, informed, and unambiguous indication of the Data Principal’s wishes by which they signify agreement to the processing of their Personal Data.
DPDP Act	The Digital Personal Data Protection Act, 2023.
UPI Autopay	The NPCI-governed recurring payment mandate framework via Unified Payments Interface.
eNACH	Electronic National Automated Clearing House — RBI-governed framework for recurring debit mandates.
Device Locking	Remote restriction of financed mobile device functionality upon payment default, via Google DLC and OEM-native locking infrastructure.

4. Personal Data We Collect

4.1 From Customers (Businesses and Lenders)

Category	Details
Business Identity	Legal name, trade name, type of entity, business registration number, GST number, CIN
Authorised Representatives	Name, designation, mobile number, email address, PAN, Aadhaar (for KYB verification)
Bank and Financial Details	Bank account number, IFSC code, account type — for settlement purposes
KYB Documents	Certificate of Incorporation, GST certificate, bank statement, authorisation letter, and other documents required for onboarding
Platform Usage	Login activity, API usage logs, dashboard actions, IP address, device information, session timestamps
Communication Data	Emails, support tickets, call records with our team

4.2 From End-Users (via Customers)

Category	Details
Identity	Name, mobile number
Financial Account	Bank account number, IFSC code, UPI ID — for mandate registration and debit execution
Mandate Data	Mandate reference number, amount, frequency, start/end date, status
Device Identifiers	IMEI number, device model, device brand — collected only for Device Locking customers; used solely to activate, manage, or deactivate device locks
Transaction Data	Debit attempt records, success/failure status, settlement reference numbers

4.3 From Website Visitors

• IP address, browser type, operating system, device type;
• Pages visited, time spent, referring URL;
• Cookie data (see Section 9 for details).

4.4 Data We Do Not Collect

We do not collect credit card or debit card numbers from End-Users. We do not collect social media credentials, messaging history, or any data unrelated to the collections and device locking use cases described above.

5. How We Use Personal Data

Purpose	Applies To
Customer onboarding and KYB verification	Customers
Mandate creation, modification, pause, and cancellation (UPI Autopay / eNACH)	Customers and End-Users
Execution of recurring debit instructions	End-Users
Device lock and unlock operations	End-Users (Device Locking customers only)
Settlement processing and reconciliation	Customers
Fraud detection and prevention	Customers and End-Users
Platform security and access control	Customers
Regulatory compliance and legal obligations (RBI, NPCI, IT Act, DPDP Act)	Customers and End-Users
Customer support and grievance resolution	Customers and End-Users
Platform analytics and service improvement (using anonymised/aggregated data)	Visitors and Customers
Transactional SMS and email alerts	Customers and End-Users
Marketing and product updates (only with explicit opt-in)	Customers

6. Lawful Basis for Processing (DPDP Act 2023)

6.1 Consent

Where we process Personal Data of End-Users (for example, for UPI Autopay or eNACH mandate registration), we rely on consent obtained through the mandate authentication flow. End-Users complete an active authentication step (UPI PIN, net banking login, or debit card authentication) that constitutes their consent to the mandate and associated data processing.

For marketing communications to Customers, we rely on explicit opt-in consent at the time of registration.

6.2 Contractual Necessity

Processing necessary to fulfil the services under our Customer Agreement or these Terms of Use — including onboarding, mandate execution, settlement, and device lock/unlock operations.

6.3 Legitimate Uses

Processing necessary to comply with Applicable Law (including RBI and NPCI requirements), prevent fraud, and maintain the security and integrity of the Platform.

7. UPI Autopay and eNACH Mandate Data

When a Customer sets up a UPI Autopay or eNACH mandate for an End-User:

• The End-User’s bank account details, UPI ID, and mandate parameters are collected solely for the purpose of executing recurring debit instructions.
• This data is shared with NPCI (for UPI Autopay), the sponsoring bank (for eNACH), and the relevant payment network as required to process the mandate.
• RocketPay does not use End-User mandate data for any purpose other than mandate management and execution on behalf of the Customer.
• Mandate reference numbers, debit status records, and settlement data are retained for the period specified in Section 11 (Data Retention).

Customers who set up mandates for End-Users are themselves Data Fiduciaries for that data. Customers must maintain their own lawful basis for sharing End-User data with RocketPay and must ensure End-Users have been informed of the mandate and the data sharing involved.

8. Device Locking Data

For Customers using the Device Locking feature (Google DLC), RocketPay collects and processes:

• IMEI number of the financed device;
• Device model, brand, and operating system version;
• Lock/unlock event logs with timestamps;
• Loan or financing reference number (as provided by the Customer).

This data is used solely to activate, manage, and deactivate device locks at the Customer’s instruction. It is shared with our DLC technology partners to the extent necessary to operate the device locking infrastructure, under applicable data processing agreements.

Device identifier data is not used for profiling, advertising, or any purpose unrelated to the device financing and recovery use case.

End-User consent to device locking and associated data collection must be obtained by the Customer as part of the financing agreement — as required under Section 7 of our Terms of Use. The Customer is the Data Fiduciary for device locking data.

9. Cookies and Tracking Technologies

Our website (rocketpay.co.in) uses cookies and similar tracking technologies to:

• Maintain session state and authentication;
• Understand how visitors use the site (page views, navigation paths, time on page);
• Improve website performance and user experience;
• Detect and prevent fraudulent or unauthorised access.

We use two types of cookies:

• Session cookies — temporary cookies that expire when you close your browser. Used to maintain your logged-in session on the Platform.
• Persistent cookies — cookies that remain on your device until you delete them or they expire. Used for analytics and platform improvement.

Third-party analytics tools (such as Google Analytics) may also set cookies on our website. These tools collect anonymised, aggregated data about site usage. They do not have access to your name, mobile number, or any other Personal Data associated with your RocketPay account.

You can disable cookies in your browser settings. Note that disabling cookies may affect the functionality of the Platform, particularly login and session management features.

We do not use cookies for targeted advertising, and we do not sell or share cookie data with advertisers.

10. Transfer and Disclosure of Personal Data

10.1 When We Share Data

We do not sell, rent, or trade your Personal Data. We share Personal Data only in the following circumstances:

Recipient	Purpose and Basis
NPCI	To register and execute UPI Autopay mandates — contractual necessity
Sponsor Banks (NACH)	To register and execute eNACH mandates — contractual necessity
DLC Technology Partners	To operate Device Locking infrastructure — contractual necessity; bound by data processing agreement
Banking Partners	For settlement processing — contractual necessity
RBI, NPCI, and Regulatory Authorities	Where required by law, regulation, or direction — legal obligation
Courts and Law Enforcement	In response to a valid court order, subpoena, or legal process — legal obligation
Auditors and Legal Counsel	For audit, compliance, or legal advice purposes — legitimate use; under confidentiality obligations
Successor Entity (in case of M&A)	If RocketPay is acquired or merges, subject to the acquirer honouring this Policy — legitimate use

10.2 RocketPay as Data Processor

• We process End-User data only on the documented instructions of the Customer;
• We do not use End-User data for any purpose beyond what is necessary to provide the Services to the Customer;
• We maintain appropriate technical and organisational security measures;
• We notify Customers promptly in the event of a Personal Data breach involving their End-User data;
• We assist Customers in responding to Data Principal rights requests where the data is within our control.

10.3 What We Never Do

• Sell Personal Data to third parties;
• Share Personal Data with advertisers or data brokers;
• Use End-User mandate or device data for any commercial purpose unrelated to the Services;
• Transfer Personal Data outside India except as described in Section 14.

11. Data Retention

We retain Personal Data for the minimum period necessary to fulfil the purpose for which it was collected, comply with legal and regulatory requirements, and resolve disputes.

Data Category	Retention Period
Customer onboarding and KYB documents	5 years after termination of the Customer relationship — as required under RBI PA/PG guidelines
UPI Autopay mandate records	5 years from the date of the last transaction on the mandate — NPCI requirement
eNACH mandate records	5 years from the date of the last transaction on the mandate — NPCI/RBI requirement
Transaction and settlement records	5 years — RBI and IT Act requirements
Device locking event logs (IMEI, lock/unlock records)	5 years from the date of the last lock/unlock event, or termination of the Customer relationship, whichever is later
Platform access and API logs	2 years — for security, audit, and fraud detection purposes
Customer support and grievance records	3 years from resolution — Consumer Protection Act requirements
Website cookies and analytics data	Up to 2 years, or as set by the relevant analytics provider

After the applicable retention period, Personal Data is securely deleted or anonymised. Anonymised data (which cannot be used to identify any individual) may be retained indefinitely for statistical and analytical purposes.

Where a Customer requests deletion of their data before the end of the retention period, we will comply to the extent permitted by Applicable Law. Statutory retention obligations (such as RBI’s requirement to retain payment records) may prevent us from deleting certain data earlier.

12. Data Security

We implement appropriate technical and organisational security measures to protect Personal Data against unauthorised access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit (TLS/HTTPS) and at rest;
• Role-based access controls — limiting access to Personal Data to employees and contractors who need it to perform their job functions;
• Regular security audits and vulnerability assessments;
• Multi-factor authentication for Platform access;
• Incident response and breach notification procedures.

You acknowledge that no method of transmission over the internet or electronic storage is completely secure. While we take commercially reasonable precautions, we cannot guarantee absolute security of data transmitted to or stored on our systems.

12.1 Personal Data Breach Notification

• Notify the Data Protection Board of India (once constituted) in accordance with the timelines prescribed under the DPDP Act and implementing rules;
• Notify affected Customers promptly so they can take appropriate action in relation to their End-Users;
• Take immediate steps to contain the breach and prevent further compromise.

13. Your Rights as a Data Principal (DPDP Act 2023)

13.1 Right to Access

You have the right to obtain a summary of your Personal Data that we process and information about the processing activities carried out on it. To exercise this right, write to us at support@rocketpay.co.in with your name, mobile number, and a description of the data you wish to access.

13.2 Right to Correction and Erasure

You have the right to request correction of inaccurate or incomplete Personal Data. You also have the right to request erasure of your Personal Data where:

• The purpose for which the data was collected is no longer applicable;
• You have withdrawn consent and there is no other lawful basis for processing;
• The processing was unlawful.

We will comply with erasure requests to the extent permitted by Applicable Law. Where a statutory retention obligation applies (e.g., RBI’s 5-year record-keeping requirement for payment data), we will inform you of the reason we are unable to erase the data at that time.

13.3 Right to Grievance Redressal

If you have a complaint about how we process your Personal Data, you have the right to have it addressed. See Section 18 for grievance contact details and timelines.

13.4 Right to Nominate

You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. To register a nominee, write to support@rocketpay.co.in.

13.5 How to Exercise Your Rights

Send your request to support@rocketpay.co.in with:

• Your full name and mobile number registered with us (or with the Customer, for End-Users);
• A description of the right you wish to exercise;
• Any supporting information relevant to your request.

We will acknowledge your request within 3 business days and respond substantively within 30 days. For complex requests, we may extend this period by a further 15 days with prior notice to you. We may need to verify your identity before fulfilling the request.

14. Cross-Border Data Transfers

All Personal Data collected by RocketPay is stored and processed in India on servers located in India.

RocketPay shares device identifier data (IMEI, device model) with DLC technology partners for the purpose of operating the Device Locking infrastructure. Where such partners are based outside India, the transfer is governed by data processing agreements that include appropriate contractual safeguards. RocketPay ensures that these partners process this data only as instructed and in accordance with applicable Indian data protection law.

No other Personal Data is transferred outside India. If any future service requires cross-border transfer, we will update this Policy and ensure such transfer is in compliance with DPDP Act provisions and any applicable Government of India notifications on cross-border data transfer restrictions.

15. Third-Party Links and Services

The Platform may contain links to third-party websites, payment applications (such as BHIM, Google Pay, PhonePe), or banking portals. These third-party platforms have their own privacy policies and we have no control over or responsibility for their data practices. We encourage you to review the privacy policy of any third-party platform before providing them with your Personal Data.

RocketPay is not responsible for the privacy practices or content of linked third-party websites.

16. Changes to This Privacy Policy

We may update this Policy from time to time to reflect changes in our services, regulatory requirements, or data practices. Material changes will be communicated to registered Customers via email or platform notification at least 30 days before the change takes effect.

For changes required by law or regulation, the revised Policy may take effect with shorter notice or immediately, as required.

Your continued use of the Platform after the effective date of an updated Policy constitutes your acceptance of the revised terms. If you do not agree to the changes, you must stop using the Platform and notify us of your intention to terminate.

The current version of this Policy is always available at rocketpay.co.in/privacypolicy.

17. Applicable Law

This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000 and its rules, and other applicable Indian legislation. Any dispute arising out of this Policy shall be subject to the exclusive jurisdiction of the competent courts in Bengaluru, Karnataka.

18. Grievance Redressal and Data Protection Contact

18.1 General Support

• Email: support@rocketpay.co.in
• Working hours: Monday to Friday, 10:00 AM to 6:00 PM IST (excluding public holidays)

18.2 Privacy and Data Rights Requests

• Email: support@rocketpay.co.in
• Response within: 30 days of receipt (or as prescribed under DPDP Act implementing rules)

18.3 Grievance Officer

Grievance Officer	Arpit Bajpai
Designation	Compliance Officer
Company	Absird Financial Technologies Private Limited (RocketPay)
Address	Building Number 917, 1st Floor, 5th Main Rd, Sector 7, HSR Layout, Bengaluru
Email	support@rocketpay.co.in
Phone	+91 8951158001
Grievance Resolution Timeframe	30 days from receipt of complaint

18.4 Regulatory Escalation

• The Data Protection Board of India — once constituted under the DPDP Act, for complaints related to processing of your Personal Data;
• The RBI Ombudsman — for payment-related grievances;
• The National Consumer Helpline (1800-11-4000) — for consumer protection matters.

— End of Privacy Policy —
Absird Financial Technologies Private Limited | RocketPay | rocketpay.co.in