- Purpose and Scope
Perfios Account Aggregation Services Private Limited (“Perfios-AA”) is a Non-Banking Financial Company Account Aggregator (“NBFC-AA”), set up under the licensing terms of the Reserve Bank of India (“RBI”) to provide financial information aggregation services to a visitor or a registered user of Perfios-AA’s web application <<hyperlink to be included>> (“Web Application”) and its mobile application named ‘_____’ (“App”) (such user to be referred to as “you” or “your”), from one or more Financial Information Providers (“FIPs”) where their account(s) exist, based on the explicit consent obtained.
Perfios-AA is a data fiduciary (as per proposed regulations and relevant legislation) and therefore has the obligation to manage your consent. For the purpose of providing its account aggregation services that are governed by applicable laws, regulations and guidelines of the RBI (“Account Aggregation Services”), Perfios-AA is required to fetch, consolidate and aggregate your data which is received from the concerned FIPs, and on the basis of your explicit consent, Perfios-AA will present this data to the relevant Financial Information Users (“FIUs”).
2.1. “Data Protection Laws” means any law, regulation or directives or requirements of any regulatory body which relates to the protection of individuals with regard to the processing of Personally Identifiable Information (as defined below) or Sensitive Personal Data (as defined below), including but not limited to Information Technology Act, 2000 (as amended by the Information Technology Amendment Act, 2008) read with the Information Technology [Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information] Rules, 2011 (SPDI Rules).
2.2. “Consent Artefact” means a machine-readable electronic document that specifies the parameters and scope of data share that a user consents to in any data sharing transaction.
2.3. “Master Directions” means the Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 (as amended from time to time) and related rules, regulations and guidelines framed by the Reserve Bank of India under various Acts, Rules, Regulations, Guidelines etc. including banking issues and foreign exchange transactions.
2.4. “Personally Identifiable Information/ PII” means any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
2.5. “Sensitive Personal Data” means such personal data which may reveal, be related to, or constitute (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorized as sensitive personal data under Data Protection Laws.
- Information Collected by Perfios-AA
3.1. Information fetched for providing Account Aggregation Services
For the purpose of providing the Account Aggregation Services, Perfios-AA may be required to fetch the following types/categories of information from you:
(a) Personally Identifiable Information as defined under applicable Data Protection Laws (“PII”) that are forming part of the relevant information collected from the FIP as per your Consent Artefact
(b) Sensitive Personal Data as defined under applicable Data Protection Laws (“SPI”) that are forming part of the relevant information collected from the FIP as per your Consent Artefact
(f) Any other type/category of information to be collected by Perfios-AA from the relevant FIP for provision of the Account Aggregation Services from time to time as per your Consent Artefact
3.2. Information Collected for Registration and Use
For the purpose of creating and maintaining an account with Perfios-AA, you will be required to share some PII with Perfios-AA such as your name, Email-ID, phone number or such other information as may be required from you from time to time by Perfios-AA as per your explicit consent (“Personal Registration Information”).
Any changes in your Personal Registration Information must be duly updated by you.
Perfios-AA may share such Personal Registration Information with third parties, for the purposes of improving the Account Aggregation Services, enhancing some of the features of the Web Application and App of Perfios-AA and/or any other purpose as Perfios-AA may notify to you from time to time. Further, as part of the Account Aggregation Services, Perfios-AA may also share your mobile number and such other PII or SPI, with FIPs that are pre-approved by you.
All activities that occur under your account created and maintained with Perfios-AA are your sole responsibility. You shall ensure that you sign out from your account at the end of each session on the Web Application and App of Perfios-AA.
You understand that you are responsible for maintaining the confidentiality of all Personal Registration Information provided by you while registering yourself, which includes your login identification (ID), e-mail id/phone number and the passwords/PIN for the same.
All correspondences, notices and any other communication will be sent to the e-mail id/phone number furnished by you at the time of creating an account with Perfios-AA or thereafter. If you become aware of any unauthorized access or misuse of your account/ Personal Account Information, you shall notify Perfios-AA at email@example.com.
Upon deletion/removal of your account from Perfios-AA’s Web Application/App, Perfios-AA will purge all Personal Registration Information belonging to you:
3.3 Additional Information
Additionally, Perfios-AA logs information about access to and use of Perfios-AA’s services on its Web Application/App, including (i) transactions/actions conducted on its Web Application/App, including the use of internet cookies, (ii) the IP addresses, and (iii) the communications with the services and Web Application/App.
To the extent permitted under applicable laws, Perfios-AA may use tracking technologies such as cookies, tags, and scripts, to analyze trends, administer the Web Application/App, track users’ movements around the Web Application/App, and gather demographic information about its user base as a whole.
- Privacy Principles of Perfios-AA
Perfios-AA has implemented the following fair information privacy principles to support your rights that are associated with your Sensitive Information:
4.2 Explicit Consent.
For the purpose of providing the Account Aggregation Services, Perfios-AA is required to fetch your Sensitive Information from the pre-approved FIPs and share such Sensitive Information with the pre-approved FIUs as per the explicit consent provided by you as per the applicable Master Directions in such form and manner as may be prescribed by RBI from time to time (“Consent”). Your Consent for collecting your Sensitive Information from the relevant FIP and sharing the same with concerned FIU shall be the basis upon which the Account Aggregation Services will be rendered to you by Perfios-AA and shall be recorded in line with the Consent Artefact as provided in the Web Application and the App.
4.3 Purpose of fetching Sensitive Information
Please note that the sole purpose of fetching your Sensitive Information by Perfios-AA is to collect your Sensitive Information from the relevant FIP and share such Sensitive Information with the concerned FIU as per your explicit consent. It is hereby clarified that at no point will Perfios-AA have access to your Sensitive Information.
Limited Collection. Sensitive Information shall only be collected for the purposes identified under the Privacy Principles of Perfios-AA and the Consent Artefact provided by you.
4.4 Choice of Consent
You have the right to recall or pause your Consent to fetch your Sensitive Information from the relevant FIP and share the same with concerned FIU at any time. In the event such consent is recalled by you, none of your Sensitive Information will be collected or shared by Perfios-AA thereafter, unless a fresh consent (in the manner prescribed by RBI) has been initiated/created and approved by you for collecting your Sensitive Information from the relevant FIP and sharing the same with concerned FIU. In the event you pause your consent as mentioned above, none of your Sensitive Information will be collected from the pre-approved FIPs or shared with the relevant FIU by Perfios-AA unless the said consent is resumed/re-activated by you. Please note that the provision of Account Aggregation Services by Perfios-AA may be affected by your choice to opt out of providing express consent or pause such consent for collection and sharing of your Sensitive Information.
4.5 Limited Retention and Protection of Sensitive Information
Perfios-AA will not have access to any of your Sensitive Information, since all such Sensitive Information which will be collected by Perfios-AA will be encrypted as per the specifications of Reserve Bank Information Technology Private Limited (ReBIT). It is hereby clarified that your Sensitive Information is always encrypted as per the ReBIT specifications by the pre-approved FIPs and once the said Sensitive Information is transmitted to the relevant FIU, the FIU decrypts the same. Perfios-AA at no point will encrypt or decrypt your Sensitive Information for the purpose of providing you the Account Aggregation Services.
Further, Perfios-AA will retain your Sensitive Information only as long as necessary including but not limited to as may be required by applicable laws including but not limited to the relevant Data Protection Laws, RBI and other regulators from time to time and/or the provision of Services as per your explicit consent.
Perfios-AA will not be responsible for ensuring the accuracy, adequacy, reliability and liability of any Sensitive Information received from the relevant FIP as per your Consent Artefact, since Perfios-AA does not have any access to such Sensitive Information. In the event of any dispute arising out of the accuracy, adequacy, reliability and liability of any such Sensitive Information, the records maintained by the relevant FIP will be treated as conclusive evidence to verify the accuracy, adequacy, reliability and liability of your Sensitive Information.
4.7 Right to Inspect/Correction
You may request access to your Sensitive Information and request amendment to such Sensitive Information if the same is believed to be inaccurate. Perfios-AA shall review and respond to requests for access and amendment in a timely manner.
4.8 Disposal of Sensitive Information
Perfios-AA will not be responsible for the disposal of your Sensitive Information once the same has been transferred to the relevant FIUs, since such disposal is the responsibility of the FIUs as per applicable laws.
4.9 Breach Notification
Actual or suspected breaches of Sensitive Information shall be immediately reported in accordance with Perfios-AA’s Security Incident Reporting Policy or as required under applicable laws.
4.10 De-Identified Sensitive Information
In certain cases, Perfios-AA may de-identify/anonymize your Sensitive Information based on your authorisation/request. Perfios may utilize/share your de-identified Sensitive Information only in accordance with your authorisation/request.
Requests to de-identify/anonymize Sensitive Information must be submitted, in writing, to Perfios-AA who will evaluate the scope and purpose of the request and the means of de-identification to ensure a low likelihood of re-identification of Sensitive Information and that applicable legal, contractual, and industry-standard requirements are met.
- Disclosures Required by Law
Perfios-AA may use or disclose your Personal Registration Information or Sensitive Information to regulatory authorities or third parties as required by applicable laws.
- Reporting and Handling of Privacy Complaints and Incidents