2. In compliance with the DPDP Act, 2023, we have designated a Data Protection Officer (DPO) as our DPDP Compliance Officer. This officer is responsible for overseeing our data protection strategy and ensuring we meet all obligations under the Act. As required by law, the DPO's contact information is made publicly available.
Under Section 10(2)(a) of the DPDP Act, the DPO must be based in India and report to the company's Board or governing body. This officer acts as the point of contact for Data Principals (individuals whose data we process) and for the Data Protection Board of India. The DPO's responsibilities include: informing and advising us on DPDP compliance, monitoring data practices, conducting awareness and training, and cooperating with the Data Protection Board if needed.
You may contact the DPO with any questions or requests related to your personal data, this policy, and any services provided by our platform, but limited to the services and data processed directly by our platform (UPSY shall not be held responsible or liable for any issues, complaints, or data breaches that do not originate from or occur on our website. For matters occurring solely within Regulated Entity systems after data handoff, the respective entity's policies apply, though Nothing remains responsible for secure transmission.). For example, you can use the DPO's email to submit requests for data access, correction, deletion, or to report a suspected data breach. We are required to respond to such requests in a timely manner.
In addition to the DPO, the DPDP Act requires us to appoint an independent data auditor and conduct periodic data protection impact assessments. We have engaged qualified professionals to audit our compliance and evaluate data risks as mandated. These measures help ensure that we maintain high standards of data protection in line with the law. Annual data protection audits conducted by [CERT-In empaneled auditors / ISO 27001 certified firms]. Summary audit reports available upon request to the required parties and as specified by the Law.
By publishing this information, we fulfil our obligations under the DPDP Act to be transparent about our compliance framework. We will update the DPO's details here if there are any changes.
If you have any questions or comments regarding any of these policies, or need to send a grievance, you can reach our Data Protection Officer at the email address above or by mail at our registered address. We value your privacy and feedback, and we will respond as promptly as possible.
Sources: These policies have been informed by the Digital Personal Data Protection Act, 2023 and associated guidance, as well as standard practice in terms of use and privacy drafting.
1. As a technology platform and Lending Service Provider (LSP) for Regulatory Entities (REs), we adhere to RBI's Digital Lending Guidelines and Directions. We do not originate loans or handle borrower funds directly – all disbursements go from the lender's bank to the borrower, and repayments go straight back to the lender's account. In compliance with RBI rules, no fees are charged directly to borrowers by us. All loan terms (interest, fees, prepayment details, etc.) are disclosed by the Regulated Entity (RE) Partners or lenders in the standard KFS before loan agreement execution; we assist lenders by displaying and delivering these digitally-signed documents (KFS, sanction letters, or whichever Document necessary for the Loan Process or any other Document required by the Law, etc.) to borrowers via email (as registered and provided by them on the website with due consent)
Per RBI, our platform never controls borrower/Applicants funds. Loans are disbursed, settled and recovered directly to and by the borrower's verified bank account, and all repayments are made only into the lender's accounts. We comply with the RBI's mandate that no "pooling" or pass-through accounts be used.
We do not impose any direct additional charges on borrowers. Any platform fee we earn is charged to our Regulated Entity (RE) Partners (Herein after referred to as the lenders), in accordance with and pursuant to all applicable website policies. RBI expressly prohibits LSPs from charging borrowers directly, and any fees not mentioned in the KFS cannot be levied on the borrower at any time. (Fees and APR are herein referred to as Commission or charges levied for the use of our services, and Annual Percentage Rate, respectively)
Our Regulated Entity (RE) Partners provide a standardised Key Fact Statement to every borrower (as required by RBI). This KFS includes the loan's APR (all-inclusive interest/cost), exact repayment terms, the cooling-off period, and the contact details of the grievance officer handling the loan. We display links on our platform to each lender's KFS format and privacy policy per RBI guidelines.
1.3 (a) All loans facilitated through our platform include a minimum [24 hours] cooling-off period during which borrowers may cancel without penalty, as detailed in the Key Fact Statement.
We follow RBI's data rules for digital lending: all data collection on our platform is strictly need-based and done only with explicit user consent. We do not access unnecessary phone data (file/media, contacts, etc.); only minimal data (e.g., for KYC) is collected with permission. Borrowers can always refuse or revoke consent for any specific data usage, restrict data sharing, or request deletion of their data.
In accordance with RBI, we store only minimal borrower information (name, address, contact) beyond the loan's lifecycle. All data is stored on secure servers located within India. We maintain clear internal policies on data retention periods, destruction protocols, and breach procedures, all disclosed in our privacy policy. No biometric data is stored or processed by us unless legally required.
As mandated, we publish a comprehensive privacy policy (this document) on our website. This policy describes what data we collect, how we use it, and which third parties (if any) may process personal information on our behalf. We have also ensured compliance with IT Act rules that require clear, accessible privacy notices.
Upon request or consent withdrawal, we will delete or anonymize your Personal Data within fifteen (15) days, except where retention is required by law (e.g., for regulatory compliance, dispute resolution, or fraud prevention) or upon the completion of the service (If the Loan process is active or ongoing). For data held by Regulated Entities after loan disbursement, deletion timelines are governed by their respective privacy policies and regulatory requirements.
We maintain a dedicated Nodal Officer to address any borrower complaints related to digital lending. Their contact details are prominently posted on our platform and included in all loan communications (as required by RBI). Borrowers also retain the right to escalate unresolved complaints to the RBI's Complaint Management System (Ombudsman) as outlined by the RBI.
We only facilitate loans with RBI-regulated NBFC lending partners or Regulated Entities. We do not issue credit ourselves. Our Regulated Entity (RE) partners perform all credit assessments, KYC/AML checks, and ensure borrowers' eligibility. We refer customers to these lenders transparently and neutrally (e.g. "regulated NBFC partner" or "lender") and do not use any deceptive or biased selection of offers.
For the purpose of accessing lender details, loan documentation, or additional information, you may be redirected from our website to a third-party link or to the lender's official profile. Such redirections are solely for facilitating borrower access to lender-provided information in compliance with regulatory requirements. All third-party links are verified secure at time of posting. Users should verify they remain on official lender domains. Report suspicious links to legalupsy@gmail.com
The sanctioned loan amount will be disbursed through one of the following methods:
The applicable disbursement method will be specified in the loan sanction letter. In case of direct disbursement to the borrower, funds must be used solely for educational purposes.
These policies and all user agreements are governed by the laws of India. Any dispute or claim arising out of or relating to our services or these policies will be resolved by arbitration under the Arbitration and Conciliation Act 1996. The arbitration shall be conducted in English, and the seat (venue) of the arbitration shall be Pune, Maharashtra, India (where our company is headquartered). The award rendered by the arbitrator will be final and binding on the parties. All courts in Pune shall have exclusive jurisdiction to enforce any arbitration award or interim measures.
Last Updated: October 27, 2025
© 2025 Upsy Technologies Pvt. Ltd. All rights reserved.