1. Purpose and Scope

1.1  Agya Technologies Private Limited (operating with the brand name 'Setu AA'), a company incorporated under the Companies Act, 2013 and having its registered office at Third Floor, No. 2/1, Embassy Icon Annexe, Infantry Road, Bangalore Urban - 560001. (“Agya”, “we”, “us”) is a Non-Banking Financial Company Account Aggregator (“NBFC-AA”), licensed by the Reserve Bank of India (“RBI”). We are licensed to perform financial aggregation services (“Services”) on the request of a registered user (“you”, “your”) accessing this website (“the Website”) and our application, Setu AA. (“Application”) (operated by Agya Technologies), collectively known as Platform.

1.2  Agya is licensed to fetch, aggregate and process data received from one or more Financial Information Providers (“FIPs”) with your explicit consent and share this data with Financial Information Users (“FIUs”).

1.3   This privacy policy (“Policy”)is published in accordance with the provisions of Rule 4 (1) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 3 (1) of the Information Technology (Intermediaries Guidelines) Rules, 2021 and the Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 that require publishing the rules and regulations, privacy policy and Terms & Conditions for access or usage of the Application and/or Website.

1.4   At Agya, we are committed to protecting your personal data and respecting your privacy. Please read the following terms of the Policy carefully to understand our practices regarding your personal data, and how we will treat it. This Policy sets out the basis on which any personal data we collect from you or about you, or that you provide to us, will be processed by us.

1.5   We request you to go through this Policy and the Terms & Conditions carefully before you decide to access the Platform . Capitalised words in the Policy shall have the same meaning ascribed to them in the Terms and Conditions (“Terms”). Please read this Policy in consonance with the Terms.

1.6  By accessing the Platform, you also confirm that you are above 18 years of age.

1.7   You understand that the Platform is meant for usage and access within the territory of the Republic of India, and cannot be accessed outside the territory of India. Agya is only bound by applicable laws of India and is not liable under any foreign laws.

2. Information Collected

2.1   For Registration:, We may collect your Personally Identifiable Information (“PII”), at the time of your registration on the Application, including:

a. Your name,
b. Your mobile number,
c. Your email address,
d. Your photograph (should you opt to update your profile information with one).

2.2   For Communication: You understand that your registered email id and phone number may be used for (a) generation of a one time password at the time of login, and (b) for any communications to you for provision of the Services. You understand that you may not be able to opt-out of essential communications to you which are necessary for provision of the Services.

2.3  For provision of the Services: For the purposes of providing the Services, we will collect both your PII and financial information which is classified as Sensitive Personal Information (“SPI”) under applicable laws. Your SPI is only used for the purpose of collecting your information from the relevant FIP pre-approved by you and sharing the same information with the FIU approved by you. Please note that in accordance with applicable laws, we do not store or use any financial data that you choose to share with third parties or otherwise transmit through our Services (“Financial Data”). You may use our Services to transmit and share Financial Data with third parties; however, we will not have access to such data. For more information on how your Financial Data is transmitted through our Services, please review our Terms.

2.4  We may collect, use, store and transfer different kinds of personal data about you to provide you with, or in connection with, the Services. Such personal data includes:

a. Data pertaining to your identity and related data, such as your first and last name, username or similar identifiers, gender, title, passwords, identity document and proof of addresses, purchases or orders of or through our Services, feedback, survey responses, etc.;
b. Contact data, including email addresses, phone numbers, delivery addresses, business addresses, etc.;
c. Data we collect in connection with our KYC processes when you choose to access certain features of our Services, including documents issued by the government such as Aadhaar, driving licences, PAN cards, voter ID cards, ration cards, etc.;
d. Data about your device, including but not limited to:
e. Location – location data recorded on your device; and
f. Device Information – including hardware model, operating system and version, IMEI and serial numbers, user profile information, IP addresses, browser types and versions, time zone settings, and Wi-Fi and mobile networks.
g. Usage data, including information about how you use our Services.

2.5  Additional information: We may log certain non-personally identifiable information such as session information, user ids and audit trails of consent handles and communications, during usage of the Application. During usage of the Website, we may log usage of cookies as well.

2.6  Other purposes: Your PII may be collected for the following additional purposes:

a. To observe, improve and administer the quality of Services,
b. To analyse how the Application is used, diagnose technical problems,
c. Remember the basic information provided by you for effective access,
d. To notify you about any changes to the Application,
e. To enable us to comply with our legal and regulatory obligations,
f. For the purpose of sending administrative notices, Service-related alerts and other similar communication with a view to optimising the efficiency of the Application,
g. Doing market research, troubleshooting, protection against error, project planning, fraud and other criminal activity, and
h. To reinforce our Terms and Conditions.

2.7  No access: We explicitly clarify that at no time will Agya have access to any of your SPI, and your SPI is encrypted as per the ReBIT standards prescribed by the RBI. SPI which is encrypted by FIPs is then only decrypted by the FIU. At no point will we decrypt your SPI.

2.8  Purpose limitation: Agya follows a strict policy of purpose limitation. Your PII or SPI is only used for the purposes specified herein and any additional purposes will be duly notified to you.

3. Authenticity of Information

3.1  We have taken all reasonable steps to ensure that the information on the Platform is authentic.

3.2  You agree that the personal data you provide us with is true, correct, and accurate. We shall not be liable for any incorrect or false information or personal data that you might provide.

4. Consent Artefact

4.1   A consent artefact is a machine-readable electronic document that specifies the parameters and scope of data share that a user consents to in any data sharing transaction. You understand that Agya creates a consent artefact as per applicable laws which allow Agya to retrieve, share and transfer your financial information from the FIP to the FIU.

4.2  You will be informed of the attributes contained in the consent artefact at the time of collection of your explicit consent, and you will have the ability to modify this information and duration of consent provided. An indicative list of your information contained in the consent artefact is as follows:

a. identity of the user and optional contact information,
b. the nature of the financial information requested,
c. purpose of collecting information,
d. the identity of the recipients of the information, if any,
e. URL or other address to which notification needs to be sent every time the consent artefact is used to access information,
f. consent creation date, expiry date, identity and signature/ digital signature of the account aggregator, and
g. any other attribute as may be required by Agya as prescribed by the Regulator or applicable law.

4.3  You will have the ability to revoke your consent at any time, pause, or resume provision of consent through our platform. If you choose to revoke your consent, your SPI will not be fetched from the FIP or shared with the FIU until a fresh consent is either initiated or resumed by you. Please note that provision of the Services may be affected by your choice to pause or revoke consent.

5. Disclosure

5.1   Agya will not have access to, sell or otherwise commercially exploit your PII or SPI.

5.2  Disclosures of your information will only be limited to mandatory disclosures required by law.

6. Accuracy of information and disposal

You understand that you are responsible for accuracy of information provided by you to the FIP, and that Agya is not responsible for disposal of this information. Only the FIU is responsible for disposal of your information. In the event of discrepancies in your information, the records of the FIP will be treated as the most accurate version of the same.

7. How we will use you personal data and for what purpose

7.1  We will only use your personal data as the law allows us to. Most commonly, we will use your personal data to provide you with the Services, or where we need to comply with a legal obligation.

7.2  You understand that when you consent to providing us with your personal data, you also consent to us sharing such data with third parties. However such personal data will be shared with third parties only for the purpose of providing you the Services. You are aware that by using our Services on the Platform, you authorise us, our associate partners, and affiliates to contact you via email, phone, or otherwise. This is to ensure that you are aware of all the features of the Services.

7.3  You are aware that any and all information pertaining to you, whether or not you directly provide it to us (via the Services or otherwise), including but not limited to personal correspondence such as emails, instructions from you etc., may be collected, compiled, and shared by us in order to provide the Services to you and you expressly authorise us to do so. This may include but not be limited to storage providers, marketing partners, data analytics providers, consultants, lawyers, and auditors. We may also share this information with our subsidiaries, affiliates, or any of their holding companies.

7.4  You agree and acknowledge that we may share data without your consent, when it is required by law or by any court or government agency or authority to disclose such information. Such disclosures are made in good faith and belief that it is reasonably necessary to do so for enforcing this Policy or the terms of the arrangement we have with you, or in order to comply with any applicable laws and regulations.

7.5  In general, we will not disclose personal data except in accordance with the following purpose/activity:

a.  to register you as a user of the Platform;
b.  to deliver Services;
c.  to manage our relationship with you including notifying you of changes to any Services;
d.  to administer and protect our business and the Services including troubleshooting, data analysis and system testing;
e.  to deliver content and advertisements to you;
f.  to measure and analyse the effectiveness of the advertising we serve you through means which include surveys, contests and promotions;
g.  to monitor trends so we can improve the Services;
h.  to perform our obligations that arise out of the arrangement we are about to enter or have entered with you;
i.  to enforce the terms of the arrangements we have with you;
j.  where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
k.  to comply with a legal or regulatory obligation.

8. Cookies

8.1  Agya may use "cookies" as required on the Platform.

8.2  Cookies themselves do not personally identify You, but it identifies Your device. Generally, cookies work by assigning a unique number to the computer that does not have a meaning beyond the assigning site.

8.3  Agya cannot control the use of cookies or the resulting information by advertisers or third parties hosting data on Agya’s Platform. If You do not want information collected through the use of cookies, they may change the settings in the browsers that allow them to deny or accept the cookie feature as per Your discretion and in the manner agreed by them.

9. Rights

9.1  With regard to your SPI, you have the right to:

a. be informed about the SPI that we collect from you,
b. access and review your SPI,
c. have your SPI corrected if it is inaccurate or incomplete at any time,
d. request the deletion or removal of your SPI at any time, and
e. withdraw the consent that you have provided to collect, use or store your SPI at any time.

9.2  Please note that in the event you exercise your right to withdraw your consent to processing of your information, restrict or limit our right to process your SPI or object to processing of your SPI, such exercise of rights may adversely impact the provision of the Services by us. In this context, we reserve the right to discontinue the provision of some or all of the Services or provide the Services in a limited manner should you choose to exercise any of the aforesaid rights.

9.3  You may exercise these rights by contacting us by email at legal@agya.co.

9.4  You may request for anonymisation of your SPI by sending us an email at support@agya.co. We will consider each such request on a case by case basis and approve such requests in compliance with our legal obligations.

10. Security

10.1   The information that is collected from you may be transferred to and stored in a cloud server. The physical location of the server(s) will be located within India. By submitting information on the Application, you agree to this transfer, storing and/or processing. Agya will take such steps as it considers reasonably necessary to ensure that your information is treated securely and in accordance with this Privacy Policy.

10.2  We will implement certain security measures including encryption and firewalls to protect your personal information from unauthorised access and such security measures are in compliance with the security practices and procedures as prescribed under the Information Technology Act, 2000 and the applicable rules (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011).

10.3  We use standard, industry-wide, commercially reasonable security practices such as encryption, firewalls and SSL (Secure Socket Layers) for protecting your information. Agya is compliant with the data security standards such as ISO 27001. However, as effective as encryption technology is, no security system is impenetrable.

10.4  We use commercially reasonable precautions to preserve the integrity and security of your information against loss, theft, unauthorised access, disclosure, reproduction, use or amendment. Agya assumes no liability for any disclosure of information due to errors in transmission, unauthorised third party access or other acts of third parties, or acts or omissions beyond its reasonable control and you agree not to hold Agya responsible for any breach of security. You agree and acknowledge that the above-mentioned measures do not guarantee absolute protection to the personal information, and by accessing the Services, you agree to assume all risks associated with the disclosure of personal information arising due to breach of firewalls and secure server software.

10.5  In the event Agya becomes aware of any breach of the security of your information, we will promptly notify you and take appropriate action to the best of its ability to remedy such a breach in compliance with applicable laws. In this event, Agya will need to disclose the details of such a breach to the relevant regulatory authorities.

11. Data Retention

11.1   Your financial information and SPI are never stored by Agya. Your PII provided at the time of registration on the Application will be retained only for as long as required for provision of the Services.

11.2  You may delete your account and request for the erasure of your data through the Application, in which event your PII and SPI will be purged. Provided that Agya has the right to retain and disclose any information required by the RBI or other regulators to comply with its obligations under law.

11.3  Agya may be required to retain certain non-personally identifiable information such as session information for time periods prescribed under the ReBIT standards, as an NBFC-AA.

12. Amendments and review of privacy policy

12.1  We may update this Policy at any time, with or without advance notice. In the event there are significant changes in the way we treat your PII, or in the Policy document itself, we will display a notice on the Application or send you an email informing you of such changes, so that you may review the changed terms prior to continuing to use the Application. Your continued usage of the Website and Application will constitute consent to the amended terms.

12.2  As per applicable laws, we are required to notify you of the terms of this Policy on an annual basis. You understand that you will receive communication from us on your registered email and you will not be able to opt out of such essential communication.