Privacy Policy

Last updated: March 5, 2026

This policy is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable RBI guidelines on data handling for payment intermediaries.

1. Who We Are

FYNBIT operates as the Data Fiduciary under the DPDP Act, 2023. We determine the purpose and means of processing personal data collected through our platform.

For all privacy-related concerns, contact us at: privacy@fynbit.com

2. Data We Collect

From Merchants (you):

  • Full name, email address, phone number
  • PAN card (individual or entity)
  • GST registration number (if applicable)
  • Bank account details (account number, IFSC, cancelled cheque)
  • Business registration documents (Certificate of Incorporation, LLP Agreement, etc.) for KYC
  • Director / partner identity and address proof

From End Customers (via merchant checkouts):

  • Name, email address, phone number
  • Payment method details (processed and tokenized by our payment aggregator — we do not store raw card data)

Customer data is collected solely to execute the payment transaction and comply with applicable regulations.

Technical data:

  • IP addresses, browser type, device identifiers
  • Platform usage logs and request metadata

3. Why We Collect It

  • Merchant identity verification and KYC compliance (legal obligation under RBI guidelines and PMLA)
  • Payment processing and settlement to your bank account
  • Fraud detection and risk management
  • Customer support and dispute resolution
  • Regulatory reporting and compliance
  • Platform security and abuse prevention
  • Communication about your account, service updates, and billing
  • Aggregated, anonymized analytics to improve the platform

4. Legal Basis for Processing

We process your data on the following grounds:

  • Consent: Provided by you at registration
  • Contractual necessity: To deliver the Service you signed up for
  • Legal obligation: RBI guidelines, PMLA, DPDP Act, and other applicable Indian financial regulations
  • Legitimate interests: Fraud prevention, platform security, and improving service quality

5. Who We Share Your Data With

We share data only in the following limited circumstances:

  • Payment Aggregators (e.g., Razorpay): For processing transactions and settlements, subject to their own privacy policies
  • KYC Verification Partners: Third-party KYC service providers for identity verification (cKYC, DigiLocker integrations where applicable)
  • Cloud & Infrastructure Providers: Hosting, storage, and email service providers under strict data processing agreements
  • Regulatory & Legal Authorities: RBI, enforcement agencies, or courts when legally required

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.

6. Data Retention

Merchant KYC documents and transaction records are retained for a minimum of 5 years from the date of the last transaction, as required by the Prevention of Money Laundering Act (PMLA), 2002.

After the mandatory retention period, data is securely deleted or anonymized. You may request early deletion of non-regulated personal data by writing to us.

7. Your Rights Under the DPDP Act, 2023

As a Data Principal, you have the following rights:

  • Right to Access: Request a summary of personal data we hold about you and how it is being used
  • Right to Correction: Request correction of inaccurate or outdated data
  • Right to Erasure: Request deletion of personal data not subject to mandatory legal retention
  • Right to Grievance Redressal: File a complaint with our Grievance Officer
  • Right to Nominate: Nominate a person to exercise your rights in the event of death or incapacity
  • Right to Withdraw Consent: Withdraw consent for non-mandatory data processing (note: this may affect your ability to use the Service)

To exercise any of these rights, email privacy@fynbit.com. We will respond within 30 days.

8. Data Security

We implement the following security measures:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption at rest for sensitive fields
  • Role-based access controls limiting who can access what
  • Regular security reviews and vulnerability assessments
  • Incident response plan with mandatory breach notification

We do not store raw card numbers. All payment card data is tokenized by our licensed payment aggregator partners, who are PCI-DSS certified.

9. Cookies

We use essential cookies for authentication and session management — these cannot be disabled without affecting your ability to use the platform.

We may use analytics cookies (opt-in) to understand usage patterns and improve the product. You can control cookie preferences via your browser settings.

10. Cross-Border Data Transfers

Your data is primarily stored and processed in India. Any transfer of data outside India is conducted in compliance with the DPDP Act and only to jurisdictions with adequate data protection standards or under appropriate contractual safeguards.

11. Grievance Officer

For privacy complaints or unresolved concerns, contact our Grievance Officer:

Email: privacy@fynbit.com

Response time: Within 30 days of receiving the complaint

If you are not satisfied with our response, you may escalate the matter to the Data Protection Board of India once it is constituted under the DPDP Act, 2023.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you via email or platform notification before any material changes take effect. Continued use of the Service after the effective date indicates your acceptance of the revised policy.