PRIVACY POLICY

PRIVACY POLICY

Term	Meaning
Personal Data	Any information that identifies or can identify a natural person.
Sensitive Personal Data or Information (SPDI)	Financial information, passwords, biometric data, health information as defined under SPDI Rules, 2011
Data Principal	The individual to whom the personal data relates (i.e., the User)
Data Fiduciary	Cashmo — the entity that determines the purpose and means of processing personal data
Processing	Any operation performed on personal data including collection, storage, use, sharing, or deletion
Third Party	Any entity other than Cashmo and the User
KYC	Know Your Customer — mandatory identity verification process
Consent	Freely given, specific, informed, and unambiguous agreement to data processing

• All registered Users of the Cashmo Platform including Retailers, Distributors, and API Partners.
• Visitors to the Cashmo website who have not registered but whose browsing data may be collected.
• Any individual whose personal data is submitted to the Platform by another User (such as a beneficiary of a money transfer).
• All personal data collected through the Platform, mobile application, customer support interactions, and offline channels.

• Full name
• Date of birth
• Gender
• Father's / Spouse's name (where required)

• Mobile number
• Email address
• Residential and business address

• Aadhaar Card number (marked as per UIDAI guidelines)
• PAN Card number
• Voter ID / Passport / Driving License
• Business registration documents (for entities)

• Bank account number and IFSC code
• UPI ID
• Transaction history and payment records
• Wallet balance and fund movement records

• Encrypted passwords and MPINs
• Security questions and answers

• Device model, operating system, and version
• Unique device identifier (Device ID)
• Mobile network information

• IP address
• Browser type and version
• Pages visited and features used
• Time and date of access
• Session duration and clickstream data

• Approximate geographic location based on IP address
• Precise location (only with Your explicit consent, for AePS and Micro ATM services)

• Transaction timestamps
• Beneficiary details (name, account, mobile)
• Transaction amounts and reference numbers
• Success/failure status of transactions

• Identity verification data from UIDAI (Aadhaar authentication)
• PAN verification data from Income Tax Department / NSDL
• Bank account verification data from banking partners and NPCI
• Credit or risk assessment data from authorized bureaus (where applicable)
• Information shared by API Partners regarding their end users, subject to applicable consent.

Purpose	Legal Basis
Account registration and KYC verification	Legal obligation / Contractual necessity
Processing financial transactions	Contractual necessity
Fraud detection and prevention	Legitimate interest / Legal obligation
AML and regulatory compliance	Legal obligation (PMLA, RBI guidelines)
Customer support and grievance resolution	Contractual necessity
Sending transactional alerts and notifications	Contractual necessity
Platform improvement and analytics	Legitimate interest
Marketing communications	Consent (opt-in only)
Legal proceedings and regulatory reporting	Legal obligation
Risk assessment and credit evaluation	Legitimate interest / Consent

• Financial information — bank account details, card details, transaction data.
• Aadhaar and biometric data — collected only to the extent permitted by UIDAI regulations.
• Passwords and authentication credentials.

• Cashmo shall disclose personal data to RBI, NPCI, FIU-IND, UIDAI, Income Tax Department, Enforcement Directorate, or any other competent government or regulatory authority when required by law, court order, or lawful direction.

• Personal data necessary for processing transactions shall be shared with banking partners, payment gateways, NPCI, and other payment infrastructure providers on a need-to-know basis.

• Identity verification data shall be shared with UIDAI, NSDL, and other authorized verification agencies strictly for KYC compliance purposes.

• Cashmo's authorized API Partners shall receive only the minimum data necessary to deliver the requested service. API Partners are contractually bound to comply with data protection obligations equivalent to those contained in this Policy.

• Personal data may be disclosed in connection with any legal claim, investigation, or proceeding to which Cashmo is a party.

• In the event of a merger, acquisition, restructuring, or sale of business assets, User data may be transferred to the acquiring entity, subject to prior notification to Users and continuation of equivalent data protection standards.

• Share only the minimum data necessary for the stated purpose.
• Require third parties to maintain appropriate security standards.
• Ensure data is used only for the disclosed purpose.

Data Category	Retention Period
KYC Documents	Minimum 5 years from account closure (as per PMLA)
Transaction Records	Minimum 5 years from the date of transaction
Account Information	Duration of account + 5 years post-closure
Communication Records	3 years from the date of communication
Device & Usage Logs	90 days rolling retention
Marketing Preferences	Until withdrawal of consent

• Encryption: All data in transit is protected using industry-standard SSL/TLS encryption. Sensitive data at rest is encrypted using AES-256 or equivalent standards.
• Access Controls: Access to personal data is strictly limited to authorized personnel on a need-to-know basis. Role-based access controls are enforced throughout the organization.
• Firewalls and Intrusion Detection: Cashmo employs multi-layered firewalls, intrusion detection systems, and continuous security monitoring.
• Security Audits: Regular security audits, vulnerability assessments, and penetration testing are conducted by qualified security professionals.
• Employee Training: All employees handling personal data are trained on data protection obligations and confidentiality requirements.
• Incident Response: In the event of a data breach, Cashmo shall:
  • Contain the breach immediately.
  • Notify affected Users within 72 hours of becoming aware of the breach.
  • Report the breach to competent authorities as required by law.
  • Take corrective measures to prevent recurrence.

• Cashmo uses cookies, web beacons, and similar tracking technologies to enhance user experience and improve platform functionality.
• The following types of cookies are used:

  Cookie Type	Purpose
  Essential Cookies	Necessary for Platform functionality and security
  Analytical Cookies	Understanding user behavior and improving Platform performance
  Preference Cookies	Remembering User settings and preferences
  Marketing Cookies	Delivering relevant promotional content (with consent only)

• You may control or disable non-essential cookies through Your browser settings. Disabling essential cookies may affect Platform functionality.
• Cashmo does not use cookies to collect SPDI or financial information.

• The Cashmo Platform is strictly intended for individuals who are 18 years of age or above.
• Cashmo does not knowingly collect, process, or store personal data of minors below the age of 18.
• If Cashmo becomes aware that personal data of a minor has been collected without proper consent, such data shall be deleted immediately.
• If You believe that a minor's data has been submitted to the Platform, please contact Us at privacy@cashmo.in immediately.

• Clicking "Unsubscribe" in any marketing email.
• Updating preferences in Your account settings.
• Contacting support at support@cashmo.in.

• The Cashmo Platform may contain links to third-party websites, applications, or services.
• Cashmo has no control over and accepts no responsibility for the privacy practices or content of such third-party platforms.
• Users are strongly advised to review the privacy policies of any third-party platform before sharing personal data.

• Cashmo stores and processes all personal data within India.
• In exceptional circumstances where cross-border data transfer is unavoidable (such as international payment routing), Cashmo shall ensure that adequate data protection safeguards equivalent to Indian standards are in place.
• No personal data shall be transferred to a foreign jurisdiction without compliance with applicable Indian law and regulatory requirements.

• Cashmo reserves the right to update or modify this Privacy Policy at any time to reflect changes in law, regulatory requirements, or business practices.
• Material changes to this Policy shall be communicated to registered Users via email or SMS at least 7 days prior to the effective date of the change.
• The updated Policy shall be published on the Platform with a revised effective date.
• Continued use of the Platform following the effective date of any amendment shall constitute Your acceptance of the revised Policy.

• Information Technology Act, 2000
• Information Technology (SPDI) Rules, 2011
• Prevention of Money Laundering Act, 2002
• RBI Master Directions on KYC, 2016 (as amended)
• Consumer Protection Act, 2019

• You have read and understood this Privacy Policy in its entirety.
• You consent to the collection, processing, and use of Your personal data as described herein.
• You are aware of Your rights as a Data Principal and the mechanisms available to exercise them.
• You understand that withdrawal of consent may affect Your ability to use certain Platform services.