Privacy Policy

  1. DEFINITIONS

    For the purpose of this Privacy Policy (hereinafter referred to as the “Policy”), wherever the context so requires:

    1. The term ‘Company’ shall mean ‘Sqrrl Fintech Private Limited’ a private limited company limited by shares and registered under the Companies Act, 2013 and having its registered office at 33, Commercial Shopping Complex, Anand Niketan, New Delhi-110021. The Company is the exclusive licensee of the website and App in Indian Territory.
    2. The term (i) ‘Website’ shall mean www.13karat.in, owned and operated by the Company; (ii) “App” shall mean 13Karat mobile application platform, and any other application or software run under the brand name “13Karat” (collectively “Platform”).
    3. The term ‘You’, ‘Your’ & ‘User’ shall mean any current and former user accessing or using the Platform in any manner or capacity.
    4. The terms ‘We’, ‘Us’& ‘Our’ shall mean the Company or Platform as the context so requires. 
    5. By accessing or using Our Platform or by otherwise giving Us Your information, You confirm that You have the capacity to enter into a legally binding contract and have read, understood and agreed to the practices and policies outlined in this Policy. You hereby consent to our collection, use, sharing, and disclosure of Your information as described in this Privacy Policy.
  2. GENERAL
    1. We are committed to safeguarding Your privacy and ensuring that You continue to trust us with Your personal data. When You interact with us You may share personal information with us which allows identification of You as an individual. This is known as personal data.
    2. This document is an electronic record in terms of Information Technology Act, 2000 and rules there under as applicable and the amended provisions pertaining to electronic records in various statutes as amended by the Information Technology Act, 2000 (“IT Act”). This electronic record is generated by a computer system and does not require any physical or digital signatures. This document is published in accordance with the provisions of Section 43A of the IT Act; Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT RSP Rules”) Rule 3 (1) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”) that require publishing the rules and regulations, privacy Policy and Terms of Use for access or usage of the Platform. We confirm that our privacy Policy is compliant with applicable laws, associated regulations and RBI guidelines. 
    3. This Policy deals with information We collect in relation to our Platform and explains: 
      1. what information We collect; 
      2. how We collect and use that information; 
      3. how You can provide information selectively, and how You can access and update this information; and 
      4. how We process, share and protect Your information.
    4. Various non-banking financial institutions are responsible for the facilities provided through the Platform. You acknowledge that such non-banking financial institutions, as per the Reserve Bank of India’s (“RBI”) guidelines, will be responsible for their respective contents displayed on the Platform and other facilities offered. The Company reserves the right, subject to prevailing RBI guidelines, in its sole discretion to remove any content or data, information or material from the Platform from time to time.
    5. You shall not host, display, upload, modify, publish, transmit, store, update or share any information on the Platform: (i) belongs to another person and to which the user does not have any right; (ii) is defamatory, obscene, pornographic, pedophile, invasive of other’s privacy including bodily privacy, insulting or harassing on the basis of gender, libelous, racially or ethnically objectionable, relating or encouraging money laundering or gambling, or otherwise inconsistent with or contrary to the laws in force; (iii) is harmful to child; (iv) infringes any patent, trademark, copyright or other proprietary rights; (v) violates any law for the time being in force; (vi) deceives or misleads the addressee about the origin of the message or knowingly and intentionally communicates any information which is patently false or misleading in nature but may reasonably be perceived as a fact; (vii) impersonates another person; (viii) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign States, or public order, or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting other nation; (ix) contains software virus or any other computer code, file or program designed to interrupt, destroy or limit the functionality of any computer resource; (x) is patently false and untrue, and is written or published in any form, with the intent to mislead or harass a person, entity or agency for financial gain or to cause any injury to any person. 
  3. SCOPE AND ACCEPTANCE OF THIS PRIVACY POLICY
    1. This Policy applies to the personal data and the sensitive personal data that We collect about You for the purposes of providing You with our services. Personal data or information as used in this Policy shall include sensitive personal data or information, as applicable which is defined under the IT RSP Rules. This Policy is formulated under the IT Act, the IT (RSP) Rules (defined hereinafter). 
    2. By using this website or by giving us Your personal data and sensitive personal data, You accept the practices described in this Policy, its contents, and have provided Your informed consent to us collecting, storing, processing, transferring and sharing Your Personal Information with lenders, partners, service providers for the purposes set out in this Policy. If You do not agree to this Privacy Policy, please do not use this website or give us any personal data or sensitive personal data.
    3. We reserve the right to change, modify, add or delete content from this Policy without prior notice. We encourage You to regularly review this Policy to ensure that You are aware of any changes and how Your personal data may be used. 
    4. A one-time access can be taken for camera, microphone, location or any other facility necessary for the purpose of on-boarding/KYC requirements only, with the explicit consent of the User.
  4. DATA COLLECTED BY US

    To create an account on the Platform, You must provide us with the basic details and information required as part of our customer identification process and You agree to our User Terms and Conditions and this Privacy Policy, which governs how We treat Your information. 

    Type of information collected.Platform collects basic information required to provide customized services including Your name, mailing address, postal code, phone number, PAN No., age, declarations, Your description and details in Your account, financial information such as bank account etc. Such data is stored in our systems in accordance with Rule 3(h) of the Intermediary Rules and the IT RSP Rules.

    You will register with us using Your Facebook or LinkedIn account or Google identity or any other third-party website mentioned on our Platform (“Third Party Sites”). You understand that, by creating an account or by registering through Third Party Sites, We and others will be able to identify You by Your profile. We will also not be liable for the photographs and data that the users might upload, which are not in accordance with applicable law. We will ask for Your bank account details only for the service provided by us. Such data is stored in our systems in accordance with Rule 3(h) of the Intermediary Rules and the IT RSP Rules.

    Storage of information.We hereby confirm that We do not store Your personal information, except the following personal information provided in Clause 5 of the Policy which is necessary to carry out our business operations which may be shared with third parties. The Platform does not store personal information of users except some basic minimal data (viz., name, address, contact details of the customer, etc.) that may be required to carry out business operations.

    We may collect data about You from a variety of sources, including through:

    1. Online and electronic interactions with us, including via Platform, text messaging programs or through our pages on third party social networks.
    2. Your interaction with online targeted content (such as advertisements) that We or service providers on our behalf provide to You via third party websites and/or applications.

    Usage of information. Without prejudice to any use cases of information detailed in above, the Company retains the right to use the User’s information for the following purposes:

    • Making available relevant content based on Your interest for an improved experience;
    • Assessing and determining the creditworthiness of Users;
    • Respond to Your questions or comments;
    • Analyze and understand our audience, improve our services (including our User interface experiences), and optimize content selection, recommendation algorithms and delivery;
    • Conduct analysis and research to improve our Platform;
    • Advertise Users to participate in interactive features offered through the services;
    • Notify Users about the change in terms of service; and
    • Send You updates on relevant services.

    However, any personal information provided by You will not be considered as sensitive if it is freely available and/or accessible in the public domain like any comments, messages, blog posts or scribbles, etc. available on social media Platform like Facebook, Twitter etc. Any information posted/ uploaded/ conveyed/ communicated by Users on the public sections of the Platform becomes published content. In addition, the Company may collect information regarding the domain and host from which the visitor accesses the internet, the internet protocol address of the computer or internet service provider, browsing history, and anonymous website or application statistical data. The Platform uses cookie and tracking technology depending on the features offered which are text files collected by a User’s web browser.

  5. DATA THAT YOU PROVIDE US DIRECTLY

    This includes the types of personal or sensitive personal data that You provide us, in addition to the data mentioned in Clause 4 above, with Your consent for a specified purpose of providing You the services as mentioned on the Platform.

    Some of these may be regarded as sensitive personal data or information under Rule 3 of the IT RSP Rules. 

    Purpose of collection of information.We shall use the information collected by us only for the purpose for which it has been collected, for a specified purpose of providing You the services as mentioned in the Platform.

    1. Personal contact information, including any information allowing us to contact You in person. It would include, but is not limited to, users’ KYC details of users etc.
    2. Demographic information, including date of birth, age, gender, location. We may also collect the location data, if enabled by You to do so. Geolocation includes country of access, IP address, etc.
    3. User image, for us to cross check and verify the authenticity of the User and for prevention of fraud.
    4. Account login information including any information that is required for You to establish a user account with us. (e.g. login ID/ email, user name, password and security question/answer);
    5. Consumer feedback, including information that You share with us about Your experience in using our services (e.g. Your comments and suggestions, testimonials and other feedback)
    6. We may collect the Usage data, including but not limited to access date and time, platform features and/or pages viewed, type of browser, hardware models, operating systems and versions, software, mobile network data, etc.
    7. The data collected, as mentioned above, is solely restricted to the above-mentioned activities and will not be in further used for any other purpose. In case we use the data for any other purpose, explicit consent shall be taken from the customers.
    8. We will desist from accessing mobile phone resources like file and media, contact list, call logs, telephony functions from user phone resources.
    9. We will ensure that access to camera, microphone, location or any other facility necessary for the purpose of on-boarding/ KYC requirements and only with the explicit consent of the user.
    10. We will ensure that biometric data is stored/collected in the systems, only in accordance with applicable law and the IT RSP Rules.
    11. We will ensure that all data is stored only in servers located within India, while ensuring compliance with statutory obligations/ regulatory instructions.
    12. You are provided with an option to give or deny consent for use of specific data, restrict disclosure to third parties, data retention, revoke consent already granted to collect personal data. In case of withdrawal or modification of Your consent or Your amendment of any of Your choices in this regard, We  reserve the option not to provide the services or modify the services provided to You for which such information was sought.
  6. DATA WE COLLECT WHEN YOU VISIT OUR PLATFORM

    APP Permissions 

    SMS Permission: We will request permission to view SMS messages relating to financial transactions only in order to determine Your income and expense profile. The App will only access financial SMSs sent by 6- digit alphanumeric senders from the inbox which helps us identify the various accounts held by the user and to help perform an optimal ‘credit risk assessment’ of the user.

    The data is accessed by our machine learning models only. We will only access those messages that are relevant for the purpose of sharing such information with our partners and in furtherance of our business operations and will not read / store/share irrelevant or personal messages in any form or manner. The permission is voluntary and can be revoked at any time. However, denying access may lead to an inaccurate assessment of the user’s credit assessment on the platform. The data accessed by the said permission is stored in our systems in accordance with Rule 3(h) of the Intermediary Rules and the IT RSP Rules.

    Phone Permission: Collect and monitor specific information about Your device including Your hardware model, operating system and version, unique device identifiers like IMEI and serial number, user profile information and mobile network information to uniquely identify the devices and ensure that unauthorized devices are not able to act on Your behalf to prevent frauds. The data accessed by the said permission is stored in our systems in accordance with Rule 3(h) of the Intermediary Rules and the IT RSP Rules.

    Contact: We do not collect or store contact information. However, we request the users to provide us with contact references for the purpose of filling the reference details screen during the loan application stage. The data accessed by the said permission is stored in our systems in accordance with Rule 3(h) of the Intermediary Rules and the IT RSP Rules.

    Location Permission: The App will request permission to capture the user’s location for verification, risk analysis and operational purposes. The user’s location will enable us to verify addresses, determine serviceability and expedite the KYC process. The data accessed by the said permission is stored in our systems in accordance with Rule 3(h) of the Intermediary Rules and the IT RSP Rules.

    Apps Permission: Collect and monitor a list of installed apps on Your device for credit profile enrichment Accounts Permissions Collect and monitor the list of accounts on Your device for credit profile enrichment. The data accessed by the said permission is stored in our systems in accordance with Rule 3(h) of the Intermediary Rules and the IT RSP Rules.

  7. SECURITY PRACTICES

    We value Your trust in providing us Your Personal Information, thus We endeavour to maintain physical, technical and procedural safeguards that are appropriate to protect Your information. 

    You can access Your personal identity details on our Platform through Your login and password. We recommend that You do not share Your password with anyone. In addition, Your personal details are stored on a secure server located in India that only selected personnel contractors and authorised Agencies have access to on a need- to- know basis. We encrypt certain sensitive information using Secure Socket Layer (SSL) technology to ensure that Your personal details are safe as it is transmitted to us.

    Protection of Your privacy and Your data security is a top priority for us. We encrypt Your data and store it in multiple databases. There are security group and firewall checks to control the APIs with multi-level authentication, authorisation and verifications.

    However, You understand and accept no data transmission over the internet can be guaranteed to be completely secure. We cannot ensure or warrant the security of any information that You transmit to us and You do so at Your own risk. Data pilferage due to unauthorized hacking, virus attacks, technical is possible and We take no liabilities or responsibilities for it, except to the extent permitted in law. In case such security breach happens, We take the following steps as mentioned in Para 8 & 9 of this Policy.

  8. DATA SECURITY

    In order to keep Your personal data secure, We have implemented a number of security measures including:

    We value Your Personal Information, and protect it on the Platform against loss, misuse or alteration by taking extensive security measures. In order to protect Your Personal Information against any loss, misuse, copying, damage or modification and unauthorized access or disclosure, We have implemented adequate technology and will update these measures as new technology becomes available, as appropriate. All Personal Information is securely stored on a secure cloud setup and all communication happens via secure SSL communication channels. 

    You are responsible for all actions that take place under Your User Account. If You choose to share Your User Account details and password or any Personal Information with third parties, You are solely responsible for the same. If You lose control of Your User Account, You may lose substantial control over Your Personal Information and may be subject to legally binding actions. 

    No data collected and allowed to be stored by us shall be stored in any server which is not located in India.

    Standards for handling security breach:

    1. All suspected or reported security breaches or violations shall be logged and tracked from initiation of the preliminary analysis to determine whether there was a security breach or violation till completion of actions taken.
    2. Appropriate contacts with relevant authorities shall be maintained to escalate to respective authorities as required, including the local cyber cell information.
    3. Below mentioned are the steps for handling security breach:
      • Move quickly to secure the systems and fix vulnerabilities that may have caused the breach.
      • Switch off the servers and change the access code to prevent additional data loss.
      • Mobilize the breach response team right away to prevent additional data loss.
      • Additional security required will be placed.
      • Securely delete personally identifiable information (PII) and other sensitive data when it no longer needed for business purposes.
    4. if any security breach comes to our knowledge, then We may take all steps required to protect misuse of such information and may attempt to notify You electronically so that You can take appropriate steps.
    5. As per the Indian Computer Emergency Response Team (“CERT-In”) cyber-security directions under Section 70B (6) of the Information Technology Act, 2000 (CERT Directions), We shall report cyber incidents (as mentioned in Annexure I of the CERT Directions) within 6 (six) hours of noticing such incidents or being brought to notice about such incidents. For incidents not covered herein, We shall report cyber security incidents within a reasonable time of occurrence or noticing the incident to have scope for timely action under Rule 12(1)(a) of the CERT Rules, any entity affected by cyber-security incidents should. We shall report the cyber security incidents if they arise to: CERT- In via an email (incident@cert- in.org.in), Phone (1800-11-4949) and Fax (1800-116969). We shall comply with the Information Technology Act 2000 and the rules thereunder with respect to the applicable cyber security standards. 
  9. RETENTION & DATA PURGING

    We will only retain Your personal data for as long as it is necessary for the stated purpose, taking into account also our need to answer queries or resolve problems, provide improved and new services, and comply with legal requirements under applicable laws. This means that We may retain Your personal data for a reasonable period after Your last interaction with us. Kindly note that We do not sell Your personal data to any third party and the use of Your personal data is strictly restricted to the services provided by us, as mentioned herein. Your data will be stored in our systems in accordance with the IT Act, Rule 3(h) of the Intermediary Rules and the IT RSP Rules.

    When there is no longer a business, legal, or regulatory requirement to keep the data, then the data will be purged in a secure manner. 

    Data Destruction Protocol: All the data, including all the copies thereof will be destroyed post the completion of the business, legal or regulatory requirement. In case the data are stored in physical form, that is, CDs, DVDs, Pen Drive, tapes, etc., then the physical device storage shall be destroyed. In case the data are stored in digital form, then secure erasure of individual folders and/or files will be done.

    Users are permitted to request the deletion of their accounts from the application by initiating an account deletion request. However, such requests will not be considered if the customer falls under any of the following criteria:

    • The customer has an active investment i.e. an investment that has not been withdrawn.

    We will delete the user data associated with the user’s account in accordance with our retention policy and the following conditions:

    Data shall be retained for an extended period of time:

    • In cases where investigations are required by law or mandated by courts, tribunals, forums, commissions, or similar authorities.
    • If the user account has been classified as a fraud/defaulter.
    • To enhance or improve the products and services provided by us.

    The customer account shall be deleted within the 30th day from the date of submission of request for data deletion. If the user logs in to the app post the deletion of their account, he/she shall be treated as a new customer.

    Scope of Data Deletion & Retention

    When a user’s account deletion request is successfully submitted, the following details shall be deleted from our database:

    • All stored passwords, access tokens, refresh tokens and any other authentication credentials associated with the user’s account.
    • Any active session data will be cleared, and users will be logged out from all devices and platforms.
    • All permissions previously granted to the App/Web platform will be revoked.
    • The user shall be opted out of all communication channels.

    However, for regulatory and legal compliance reasons, other details related to the user’s account, including user-submitted data, transaction history, investment history, KYC and any other data shall be retained as per regulatory guidelines.

  10. INFORMATION COLLECTION AND USE

    For a better experience, while using our service, We may require You to provide us with certain personally identifiable information, including but not limited to User info. The information that We request will be retained by us and used as described in this privacy Policy.

    The app does use third party services that may collect information used to identify You.

    Certain third-party providers’ services are used by the Platform including the following:  

    (i) Google; (ii) Facebook; (iii) IOs/ Apple, (iv) LinkedIn etc.

  11. USE OF PERSONAL INFORMATION

    We and our affiliated partners may use the personal information submitted by You to contact You in relation to the services offered.

  12. SERVICE PROVIDERS

    We may employ third-party companies and individuals due to the following reasons:

    • To facilitate our service.
    • To provide the service on our behalf.
    • To perform service-related services; or
    • To assist us in analyzing how our service is used.

    We want to inform users of this service that these third parties have access to Your personal information. The reason is to perform the tasks assigned to them on our behalf. However, they are obligated not to disclose or use the information for any other purpose.

  13. COOKIES

    Cookies are files with a small amount of data that are commonly used as anonymous unique identifiers. These are sent to Your browser from the websites that You visit and are stored on Your device’s internal memory.

    We may set cookies to track Your usage on our Platform. We use data collection devices such as “cookies” on certain pages of the Platform to help analyze our web page flow, measure promotional effectiveness, and promote trust and safety.

    These are used to enhance Your experience with our Platform. We use cookies to help us identify who You are, so Your login experience is smooth each time. Cookies also allow us to collect Non-Personally Identifiable Information from You, like which pages You visited and what links You clicked on. Use of this information helps us to create a more user-friendly experience for all visitors.  In addition, We may use Third Party Advertising Companies to display advertisements on our Platform. By using the Platform, You signify Your consent to our use of cookies. 

    Please note that if You decline or delete these cookies, some parts of the Platform may not work properly.

  14. DISCLOSURE/SHARING OF PERSONAL INFORMATION
    1. We may share Your personal information with other corporate entities, Partners and affiliates to help detect and prevent identity theft, fraud and other potentially illegal acts; correlate related or multiple accounts to prevent abuse of our services, to facilitate joint or co-branded services, where such services are provided by more than one corporate entity, or if required to do so in course of our business operations. The third parties to whom Your data may be disclosed shall not disclose the data further.
    2. We may disclose personal information if required to do so by law or if We in good faith believe that such disclosure is reasonably necessary to respond to subpoenas, court-orders, or other legal processes.
    3. If We are involved in a merger, acquisition, or sale of assets, we’ll continue to ensure the confidentiality of Your personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy. Business Transfers: As We continue to develop our business, We might sell or buy business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any preexisting Privacy Policy (unless, of course, the customer consents otherwise). Also, in the unlikely event that the Company’s India’s assets or substantially all of its assets are acquired, customer information maybe one of the transferred assets.
    4. Third party service providers: We may employ other companies and individuals, call centres, payment gateways, banks to perform functions on our behalf. Examples include delivering e-mail, analyzing data, providing marketing assistance, providing search results and links (including paid listings and links) and providing customer service. They have access to personal information needed to perform their functions but may not use it for other purposes. Further, they must process the personal information in accordance with this Privacy Policy and as permitted by applicable law.
    5. Protection of Platform: We release personal information when We believe, release is appropriate to comply with the law; enforce or apply our User Terms and Conditions and other agreements; or protect the rights, property or safety of Platform, our users or others. This includes exchanging information with other companies, organizations, government or regulatory authorities for fraud protection and credit risk reduction.
    6. We will not share Your personal information and/or sensitive personal information with any third parties, other than as expressly provided herein, without Your prior consent except as required under applicable law.
  15. USE OF PERSONAL INFORMATION

    We and our affiliated partners may use the personal information submitted by You to contact You in relation to the services offered. This shall override any calling preferences, which You may have registered in the National Do Not Call Registry.

  16. SECURITY

    Transactions on the Website are secure and protected. Any information entered by the User when transacting on the Website is encrypted to protect the User against unintentional disclosure to third parties. The User’s credit and debit card information is not received, stored by or retained by the Company / Website in any manner. This information is supplied by the User directly to the relevant payment gateway, which is authorized to handle the information provided, and is compliant with the regulations and requirements of various banks and institutions and payment franchisees that it is associated with.

  17. GRIEVANCE REDRESSAL OFFICER

    If You have any complaint under the Privacy Policy or wish to report a breach of the Privacy Policy or any complaints/issues, the contact details of the Grievance Redressal Officer are provided below.

    The Grievance Redressal Officer should acknowledge the complaint within 24 (twenty-four) hours and dispose of such complaint within a period of 15 (fifteen) days from the date of its receipt.

    Ms. Anvesha Gupta
    5th Floor, Paville House, Twin Towers Lane,
    Off Veer Savarkar Marg, Prabhadevi, Mumbai-400025.
    E-Mail ID: grievance@13karat.in

  18. TERMINATION

    Notwithstanding anything contained herein, the Company reserves the right, without notice and in its sole discretion, to terminate Your account and/or to block Your use of the Platform.

  19. YOUR RIGHTS

    As per the applicable data protection law, Your principal rights are as follows. Please read this in in conjunction with the Policy, specifically Clause 5:

    Right to withdraw consent: You have the option, at any time while availing our Services or otherwise, to withdraw Your consent given to us, for processing Your data. In case of withdrawal of Your consent, We reserve the option not to provide the Services for which such information was sought. In case the Services are already availed and then You raise a request to withdraw consent, then We have the right to retain to stop the provision of the Services.

    You have the right to exercise any of the above rights by contacting our Grievance Redressal Officer(“GRO”) as mentioned under Clause 17 of this Policy. Once We receive Your request and verify the same satisfactorily, We shall proceed with assisting You on Your request.

  20. APPLICABLE LAWS & DISPUTE RESOLUTION

    Any controversy or claim arising out of or relating to this Policy shall be decided by Arbitration in accordance with the Arbitration and Conciliation Act 1996 and the governing law shall be the laws of India. The Arbitral Tribunal shall consist of one arbitrator who shall be appointed in accordance with the Arbitration and Conciliation Act 1996. Any such controversy or claim shall be arbitrated on an individual basis and shall not be consolidated in any arbitration with any claim or controversy of any other party. The proceedings shall be conducted in English. The seat and the venue of arbitration shall be Mumbai.

    Any other dispute or disagreement of a legal nature will also be decided in accordance with the laws of India, and the Courts at Mumbai shall have exclusive jurisdiction in all such cases, subject to the foregoing.

  21. REGULAR REVIEW OF PRIVACY POLICY

    We keep our Policy under regular review and may update the same to reflect changes to our information related practices. We encourage You to periodically review this page for the latest information on our privacy practices, Your continued use and access of our platform will be taken as acceptance of the updated policy.