Kaleidofin capital privacy policy

This Privacy Policy (“Policy”) outlines Kaleidofin Capital Private Limited’s (“Kaleidofin Capital”, “us”, “we” and “our”) approach to privacy of user data and to fulfil its obligations under applicable privacy laws in India. For the purposes of this Policy, the terms “you”, “your” and “user” shall mean any natural person accessing or using the services provided by Kaleidofin Capital, who is competent to enter into binding contracts, as per the provisions of the Indian Contract Act, 1872.
‍
By visiting the website/applications, you agree to be bound by the terms and conditions of this Policy, and consent to Kaleidofin Capital’s use and disclosure of your information in accordance with this Policy. The provisions of this Policy are not applicable to collection/processing of data by the websites/applications of any of our franchisees, partners, etc. and are restricted only to use of Kaleidofin Capital’s website/applications. We will not be responsible for the protection of any information that you submit to such third parties. Kindly ensure that you read the privacy policy and terms of use (as may be applicable) of such third parties before submitting your details.

This Policy is published in compliance with and is subject to the applicable privacy and data protection laws of India, as may be amended from time to time, including the following:

• Information Technology Act, 2000, read with the rules framed thereunder including the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011;
• Digital Personal Data Protection Act, 2023;
• Digital Personal Data Protection Rules, 2025; and
• Reserve Bank of India (Digital Lending) Directions, 2025.

This Policy may be further updated from time to time at the discretion of Kaleidofin Capital and to ensure compliance with all applicable laws with respect to data privacy and protection, as may be applicable and notified by the relevant authorities from time to time.

Kaleidofin Capital is committed to keeping your Personal Data private. This Policy applies to all your Personal Data processed by us, whether in physical or electronic mode. We process any Personal Data we collect from you in accordance with the applicable laws and regulations mentioned hereinabove and the provisions of this Policy. Please read the following carefully to understand our views and practices regarding your Personal Data and how we treat it.  

For the purposes of this Policy, “Personal Data” shall mean data about an individual or a natural person who is directly or indirectly identifiable by or in relation to such data. It is hereby clarified that the provisions of data protection and privacy as envisaged under this Policy will not relate to data that: (a) is, was or will be irreversibly anonymized or aggregated so that we cannot identify you through it, even in conjunction with other information available to us; or (b) is or will be publicly available.

For the purpose of this Policy, “Lending Service Providers” shall mean an agent either appointed by us or another regulated entity who carries out one or more of regulated entity’s digital lending functions, or part thereof, in customer acquisition, services incidental to underwriting and pricing, servicing, monitoring, recovery of specific loan or loan portfolio on behalf of regulated entity in conformity with existing outsourcing guidelines issued by the Reserve Bank of India.  

Please note that this Policy is applicable to all instances where we play the role of a Data Fiduciary of your Personal Data, when we collect and process personal data about you for offering our products or services. There may be instances where we play the role of a Data Processor too, when we process Personal Data on behalf of another organization. In that case, the privacy policy and terms of use (if any) of that organization becomes applicable to your Personal Data and the provisions of this Policy shall not apply.

WHAT PERSONAL DATA DO WE COLLECT & PROCESS?

Categories of Personal Data that we collect, and process are in digital form and non-digital form, with subsequently digitised and specific categories of the Personal Data are as follows:

• Demographic & identity data (for e.g., name, email address, contact number, date of birth)
• Financial data (for e.g., account details, payment details, invoice details, annual income, net worth, credit/ debit card details, details of your assets and liabilities)  
• Online identifiers and other technical data (for e.g., IP address, transaction logs, device details)
• Health data (for e.g. Blood group)
• Aadhar details (with your specific consent)
• Other KYC related information (including but not limited to PAN Card and other identification details)

STORAGE OF DATA

We ensure that the Lending Service Provider engaged by us does not store or retain any personal information of customers, except for such minimal data as may be necessary to provide services in accordance with the inter se agreement with the Lending Service Provider. Such minimal data is limited to basic details such as name, address, and contact information, strictly to the extent required for carrying out operations or services within the agreed scope.

All customer data will be stored only on servers located within India, and in compliance with applicable statutory and regulatory requirements. In cases where data processing is undertaken outside India, such data will be deleted from servers located outside India and transferred back to servers within India within 24 (twenty-four) hours of processing.

WHERE DO WE OBTAIN YOUR PERSONAL DATA FROM? 

Most of the Personal Data we process is provided by you voluntarily and/or directly to us when you use our products and/or services. This also includes the Personal Data collected automatically and in the background by us when you use our website and application(s). We collect and process Personal Data within India, and may also collect it from outside India if it relates to our services.

We may also receive Personal Data about you from third parties such as our clients, business partners, credit bureaus and financial services providers, KYC registration agencies, social media websites, Aadhaar ecosystem, account aggregator, Lending Service Providers and other third party entities inter alia providing identity verification and fraud prevention services and other services as and when required by us.

HOW DO WE USE YOUR PERSONAL DATA?

We use your Personal Data for the following purposes:

• To verify your identity;
• To share it with third parties, including not limited to lenders, insurance companies, banks, mutual fund companies and their RTAs for the purpose of providing our services and fulfilling our other obligations;
• To communicate with you regarding existing services availed by you, including notifications of any alerts or updates;
• To evaluate, develop and improve our products and services and/or gather information such as source of traffic to the website / application, time spent on each page or the interface, understand which parts of the website / application are visited and how frequently;
• For market and product analysis and market research;
• To send you information about our other products or services which may be of interest to you;
• To handle enquiries and complaints;
• To send it to service providers for the purpose of validation and to comply with legal or regulatory requirements;
• To validate KYC information shared by you, such as validation of PAN number details, physical verification of proof of address, validation of bank account information and KYC records with the banks;
• To investigate, prevent, or take action regarding illegal activities, suspected fraud and situations involving potential threats to the safety of any person;
• For employment purposes;
• To regulators, tax authorities & law enforcement agencies;
• For assessing your creditworthiness before extending any loan; and/or
• For any other purposes as may be permitted under applicable laws.

LAWFUL BASES OF PROCESSING YOUR PERSONAL DATA

We process your Personal Data by relying on one or more of the following lawful bases:

• You have explicitly agreed to/consented to us processing your Personal Data for  (i) validation of such Personal Data as provided by you; (ii) sending it to third parties for the purpose of validation of such data; (iii) verification of your identity; (iv) and in relation to the services provided by us; and (v) for sharing it with third parties to enable us to provide our services as provided under any other agreement executed between us for specific purposes;
• The processing is necessary for employment purposes;
• The processing is necessary for compliance with a legal obligation we have; and/or
• The processing is necessary for other reasonable or legitimate purposes.

We will use, store, collect, process, share, analyse, transfer or otherwise handle your Personal Data: (a) for legitimate business; or (b) for compliance purposes; or (c) if you have provided consent to the same or any relevant basis as defined by the applicable laws or regulations; (d) when it is necessary for the performance of a contract to which you are a party; or (e) to improve the visitor experience on the site and make subsequent offers to the visitor on products which may be of interest to him/ her.

By using the website, availing our services or by giving us your Personal Data, you are deemed to have: (a) read and accepted the terms set out hereunder, and (b) provided your informed consent to us collecting, storing, processing, transferring and sharing your Personal Data as set out in this Policy. However, you have the option of not providing us with your Personal Data and may also withdraw your consent by contacting us with a written request to the contact details specified below in the ‘Contact Us’ section.

Please note that (a) if you do not provide the Personal Data that we need; or (b) on withdrawal of your consent; or (c) on amendment of any of your choices in this regard, we reserve the option to immediately and without prior notification to you, terminate your access to the website and cease providing services or modify the services provided to you for which such Personal Data was sought.  

Any withdrawal of consent as set out above, will not affect the lawfulness of our use and processing of your information on the basis of your consent previously provided in terms of this Policy, where such consent was required, and the right to have the Personal Data transferred to a third party in terms of this Policy, before your consent is withdrawn.
‍
Please note that while we make reasonable efforts to comply with any requests for deletion of your Personal Dara, deletion does not ensure complete and comprehensive removal of such data from all systems and shall be subject to the terms contained herein.

WHEN DO WE SHARE YOUR PERSONAL DATA WITH THIRD PARTIES?

We may use third parties for or in relation to the provision of our products and services to you. We may share your Personal Data with such third parties subject to your explicit consent, except for cases where such sharing is required as per any applicable law. We have appropriate contracts in place with all such third parties. This means that they are not permitted to do anything with your Personal Data which is outside of the scope specified by us. They are committed to hold your Personal Data securely and retain it only for the period required or as may be specified in our contracts with them.

• 1) Reasons for sharing your Personal Data with third parties:

We may disclose your Personal Data to third parties only where it is lawful to do so. This includes instances where we or they:

• need to provide you with products or services as stipulated under any agreement executed between us for specific purposes;
• have asked you for your consent to share it, and you have agreed;
• have a legitimate business reason for doing so;
• have a legal obligation to do so. For e.g., to assist with detecting and preventing fraud;
• have a requirement in connection with regulatory reporting, litigation or asserting or defending legal rights and interests;

We may also disclose your Personal Data to appropriate authorities if we believe that it is reasonably necessary to comply with a law, regulation, legal process; protect the safety of any person; address fraud, security, or technical issues; or protect our rights or the rights of those who use our products & services.

• 2) With whom your Personal Data may be shared:

We may disclose your Personal Data to third parties inter alia for the following purposes:

• - any sub-contractors, agents or service providers (including but not limited to auditors, lawyers and other such professionals providing us specialised services) who work for us or provide services or products to us;
• - any third party institutions for research purposes/projects in collaboration with other institutions;
• - law enforcement authorities, statutory and regulatory bodies, government authorities, courts, dispute resolution bodies,  auditors, investigating agencies and any party appointed or requested by applicable regulators to carry out investigations or audits of our activities and before whom  it is mandatory to disclose Personal Data as per the applicable law, courts, judicial and quasi-judicial authorities and tribunals, arbitrators and arbitration tribunals.
  ‍
  Any third party to whom such Personal Data is divulged, is subject to a duty of confidentiality, and required to comply with and take appropriate security measures to protect your Personal Data in line with this Policy.

CROSS-BORDER DATA TRANSFER 

Subject to the provisions of applicable laws (including the laws mentioned hereinabove), Personal Data we hold about you may be transferred to other countries outside your residential country for any of the purposes described in this Policy.
‍
Please note that these countries may have differing privacy laws and that Personal Data can become subject to the laws and disclosure requirements of such countries, including disclosure to governmental bodies, regulatory agencies and private persons, as a result of applicable governmental or regulatory inquiry, court order or other similar process.

USE OF COOKIES AND OTHER TRACKING MECHANISMS

We may use cookies and other tracking mechanisms on our website and other digital properties to collect data about you. You hereby acknowledge, accept and expressly authorize the placement of cookies. We recommend that you clear the cookies stored from time to time. With respect to the “cookies” or other similar functions that are placed by third parties, we hereby clarify that we do not control the use of cookies by such third parties. You have the ability to accept or decline such cookies.
‍
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information about your actions to the owners of the website. Most web browsers allow you some control of cookies through browser settings.
‍
Outlined below are the categories of cookies along with a description of what they are used for.

- Strictly Necessary Cookies - These cookies are needed to run our website, to keep it secure and to comply with regulations that apply to us.

- Functional Cookies – We may use functional cookies on our website. These cookies allow us to remember information you enter or choices you make (such as your username, language, or your region) and provide you with enhanced, more personalised features.
‍
Performance/Analytics Cookies – We may use performance/analytics cookies on our website. These cookies collect information about how visitors use our website and services, including which pages visitors go to most often and if they receive error messages from certain pages. It is used to improve how our website functions and performs. However, we do not use trackers for behavioural monitoring of children or targeted advertising directed at children.
‍
We may also use trackers (such as web beacons, tags, pixels) on our website and other digital properties to collect data about you.

We may also collect Personal Data about you via our mobile app(s) as well as the web app(s) via permissions in such app(s), as may be developed from time to time. This is primarily used to enhance the functionality of the app and to analyse it to serve you better. 

HOW DO WE SECURE YOUR PERSONAL DATA?

We are committed to protecting your Personal Data in our custody. We take reasonable steps to ensure appropriate physical, technical and managerial safeguards are in place to protect your Personal Data from unauthorized access, alteration, transmission, and deletion. We ensure that the third parties who provide services to us under appropriate contracts take appropriate security measures to protect your Personal Data in line with our policies. We ensure that any collection of your data by our mobile app(s) as well as web app(s) or the mobile app(s) as well as web app(s) of our Lending Service Providers is need-based and with your explicit consent. We also ensure that ours as well as our Lending Service Provider’s app(s) desist from accessing mobile phone resource like file and media, contact list, call logs, telephony functions, etc. Only for the purpose of onboarding a one-time access of the camera, location, microphone or any other necessary facility will be taken with your explicit consent.  

We adhere to stringent security best practices, including compliance with ISO 27001 and ISO 9001 standards, to maintain the highest levels of data security and quality management. We ensure that the personal data is secured by the following means as well:  

a) hrough encryption, obfuscation, masking or the use of virtual tokens mapped to that personal data;

b) a controlled access to the computer resources used by us or a third party appointed by us, as and when required;

c) visibility on the accessing of Personal Data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence;

d) reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised as a result of destruction or loss of access to personal data or otherwise, such as by way of data-backups;

e) for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence and continued processing in the event of such a compromise, retain such logs and Personal Data for a period of 1 (one) year, unless compliance with any law for the time being in force requires otherwise; and

f) appropriate provision in the contract entered into any third party appointed by us, wherever applicable, for taking reasonable security safeguards.

However, while we strive to use commercially acceptable means to protect your Personal Data, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, by using this Website, our mobile app(s) and web app(s) you agree that we will have no liability for disclosure of your Personal Data due to errors in transmission, infrastructure failures by us or any intermediary (including telecom and internet service providers), or unauthorized acts of third parties.  

We shall not be liable for any loss or damage, including but not limited to any direct, indirect, special, economic, incidental, or consequential damages, losses or expenses arising in connection with the use of (or inability to use) our website, mobile app(s) and web app(s), or in connection with any failure of performance, error, omission, interruption, defect, delay in operation or transmission, computer virus or line or system failure, even we have been advised of the possibility of such damages, losses or expenses.

HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We keep the Personal Data we collect about you for as long as it is required for the purposes set out in this Policy and for legal or regulatory reasons. We take reasonable steps to delete or permanently de-identify your Personal Data that is no longer needed. However, this shall not apply if it is necessary to retain your Personal Data for the specified purpose or for compliance with any law for the time being in force.

CHILDREN’S PRIVACY 

We do not knowingly collect Personal Data from children. If you are a parent or guardian and aware that your Child has provided us with Personal Data, please contact us using the details in the ‘Contact us’ section of this Policy. Further, we do not process the Personal Data pertaining to children without proper consent of the guardian.

CONTACT US

For any further queries and complaints related to privacy, or exercising your rights, you could reach us via Kaleido-care centre or write to the Grievance Redressal Officer (GRO). The Contact details are provided in Annexure A.

NOTIFICATION OF CHANGES

We regularly review and update our Policy to ensure it is up-to-date and accurate. Any changes we may make to this Policy in future will be posted on this page. Please review the Policy uploaded from time to time to make sure you are aware of any changes. If you do not agree with any such revised terms, please refrain from using our services and accessing our website and/or digital properties. In such case, kindly contact our grievance redressal officer.

YOUR PRIVACY RIGHTS & DUTIES

If you are an Indian resident, you have the following rights and we commit to provide you with the same:

• You have the right to get confirmation and access to your Personal Data that is with us along with other supporting information regarding the usage of the same. Moreover, you will receive the digitally signed documents such as underlying documents of our products, link to this policy among others which pertains to storage and usage of your data, etc., on your email address/SMS upon execution of the products offered by us.
• You have the right, in accordance with applicable laws, to access and review your Personal Data that is provided to us and ask us to rectify your Personal Data that is with us that you think is inaccurate. You also have the right to ask us to update your Personal Data that you think is incomplete or out-of-date. We will make good faith efforts to make the requested changes in our active databases as soon as reasonably practicable. However, you acknowledge that there may be circumstances where we will not be able to amend or update your Personal Data, including where the Personal Data: (a) is opinion data that is kept solely for evaluative purposes; (b) is in documents related to a prosecution if all proceedings relating to the prosecution have not been completed; and (c) has already been processed in de-identified form.
  Please note that if you provide any information that is untrue, inaccurate, out of date, or incomplete (or subsequently becomes untrue, inaccurate, out of date or incomplete), or we have reasonable grounds to suspect or if we become aware that the information provided by you is untrue, inaccurate, out of date or incomplete, we may, without prejudice to any other right and at our sole discretion, discontinue your access to our website, applications, platform and/or the provision of the services to you (wholly or in part). We will not be responsible for the authenticity, sufficiency or correctness of the information (including Personal Data) supplied by you but will be entitled to take all reasonable measures as required by applicable laws and regulations, to ensure that the Personal Data processed is accurate for the intended purpose.
• You have the right to withdraw your consent provided to us for processing and sharing of your Personal Data. Upon your request of such withdrawal, we shall promptly return/delete/de-identify (as may be feasible) all your Personal Data belonging with us. However, we shall no longer be able to provide you our products/services upon withdrawal of such consent by you. As stated above, kindly note that we will make reasonable efforts to comply with any requests for deletion of your Personal Data, unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. Notwithstanding anything to the contrary, any withdrawal of your consent hereunder, will not affect the lawfulness of our use and processing of your information on the basis of your consent previously provided in terms of this Policy, where such consent was required, and the right to have the Personal Data transferred to a third party in terms of this Policy, before your consent is withdrawn.
• Under the IT rules we are obliged to provide you with a readable copy of the Personal Data you have provided us. If you would like a copy, do get in touch with us at help@kaleidofincapital.com
• You will be entitled, in accordance with applicable laws, to nominate any other individual, who may, in the unfortunate event of your death or incapacity, exercise the rights bestowed upon you under this Policy, in relation to the Personal Data shared by you.

To the extent that information is being shared by you, you will adhere to the following:

• You will comply with the provisions of all applicable laws for the time being in force.
• You will not impersonate another person while providing their Personal Data for a specified purpose and not suppress any material information while providing such information.
• You will not register a false or frivolous grievance or complaint against us or the third parties with whom we share your information.
• You will furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of applicable laws for the time being in force.