Privacy Policy
September 2023
Presented By
HDFC Credila Financial Services Limited
(Formerly known as HDFC Credila Financial Services Private Limited)
B 301 Citi Point, Andheri Kurla Road,
Andheri (E), Mumbai 400 059, India
https://hdfccredila.com/
Copyright ® HDFC Credila Financial Services Limited
Document Control Information
Contents
Introduction
Definitions
Data We Collect
When and how your Data is collected?
How We Use Your Information?
Automated Processing
Who we share your Data with?
Cookies
Website & links to Other Sites
Data Security and training
Responsibility of User
Your Choices
Retention of Information
Changes to this Policy
Contact Us
Introduction
At HDFC Credila Financial Services Limited (hereinafter referred to as “HDFC Credila”), we are committed to protecting your privacy and safeguarding your personal information. This Data Privacy Policy outlines how we collect, use, disclose, and protect the information you provide to us.

By using our services and interacting with our platforms, you agree to the terms outlined in this policy. This policy is applicable to all the existing customers, prospective customers and persons who visit the office/branch and/or any ‘Digital Property’ belonging to HDFC Credila Limited.

The objective of this Policy is to cultivate organization-wide privacy culture to protect the rights and privacy of individuals; to comply with applicable privacy and data protection legislations as issued by the relevant regulatory authorities from time to time, by introducing and implementing privacy principles and controls into the Information Security Policy and in cooperation with the Information Security Management System. All employees should adhere to and comply with this Policy.

The Policy shall be subject to the prevailing laws and regulations in effect, as applicable and amended periodically.

This Privacy Policy of HDFC Credila (“Policy”) sets out the rules and procedures relating to the processing of Personal Data in India.
Definitions
Personal Data means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

Processing refers to any action performed on Personal Data, such as collecting, recording, organizing, storing, transferring, modifying, using, disclosing, uploading, or deleting.

Sensitive Personal Data of a person, under the Indian Information Technology Rules 2011, means such Personal Data which consists of information relating to:
  • Password;
  • Financial Information such as bank account or credit card or debit card or other payment instrument details;
  • Physical, physiological and mental health condition;
  • Sexual orientation;
  • Medical records and history;
  • Biometric Information;
  • Any other details relating to the above mentioned, provided by any person to HDFC Credila for providing services;
  • Any Information received pursuant to the above mentioned by HDFC Credila for processing, or storing such Information under a lawful contract or otherwise;
  • Provided that any Information that is freely available or accessible in public domain or furnished under the Right to Information Act 2005 or any other law for the time being in force will not be considered to be Sensitive Personal Data.
Data We Collect
We collect personal and non-personal Data/information to provide you with our financial products and services and improve your experience. This may include:
• Identity & contact information
  • Name, address, signatures, date of birth, copies of identity cards (ID), contact details including email id and phone number, address, previous names, maiden names, marital status, relatives' information, medical condition, domicile, origin, citizenship, nationality, residence, any legal or other identifiers like Permanent Account Number (PAN)/ Taxpayer Identification Number (TIN)/ truncated Aadhaar/ National ID/ Social Security Number/ or its equivalent, Photograph and Gender.
  • Data that identifies (whether directly or indirectly) a particular individual, such as information you provide on any forms, surveys, online applications or similar online fields.
• Financial details/circumstances
  • Bank account details, investments history, credit/debit card details, UPI handles, income details, history in relation to these.
  • Employment / occupational information.
  • Residential status under banking, general and tax laws.
  • Spending/saving/investing/payments/receipts/borrowing history.
  • Risk profile, financial objectives, financial knowledge and experience, preferences and any other information to assess the suitability of the Products to you.
  • Information collected when you make or receive payments.
  • Other information such as information relating to occupation and financial situation such as employer’s name and address, if self-employed, type of account, and nature and volume of anticipated business dealings, income proof, bank statements, income tax returns, salary slip, contract of employment, passbook, expenditure, assets and liabilities, source of wealth and signature.
• Information you provide about others or others provide about you
  • If you give information or data about someone else (for example, information or data about a co-borrower provided during the course of a joint application with that person), or someone gives information about you, it may be added to any Data that is already held about you and can be used in the ways described in this Privacy Policy.
  • Your Data from third party providers: In order to enhance our ability to provide relevant marketing, offers, and services to you, Data about you is obtained from other sources with your consent, such as email service providers, public databases, joint marketing partners, social media platforms, as well as from other third parties as appropriate.
  • Information including Data from credit information companies/ credit reference agencies, risk management and fraud prevention agencies, national and government databases.
  • Information including Data from other parties and entities where we are a part of a transaction in one or more roles even though we may not be directly interfacing with you.
  • Data of authorized signatories or authorized persons or representatives.
• Information from online activities
  • Information about your internet activity is collected using technology known as cookies, which can often be controlled through internet browsers.
  • Your digital and electronic devices, on which various checks are performed that are designed to ascertain and verify your residency to ensure we meet our regulatory obligations. These checks include identifying and collecting your location (with your specific permission) and the IP address your device connects from and the collection of information about your use of the website or mobile app (including device type, operating system, screen resolution, and the way you interact with us).
  • Information about your Internet browser, IP address, information collected through tracking technologies.
  • Unique device identifier such as International Mobile Equipment Identity (IMEI) number, technical usage data, contact lists (in some cases where specific permission is obtained), technical data about your computer and mobile device including details regarding applications and usage details.
  • Information such as your fingerprint, etc. that you choose to provide to us. We will not collect your biometric information without your explicit consent.
  • Generation and storage of a password or PIN in encrypted form.
Any of the aforesaid data (whether personal data or sensitive personal data or information), information, know your customer (KYC) related data, any derivative thereof (“Derivative Data”) like any credit scores or behavioural projections, profiling, analytical results, reports (prepared by us or others) including through any algorithms, analytics, software, automations, profiling etc., and whether such derivative is from the information collected from you or in combination with any other information sourced from any other person, database or source whether by us or others, shall collectively be referred to as “Data”.
When and how your Data is collected?
Your Data may be collected or processed through any of the following:
  • When you submit the Data to us including when you ask for certain Products.
  • When you use the Products.
  • During the course of transactions.
  • When you apply for the Products, make enquiries or engage with us or with any other person where we are involved for any other person in the transaction concerning you.
  • Data collected during credit assessment, risk assessment, fraud checks, fraud detections, processes undertaken for fraud prevention, detecting malpractices or discrepant documents or information, prevention of misuse, assessment of credit worthiness, evaluation of financial standing, due diligence, background check, physical and other inspections, verifications, KYC/ Anti Money Laundering (AML) checks, monitoring, collections, recovery, customer service etc.
  • When you use our website and online services provided by us (including mobile applications) and visit our branches or offices.
  • When you email or call or respond to our emails/phone calls or during meetings with our staff or representatives.
  • When you or others give the Data verbally or in writing. This Data may be on application forms, in records of your transactions or if you make a complaint.
  • From information publicly available about you. When you make Data about yourself publicly available on your social media accounts or where you choose to make the Data available through your social media account, and where it is appropriate to be used.
  • During or as a result of Derivation, from any person possessing the same or sourcing any Data therefor.
  • Data collected through cookies.
By accepting this Privacy Policy or by applying for or using any Product, you agree that any person who submits any Data or part thereof to us or from whom we source the same (including Derivation), shall be deemed to have been authorised by you to submit such Data to us and you hereby further authorise the processing of any such Data by us or for us, for any of the purposes mentioned in this Privacy Policy.
How We Use Your Information
How we process your Data?
Whether we’re using it to confirm your identity, to help in the processing of an application for any Products or to improve your experiences with us, your Data is always handled with care and the principles outlined in this Privacy Policy are always applied.
Purposes of processing Data
The processing of the Data may be done by us or any of the Processing Entities for any of the following purposes, and you agree and consent to the same:
  • To provide you with Products.
  • To manage relationships with you.
  • For enabling your use of Products.
  • For processing or executing transactions.
  • For enabling any applications/ requests for any Products, processing any such applications/ requests, performing any contract pursuant thereto and undertaking any Specified Purposes in relation to any of the above.
  • To perform activities such as data analysis, audits, usage trends to determine the effectiveness of our campaigns and as input into improving Products.
  • For credit scoring, credit analysis, risk analysis, obtaining any reports, credit scores, credit information, scrubs, for assessing and undertaking/ evaluating financial standing, fraud check, fraud probability, reference checks, due diligence, inspections, etc. including from or through any credit information companies, bureaus, fintech entities or service providers.
  • For enabling use of our website, platforms, and online services (including mobile or web applications) and visiting our branches or offices.
  • To contact you or to establish contact with you.
  • To allow you to utilize features on platforms/ apps by granting us access to Data from your device.
  • For security, business continuity and risk management.
  • For system or product development and planning, audit and administrative purposes.
  • To personalize your platform/ app experience.
  • To improve customer/ user experience.
  • To inform you about important information regarding our Products, changes to terms, conditions, and policies and/or other administrative information.
  • Where processing is necessary for the performance of a contract to which you are a party or in order to take steps prior to entering into a contract. To take actions that are necessary in order to provide you with the Products.
  • Where processing is necessary because of a legal or regulatory obligation that applies to us.
  • Where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. Processing may be required to meet our legitimate interests, for example, to understand the customer behaviour, customer expectations, to build analytical models, or to understand how customers use or respond to the Products, or to develop new Products, as well as improve the Products we currently provide. This may also include sharing of your Data either as part of a sample or specifically or generally with any potential or actual service provider or consultant or vendor or third party or Processing Entity, for the purposes of testing of proof of concept, where the utility, workability, efficacy, authenticity of any solution or service proposed or being rendered by any such person may be tested, and any such person may process such Data along with any other data it may have or source externally, for the purpose of running or pilot running or testing of the proposed solution or service and to submit the results to us along with the Data and any other data which such person may have or source. You agree that such sharing of Data and processing thereof and testing of proof of concept is in our legitimate interest to improve our efficiency, customer service, product delivery, to prevent frauds, etc. and ultimately is a necessary part of developing the ecosystem where customers and potential customers including you, benefit.
  • Where processing is necessary to protect your interests where we need to process your Data and you are not capable of providing consent (emergency situations).
  • Subject to a specific consent (obtained separately from this Privacy Policy), to allow you to participate in surveys and other forms of market research, contests and similar promotions and to administer these activities. Some of these activities have additional rules, which may contain additional information about how Data is used and shared.
  • To allow you to apply for Products including to pre-populate any Data during any application whether directly by us or through any service provider on any platform.
  • Subject to your specific consent in this regard, to sell, cross-sell, distribute or refer to you any Products (by us or through any of the Processing Entities) and for such purpose we may assess your credit worthiness or your eligibility through such means as feasible and for such activity we may also share the Data with/ receive from third parties.
  • Where we have your consent to do so.
  • For any purposes which are incidental or necessary to any of the aforesaid purposes.
  • You agree that HDFC Credila may engage with any third party Processing Entity, for any of the aforesaid purposes or part thereof for any incidental or ancillary purposes, and may accordingly share Data with any of them and allow them to further process/ share the same, for the said purposes.
Automated Processing
The way your personal information is analysed in relation to the Products, including applications, credit decisions and determining your eligibility for the Products, may involve automated profiling and decision making. This means that your Data may be processed using software that is able to evaluate your personal aspects and predict risks or outcomes, and that the decision making may be automated.

We may also carry out automated anti-money laundering, transaction monitoring and sanctions checks. This means that we may automatically decide that you pose a fraud or money laundering risk if the processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.
Who we share your Data with?
We may share the Data with the following persons and/or in the following circumstances:
  • With service providers, vendors, agents etc. who perform services for us or assist us to operate the business or provide the Products or services.
  • Entities or persons with whom we have tie-ups for the co-branded services, products or programs, any rewards programs, any benefits, offers, features or any similar arrangements.
  • With co-originators, collaborators, and persons with whom HDFC Credila may have a tie-up for any Products.
  • Other third parties to comply with legal requirements such as the demands of applicable warrants, court orders; to verify or enforce our terms of use, our other rights, or other applicable policies; to address fraud, security or technical issues; to respond to an emergency; or otherwise to protect the rights, property or security of our customers or third parties.
  • We may share your Data, without obtaining your consent or without intimating you: (a) with governmental, statutory, regulatory, executive, law-enforcement, investigating or judicial/ quasi-judicial authorities, departments, instrumentalities, agencies, institutions, boards, commissions, courts, tribunals, who ask for such Data including by way of an order, direction, etc; or (b) with any person, where disclosure is necessary for compliance of any legal or regulatory obligation. Wherever the Data is shared as above, we will not have control over how such Data is further processed by such authorities, persons, etc. (both under ‘a’ and ‘b’ above).
  • Credit information companies, bureaus, fintech entities or service providers for the purposes of obtaining any reports, credit scores, credit information, scrubs, financial standing, fraud check, fraud probability, reference checks, due diligence, inspections, risk analysis etc.
  • With any persons involved in Derivation.
The Data may also be shared by any of the aforesaid entities/ persons with their service providers, consultants, agents, subsidiaries, affiliates, co-brand entity/partner, distributors, selling/ marketing agents, any partners, fintech companies, other players/ intermediaries in any ecosystem of which we are a part, collaborators, co-lenders, co-originators, merchants, aggregators, lead generators, sourcing entities, clients, customers or other persons with whom we have a tie-up or contract for any products or services etc. for any of the aforesaid purposes or any purposes incidental or necessary thereto. Any person or entity with whom the Data or any part thereof is shared by us or further shared by any of them, for any of the purposes under this Privacy Policy, shall be referred to as a “Processing Entity”. [Wherever the Data is shared with any Processing Entity (with whom we have direct contract), we will through such contracts restrict the processing by them of such Data for the aforesaid purposes.]
Cookies
Cookies are small data files that a website stores on your computer/electronic device. We and/or our affiliate entities or service providers may use cookies and similar tracking technologies to enhance your online experience, analyze usage patterns, and improve our services. You can manage your cookie preferences through your browser settings.
While cookies have unique identification numbers, personal information (name, account number, contact numbers, etc.) SHALL NOT be stored on the cookies. HDFC Credila may:

a) use persistent cookies which are permanently placed on User’s computer to store non-personal (Browser, ISP, OS, Clickstream information etc) and profiling information (age, gender, income etc);
b) use Information stored in the cookies to improve User experience by throwing up relevant content where possible;
c) use the cookies to store User preferences to ease User’s navigation on the website/electronic/mobile application.
Website & links to Other Sites
HDFC Credila’s website/ electronic/mobile application may contain links to other sites. If User clicks on a third-party link, User may be directed to that site. It may be noted that such external sites are not operated by HDFC Credila and are beyond the control of HDFC Credila. Therefore, HDFC Credila strongly advises the User to review the privacy terms/policy of such external websites/electronic applications. HDFC Credila has no control over and assumes no responsibility for the content, privacy policies, or practices of any third-party sites or services.
Data Security and training
Securing User’s Information is of paramount importance to HDFC Credila. We implement industry-standard security measures to protect User information from unauthorized access, disclosure, alteration, or destruction. We use encryption, firewalls, and access controls to safeguard your data. Following are some of the initiatives by HDFC Credila to secure the privacy of the User’s Information:

a) HDFC Credila has reasonable management, technical and administrative measures in place to protect Information within the Company.
c) Prevent any un-authorized person from having access to any computer systems processing Personal Data, and especially: (a) un-authorized reading, copying, alteration, deletion or removal of data; (b) un-authorized data input, disclosure, uploading, transmission/transfer of Personal Data.
d) Keep a record of which personal data have been communicated, when and to whom; not provide any Personal Data to any third party without first consulting with their Manager or the Human Resources Department.
e) Ensure that Personal Data processed on behalf of a third party (client) can be processed only in the manner prescribed.
f) Immediately, on becoming aware, report and notify any vulnerabilities and privacy related breach/security breaches (including potential risks).
g) Attend mandatory and voluntary trainings on security and data privacy including e-learnings and online sessions.
h) The Information Security in HDFC Credila is led by Chief Information Security Officer (CISO), while the Compliance is led by Chief Compliance Officer.
j) Sound technical controls around Information and underlying systems are in place.
k) HDFC Credila adheres to multiple regulatory and statutory requirements like RBI’s Master Direction for NBFC, guidelines for Data localization, VKYC etc.
l) The Information is processed by HDFC Credila in strict accordance with the Indian Information Technology Act, 2000, and the rules notified thereunder.
n) Updates on the information security position are provided at regular intervals to Board members and senior management of HDFC Credila via the IT strategy committee as well as the Risk Management Committee.
o) In all contractual arrangements, we require HDFC Credila employees, third party agencies/service providers to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information. Staff also undergo mandatory information security awareness training once annually and at the time of joining.

We value User’s trust in providing Data/Information to HDFC Credila. Hence, HDFC Credila continuously strives to use commercially reasonable efforts in protecting such Information. However, no method of transmission, whether in physical form or over the internet, or method of electronic storage is 100% secure and may be subjected to inherent risks, due to reasons beyond the control of HDFC Credila.
Responsibility of User
It shall be the responsibility of the User to provide HDFC Credila with accurate, not misleading, updated and complete Personal Data and to update HDFC Credila as and when such Personal Data provided earlier becomes incorrect or out of date, by providing new details.

User acknowledges the following:

a) HDFC Credila and/or its employees/agents will not contact the User directly for disclosure of any sensitive and personal information unless required for the abovementioned Purposes. Hence, User is solely responsible to exercise proper due diligence to verify the identity of the individual(s) contacting before disclosing any personal and sensitive personal data/ information by reaching out to HDFC Credila’s nearest branch or HDFC Credila’s official customer care number/email id accessible on its website before making any disclosure.
b) HDFC Credila will not be liable / responsible for any breach of privacy owing to User’s negligence or when the User makes Data about themselves publicly available on their social media accounts or where they choose to make the Data available through their social media account.
c) User shall only use the official website/links of HDFC Credila for availing product/services by inputting the domain information on the address bar.
d) User is completely aware of the potential risk of data/privacy breach and User shall be solely liable for any unauthorized disclosure/ breach of personal/ sensitive personal information etc. and any direct/ indirect loss suffered by User due to User’s conduct. Hence, User shall exercise utmost caution to ensure that User’s personal data/ Sensitive personal data (including but not limited to any Passwords, financial information, account details, etc.) are not shared/stored/made accessible through: any physical means with or without User’s knowledge (disclosure to any person/third-party etc.) or through any electronic means, by exercising the following precautions/ safety measures:
  • (1) User shall always check if “https” appears in any website’s address bar before making any online transaction, to ensure that the webpage is encrypted;
  • (2) User shall avoid using third-party extensions, plug-ins or add-ons on User’s web browser, as it may result in the risk of tracking or stealing of User’s personal details;
  • (3) User shall always type the information and not use the auto-fill option on web-browser and mobile apps to prevent the risk of storage of User’s personal/ sensitive personal information;
  • (4) User shall NOT access the darknet, unauthorized/ suspicious websites or suspicious online platforms, or download information from unreliable sources;
  • (5) User shall ensure to disable cookies before accessing any domain/website, to ensure that User’s personal information is not tracked by any third-party, unless otherwise consciously permitted by User by accepting the same, for which, User alone will be responsible for the consequences thereof;
  • (6) User shall not respond to any generic emails from an unknown/ unidentified source;
  • (7) User shall check the Privacy Policy of website/ application to know the type of information that may be collected from User and the manner in which it may be processed by the website/ application before accepting/ proceeding/ transaction on any website/ application;
  • (8) User shall always verify and install authentic web/mobile applications from a reliable source on User’s computer/laptop/tab/iPad/smart phone or any other electronic device;
  • (9) User shall NOT access any unidentified weblinks, bitly links or any other electronic links shared over electronic platform (such as email, sms, social media, websites).
Your Choices
Opt-Out: You can choose not to provide certain information, but this might affect our ability to provide you with some services subject to regulatory guidelines.

Communication Preferences: You can manage your communication preferences and opt-out of certain types of communication.

Access and Correction: You can request access to the personal information we hold about you for your review and request deletion or corrections, if needed. However, your choice to delete information might affect our ability to provide you with some services and is subject to regulatory guidelines.
Retention of Information
HDFC Credila may retain User’s personal information if it is required to provide services or as long as it is required for business purposes. Retention of Information will be as per applicable law/regulatory requirements in India. Information may be retained for an extended period (i) in case of requirement of any investigations under law or as part of any requirement before Courts/Tribunals/Forums/Commissions etc., (ii) to enhance/improve the products/services of HDFC Credila, (iii) for establishment, exercise or defence of legal claims, or (iv) in accordance with specific consents.
Changes to this Policy
HDFC Credila may update this policy annually to reflect changes in our practices or as required under law from time to time. Thus, User is advised to review this policy periodically for any changes, since any such changes will be effective immediately after they are updated.
Contact Us
If you have any questions, concerns, or requests related to your personal information or this privacy policy, please contact our Grievance Redressal Officer Mrs. Vaijayanti Albal Sharma at grievance@hdfccredila.com.

By using HDFC Credila's services, you acknowledge that you have read and understood this Data Privacy Policy and agree to its terms.
Registered Office: B 301, Citi Point, Andheri-Kurla Road, Andheri (East), Mumbai-400 059, India