Privacy Policy

Effective Date: 04/10/2025 | Last Updated: 24/11/2025

Truepay Finance Private Limited (“we”, “us”, “our”, or the “Company”) is a non-banking financial company (NBFC) registered in India. Our services are delivered through our mobile application under the name Truepay Finance and website https://truepay.co.in/ (collectively referred to as the “Platform”). We respect your fundamental right to privacy and are committed to ensuring that all Personal Data collected from individuals who use or interact with our Platform (“you”, “user”, “Customer”, or “Data Principal”) is handled responsibly and transparently. This Privacy Policy describes in clear and detailed terms the types of Personal Data we collect, the reasons we collect and process such data, the manner in which we store, use, disclose, transfer, and protect it, the rights that you hold under applicable law, and the channels through which you may exercise those rights. This Policy applies to all Personal Data that we process in connection with our lending services, customer support activities, marketing operations, and any other interactions you have with the Company.

1. SCOPE & APPLICABILITY

This Privacy Policy applies to every individual whose Personal Data is processed by the Company in connection with any of our lending activities or the operation of our digital Platform. This includes individuals who apply for or avail unsecured personal loans, loans against mutual funds, or any other credit products offered directly by the Company or facilitated through business correspondents, lending service providers (LSPs), partner lenders, or other authorised intermediaries. It also extends to borrowers with active or past loans, and end users who engage with our digital services, as well as any visitor who accesses or interacts with our Platform, or any affiliated digital interface. This privacy policy does not apply to information collected by the Company in other ways, including information collected offline. This Policy is intended to supplement, and not replace, the terms of any agreements, consent forms, disclosures, or contractual documents executed between you and the Company or its authorised partners. In the event of any inconsistency between this Policy and the express terms of such contractual arrangements, the terms of the contract shall prevail to the extent allowed by applicable law, while the remaining provisions of this Privacy Policy shall continue to apply in full force.

2. LAWFUL FRAMEWORK & LEGAL COMPLIANCE

Our Processing of Personal Data is conducted strictly in accordance with the legal and regulatory framework applicable in India and the specific requirements governing digital lending ecosystems. This includes full compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Digital Personal Data Protection Rules, 2025 notified on 14 November 2025, and all subsidiary rules, notifications, and directions issued thereunder. We also adhere to the provisions of the Information Technology Act, 2000 and its allied rules relating to data security and reasonable security practices. In addition, our operations comply with all applicable Reserve Bank of India (RBI) regulations, circulars, and guidelines, including those governing digital lending, outsourcing of financial services, the roles and responsibilities of regulated entities, Lending Service Providers (LSPs), Business Correspondents (BCs), KYC and Anti-Money Laundering (AML) norms, Fair Practices Code requirements, credit reporting obligations, and the Scale Based Regulations applicable to NBFCs, as amended from time to time. Where applicable, we also comply with payment and settlement system laws, consumer protection laws, industry standards, and any other statutory or regulatory obligations that may apply to the Company or to our partner entities involved in the lending journey. Depending on the purpose and nature of Processing, we rely on various lawful bases recognised under applicable law. These include obtaining your consent for specific Processing operations, performing or entering into a contract to provide the services you have requested, complying with legal or regulatory obligations imposed on us as a regulated financial institution, protecting your vital interests or the interests of others, or pursuing any other legitimate ground that is expressly permitted under the DPDP Act and other applicable laws. 
Our Processing activities are designed to ensure lawful, fair, and transparent handling of Personal Data within the digital lending ecosystem, whether such data is processed directly by us or through authorised and regulated third-party partners.

3. DEFINITIONS

For the purpose of this Privacy Policy, the following terms carry the meanings described below. These definitions are intended to provide clarity and ensure that you fully understand how your Personal Data is handled when you interact with our Platform.

a. “Personal Data” or “Personal Information” refers to any information that directly or indirectly relates to an identified or identifiable natural person. This includes details such as your name, identification numbers, contact information, financial details, device identifiers, transactional data, behavioural data, or any other piece of information that can reasonably be used to identify you, either by itself or in combination with other data available to us.
b. “Sensitive Personal Data” or “Sensitive Data” includes specific categories of information that, due to their nature, require enhanced protection under applicable Indian laws. This includes financial information such as bank account numbers, income details, credit history, repayment behaviour, credit scores, authentication data (including biometric identifiers, if ever collected), and any additional categories designated as sensitive by regulatory authorities or applicable laws. Such data is handled with heightened security controls and is processed strictly in accordance with regulatory requirements.
c. “Processing” refers to any operation or set of operations performed on Personal Data, whether automated or manual. This includes collecting, receiving, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, transmitting, sharing, publishing, disclosing by any means, restricting, erasing, destroying, anonymising, or profiling Personal Data. Processing also includes any technical or operational action taken to support these activities.
d. “Data Principal” refers to the individual to whom the Personal Data relates.

4. LEGAL BASIS FOR PROCESSING

We process your Personal Data only when we have a lawful and valid basis to do so, and strictly within the limits permitted under applicable law. Each Processing activity is anchored in one or more recognised legal grounds, which may include:

  •   your free, informed, unconditional, and specific consent for the particular purpose of Processing;
  •   the performance of a loan agreement or any related contract or service that you have requested/ undertaken from us;
  •   compliance with statutory, regulatory, or supervisory obligations imposed by authorities such as the Reserve Bank of India, financial intelligence and enforcement agencies, credit information companies, or competent courts and tribunals or any other regulatory or governmental organization;
  •  the legitimate interests of the Company in facilitating responsible lending, preventing fraud, conducting credit assessments, improving security, managing operational efficiency, or ensuring the safe functioning of our Platform, provided such interests do not override your rights and freedoms; and
  •   the protection of your vital interests or the vital interests of another individual in situations where such Processing becomes necessary.

We do not process your Personal Data for any purpose that is incompatible with or materially different from the purpose for which it was originally collected, unless such further Processing is authorised by law or carried out with your explicit consent.

5. CATEGORIES OF DATA WE COLLECT

We collect a wide range of Personal Data because the nature of digital lending requires detailed information to establish identity, verify authenticity, assess creditworthiness, detect fraud, and fulfil regulatory obligations.

  •   Identity and Profile Data (Mandatory): We collect identity and profile data to verify your eligibility for our services and to maintain accurate customer records. This includes your full name, date of birth, gender, photograph, geo-location and, when required for due diligence or statutory processes, the name of your father, mother, or legal guardian. This information helps us establish your identity and ensures that we are engaging with the correct individual during the lending process.
  •  Contact Data (Mandatory): We collect contact details so that we can communicate with you effectively and deliver important information about your loan application, account status, repayment obligations, or service updates. This information includes your mobile number, email address, residential address, correspondence address, and any alternative contact numbers you provide. These details enable us to reach you for mandatory notices, alerts, verification calls, and customer support interactions.
  •  KYC and Identity Verification Data (Mandatory): In compliance with KYC regulations, we collect information from officially valid documents that help verify your identity and address. This includes without limitation, Aadhaar, and PAN along with supporting proof-of-address materials. We may also collect your selfie or photograph for liveness checks, as permitted by law and required to prevent identity fraud or impersonation.
  •  Financial and Employment Data (Mandatory): To assess your creditworthiness and determine your ability to repay a loan, we require certain financial and employment information. This includes your bank account details, IFSC code, bank statements, salary slips, income certificates, tax returns, and details relating to your employer or business. This data is considered sensitive and is processed with a high level of protection, solely for loan servicing, and compliance with financial regulatory requirements.
  •  Transaction, Account and Loan Data (Mandatory): In administering your loan and maintaining your account, we collect information related to your loan applications, executed loan agreements, disbursement records, repayment history, EMI schedules, payment references, transaction timestamps, and other operational data. These records help us manage your loan, maintain transparency in your account activity, comply with reporting requirements, and address disputes or service requests effectively.
  •  Device and Technical Data (Mandatory): When you use our Platform, we automatically collect certain technical information that helps us maintain the security and performance of our systems. This includes device identifiers, IP address, operating system details, browser type, device metadata, crash logs, and behavioural interaction data such as pages viewed or features accessed. We may use cookies or similar technologies to improve functionality, enhance user experience, and secure your sessions. We also collect details of hardware model, build model, RAM, storage; unique device identifiers like IMEI, serial number, SSAID; SIM information that includes network operator, roaming state, MNC and MCC codes, WIFI information that includes MAC address and mobile network information to uniquely identify the devices and ensure that no unauthorized device acts on your behalf to prevent frauds.
  •  Behavioural and Credit Scoring Data (Mandatory): To make responsible, compliant, and risk aware lending decisions, we analyse behavioural information and risk indicators associated with your profile. This may include your responses in loan applications, repayment patterns, historical credit bureau information, alternative data signals such as telecom usage, payment behaviour, and device-related indicators, all collected in accordance with applicable law. These inputs help us generate internal credit scores and risk assessments that guide our lending decisions.
  •  Communications and Support Data (Mandatory): Whenever you interact with our customer support channels, we retain records of those communications to improve service quality, resolve issues, and meet audit or regulatory requirements. This may include call recordings (where permitted and compliant with consent rules), chat transcripts, emails, grievance reports, and support logs. CCTV footage may be collected if you visit our physical premises to ensure workplace safety and security.
  •  Third-Party and Publicly Available Data (Mandatory): We may receive information about you from authorised third-party sources, such as credit bureaus, public databases, verification agencies, fraud prevention networks, and regulated data aggregators. This data is used to validate your identity, detect fraud, comply with statutory obligations, and supplement our underwriting and risk assessment processes. We only access such data where legally permitted and required for legitimate business purposes.
  •  Sensitive Special-Category Data (Mandatory): We generally do not collect health-related data or other categories of highly Sensitive Personal Information unless it is absolutely necessary for a specific legal or service-related purpose. In exceptional cases where such information is required, we will collect it only with your explicit consent or in circumstances clearly permitted under law. We ensure heightened protection and restricted use of such data.

6. PURPOSES OF PROCESSING

We process each category of Personal Data only for specific, lawful and clearly defined purposes. Your information is primarily used to evaluate your loan application, verify your identity, carry out underwriting and credit assessments, and ensure that the details you provide are accurate and complete. We rely on your data to disburse and service loans, manage repayments, generate account statements, remind you of upcoming due dates, and support you with customer assistance, risk reviews, portfolio monitoring, collections, recoveries, and the enforcement of our contractual rights. It also enables us to address your queries, resolve grievances, and manage any disputes that may arise. Your data further supports us in ensuring the safety and integrity of our Platform. This includes preventing fraud, carrying out anti-money laundering (AML) and counter-terrorist financing (CTF) checks, identifying unusual or suspicious activity, verifying device authenticity, and maintaining overall system security. We also process your information to meet legal and regulatory obligations, such as reporting requirements before the RBI and other authorities, responding to directions from judicial or quasi-judicial bodies, cooperating with law-enforcement agencies, fulfilling KYC norms, interacting with credit information companies, and complying with audit or statutory review processes. This also includes complying with court orders, subpoenas, legal processes, or taking necessary steps to protect the rights, property or safety of the Company, our customers, or the public. In addition, your data helps us strengthen our internal operations by enabling audits, improving efficiency, studying platform usage trends, refining our algorithms, developing new features, and carrying out research, analytics, and training-related activities. 
From time to time, certain information may also be used to support service-related outreach and communication activities facilitated through trusted partners who assist us in operational processes linked to customer engagement and repayment management. Where required, and only with your prior consent, we may also use your information to send you marketing or promotional messages.

7. SOURCES OF DATA

We collect Personal Data from a variety of sources to ensure that the information we process is accurate, complete and relevant for the services we provide.

  •  Directly from you: The primary source of data is you, when you interact with our Platform and voluntarily submit information as part of your loan application. This includes the details you enter in forms, documents or photographs you upload for verification, and any confirmations, declarations or statements you provide during the course of your relationship with us.
  •  From your device: We also obtain information from the devices you use to access our Platform. This may include device identifiers, network information, technical logs generated by the application, IP addresses, operating system details, usage data, and cookie-based or similar tracking information that helps us maintain platform performance, security and continuity of service.
  •  From third parties: In addition, we may receive information from third parties with whom we work as part of the lending process. These may include credit information companies for credit scores and credit history, banks and payment networks for transaction-related details, government-provided identity systems for verification purposes, and authorised accounts and data aggregators, service providers, or analytics partners who assist in various compliance, operational or assessment activities.
  •  Public or commercially available sources: We may also draw upon publicly accessible sources or commercially available databases, where such information is relevant for verification, regulatory compliance, fraud prevention, due-diligence or risk assessment purposes.

All Personal Data obtained from third parties is collected strictly in accordance with applicable laws, contractual obligations and regulatory requirements. Where necessary, and whenever required under law, such collection or access will be clearly stated in the notices provided to you or will be undertaken with your consent.

8. AUTOMATED DECISION-MAKING AND PROFILING

Our digital lending model relies on advanced automated systems that assess your creditworthiness and determine your loan eligibility by analysing a combination of factors for quick disbursal of loan. These may include your financial information, credit bureau reports, repayment history, behavioural patterns, device-level indicators, and other relevant data points necessary for making an initial credit decision. These automated systems are designed to provide a fair, consistent, and efficient evaluation based on established risk and underwriting criteria. Although our technology enables largely automated assessments, there may be instances where the system is unable to complete its evaluation or where additional verification becomes necessary. In such situations, your application may be routed for a manual review by authorised members of our credit risk, or verification teams. This manual review is an internal safeguard intended to ensure accuracy, regulatory compliance, and responsible lending, and is conducted strictly at the Company’s discretion. It is important to understand that the automated assessment process, or the use of manual review as part of our internal workflows, does not create any entitlement for you to demand human intervention, request disclosure of proprietary assessment logic, or seek a reconsideration of decisions unless such rights are expressly granted under applicable law. Any further review, verification, or assessment, whether automated or manual is undertaken in accordance with our internal policies, regulatory guidelines, and operational protocols that govern responsible credit decision-making.

9. CONSENT FOR CREDIT AND VERIFICATION INFORMATION

By submitting a loan application, you expressly consent to the Lender accessing, collecting, and using your PAN, credit bureau information, and other verification data strictly for purposes of assessing your creditworthiness, evaluating eligibility, preventing fraud, and complying with applicable legal and regulatory obligations. The Lender may share such information with authorised third-party service providers, regulated financial partners, credit information companies, and verification agencies solely for Processing your application or servicing your loan. Your credit information may be refreshed or re-evaluated periodically, as permitted by law, for ongoing risk monitoring, portfolio management, repayment assessment, and offering improved or updated credit products where eligible. All such access will be conducted in accordance with applicable RBI regulations, the DPDP Act, and any other governing laws.

10. DISCLOSURE AND SHARING OF DATA

We may share your Personal Data with a limited and carefully selected set of recipients, strictly for purposes that are necessary, lawful, and consistent with this Privacy Policy. Such sharing is carried out on a need-to-know basis and always governed by appropriate contractual, technical, and organisational safeguards. We may disclose information to:

  •  Administrators: For internal operations and system maintenance, bound by strict confidentiality.
  •  Affiliates: To support service delivery and marketing efforts, in accordance with applicable privacy terms. Certain partners may assist in facilitating service-related communications or outreach initiatives that help us maintain engagement with customers and support our operational processes.
  •  Business Partners & Service Providers: Including identity verification platforms, KYC/eKYC partners, payment gateways, analytics and technology partners, account aggregators, credit bureaus, fraud-prevention and risk-assessment vendors, cloud infrastructure providers, customer support vendors, analytics providers, and entities engaged in collection-related or legal support activities, who support our operational, technical, compliance, and customer-facing functions, including but not limited to KYC, credit checks, payment processing, and platform performance.
  •  Recovery Agencies: For recovery related assistance, in compliance with applicable laws and RBI guidelines.
  •  Asset Reconstruction Companies (ARCs): CFL may transfer, assign, sell, or otherwise dispose of any of our rights, obligations, or interests in your loan account to one or more Asset Reconstruction Companies (ARCs) or any other permitted third parties for the purpose of recovery, restructuring, or resolution of dues. In such cases, your account information, including personal data, may be shared with such entities as required under applicable laws and for legitimate business purposes.
  •  Joint Marketing Partners: Under formal agreements that include stringent data protection clauses.
  •  Legal & Regulatory Authorities: As required by applicable law or regulatory order, without requiring your prior consent. Where required under law, we may disclose information to regulators, supervisory authorities, law-enforcement agencies, courts, tax authorities, and other statutory bodies.
  •  We may share data with credit information companies (CICs) and similar authorised bureaus for obtaining or reporting credit information, and with banks, co-lenders, guarantors, financiers, or similar parties involved in loan structuring, syndication, or assignment.
  •  In Case of Business Transfers: In the event of a business transfer, merger, acquisition, sale of assets, reorganisation, or similar corporate event, where such disclosure is necessary. We may also share Personal Data with professional advisors or prospective or actual counterparties in such connection.
  •  In all other situations, Personal Data is shared only with your explicit consent and in accordance with applicable legal requirements. We require that all third parties processing data on our behalf do so in compliance with applicable laws, maintain confidentiality, and implement appropriate security measures, and such third parties act as independent entities and remain solely responsible for their own independent actions. Further, with your specific consent, we may share or distribute limited Personal Data to carefully selected partner entities who offer debt advisory, financial assistance, credit improvement services, or other related solutions or refer similar products to you. All such entities act independently and are responsible for their own processing activities. The partner entity will process your Personal Data in accordance with its own privacy policy and service terms. We do not control or take responsibility for how the partner offers or delivers its services once the data is shared. You are under no obligation to engage with the partner, and you may decline or withdraw your consent at any time without affecting your relationship with us or your ability to apply for loans in the future.

11. MOBILE NUMBER COLLECTION & FRAUD PREVENTION

We collect and verify your mobile number to ensure that the registered number is active on the device being used, which helps prevent impersonation, unauthorised access, and fraudulent transactions. Mobile number verification forms an integral part of KYC compliance, user authentication, and secure account access in digital lending services. Your mobile number functions as a primary identifier and communication channel for loan-related alerts, verification codes, security notifications, and transactional updates. Accordingly, mobile number verification is mandatory to enable safe and uninterrupted access to our services.

  •  Camera Access: Camera access is required solely for capturing your profile photograph for verification; and scanning documents such as PAN for quicker and more accurate onboarding. This enables auto-fill assistance, reduces manual errors, and supports secure identity verification. We do not use the camera for any background or undisclosed activities.
  •  Storage / Media Access: Storage access is sought only for secure uploading of KYC documents; downloading loan statements, agreements, and account information; and storing or retrieving documents that you voluntarily choose to upload. We do not access any personal media, photos, videos, or files unrelated to your KYC or loan documentation.
  •  Location (GPS) Access: Location access may be used to verify address details; assess service availability in your area; conduct risk evaluations; and detect and prevent fraudulent or unauthorised activities. We do not collect continuous location data. Location is accessed only when required and permitted by you.
  •  Push Notifications: Push notifications help us provide updates on your loan application status; EMI reminders and payment alerts; information on important policy or security updates; and service-related communications. You may manage or disable notifications through your device settings at any time.
  •  Financial SMS Information (Regulated Access): We do not read, collect, or store your personal SMS messages. With your explicit consent, we may access and analyse only financial SMS messages, including past (historical) messages, received on your device from 6-digit alphanumeric sender IDs of banks, NBFCs, credit card issuers, payments banks, and other regulated financial institutions, as per TRAI DLT guidelines, including bank transaction alerts, salary credits, EMI debits, and other financial updates issued by regulated entities. This limited access enables us to identify your active bank accounts; understand cash-flow patterns; assess creditworthiness and risk profile; and provide you access to loan facilities offered by regulated financial partners.

Data Use, Storage & Compliance Assurance: All permissions and associated data are handled in accordance with RBI Digital Lending Guidelines (2025 & updates), the DPDP Act, 2023 and Rules, applicable sectoral regulations, and the principles of data minimisation, purpose limitation, and user consent. No data is shared with third parties except as permitted by law and strictly for regulated lending, underwriting, fraud prevention, or servicing activities. These permissions help ensure an efficient loan process and compliance with applicable privacy and data-protection regulations. Any information collected by us in the capacity of an LSP is shared with the Regulated Entity and thereafter deleted in accordance with the agreed terms between the Regulated Entity and us.

13. CROSS-BORDER DATA TRANSFERS

As of the current date, all Personal Data is stored and processed within India. However, depending on our business, operational or technological requirements, we may in the future engage trusted third party service providers located outside India to support functions such as storage, Processing, analytics, platform maintenance, or technical support. Any such transfer will be carried out strictly in accordance with the Digital Personal Data Protection Act, 2023, the applicable Rules, and any sector specific guidance issued by the RBI or other regulators. Where required, we will implement appropriate safeguards, including contractual protections, encryption, access controls, standard contractual clauses, or any additional measures prescribed under law, to ensure that the level of protection afforded to your data remains consistent with Indian legal requirements. If any data-localisation obligations apply under Indian law, such as sector-specific requirements, RBI guidelines, or other regulatory directives, we will store, maintain and handle such categories of data within India to the extent mandated. In such cases, any cross-border transfer will be limited or restricted in compliance with the applicable localisation requirements.

14. DATA RETENTION

We retain Personal Data only for the period necessary to fulfil the purposes set out in this Policy and to meet our contractual, operational, legal, regulatory, taxation, audit and litigation-related obligations. Certain categories of information such as KYC records, loan documentation, financial data and transaction-related information are retained for a minimum period of ten (10) years from the date of closure of the loan account or completion of the relevant transaction, or for such longer period as may be mandated under applicable laws and regulatory directions issued by the RBI or other authorities. After the expiry of the applicable retention period, or once the data is no longer required for the purposes for which it was collected, we will securely delete, irreversibly anonymise, or otherwise dispose of the data in accordance with our internal retention schedules and legal requirements. Anonymisation, where applied, is performed in a manner that ensures the data can no longer be used to identify any individual.

15. SECURITY MEASURES

We have established and maintain a robust information security framework designed to safeguard Personal Data against unauthorised access, disclosure, alteration, and destruction. Our security programme incorporates a comprehensive combination of organisational, technical, administrative, and physical controls consistent with applicable law, RBI guidelines, and recognised industry standards. These measures include, without limitation, role-based access controls; multi-factor authentication for administrative and privileged access; encryption of Sensitive Data in transit and at rest; secure cryptographic key-management practices; OTP verification; endpoint and network security controls; firewalls and intrusion detection/prevention systems; secure software development methodologies; and continuous logging, monitoring, and alerting across our technology environment. We conduct regular vulnerability assessments, penetration testing, security hardening, and periodic internal and external audits to evaluate the effectiveness of these measures. We also apply timely security patching, enforce data-minimisation principles, and provide mandatory training to personnel on information-security and data-protection obligations. We regularly review our information collection, storage, and processing practices, including physical security measures, to prevent unauthorised access to our systems. Our Platform has stringent security measures in place to protect against the loss, misuse and alteration of information under our control. We endeavour to safeguard and ensure the security of the information provided by you. We use Secure Sockets Layer (SSL) based encryption for the transmission of information, which is currently the required level of encryption in India as per applicable law. We maintain documented incident-response and breach-management procedures to address security events in a structured and timely manner.
In the event of a personal-data breach, we will initiate all required containment and mitigation steps and notify affected Data Principals and the relevant regulatory authorities in accordance with applicable legal and regulatory requirements. We build security into multiple steps within our products using state-of-the-art technology to ensure our systems maintain strong security measures, and the overall data and privacy security design allows us to defend our systems against threats ranging from low-hanging issues to sophisticated attacks. In addition, the Website and App have been certified for the following security certifications:

  •   ISO 9001: the international standard that details requirements for a quality management system (QMS). Organizations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements with the requisite security protections.
  •   ISO 27001 (formally known as ISO/IEC 27001:2005): a specification for an information security management system (ISMS) and the suggested level of certification required under the Information Technology Act, 2000. An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.

16. DATA BREACH NOTIFICATION

In the event of a confirmed Personal Data breach that is likely to result in a risk of harm to a Data Principal, we will activate our incident-response protocols, investigate the event, take immediate steps to contain and mitigate the breach, and notify the competent authorities and affected individuals in accordance with applicable legal and regulatory requirements. Any notification issued by us will outline the nature of the breach, the categories of data involved, the potential impact, the measures taken or proposed to mitigate the associated risks, and the contact details through which affected individuals may seek further information or assistance. Where specific statutory timelines for breach reporting are prescribed under the DPDP Act, the DPDP Rules, or any other applicable law or regulatory direction, we will ensure compliance with such timelines.

17. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies, software development kits (SDKs), and similar tracking technologies to operate, secure, analyse, and optimise our Platform, enhance user experience, and support certain functionality. These technologies help us understand usage patterns, maintain session integrity, improve performance, and detect fraudulent or unauthorised activity. You may manage or disable cookies through your browser or device settings; however, certain features of the Platform may not function properly if cookies are restricted.

18. SECURITY OF PAYMENT AND BANKING DATA

Payment card information, bank account details, and other sensitive financial data are handled in strict accordance with applicable laws, RBI directions, and recognised payment-industry standards. Where card information is stored or processed, it is tokenised and maintained exclusively through PCI-DSS compliant service providers. We do not store sensitive payment credentials beyond what is legally permitted and operationally necessary, and we implement appropriate security controls to protect such data during transmission and Processing. For your safety, we strongly advise that you do not share banking passwords, OTPs, card PINs, CVV numbers, or any other sensitive authentication credentials through unsecured channels or with unauthorised individuals.

19. CHILDREN AND MINORS

Our services are intended solely for individuals who are legally competent to enter into a contract under Indian law. We do not knowingly collect or process Personal Data of children or minors who do not meet the age of majority. If we become aware that Personal Data relating to a minor has been collected without the requisite consent of a parent or lawful guardian, we will take appropriate steps to delete such data in a timely manner and prevent any further Processing of it.

20. YOUR RIGHTS AND CHOICES

Subject to applicable law, verification of identity, and certain limitations, you may exercise the following rights in relation to your Personal Data:

  •   Right to access: You may request confirmation of whether we process your Personal Data and, where permitted, obtain a copy of such data.
  •   Right to correction: You may request correction or updating of inaccurate or incomplete Personal Data.
  •   Right to erasure: You may request deletion of your Personal Data where it is no longer required for the purposes for which it was collected and where no legal or regulatory obligation requires us to retain it. However, there may be delays in the deletion process, and backed-up copies may persist even after removal.
  •   Right to withdraw consent: Where Processing is based on your consent, you may withdraw that consent at any time. Withdrawal will not affect the lawfulness of Processing already carried out.
  •   Right to grievance redressal: You may raise a complaint with us regarding the handling of your Personal Data. If you are not satisfied with the resolution, you may escalate the matter to the Data Protection Board of India or any other competent authority, as applicable.

Where data-portability or restriction of Processing is mandated under specific laws or regulatory frameworks, such rights will be facilitated in accordance with those requirements. Requests may be submitted using the contact details provided in Section 21. We may seek additional information to verify your identity or validate the request. We will respond within the timelines prescribed under applicable law.

21. GRIEVANCE REDRESSAL & CONTACT POINTS

We have designated a Grievance Officer to address any questions, concerns, or complaints relating to the Processing of your Personal Data. You may contact the Officer using the details provided below, and we will review and respond to your grievance in accordance with the timelines prescribed under applicable law.

Principal Nodal Officer Email: info@truepay.co.in
Address: Office No. 604, 6th Floor, Fortune Business Hub, Nr. Satyamev Elysiym, Sola, Ahmedabad, Daskroi, Gujarat, India, 380060 [Mon - Sat (10:00 - 19:00)]

22. THIRD-PARTY SITES & LINKED SERVICES

Our Platform may contain links to third-party websites, services, plug-ins, or applications that operate independently of us. Please note that we do not control and are not responsible for the privacy practices, content, or security standards adopted by these third parties. Their handling of your Personal Data will be governed by their own privacy policies. We encourage you to review the applicable third-party privacy notices before accessing their services or sharing any Personal Data.

23. CONTRACTUAL & PROCESSOR SAFEGUARDS

We engage third-party service providers and processors under written agreements that require them to maintain appropriate confidentiality, security, and compliance standards. These agreements restrict any unauthorised use or disclosure of Personal Data and require Processing only in accordance with our instructions and applicable law. We conduct due diligence before onboarding such providers and periodically assess their adherence to contractual, technical, and organisational security obligations to ensure continued protection of Personal Data.

24. AUDITS, RECORDS & COMPLIANCE

We maintain records of our data-Processing activities in accordance with applicable legal and regulatory requirements and cooperate with any audits, inspections, or compliance reviews initiated by competent authorities. We also conduct periodic internal and external audits to evaluate the effectiveness of our privacy and security controls. This Policy is reviewed and updated from time to time to reflect changes in law, regulatory guidance, technological advancements, and our operational practices.

25. DISCLAIMERS & LIMITATIONS

While we employ reasonable and appropriate organisational, technical, and physical measures to safeguard Personal Data, no system of data transmission or storage can be guaranteed to be completely secure. To the extent permitted under applicable law, we disclaim liability for any unauthorised access, disclosure, loss, or alteration of Personal Data that occurs despite the implementation of reasonable security safeguards. Nothing in this section limits any mandatory statutory obligations or liabilities imposed on us under applicable law.

26. USER RESPONSIBILITY & ACCOUNT SECURITY

You are solely responsible for maintaining the confidentiality of your login credentials, device access, and any other means used to access your account. You agree to ensure that no unauthorised person gains access to your account or the services provided. All activities carried out through your account shall be deemed to have been undertaken by you, and the Lender shall not be liable for any loss, claim, or dispute arising from misuse, unauthorised access, negligence, or failure to secure your account credentials. You agree to immediately inform the Lender of any suspected compromise, unauthorised access, or misuse of your account so that necessary protective actions may be taken. The Lender reserves the right to accept, decline, suspend, or terminate your registration or access to the platform at its sole discretion and without obligation to provide prior notice or explanation, subject to applicable law.

27. ANCILLARY SERVICES

We may offer additional services such as chat rooms, blogs, and review sections as part of our platform. Any communication or content shared by you through these services (including text, images, audio, financial information, and feedback) will be considered non-confidential, subject to applicable laws. We are not obligated to refrain from reproducing, publishing, or using such content for any purpose. You are solely responsible for the accuracy and truthfulness of the content you share. By submitting feedback, you assign us all worldwide rights, titles, and interests in any associated copyrights or intellectual property. We may use your feedback in any manner we deem appropriate.

28. TERMINATION OF ACCESS & CONTINUED OBLIGATIONS

We may restrict, suspend, or terminate your access to the Platform or certain features where required by law, due to discontinuation of services, operational reasons, compliance requirements, or in circumstances where your account becomes inactive or your engagement with the lending services concludes. Uninstallation of the App or discontinuation of Platform use does not affect our right to retain, process, or use Personal Data as necessary for fulfilling legal, regulatory, contractual, or operational obligations, including but not limited to repayment of Outstanding Amount(s), recovery activities, fraud prevention, audit requirements, or compliance with directions issued by regulatory or law-enforcement authorities. Even after access to the Platform ends, we may continue to process your Personal Data for purposes permitted under this Privacy Policy, such as maintaining necessary records, monitoring repayment obligations, responding to legal or regulatory requests, enforcing our rights, and meeting mandatory retention requirements. Any rights or permissions granted to you to use the Platform shall cease upon termination, but your obligations, including repayment of dues and cooperation with legally permitted recovery processes, continue until fully discharged.

29. COMMUNICATIONS FROM THE PLATFORM

  •   Special Offers and Updates: We may send you promotional communications regarding products, services, special deals, or company newsletters. You have the option to unsubscribe via the provided mechanism in each communication or by emailing us at info@truepay.co.in.
  •   Service Announcements: Certain service-related announcements may be required by law or platform operations. These are non-promotional in nature, and you may not opt out of receiving them.
  •   Customer Service: We regularly engage with customers about their accounts and service requests via email or phone, depending on their preferred communication method.

30. INDEMNIFICATION

To the extent permitted by applicable law, you agree to indemnify and hold the Company, its affiliates, directors, officers, employees, and service providers harmless from and against any and all claims, liabilities, losses, damages, or expenses (including reasonable legal fees) arising out of or in connection with:

  •   any Personal Data, documents, or content you submit or upload to the Platform;
  •   your breach of this Privacy Policy or any applicable legal or regulatory requirement; or
  •   any violation of another person’s rights arising from your actions or use of the Platform.

31. LIMITATIONS OF LIABILITY

To the maximum extent permitted under applicable law, the Company shall not be liable for any indirect, incidental, consequential, special, or exemplary damages arising out of or relating to the use of the Platform or the Processing of Personal Data under this Privacy Policy. This includes, without limitation, loss of data, loss of profits, loss of reputation, business interruption, or any harm resulting from unauthorised access, alteration, disclosure, or destruction of Personal Data, except where such liability cannot be disclaimed under law. Nothing in this Policy limits any statutory rights you may have under the Digital Personal Data Protection Act, RBI regulations, or other applicable laws, or excludes liability for any act or omission for which limitation is not permitted by law.

32. GOVERNING LAWS & USER CONTROLS

This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023, and, where applicable, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. All Processing of Personal Data is carried out in compliance with these requirements. You retain control over the permissions and data you choose to share with us. Device-level settings allow you to manage or revoke access to features such as camera, storage, location, notifications, or other app permissions. You may request deletion of your account, correction of Personal Data, or removal of specific content from our systems in accordance with applicable laws and the rights described in this Policy by contacting our Support or Grievance Officer. Any disputes arising in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Ahmedabad, Gujarat, India. This Privacy Policy does not limit any statutory rights available to you under applicable law, nor does it expand liability beyond what is permitted by law.

33. FORCE MAJEURE

We shall not be responsible for any failure or delay in fulfilling our obligations under this Privacy Policy where such failure results from circumstances beyond our reasonable control. These may include natural disasters, acts of government or regulatory authorities, pandemics, network or internet failures, cyberattacks, system outages, war, civil disturbances, strikes, or any other unforeseen disruptions that materially impact our operations. During such events, we will take reasonable steps to restore affected services and maintain data protection safeguards to the extent feasible.

34. ACKNOWLEDGEMENT & CONSENT

By accessing or using our Platform, submitting an application, or otherwise providing your Personal Data, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, Processing, and disclosure of your Personal Data as described herein for the purpose of availing or facilitating any lending-related service offered through the Platform. These services may include, without limitation, unsecured credit products, loan-against-securities or mutual funds, co-lending arrangements, services provided in the capacity of a Business Correspondent (BC), services facilitated through a Loan Service Provider (LSP), and any other credit, verification, or financial assistance product provided directly by us or in partnership with regulated financial entities. You agree to comply with the responsibilities, terms, conditions, and privacy practices governing such services, as applicable to your engagement with us. To the extent permitted by law, your continued use of the Platform constitutes your acceptance of any revisions or updates to this Policy, where such acceptance is legally valid. By agreeing to this Privacy Policy, you also consent to receive marketing and promotional communications. These may include calls, SMS, emails, WhatsApp, RCS messages, etc. informing you about online and offline offers, products, services, and updates.

35. CONTACT US

As of the current date, all Personal Data is stored and processed within India. However, depending on our business, operational or technological requirements, we may in the future engage trusted third-party service providers located outside India to support functions such as storage, Processing, analytics, platform maintenance, or technical support. Any such transfer will be carried out strictly in accordance with the Digital Personal Data Protection Act, 2023, the applicable Rules, and any sector-specific guidance issued by the RBI or other regulators. Where required, we will implement appropriate safeguards, including contractual protections, encryption, access controls, standard contractual clauses, or any additional measures prescribed under law, to ensure that the level of protection afforded to your data remains consistent with Indian legal requirements. If any data-localisation obligations apply under Indian law, such as sector-specific requirements, RBI guidelines, or other regulatory directives, we will store, maintain and handle such categories of data within India to the extent mandated. In such cases, any cross-border transfer will be limited or restricted in compliance with the applicable localisation requirements.

36. CHANGES TO THIS POLICY

The board may amend, alter, revise, update or modify any or all of the clauses of this Privacy Policy from time to time, to reflect changes in applicable laws, regulatory requirements, industry practices, or our operational and security measures. Any such changes shall be published on the Platform and shall become effective upon posting, unless stated otherwise. Users are advised to periodically review this Privacy Policy for updates. Continued access to or use of the Services after such publication shall constitute acceptance of the revised Privacy Policy.

For inquiries or data-related requests, contact our Data Protection Officer at Info@trupay.co.in.