SUPPORT SFLC.IN

SFLC.in analyzes Policies of FinTech Apps

Posts

Recently, India has emerged as a major player in the global FinTech landscape, hosting 10,200 FinTech companies and holding the third-highest spot globally. One of the key pillars of this monumental shift has been the development and implementation of Unified Payments Interface (“UPI”). UPI is a system that merges several banking features across multiple banks and allows seamless fund routing and merchant payments into a single application. As of December 2024, over 16.73 billion transactions have been conducted through UPI. This has been one of the key initiatives that has facilitated India’s shift to a cashless economy.

Simultaneously, India’s financial technology boom has also led to newer forms of cyber crimes and frauds, ranging from digital arrest scams to KYC and UPI frauds. This has alarmed members of the general public and regulatory authorities alike, presenting a unique threat to cybersecurity and privacy of Indians across the country. In this blog post, we analyze the privacy policies of some of the most prominently used financial technology applications in India, to better understand how data privacy and security of customers’ data is managed.

METHODOLOGY

We evaluate the privacy policies across five key parameters:

  1. Categories of Data Collected: This section outlines the types of data an app collects from users and its legitimacy under the privacy policy.
  2. Third Party App/Devices the App Can Access: Some apps request permission to access data from other applications on the user’s device. We analyse whether the privacy policy clarifies why this access is needed and whether users can control these permissions.
  3. Third Party Access : We analyse whether the app shares user data with external parties, whether these parties are specified, what data is shared and if users can opt out.
  4. Rights under the Digital Personal Data Protection Act, 2023 (DPDPA) : We analyse whether the privacy policy mentions the rights available to data principles as provided in DPDPA, such as  Right to Withdraw Consent, Right to Access, Right to Erasure, Right to Correction and Right to Grievance Redressal.
  5. Plain Language and Readability : We analyse whether the privacy policy is written in clear, simple language that is easy for users to understand.
  6. Data Protection Score: For the Data Protection Score, we assess apps based on the seven data protection principles. We further score them out of 7. The 7 Data Protection Principles are as follows:
    1. Lawfulness, transparency and fairness : Whether apps are collecting and processing data in compliance with law, if there is a legal basis for collection (e.g., consent, contract, legitimate interest, legal obligation), whether the policy clearly specifies what data is collected, why it’s used, and informs users of their rights, whether data collection is proportionate, non-deceptive, and non-exploitative or harmful and whether opt-out options are available.
    2. Storage limitation: How long does the app keep your data, do they mention r what purposes they store it for, and why they may need to store it indefinitely (if specified)?
    3. Purpose limitation: Does the privacy policy mention why they need your data, and for what reasons they need the different kinds of your personal data ?
    4. Data minimisation: Do the apps collect an adequate amount of personal data that would be relevant for their service? Or do they collect personal data beyond what is necessary for performing their service?
    5. Accuracy: Do the privacy policies mention that they expect users to have provided reasonably accurate personal information, and not to provide misleading information? Do they tell you how you can correct it?
    6. Integrity and confidentiality: Does the policy mention if reasonable data security measures are implemented to protect and secure your data? Do they specify encryption, access controls, or other safeguards to ensure data protection?
    7. Accountability: Do the apps have policies in place that would explain these principles (terms of use, privacy policy, any other records/measures they mention)

If the data protection principle is complied with, the checkbox is accordingly ticked. You’ll see that we’ve left some boxes empty- We have done that where the policy was unclear or we don’t have enough information to determine whether the principle was complied with.

Google Pay

In India, Google Pay (also known as GPay) is an Unified Payments Interface-based payment app that uses an Indian bank account and phone number for instant money transfers, bill payments, mobile recharges, and in-store payments via QR codes. Users can  download the app from the Google Play Store or App Store.

A. Categories of Data Collected:



Data Collected as per the Privacy Policy based on User Input



Data collected as per the Privacy Policy (automatically)
  • Name
  • Gender
  • Phone number
  • Email Address
  • Date of Birth
  • Billing Information  
  • Payment Information
  • Credit or debit card number and card expiry date
  • Bank account number and expiry date
  • Address
  • National insurance number or taxpayer identification number (or other government-issued identification numbers)
  • For sellers or businesses specifically, your business category and certain information about your sales or transaction volume
  • PAN
  • Marital status
  • Father’s & mother’s
  • IFSC number.

Transaction Data: When you use Google Pay to conduct a transaction, Google may collect information about the transaction, including:-

  • The date, time and amount of the transaction
  • The merchant’s location and description
  • A description provided by the seller of the goods or services purchased
  • Any photo that you choose to associate with the transaction
  • The names and email addresses of the seller and buyer (or sender and recipient)
  • The type of payment method used
  • Your description of the reason for the transaction and the offer associated with the transaction, if any
  • Location Data: GPS data, IP address, Wi-Fi access points, cell towers, and Bluetooth-enabled devices

Device and Service Interactions:

  • Activity on Google services, including search history and labeled places (e.g., home/work)
  • App, browser, and device interactions with Google services (including crash reports, system activity, IP address, request timestamps, and referrer URLs)
  • Call and message log information (e.g., phone numbers, call duration, sender/recipient details)

User Activity Tracking:

  • Voice and audio data
  • Purchase activity
  • Communication and content sharing patterns
  • Activity on third-party sites and apps using Google services
  • Synced Chrome browsing history

(Table 1)

Data/Applications that can be accessed:

  • Camera
  • Photos
  • Contacts

C. Third Party Access:

As per Google Pay’s Terms of Service, Google may share your payments related information, including UPI Transaction Data, with Merchants, Banks, Third Party Providers and service providers as required for the purpose of operations, settlement payment processing, and promoting Google Pay Services. Google Pay may use third party Bill Payment Account Information on an ongoing basis and access the bill details from the respective Biller, on behalf of the third party for the purpose of Google Pay providing Bill Payment Services. However, this can only be done if the user provides permission for the same.

The UPI Transaction Data will not be used for any monetisation purpose (eg. for advertisements) by any entity other than Google (in other words, Google India Digital Services Private Limited).

D. Rights under DPDPA :

Google’s Privacy Policy does not explicitly outline the rights of users regarding their data.

E.Plain Language and Readability

 The Privacy Notice remains relatively readable and accessible to the average user.

Observations: 

  1. Lawfulness, transparency and fairness: Google’s Privacy Policy fails to provide any information to the user on how they collect and process data based on user consent, legal obligations, and legitimate interests. However, it could be clearer about the specific legal basis for all data processing activities. Surprisingly there is no mention of any data protection laws in the Privacy Policy. The policy also does not clearly specify what data is collected, why it is used, and in some cases, the reasons for sharing it. However, the lack of a clear and easily accessible opt-out option for all data collected and shared  remains a concern
  2. Storage limitation: Neither does Google Payments’ Privacy Notice nor the Privacy Policy clearly define the term/duration  in which user data will be retained. Furthermore, some data is kept for extended periods due to legal, financial, and security considerations, such as fraud prevention, regulatory compliance, and financial record-keeping. This raises concerns about indefinite retention for some categories of data. 
  3. Purpose limitation: Google lists several reasons for collecting data but does not provide enough detail about the specific uses of different types of personal data, especially in the context of third-party sharing.
  4. Data minimisation: Google collects a broad range of personal data. The policy does not clearly state whether all this data is necessary for the functioning of the app or if some of it is excessive for the purposes outlined. For example, it remains unclear whether all collected data is truly necessary for services like Google Payments.
  5. Accuracy:  Google’s umbrella Privacy Policy emphasizes the importance of data accuracy by allowing users to access, modify, correct, erase, and update their personal data. However, the Privacy Notice does not refer to any mechanisms that would allow the users to take such actions in relation to their personal data.
  6. Integrity and Confidentiality:Google employs strong security measures to protect user data, including encryption during data transmission, security tools like Safe Browsing and Two-Step Verification, and internal security reviews to prevent unauthorized access. Further only authorized employees, contractors, and agents can access personal data, and they are bound by strict confidentiality agreements. Violation of these obligations may result in disciplinary action or termination.
  7. Accountability:  Google’s Privacy Policy does provide a general explanation of its data handling practices. However, several key aspects such as grievance redressal, purposes of data processing and data deletion are spread across multiple links, which may require an exhaustive perusal from a user. The absence of specific details about the grievance redressal process or data protection officers limits the privacy policy’s ability to hold Google accountable.

Data Protection Score : 1/7

Paytm

Founded in 2010, Paytm offers mobile payment services to consumers and enables merchants to receive payments through QR codes, Soundbox, Android-based-payment terminal, and online payment gateway. In partnership with financial institutions, Paytm also offers financial services such as microcredit and buy now, pay later options to its consumers and merchants.

Paytm’s Privacy Policy and Terms & Conditions were perused to analyse Paytm’s data protection practices.

A. Categories of Data Collected: 



Data Collected as per the Privacy Policy based on User Input



Data collected as per the Privacy Policy (automatically)
  • Name
  • Home address
  • Mailing address
  • Phone number
  • Email Address
  • Date of Birth
  • Cardholder name
  • Credit card number and card expiry date
  • Bank account number and expiry date

Paytm may also collect information on

  •  Mobile phone
  • DTH service
  • Data card
  • Electricity connection
  • Smart Tags

Paytm may collect the following information on its users once they start browsing on the Paytm app –

  • Mobile/ tab device details
  • Domain and host from which you access the internet
  • IP address of the computer
  • Internet service provider [ISP]
  • Anonymous site statistical data
  • Transaction and Financial Details: Transaction history, payment details and financial details, such as income, expenses, and/ or credit history needed as part of availing some of our products/ services.
  • Audio and Visuals; Images of documents or photos required to avail any of our products/ services and voice recordings of your conversations with our customer care agent(s) to address your queries and/ or grievances.
  • Employment Details: Occupation, designation, employment history, salary and/or benefits, as part of our record retention.
  • Signature: Specimen signature(s) for processing of your instructions received by us through our various payment and delivery channels.
  • Surveys- Opinions provided by users by way of feedback or responses to surveys.
  • Mobile Device Information: Information obtained from your mobile device by way of using the Paytm application, like device location, communication information including phone number, SIM Serial Number, contacts and call logs, device information (including storage, model, IMEI, Network Carrier information), transactional and promotional SMS/app notifications
  • In-app Functionalities-
    • Access to mobile camera device for the functioning of many in-app functionalities for recording video including, but not limited to video KYC process, scan & pay etc.
    • Access to the microphone to record audio for carrying out video KYC process, voice typing etc.
    • Access to files stored in mobile devices such as audio, video files for the functioning of many in-app functionalities including, but not limited to in-app chat.

Other access-

  • Access to Wi-Fi details through SSID information from your device, to notify users about the security of the Wi-Fi network.
  • Access to the Near field Communication (NFC) chip on device to enable tap to pay functionality

(Table 2)

B. Data/Applications that can be accessed:

  • Camera
  • Photos
  • Contacts
  • Location

C. Third Party Access:

As per Paytm’s Privacy Policy, they reserve the right to communicate their users’ personal information to any third party that makes a legally-compliant request for its disclosure.

As per its Terms of Service, it only shares the data on a “need-to-know” basis to designated personnel or third-parties, affiliates or subsidiaries in their business and operational processes.

For instance, when a user purchases something through the Paytm Platform, Paytm may collect and store information about the user to process their requests and auto populate forms for future transactions. This information may be shared with third parties which assist in processing and fulfilling your requests, including but not limited to Payment Card Industry (PCI) compliant payment gateway processors, and for providing them with products/ services to better serve their needs and interests.

Paytm may process, store, and retain your Personal Data on its servers where the data centres are located, and/ or on the servers of third parties having contractual relationships with it. Paytm does not transfer any personal data to such a country or territory outside India as restricted by the Government.

D. Rights under DPDPA

Neither Paytm’s Privacy Policy nor Terms of Service explicitly outlines the rights of users regarding their data. 

E. Plain Language and Readability:

The TNCs and the Privacy Policy is not drafted in a manner that would be accessible and readable to the average user. In fact, users may encounter some difficulty in fully understanding the terms and the policy.

Observations: 

  1. Lawfulness, transparency and fairness: The Privacy Policy fails to outline what kind of personal data is collected, how it is used and the purposes for which it is collected. Users will have to peruse Paytm’s Terms of Service to understand these modalities. Additionally, Paytm provides users with no option but to consent to their TNCs and Privacy Policy, if they would like to access their services.
  2. Storage Limitation: The privacy policy does not clearly state how long user data is retained. Furthermore, some data is kept for extended periods due to legal, financial, and security considerations, such as fraud prevention, regulatory compliance, and financial record-keeping. This raises concerns about   indefinite retention for some categories of data. 
  3. Purpose limitation: The Privacy Policy lists several reasons for collecting data but does not provide enough detail about the specific uses of different types of personal data that is collected
  4. Data minimisation: Both the TNCs and the Privacy Policy fail to outline whether such data collection is necessary for the purposes stated
  5. Accuracy: Neither the Privacy Policy nor the Terms & Conditions provide clear mechanisms for users to access, modify, correct, erase, and update their personal data.
  6. Integrity and Confidentiality: Paytm takes reasonable security safeguards to protect your Personal Data from misuse, loss, unauthorised access, modification, or disclosure and uses the latest secure server layers encryption and access control on its systems. Among the other things, we use the following measures-
    1. When you submit credit or payment card information, Paytm encrypts the data in compliance with PCI data security standards.
    2. Paytm provides multiple levels of security to safeguard users’ Paytm Application by login/ logout option, and app lock feature for payments, that may be enabled by the user themselves
    3. Paytm makes sure that once a user logs in, they cannot use the same account on a different device without extra security like additional authentication/ OTP. While Paytm implements reasonable security measures, they do not guarantee absolute protection for personal data due to factors beyond their control, such as hacking, virus, dissemination, force majeure events, breach of firewall etc.
  7. Accountability: Unlike its TNCs, Paytm’s Privacy Policy fails to provide adequate information to its users on how their personal data is handled. Apart from prescribing a two-tier grievance redressal mechanism, Paytm’s TNC provides far more informat

Data Protection Score: 2/7

PhonePe

PhonePe is an Indian digital payments and financial services company headquartered in Bengaluru, Karnataka, India. It was founded in December 2015. The PhonePe app is based on the UPI and was released in August 2016. Accessible in 11 Indian languages, it enables users to perform various financial transactions such as sending and receiving money, recharging mobile and DTH, making utility payments, and conducting in-store payments.

A. Categories of Data Collected:


Data collected as per Privacy Policy based on User Input


Data collected from third parties


Data collected as per the Privacy Policy (automatically)
  • Name
  • Age
  • Photo
  • Gender
  • Phone number
  • Email Address
  • Date of Birth
  • Billing Information  
  • Payment Information
  • Credit or debit card number and card expiry date
  • Bank account number and expiry date
  • Address
  • National insurance number or taxpayer identification number (or other government-issued identification numbers)
  • For sellers or businesses specifically, your business category and certain information about your sales or transaction volume
  • PAN
  • Marital status
  • Father’s & mother’s
  • IFSC number.
  • Aadhaar information (not mandatory)
  • Voter ID/Driving License Information
  • Health and lifestyle-related information, including your physical activity, when a user opts for health-tracking services
  • Financial history 
  • Vehicle-related information
  • Employment and educational qualifications your resume
  • Demographic and photo information including but not limited to Aadhaar number, address, gender, and date of birth as a response received from UIDAI upon successful Aadhaar e-KYC
  • KYC-related information such as PAN, income details, your business-related information, videos or other online/ offline verification documents as mandated by relevant regulatory authorities.
  • Financial data – Balance including broker ledger balance or margins, transaction history and value, wallet balance, investment details and transactions, income range, expense range, investment goals, service or transaction related communication, order details, service fulfilment details
  • Your device details such as device identifier, internet bandwidth, mobile device model, browser plug-ins, and cookies or similar technologies that may identify your browser/PhonePe Applications and plug-ins, and time spent, IP address and location
  • SMSes stored on user’s devices
  • Videos, photos, audio and location video, photo, audio, and location, based on your explicit consent through your app permissions (camera, microphone, location) when you opt for a product whose core functionality can be delivered only after accessing your app permissions, or where access is as per regulatory requirements, e.g., video-based KYC, self-inspection of your vehicle, and onboarding

(Table 3)

B. Data/Applications that can be accessed:

  • Camera
  • Photos
  • Contacts
  • Location

D. Rights under DPDPA

D. Plain Language and Readability:

PhonePe’s Privacy Policy can read like a legal document despite being structured. This could reduce its accessibility and readability for users who may not be well-versed with legal English.

Observations:

  1. Lawfulness, transparency and fairness:PhonePe’s Privacy Policy provides extensive information to users on its data handling practices. It provides details on the kind of personal information that is collected (albeit in a non-exhaustive sense) and the purposes for which such information is collected. Users can revoke consent to the storage of their e-KYC information, however, this may result in loss of access to the service altogether.
  2. Storage Limitation: PhonePe’s privacy policy does not define a data retention period. If necessary, PhonePe may choose to retain personal data for extended periods due to legal requirements, pendency of legal/regulatory proceedings or owing to a legal/regulatory direction. This raises concerns about   indefinite retention for some categories of data.
  3. Purpose limitation:PhonePe lists several reasons for collecting data but does not provide enough detail about the specific uses of different types of personal data
  4. Data minimisation: PhonePe collects a broad range of personal data. The policy does not clearly state whether it is necessary to collect this data for the purposes outlined.
  5. Accuracy:  PhonePe’s Privacy Policy emphasizes the importance of data accuracy by allowing users to access, modify, correct, erase, and update their personal data. They can do so by writing to PhonePe’s Data Protection Officer at https://support.phonepe.com.
  6. Integrity and Confidentiality: PhonePe deploys administrative, technical, and physical security measures to safeguard user’s personal data and sensitive personal data. User’s Aadhaar information is safeguarded as per applicable security control given under the Aadhaar Regulations. However, PhonePe does provide a caveat to users by stating that no security system is impenetrable. They also undergo strict internal and external reviews to ensure appropriate information security encryption or controls are placed for both data in motion and data at rest within our network and servers respectively. The database is stored on servers secured behind a firewall; access to the servers is password-protected and is strictly limited.
    Further, PhonePe cautions users to maintain the confidentiality and security of their personal data like Login ID, password and OTP. PhonePe shifts the responsibility of intimation in relation to any actual or suspected leak of user’s personal data onto the customers using their platform. This would not be aligned with the provisions of India’s Digital Personal Data Protection Act of 2023, which requires Data Fiduciaries to also inform the users in case their personal data is compromised in the event of a breach.
  7. Accountability: PhonePe’s Privacy Policy does provide a general explanation of its data handling practices. Users can also have their grievances resolved by contacting the in-house Privacy Officer. Users can also access a Grievance Policy to address any payment-related, merchant redressal or Aadhaar e-KYC related issues. However, PhonePe data has been reportedly subject to a data leak (even though they insisted that their data remains safe), raising questions on whether such mechanisms will continue to be effective in the future.

Data Protection Score : 2/7

CRED

Founded in 2018, CRED is a reward-based credit card payments app that allows users to make house rent payments and provides short-term credit.

A. Categories of Data Collected: 


Data Collected as per the Privacy Policy based on User Input 


Data collected from third partie


Data collected as per the Privacy Policy (automatically)

For registration purposes,CRED may collect personal details such as –

  • Name
  • Mobile number
  • Email ID
  • Date of Birth
  • Permanent Account Number

For providing certain services, CRED may require supplementary information, including but not limited to –

  • Residential address
  • Financial details
  • Credit score
  • Credit/debit card details
  • Any other official valid documentation

CRED may retain, retriever and use data sourced through device permissions such as –

  • Contact list
  • Photos 
  • Location
  • SMS 
  • Phone calls
  • NFC

To verify a user’s eligibility to use the CRED application, users will have to provide consent for procuring of their credit information from CRED’s bureau partners during the onboarding process. CRED’s bureau partners are credit information companies registered under the Credit Information Companies (Regulation) Act 2005.

To access CRED Mint, CRED Cash, CRED Wallet, or CRED Garage services, CRED nad its partners may collect KYC data on its users from one or more KYC registries.

In order to fulfil a financial transaction, CRED may share financial information such as –

  • Credit card details
  • Tokens
  • Payment mode

to authorized third parties, for instance, our business associates, financial institutions, or government authorities involved in the fulfillment of the said transactions.

To access certain CRED Garage services, CRED may provide –

  • Name
  • Phone number
  • Financial information

to their authorised third parties, who may access information about users and their vehicles (such as challan details, insurance details, etc.) from government sources.

To access CRED Wallet, CRED may use the assistance of authorised third parties, to procure user’s KYC details, for their affiliate PPI issuer to be able to open a CRED Wallet for users.

Following data is collected while using the the CRED application –

  • User’s interactions with the application
  • Rewards claimed
  • Transactional details relating to usage of CRED’s services or the services offered through their partners. This encompasses – 
    1. Types of service request
    2. Chosen method of payment
    3. Amount
    4. Other related transactional and financial data
    5. Data generated through customer support instances

CRED logs specific information such as –

  • IP address
  • Browser type
  • Mobile operating system
  • Manufacturer
  • Model of your mobile device
  • Geolocation
  • Preferred language
  • Access time
  • Duration of usage

(Table 4)

B. Data/Applications that can be accessed:

  • Camera
  • Photos
  • Contacts
  • Location

C. Third Party Access : 

Several CRED products are offered in association with other commercial partners of CRED.  For availing or enabling the availability of such products or services, CRED may share the data collected from the usage of the application with the respective third parties. However, the caveat is that third-party’s usage of this data will be governed by their terms and conditions and privacy policy, including sharing with their subcontractors, if any.

CRED may need to disclose users’ personal data to the relevant regulatory authorities, in order to comply with relevant legal frameworks. Especially for its UPI related services, after obtaining user consent, CRED may share users’ location data to comply with NPCI guidelines or any other regulatory guidelines or directives.

Upon obtaining users’ consent, CRED may disclose certain information created in the course of usage of the application to their group entities and partners.

Third parties may sponsor or co-brand for the purposes of reward promotions/campaigns/programs/related events. Users’ personal data may be collected and shared such third-parties; if they opt-in for the same. CRED advises users to familiarize themselves with their privacy policies to understand how they will handle their data.

CRED may display targeted or non-targeted third-party online advertisements on their app. They also may engage in collaborations with other website/app operators. They advise users to familiarize themselves with their advertising practices, including the types of information they may collect. No personal data is shared with any third-party online advertiser. CRED does not provide any information about their usage of the CRED application to such third party online advertisers.

Data Sharing with Sub-Contractors for offering Credit Products Data Sharing with Sub-Contractors for Lender’s Collections/Recovery Services
  • Amazon Web Services (Indian servers)
  • Khosla Labs Private Limited
  • Dreamplug Paytech Solutions Private Limited
  • Razorpay Software Private Limited
  • Cashfree Payment India Private Limited
  • Hyperverge Technologies Private Limited
  • Ozonetel Communication Private Limited
  • Sumeru Enterprise Tiger Business Solutions Private Limited
  • Signzy Technologies Private Limited
  • Adept Guild
  • Adwaith Associates
  • AGPO Management Services Private Limited
  • Buzzworks Business Services Private Limited
  • Captris Management Services LLP
  • Catch Services Inc
  • Cedar Business Solution
  • Cimmons Integrated Services Private Limited
  • Citi Enterprises
  • Credit Solution
  • Debt Care Enterprise Private Limited
  • Epoch Pride
  • Guru Kripa Inc
  • ICollect India Private Limited
  • Janavi Business Solutions
  • Jay Ambey Debt Management Private Limited
  • OM SAI Enterprises
  • Orange Fintech India Private Limited
  • Procollect Services Private Limited
  • Rajasthan Marketing & Services
  • RKS Infra Solutions
  • RMS Financial Services
  • Samavesh Marketing India Private Limited
  • Sarga Associates
  • Saviiour Agency
  • SES Financials
  • Shrey Associates
  • Srinithya Financial Services
  • SRS Associates
  • Swaraj Associates
  • Synergy Consultants
  • The One Associate
  • Treline Advisory Private Limited
  • Vcatch Services
  • White Stone

D. Rights under the Digital Personal Data Protection Act, 2023 (DPDPA)

E. Plain Language and Readability:

CRED attempts to increase accessibility by offering a long-form of their privacy policy as well as a “highlights” version that summarizes its key facets. A perusal of the Privacy Policy exhibits that CRED has attempted to make it as readable and accessible to the average user.

F. Data Protection Score;

  1. Lawfulness, transparency and fairness:  While CRED’s Privacy Policy does provide information to users on how it collects data and with whom it shares the same, consent is implied upon the usage of CRED’s products and services. Limited opt-out mechanisms are available with respect to the access of devices/data housed within the users’ phone
  2. Storage Limitation: CRED fails to outline the specific duration for which it will store personal data of its users.
  3. Purpose limitation: The Privacy Policy provides a fair amount of information on the kinds of personal data being collected, how it is being collected and the underlying purposes for such collection
  4. Data minimisation: As per the information provided in the Privacy Policy, it is likely that the data collected by CRED is necessary to fulfil the purposes outlined and do not exceed its intended scope.
  5. Accuracy: Users can request for access, rectification and deletion of their personal
  6. Integrity and Confidentiality:CRED adopts reasonable physical, administrative, and technical safeguards to protect users’ personal data from unauthorized access, use, and disclosure. For instance, sensitive personal data such as credit card information, is encrypted when transmitted over the internet. CRED also ensures that its commercial partners or vendors deploy safeguards to protect such data. They ensure that security measures are integrated on multiple levels within their systems. 
  7. Accountability: CRED’s Privacy Policy provides users with clear information on how they can access their various rights as users as well as the grievance redressal mechanism available to them.

Data Protection Score – 5/7

Simpl

In March 2016, ‘Simpl’ was launched as an online payment platform that allows a consumer to buy now and settle for the purchase at a more convenient time. 

A. Categories of Data Collected: 


Data collected as per Privacy Policy based on User Input


Data collected as per the Privacy Policy (automatically)
  • Name
  • Address
  • Email ID
  • Phone number
  • Pictures
  • Contact details
  • General Log Information

Simpl collects log information about the usage of its services, including the type of browser used, access times, pages viewed, IP address, and the page visited before navigating to its services.

  • Device Information:

Simpl collects information about the users’ computer or mobile device used to access their services, including the hardware model, operating system and version, unique device identifiers, and mobile network information.

(Table 5)

B. Data/Applications that can be accessed:

  • Camera
  • Photos
  • Contacts
  • Location

C. Third Party Access

Simpl may disclose personal data of its users to the following forms of third-parties –

  • Business affiliates and financial Partners where certain content or service are jointly offered by Simpl
  • Simpl’s third party services providers who provide services such as contact information verification, payment processing, order fulfilment, customer service, website hosting, data analysis, marketing assistance, infrastructure provision, IT services, auditing services and other similar services to enable them to provide the services.
  • Business transfers such as a merger, acquisition or any form of sale of some or all of Simpl’s assets may result in disclosure of Simpl’s users’ personal data, as it shall be transferred to the other entity as a business asset. 
  • Simpl may believe to be necessary or appropriate to disclose personal data to comply with applicable laws and legal processes, to respond to requests from public and government authorities, to protect Simpl’s operations or those of any of Simpl’s affiliates; This includes disclosing users personal data to other companies and organizations for the purpose of fraud protection and credit risk reduction However, Simpl commits that it will not be selling, renting, sharing or otherwise disclosing personal data for commercial purposes.

D. Rights under the DPDPA:

E. Plain Language and Readability:

Simp’s Privacy Policy reads like a legal document despite being structured. This could reduce its accessibility and readability for users who may not be well-versed with legal English.

F. Data Protection Score;

  1. Lawfulness, transparency and fairness: While Simpl’s Privacy Policy does provide information to users on how it collects data and with what kind of third-parties it shares the same, consent is implied upon the usage of CRED’s products and services.
  2. Storage Limitation:  Simpl fails to outline the specific duration for which it will store personal data of its users.
  3. Purpose limitation:  The Privacy Policy provides a fair amount of information on the kinds of personal data being collected, how it is being collected and the underlying purposes for such collection.
  4. Data minimisation: As per the information provided in the Privacy Policy, it is likely that the data collected by Simpl is necessary to fulfil the purposes outlined and do not exceed its intended scope.
  5. Accuracy: The Privacy Policy claims that users can request for access, rectification and deletion of their personal data. However, it remains unclear how such actions can be undertaken by the users.
  6. Integrity and Confidentiality: Simpl adopts reasonable safeguards to preserve the integrity and security of users’ personal data against loss, theft, unauthorised access, disclosure, reproduction, use or amendment
  7. Accountability : Simpl’s Privacy Policy fails to provide users with clear information on how they can access their various rights as users as well as the grievance redressal mechanism available to them. 

TAKEAWAYS

In our analysis, it was observed that all FinTech applications collect several streams of personal data across a broad and interconnected range of services. While a user might not personally object against processing of their personal data, it remains critical that one is fully aware of whether such processing is necessary to fulfil the use cases of the application. Therefore, users can choose to be more mindful of their digital privacy by considering the following factors –

  • Necessity Evaluation: Users can review the privacy policies provided by companies for their information to understand how, for what and why their personal data is being processed. This might involve a significant amount of effort before a user can start using a product or an application but it will also inform the user of the possible risks and benefits of such usage.
  • Greater Privacy Controls: Depending on such perusal, users can then assess which product/service provides them with a greater amount of control over data sharing from applications/hardware within a device as well as with other users and third-parties. Choose a product/service that provides you with a greater amount of control over your personal data and makes it convenient to exercise such control.
  • Prioritize Data Security is greater than Convenience: Without adequate technical safeguards, your personal data could be in jeopardy. Users must consider and understand the nature of security protocols that a company deploys to protect personal data like your financial information. This is even more critical given the increase in cyber frauds and OTP related scams in India.
  • Ensuring Accountability: It is strongly advised that users use apps with designated teams for data protection and cybersecurity. Importantly, users should be provided with a clear line of contact with such teams to ensure that their grievances are acknowledged and resolved within a reasonable amount of time.

PrintLinkedIn

Privacy Policy Analysis of Messaging Applications

Security and Privacy Features Analysis of Messaging Applications (Arattai, Whatsapp, Signal, Prav and Element) 

Bill Do, Number No! Use This Template Letter to Protect Your Data from Businesses