Home Privacy Policy

Privacy Policy

Last updated: July 06, 2026  |  Effective: July 06, 2026

This Privacy Policy is in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable RBI and NPCI data protection guidelines. We are committed to protecting your personal data and being transparent about how we use it.

1 Overview

Mythri DigiTech ("we", "us", "our") operates the Credit Wallet platform. We are committed to protecting your personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and all applicable RBI and NPCI directives.

This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and your rights under Indian law as a Data Principal.

2 Data We Collect

Account & Identity Data

  • Full name, email address, mobile number
  • Date of birth (for KYC eligibility verification)
  • Profile information and account preferences

KYC & Verification Data

  • Aadhaar number (masked as per UIDAI guidelines)
  • PAN card number
  • Address details (from DigiLocker-verified documents)
  • DigiLocker verification session tokens

Financial Transaction Data

  • Wallet balance and transaction history
  • Bill payment records (biller ID, consumer number, amount)
  • Payment gateway references (Razorpay/Cashfree order IDs)
  • Bank account details (for withdrawal processing)

Technical & Usage Data

  • IP address, browser type, device information
  • Session timestamps and access logs
  • Platform usage patterns for fraud prevention
  • Error logs and performance metrics

3 How We Use Your Data

We process your personal data for the following lawful purposes under the DPDP Act:

  • Service Delivery: To operate the wallet, process bill payments, and manage your account.
  • Legal Compliance: To comply with RBI KYC norms, PMLA, NPCI guidelines, and applicable Indian laws.
  • Fraud Prevention: To detect, investigate, and prevent fraudulent transactions and money laundering.
  • Customer Support: To respond to queries, resolve complaints, and process refunds.
  • Platform Improvement: To analyze usage patterns and improve our Services (using aggregated, non-identifiable data).
  • Communication: To send transaction notifications, security alerts, and policy updates.
  • Regulatory Reporting: To file mandatory reports with NPCI, RBI, and financial intelligence units as required by law.

4 KYC Data Handling

KYC verification is conducted through the DigiLocker platform authorized by the Government of India. We handle your identity documents as follows:

  • Aadhaar data is processed in compliance with UIDAI guidelines. We do not store raw Aadhaar numbers — only masked identifiers as permitted.
  • PAN data is collected for tax compliance and identity verification only.
  • KYC documents are stored with AES-256 encryption and access is restricted on a need-to-know basis.
  • KYC data will be retained for a minimum of 5 years as required by PMLA and RBI guidelines, even after account closure.
  • Your KYC data may be shared with authorized regulated entities for compliance purposes.

5 Payment Data

Payment processing is handled by licensed payment service providers (Razorpay, Cashfree). We do not store full card numbers or UPI credentials. All payment data is tokenized and handled in accordance with PCI-DSS standards by our gateway partners.

Bank account details provided for withdrawals are stored in encrypted form and are accessible only for settlement processing. We do not share your bank account details with third parties except as required for settlement.

6 Data Sharing & Third Parties

We share your personal data only in the following circumstances:

  • Service Providers: Razorpay, Cashfree (payment gateways), DigiLocker (KYC), BillAvenue (BBPS), and cloud infrastructure providers — all bound by strict data processing agreements.
  • Legal Requirements: Regulatory bodies including RBI, NPCI, UIDAI, and law enforcement agencies when required by applicable law.
  • Financial Intelligence: The Financial Intelligence Unit India (FIU-IND) as required under PMLA for suspicious transaction reporting.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred subject to equivalent privacy protections.

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

7 Data Retention

Data Category Retention Period Basis
Account data Duration of account + 2 years Contractual
KYC documents Minimum 5 years post-closure PMLA / RBI
Transaction records 10 years NPCI / RBI
Technical logs 90 days Security

8 Security Measures

We implement industry-standard and regulatory-mandated security measures to protect your personal data, including:

  • AES-256 encryption for all sensitive data at rest.
  • TLS 1.3 encryption for all data in transit.
  • Role-based access controls with audit trails.
  • Real-time fraud detection and anomaly monitoring.
  • Regular security audits and penetration testing.
  • Multi-factor authentication for administrative access.

While we implement robust security measures, no system is completely immune to breaches. In the event of a data breach affecting your rights, we will notify affected users and regulatory authorities as required by the DPDP Act within prescribed timelines.

9 Your Rights Under the DPDP Act, 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

Right to Access

Request a summary of personal data we hold about you and how it is being processed.

Right to Correction

Request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure

Request deletion of personal data when the purpose of processing is fulfilled, subject to legal retention obligations.

Right to Grievance Redressal

Raise concerns with our Data Protection Officer. Unresolved complaints can be escalated to the Data Protection Board of India.

Right to Withdraw Consent

Withdraw consent for non-mandatory data processing. Note: withdrawal of consent for mandatory processing (KYC, compliance) may result in service restrictions.

Right to Nominate

Nominate a person to exercise your data rights in the event of your death or incapacity, as per the DPDP Act.

10 Cookies & Tracking

We use the following types of cookies on our platform:

  • Essential Cookies: Required for session management, security (CSRF protection), and authentication. Cannot be disabled.
  • Functional Cookies: Store your preferences such as theme (dark/light mode) and language. These are non-tracking.
  • Analytics: We use aggregated, anonymized analytics to understand platform usage. No personally identifiable information is shared with analytics providers.

We do not use third-party advertising cookies or behavioral tracking cookies on our platform.

11 Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we discover that we have inadvertently collected data from a minor, we will delete it immediately. If you believe a minor has provided data to us, please contact our DPO.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or regulatory guidelines. We will notify you of material changes via email or in-app notification at least 15 days before they take effect. The "Last updated" date at the top of this page reflects when the policy was last revised.

13 Contact & Data Protection Officer

For privacy-related queries, data access requests, or complaints, contact our Data Protection Officer:

Data Protection Officer — Mythri DigiTech

Email: info@mythridigitech.com

Platform: mythridigitech.com

We will acknowledge your request within 48 hours and respond fully within 30 days as mandated by the DPDP Act, 2023. Unresolved complaints may be escalated to the Data Protection Board of India.