Back to HomeSavnex

Privacy Policy

Governing the collection, use, storage, sharing, and protection of your personal data

Effective Date: 1 April 2026

At a Glance — Privacy Summary

This summary is for convenience only. The full legal text below prevails in all cases.

Do we sell your data?

No. Never.

Do we serve ads?

No. The Platform is ad-free.

Do we store your Aadhaar photograph?

No. Used only during face-match KYC and discarded immediately.

Do we store your biometric data?

No. Matching on your device only. We receive only pass/fail.

Do we store your UPI PIN or bank password?

No. These never pass through our servers.

Who is the Data Fiduciary?

Savnex Private Limited (CIN: U62090PB2026PTC066988)

Who is the Privacy Officer?

Varinder Rajoria — [email protected]

Who is the Grievance Officer?

Varinder Rajoria — [email protected] — Response within 48 hours

What law governs?

DPDPA 2023, IT Act 2000, and all applicable Indian law

Where is data stored?

India only — all servers physically located within India

1. Company Identification and Data Fiduciary

Savnex Private Limited, a company incorporated under the Companies Act 2013, bearing CIN U62090PB2026PTC066988, with its registered office at F279, Industrial Area Phase 8B, Mohali, Punjab — 160071, India ('Savnex', 'we', 'us', 'our'), is the Data Fiduciary as defined under the Digital Personal Data Protection Act 2023 ('DPDPA') in respect of all personal data collected through the Savnex mobile application and associated services (collectively, the 'Platform').

Technology support: Knotsync Private Limited is an IT services company that provides development and operational support to Savnex during its startup phase. The directors of Savnex Private Limited and Knotsync Private Limited are the same individuals. Knotsync does not independently process personal data for its own purposes; any data access is strictly in its capacity as a technical service provider to Savnex under a data processing arrangement.

Regulated service providers: UPI payments and PPI wallet services are provided by Zwitch, an RBI-regulated payment infrastructure provider. BBPS bill settlement services are provided by Setu, an RBI-authorised BBPS aggregator. All regulated financial activity flows exclusively through these licensed partners.

Role	Details
Privacy Officer	Varinder Rajoria \| [email protected] \| Mon–Fri, 10:00–18:00 IST
Grievance Officer	Varinder Rajoria \| [email protected] \| Acknowledge 48 hrs, resolve 30 days
Legal Notices	[email protected]
General Support	[email protected]
Postal	Varinder Rajoria, Savnex Private Limited, F279, Industrial Area Phase 8B, Mohali, Punjab — 160071, India

2. Scope and Applicability

This Privacy Policy applies to:

All individuals who register a personal account on the Platform, whether in LIGHT state (phone + OTP only) or FULL_KYC state.
All merchants and business account holders, including persons holding OWNER, MANAGER, CASHIER, or VIEW_ONLY roles.
All visitors to any Savnex website, support portal, or other touchpoint operated by Savnex.
All data processors, sub-processors, and third-party partners who process personal data on Savnex's behalf under a Data Processing Agreement.

This Policy does not apply to third-party websites, applications, or services that may be linked from the Platform.

This Policy is to be read alongside Terms and Conditions, Financial Disclaimer, which together constitute the complete legal framework governing your relationship with Savnex.

3. Personal Data We Collect

3.1 Data You Provide

Category	Specific Data	Purpose	Legal Basis
Account Registration	Mobile number, full name, preferred language	Account creation, authentication	Consent
Personal eKYC	PAN, Aadhaar (last 4 digits stored), DOB, gender, address, bank account, IFSC, face liveness result	RBI-mandated KYC; fraud prevention	Legal obligation + Consent
Business eKYC / KYB	Business name, entity type, CIN, GSTIN, Udyam number, registered address, business bank account	Merchant onboarding, KYB compliance	Legal obligation + Consent
Payment Data	UPI VPA, transaction amounts, merchant/customer IDs, BBPS consumer numbers	Processing payments; regulatory reporting	Contract + Legal obligation
Support Communications	Messages, complaint details, feedback	Customer support; grievance redressal	Legitimate use + Consent

3.2 Data Collected Automatically

Device identifiers (device ID, OS version, app version) — for security and crash resolution.
IP address and approximate location (city/region level, not precise GPS) — for fraud detection and regulatory compliance.
In-app event logs — for internal analytics and product improvement.
Firebase FCM token — for push notification delivery.
Session data (login time, duration, method, logout) — for security monitoring.

3.3 Data We Expressly Do NOT Collect or Store

The following data is never collected, transmitted to, or stored on Savnex servers:

Aadhaar photograph — used only transiently during face-match; discarded immediately.
Full Aadhaar number — only last 4 digits stored.
UPI PIN or bank passwords — never pass through our servers.
Biometric raw data— matching occurs on your device's secure enclave only.
Precise GPS location — only city/region for fraud detection.

4. How We Use Your Personal Data

Purpose	Data Used	Legal Basis
Account creation and OTP authentication	Mobile number, name, device ID	Contract + Consent
KYC / eKYC verification	PAN, Aadhaar OTP eKYC data, liveness result, face match score	Legal obligation (RBI KYC Master Directions)
Processing UPI payments	UPI VPA, transaction amount, merchant ID	Contract + Legal obligation
Bilateral ledger operations	Entry data, acknowledgment timestamps, user IDs	Contract + Legal obligation
Fraud detection	Device ID, IP, transaction patterns, session data	Legitimate use + Legal obligation
Regulatory compliance and audit	All financial transaction data, KYC records	Legal obligation (PMLA, RBI, IT Act, DPDPA)
Product analytics	Anonymised/aggregated event data	Legitimate use

5. Data Sharing and Disclosure

Savnex does not sell personal data. Savnex does not allow advertising networks to collect data from the Platform. Data is shared only as set out below.

Category	Provider / Partner	Purpose	Safeguard
KYC / eKYC Provider	Third-party eKYC provider (disclosed at go-live)	PAN verification, Aadhaar OTP eKYC, liveness check	DPDPA-compliant DPA; UIDAI-licensed AUA/KUA
UPI payments and PPI Wallet	Zwitch (RBI-regulated)	UPI QR generation, payment processing, PPI wallet management, vault virtual accounts	DPA in place; operates under PSS Act 2007 licences
BBPS bill settlement	Setu (RBI-authorised BBPS aggregator)	Biller fetch, bill payment initiation, payment status webhooks	DPA in place; operates under NPCI BBPS framework
Technology / operational support	Knotsync Private Limited	Development support, technical infrastructure — no independent data processing for own purposes	Internal data processing arrangement; same director oversight
Cloud Infrastructure	Cloud provider (India region)	Server hosting, database, backup	India data residency; encryption at rest and in transit

5.2 Regulatory Disclosure

We may disclose personal data without your prior consent where required by law, including to RBI, FIU-IND (PMLA), CERT-In, and NPCI.

6. Data Retention

Financial records: 8 years (Companies Act Section 128).
KYC records: 5 years after account closure (RBI KYC Master Directions).
Server logs: 180 days (CERT-In Directions 2022).
Analytics data: Anonymised and aggregated; retained indefinitely.

7. Data Security

AES-256 encryption at rest for all personal data.
TLS 1.2 / 1.3 for all data in transit.
Mandatory CERT-In breach notification within 6 hours of confirmed breach.
Periodic vulnerability assessments and penetration testing.

8. Your Rights (DPDPA)

Access: Request a copy of your personal data.
Correction: Request correction of inaccurate data.
Erasure: Request deletion, subject to legal retention obligations.
Consent Withdrawal: Withdraw consent at any time via [email protected].
Grievance: File a grievance with our Grievance Officer. If unresolved within 30 days, escalate to the Data Protection Board of India.

9. Consent Framework

By registering on the Platform, you provide specific, informed, and unambiguous consent to the processing of your personal data as described in this Policy. KYC data is processed under legal obligation. You may withdraw consent at any time by contacting [email protected]. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

10. Children's Privacy

The Platform is not intended for persons under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will delete it promptly. If you believe a child has provided personal data, contact [email protected].

11. Cross-Border Transfers

All personal data is stored in India. We do not transfer personal data outside India. If future operations require cross-border transfer, it will be done only in compliance with DPDPA provisions and RBI data localisation requirements.

12. Updates to this Policy

We may update this Policy from time to time. Material changes will be notified via in-app notification and SMS 30 days before the effective date of the updated Policy. Continued use of the Platform after the effective date constitutes acceptance.

13. Grievance Redressal

Grievance Officer: Varinder Rajoria | [email protected] | Acknowledge within 48 hours, resolve within 30 days. If unresolved, you may approach the Data Protection Board of India.

Last updated: 1 April 2026 | Version 2.0

Savnex Private Limited | CIN: U62090PB2026PTC066988