(Upsy Technologies Pvt. Ltd.)
We respect your privacy and handle personal data in accordance with the law. This Privacy & Data Protection Policy explains how we collect, use, share and protect your personal data under India's laws, including the DPDP Act, 2023. Our Privacy Policy is a separate document (not part of the Terms) as required by the DPDP rules, and describes our practices in clear, user-friendly language. Transient processing through global email/communication networks may involve temporary cross-border transfer in encrypted form.
We may collect "personal data" that you consent to provide. This can include your name, email address, phone number, postal address, payment or billing details, and any other information you submit through forms (for example, account registration or contact forms). We also collect usage data (such as browser type, IP address, pages visited and cookies) to understand how the site is used and to improve performance. We process only the data necessary for legitimate purposes like providing our services, communicating with you, and improving our platform.
We use your personal data for specific, disclosed purposes. These include: providing and billing for our services; responding to your inquiries; sending updates or marketing (with your consent); and complying with legal obligations. At all times, we process data only with your "informed consent" or for other lawful purposes permitted by the DPDP Act. For example, we will inform you exactly what personal data will be processed and why, and how you can exercise your rights (as required by the DPDP Act). We will never use your data for purposes beyond what we have explicitly communicated.
In addition to the purposes stated above, we may request, collect, process, and share specific personal and financial data (such as KYC details, Aadhaar verification, PAN verification, and bank statement analysis) of the borrower; co-applicant(s); Guarantor.
a. Co-applicant is herein referred to a person who applies jointly with the primary applicant and assumes joint and several liability for the loan obligation from the inception of the agreement. The co-applicant has primary liability alongside the applicant.
b. Guarantors are herein referred to as a person who provides a secondary guarantee for the loan obligation and becomes liable only upon default by the applicant and/or co-applicant. The guarantor's obligation is contingent and secondary in nature.
This is done strictly for the purpose of enabling our Regulated Entity (RE) partners/lenders to conduct due diligence, credit assessments, and comply with applicable legal and regulatory requirements.
Where required, such data may be obtained and/or shared through licensed third-party service providers or under the RBI-regulated Account Aggregator (AA) framework, in accordance with your explicit, informed consent. We do not access, store, or use this data for any purposes beyond those necessary for facilitating the loan process as disclosed to you. When using Account Aggregator services, separate consent is obtained per RBI AA framework. AA-fetched financial data is transmitted directly to Regulated Entities and not stored on UPSY's servers beyond [30 days] for transmission verification purposes.
We rely primarily on consent for processing personal data. You give consent when you submit information (for example, when you create an account or sign up for a newsletter). You can withdraw consent at any time (see "Your Rights" below). In rare cases, we may process data without consent where allowed by law (for example, to comply with a legal obligation).
We will not sell or rent your personal data. We share personal data only with trusted third parties (such as payment processors or hosting providers) who help operate our services, and who agree to use your data only to perform their contracted services. We require all such partners to implement appropriate security measures. We may also share data if required by law or by our Regulated Entity (RE) partners/lenders (for example, in response to a court order or law enforcement request or facilitating the loan process).
We work with the following categories of service providers who may process your data on our behalf:
All such providers are contractually bound to data protection standards equivalent to this policy. A current list of active service providers is available upon written request to our Data Protection Officer.
We take reasonable precautions to protect your data from loss, unauthorised access or disclosure. We use industry-standard security technologies and procedures. However, no system is 100% secure, and we cannot guarantee absolute security. We retain your personal data only as long as necessary for the purposes it was collected. Once data is no longer needed (or if you withdraw consent), we securely delete or anonymise it as soon as reasonably possible.
In cases where notifying each affected individual is not practicable, UPSY may issue a public notification in a manner prescribed under the DPDP Act, IT Act, or directions from the Data Protection Board of India/ CERT-In / RBI. Such notification will be made in a transparent and accessible form, ensuring that affected users are adequately informed.
In the event of a data breach or cybersecurity incident affecting Personal Data or Confidential Information:
We use cookies and similar technologies to improve your experience. Cookies may store preferences, login status, or track usage patterns. You can usually manage or disable cookies through your browser settings; however, disabling cookies may limit some site functionality.
All consents, withdrawals, and consent updates shall be recorded, managed, and processed exclusively through digital means on the UPSY Platform, including but not limited to pop-up links, cookies, and secure web redirections hosted on the official UPSY website.
The DPDP Act grants you several rights regarding your personal data. In particular, you have:
These rights are exercised by contacting us (see Grievance below). Once exercised, we will act without undue delay.
In compliance with DPDP Act Section 10(2)(a), we have appointed a Data Protection Officer to oversee our data practices. The DPO (named below) can answer any questions about this policy or your rights. We have made the DPO's contact information publicly available as required.
We do not knowingly collect personal data from children under the age of 18. If we learn that we have collected data from a child without valid consent (from a parent or guardian, as required by law), we will delete that data immediately. For applicants under 18 years, consent must be obtained from parent/legal guardian. The parent/guardian acts as the primary data principal for DPDP purposes until the student reaches majority.
This Privacy Policy may be updated to reflect changes in our practices or the law. We will post the updated version on our site with an updated "last revised" date. Your continued use of the site after changes are made constitutes acceptance of the new policy.
Last Updated: October 27, 2025
© 2025 Upsy Technologies Pvt. Ltd. All rights reserved.