Privacy Policy

General

1. https://www.quickpe.com/ ("our", "us", "we", "Website", "QuickPe", "QuickPe's mobile applications") is committed to the protection of Information provided by the users ("you", "your", "users") to us. You agree that your use of QuickPe's services or our interface implies your free, informed and clear consent to the collection, processing and use of your Information in accordance with the terms of this Privacy Policy ("Privacy Policy").
2. We take the privacy of our users seriously. We are committed to safeguarding the privacy of our users while providing a personalised and valuable service. In addition to this Privacy Policy, we have taken the following steps to further safeguard your privacy:
3. QuickPe has established a set of "Binding Corporate Rules". These Binding Corporate Rules are a commitment by QuickPe to protect your Information regardless of where the data resides. Depending upon where you live, the Binding Corporate Rules may provide additional privacy rights through your local privacy regulator or government. For more information about our Binding Corporate Rules, including information on how to contact us with any questions, write to us at legal@quickpe.com.

Information Collected

1. Traffic Data Collected

   We automatically track and collect the following categories of information when you visit our Website:

   1. IP addresses;
   2. Domain servers;
   3. Types of computers accessing the Website;
   4. Types of web browsers used to access the Website;
   5. Referring source which may have sent you to the Website; and
   6. Other information associated with the interaction of your browser and the Website (collectively "Traffic Data").

2. Information Collected from You

   In order for you to access certain areas of the Website, we may require you to provide us with certain information ("Personal Information"). Personal Information includes the following information:

   1. Your full name, address, e-mail address, telephone number, date of birth and bank or payment card details and any proof of your identity and/or address that we may request including Your Aadhaar details and any alternative virtual identity issued as an alternative to the actual Aadhaar number generated by UIDAI;
   2. Details of any transactions you carry out through our Website using your QuickPe account and of the fulfilment of your requests;
   3. Details of any bank account (including but not limited to, account holder, account name, account number, sort code, online banking PIN, Transaction Authentication Number "TAN" and password, available balance and transaction history of your bank account), ITR, TAX certificates or any other income documents as necessary by us;
   4. Biometric information such as photograph;
   5. Details of any credit, debit or other card used by you for transactions;
   6. Your participation in any promotion sponsored by us;
   7. Correspondence that you send us;
   8. Calls that we make to you or you make to us;
   9. Surveys that you complete through the Website or based on our request;
   10. Information collected through cookies. Please see Paragraph I (Cookies) of this Privacy Policy for more details;
   11. Your IP address, location details, SMS, log-in times, operating system and browser type;
   12. Your contact list information to detect fraud and assess risks; and
   13. Details of your visits to our Website including, but not limited to, Traffic Data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access whilst visiting our Website.

3. In order to fulfil our legal obligations to prevent fraud and money laundering, we will obtain information about you from third party agencies ("Third Party Information"), including your financial history, court judgements and bankruptcies, from credit reference and fraud prevention agencies when you open a QuickPe account and at any time when we feel it is necessary to prevent fraud and minimise our financial risks. Please refer to paragraph on Anti-Money Laundering Policy of this Privacy Policy for further details.

   Personal Information and Third Party Information are collectively referred to as "Information".

4. QuickPe will collect your Personal Information including Aadhaar number/virtual identity directly from the Aadhaar number holder for conducting authentication with UIDAI at the time of providing services. Virtual ID in lieu of Aadhaar number at the time of authentication may be used.

5. Provision of Aadhaar details is mandatory as an identity information for OTP based e-KYC, as per the Master Direction - Know Your Customer (KYC) Direction, 2016.

Use and Storage of Information

We collect, use and store your Information (including Aadhaar number/virtual ID) for the following purposes:

1. To operate and administer your QuickPe account and to provide services that you have requested;
2. To carry out your instructions to make and receive payments and undertake transactions using our services, including verifying that you have sufficient funds in your QuickPe wallet to make such payments;
3. To allow you to participate in interactive features of the Website;
4. To notify you about changes to our service(s);
5. To improve our internal customer training,
6. To comply with financial services regulations including retention of financial information and transactions;
7. To comply with the provisions of Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, as applicable to a requesting entity;
8. For financial and identity checks, fraud and risk assessment checks, anti-money laundering and credit checks;
9. For customer service, including answering questions and responding to feedback and complaints;
10. To enhance the security of our services;
11. To ensure that content on our Website is presented in the most effective manner for you and for your computer; and
12. To provide you with information, products or services that you request from us or which we feel may interest you or to provide you with personalised offers.

Retention of Data.

1. We are required under applicable laws to retain certain records for a period of at least 10 (ten) years after closure of your QuickPe account, which will include your personal data such as your name, contact details, customer number and transaction history, etc. ("Retained Data"). Other than the Retained Data, we will delete and destroy all Personal Information that we hold about you when you (or we) terminate your QuickPe account. We do not store your online banking login PIN, TAN and/or password
2. Please note that we will not store your credit card information.
3. Upon receiving your explicit consent, QuickPe will have access to, use, store and retain certain information including your contact list, SMS logs and data and location details.

Please note that we will never ask you to disclose your personal or security details by e-mail. If you receive any e-mail purportedly from QuickPe requesting your personal or security details, please do not respond to it ("Such E-mail"). Please forward any Such E-mail to risk@quickpe.com and thereafter delete the e-mail immediately.

Disclosure of Information

1. We do not disclose your Information to any third parties other than the Website's affiliates and the following:
   1. a prospective buyer of our business or a buyer of a substantial number of the shares in our business;
   2. the police, other lawful enforcement body, regulatory body or court if we are under a duty or required by law to disclose or share your personal data , or to protect the rights, property, or safety of ourselves or our group companies, our customers, or others;
   3. Financial institutions with whom we partner to jointly provide better services, facilities or products to you. These financial institutions may only use your information for providing to you their services and market QuickPe related products without requiring your further consent.
   4. third parties where you have expressed an interest in receiving information about their goods and services;
   5. third parties who referred you to us initially and to whom we owe a commission payment as a result of the referral. Where the commission payment is based on transaction volumes, numbers or types of transactions, we may share that information with that third party, but we will not disclose the full details of each of your transactions without your further written consent; and
   6. third parties we may occasionally use to provide you with the services that you have requested. We require these third parties to not use your personal information for any other purpose.
   7. third parties with whom we have legal and contractual obligations
   8. as may be required under Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and/or Aadhaar (Authentication) Regulations, 2016.
2. We also use Information in aggregate/anonymized form (so that no individual user is identified):
   1. To build up marketing profiles;
   2. To aid strategic development;
   3. To audit usage of the Website
3. We reserve the right to disclose Information if required to do so by law or if we believe that it is necessary to do so to protect and defend the rights, property or personal safety of the Website, or its users.
4. For the purpose of UPI and other transactions, the customer shall be bound by the Privacy Policy of the PSP Bank

Fraud and Credit Agencies.

1. When you open a QuickPe account, at intervals of up to every 3 (three) months and at any other time we feel it is necessary to do so to protect our financial interests and prevent money-laundering or fraud, we share certain information about you and your QuickPe account, financial history and transactions as part of our normal business operations with banks, payment facilitator partners, credit/debit card processing services, identity verification service providers and credit reference agencies (including, but not limited to) to identify and verify users, to limit our exposure to fraud and other criminal activities and to manage our financial risk. We can provide you with a list of the credit reference agencies we use upon your written request to QuickPe Helpdesk. When conducting identification or fraud prevention checks, the relevant parties may retain a record of our query along with your information and may share this information with other fraud prevention agencies. If you want to know what information these companies hold about you, you can write to them to request access to your information.

2. Anti-Money Laundering Policy

   In order to comply with anti-money laundering laws that exist in various jurisdictions we reserve the right to report suspicious transactions to federal, state, provincial or local authorities and law enforcement agencies within those jurisdictions. In exchange for us permitting you to participate in, use and access our Website and services you hereby grant us the right to report any transactions which we deem suspicious, as determined solely by QuickPe acting in its sole discretion. Examples of a suspicious transaction include but are not limited to use of funds suspected to be derived from illegal activities, any suspected intention to conceal or disguise funds derived from illegal activities, or suspicion that the involvement of our Website and services is in any manner intended to facilitate criminal activity. If for any reason we are of the belief or become aware of any transaction which we deem suspicious in nature, we may without prior notice or explanation to you take the following actions, which are in addition to all other rights and remedies available to us under this Privacy Policy, at law or in equity:

   1. report such transaction to the applicable central, state, provincial or local authorities and law enforcement agencies;
   2. de-activate or terminate your QuickPe account forthwith;
   3. withhold any funds held in your QuickPe wallet; and/or
   4. restrict you from registering a QuickPe account on or with our Website or any of our affiliated websites.

Communications

1. We may contact you via the e-mail address and phone number registered with your QuickPe account. You may also receive system-generated transactional e-mails such as confirmations, notification of receipt of payments, notification of password changes etc. which are necessary for the proper operation and administration of your QuickPe account. You expressly consent to receive such communications from us, irrespective of whether your phone number is registered on the National Do Not Call Registry.
2. As a QuickPe account holder, you will occasionally receive information by e-mail from us, unless you have expressly chosen not to receive such communication, about products, services and special deals which we think will be of interest to you via our newsletter. You can change whether or not you receive newsletters from us. However please note that you will still receive communication regarding your QuickPe account such as transactional e-mails or other notifications affecting the operation of your QuickPe account or our legal relationship.

Phishing

1. Phishing is the name given to attempts to steal personal details and financial account details from a website user. "Phishers" use fake or "spoof" emails to lead users to counterfeit websites where the user is tricked into entering their personal details, such as credit card numbers, user names and passwords.
2. If you receive such an e-mail or are asked for your password by anyone claiming to work for us please forward the e-mail or report the incident by e-mail to our Data Protection Officer

Links to Our Website and to Other Websites

1. Our Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own terms of use and privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites. Please also note that the products and services offered on these websites may be limited to persons located or residing in only that particular jurisdiction. In addition, the content on these linked websites may not be intended for persons located or residing in jurisdictions that restrict the distribution of such content.
2. Our Website also includes social media features, such as the Facebook Like button and widgets, such as the "Share this" button or interactive mini-programs that run on our site. These features may collect your IP address, which page you are visiting on our Website, and may set a Cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our Website. Your interactions with these features are governed by the privacy policy of the company providing it.
3. You must always obtain the prior written approval of QuickPe before creating a hyperlink in any form from a third party website to any webpage on the QuickPe Website. QuickPe may or may not give such approval at its absolute discretion. In normal circumstances, we may only approve a hyperlink which displays plainly our name or website address. Any use or display of our logos, trade names and trademarks as a hyperlink will not be approved unless in very exceptional circumstances and may be subject to a fee as QuickPe may determine at its absolute discretion. QuickPe is not responsible for the setup of any hyperlink from a third party website to any QuickPe website. Any links so set up shall not constitute any form of co-operation with, or endorsement by, QuickPe of such third party website. Any link to our website shall always be an active and direct link to our website and shall be made directly to the home or front page of our website only and no "framing" or "deep-linking" of any webpage of our Website or content is allowed. Please contact QuickPe Helpdesk if you wish to create a hyperlink to any page of our Website on a third party website.

Cookies

1. "Cookies" are small computer files that are transferred to your computer's hard drive that contain information such as user ID, user preferences, lists of pages visited and activities conducted while browsing the Website. At your option, expense and responsibility, you may block cookies or delete cookies from your hard drive. However, by disabling cookies, you may not have access to the entire set of features of the Website.
2. Generally, we use Cookies to customize your experience on our Website and to store your password so you do not have to re-enter it each time you visit the Website.
3. In addition, our business partners may use Cookies to provide us with anonymous data and information regarding the use of our Website. Specifically, some of our business partners use Cookies to show the Website's ads on other websites on the internet as a result of you using the Website. Such Cookies do not contain any Information. You may opt out of receiving Cookies placed by such third party vendors by visiting the opt-out page.
4. Other Cookies used by our business partners may collect other non-personally identifying information, such as the computer's IP address, type of operating system, type of internet browsing software, what web pages were viewed at what time, the geographic location of your internet service provider and demographic information, such as gender and age range. This information is used to provide the Website with more information about our user's demographics and internet behaviours. You may find out more about the information collected and how to opt-out of receiving these Cookies by visiting our partner's website.
5. We do not link the information stored in these Cookies directly to any of your Information you submit while on the Website.
6. In order to comply with legislation, we have reviewed the use of Cookies on our Website and set out the information below. This is to ensure that you are aware of these cookies and are able to give your consent for the placing of some or all of these cookies on your device when you use our Website. In summary, we use the following types of cookies:

   1. Strictly Necessary Cookies

      These are cookies which are essential for our Website to operate such as those which identify you so you can log into your QuickPe account. They allow you to move around our Website and use the services you have requested. These Cookies will be activated when you enter our Website and as you use our Website.

   2. Compliance Cookies

      These include Cookies which are necessary to assist in meeting our regulatory compliance obligations, such as anti-money laundering and anti-fraud obligations, and prevent your QuickPe account from being hijacked. These cookies will be activated when you enter our Website and as you use our Website.

   3. Performance Cookies

      These are Cookies that help us to improve how our Website works and to deliver a better service to you. For example, they will assess which pages you visit most often or if you get an error message. They also allow us to see if you have used the Website of one of our group or affiliated companies. All information collected by these Cookies is aggregated and therefore anonymous.

   4. Functionality Cookies

      These Cookies allow us to deliver a more personalised service to you and allow our Website to remember choices you have made such as the language you prefer or the region you are in. They may also be used to provide services you have requested such as being able to comment on one of our blogs.

   5. Third Party Cookies

      When you visit a page on our Website with content embedded from third parties, for example, YouTube or Twitter, Cookies may be downloaded onto your device. We do not set or control these Cookies. If you are concerned about the types of Cookies that may be downloaded you check the third party websites for more information about these Cookies.

      We may use other Cookies from time to time in accordance with this Privacy Policy. By using our Website and other online services, you acknowledge that we may use some or all of the Cookies set out in this Privacy Policy and you agree that we can place performance and functionality Cookies on your device when you use our Website. If you do not agree to this you should cease using our Website and online services or adjust your browser settings.

      You can find more information about the individual cookies we use and their purpose in the table below:

      Information stored	Technology / Type	Owner	Name
      Product usage Analytics	Cookies	Google Analytics	_ga
      Spam and Abuse protection	Local Storage	Google Recaptcha	rc::a
      Spam and Abuse protection	Session Storage	Google Recaptcha	rc::c

7. Blocking Cookies

   Should you want to continue using our services but restrict our use of Cookies, you can block Cookies by activating the setting on your browser which allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all Cookies (including Strictly Necessary and/or Compliance Cookies, as described above) you may not be able to access all or parts of our Website. Our Website may issue some of the Cookies described above as soon as you visit our Website unless you have adjusted your browser setting so that it will refuse Cookies.

Web Beacons

1. In limited circumstances we also may use "Web Beacons" to collect anonymous, non-Information about your use of our Website and the websites of selected sponsors and advertisers, and your use of e-mails, special promotions or newsletters we send to you. Web Beacons are tiny graphic image files imbedded in a web page or email that provide a presence on the web page or e-mail and send back to its home server information from the user's browser. The information collected by web beacons allows us to statistically monitor how many people are using the Website and selected sponsors' and advertisers' websites, or opening our e-mails, and for what purposes.

Website Analytics

1. We may use third party website analytics services in connection with the Website. These website analytics services do not collect information that you do not voluntarily enter into the Website. These services do not track your browsing habits across websites which do not use their services. We are using the information collected from these services to find usability problems to make the Website easier to use. The recordings will never identify you or your account.

Security Checks, Review and Releases

1. To maintain a high level of security, we reserve the right to conduct a security review at any time to validate your identity, verify your financial transactions and further document your consent to this Privacy Policy. To facilitate these security checks, you agree to provide such identification or other information or documentation as we, in our sole and unfettered discretion, deem necessary. If you fail to comply with any security request, we reserve the right to void your QuickPe account. You will be notified of such verification request by e-mail or telephone and your QuickPe account balances will be forfeited if you fail to provide us with such requested documentation and information within the time period reasonably specified by us. Such request for documentation and information may include a sworn affidavit of identity and eligibility, release of liability in favour of us and publicity authorization

User Choice

1. You may choose not to provide us with any Information while accessing the Website. In such an event, you can still access much of the Website; however you will not be able to access and use those portions of the Website that require your Information.

Confidentiality and Security

1. Except as otherwise provided in this Privacy Policy, we will keep your Information private and will not share it with third parties, unless we believe in good faith that disclosure of your Information or any other information we collect about you is necessary to:
   1. comply with a court order or other legal process;
   2. Protect the rights, property or safety of QuickPe or another party.
   3. I give consent to QuickPe to collect KYC documents from PSUs and Government agencies on my behalf.
   4. Enforce our Terms of Use or
   5. Respond to claims that any posting or other content violates the rights of third parties.

Public Information

1. Any information that you may reveal in a review posting or other online discussion or forum is intentionally open to the public and is not in any way private. You should think carefully before disclosing any personally identifiable information in any public forum. What you have written may be seen and/or collected by third parties and may be used by others in ways we are unable to control or predict.

Security

1. We are committed to ensuring that your Information is secure. To prevent unauthorised access or disclosure of Information we have physical, electronic and managerial procedures in place to keep your information safe. Once logged into your QuickPe account, all internet communication is secured using Transport Layer Security (TLS) technology and the connection is encrypted and authenticated using AES 128bit encryption key and uses Elliptic Curve Diffie-hellman key exchange (ECDHE) RSA as a key exchange mechanism.

   However, this high level of protection can only be effective if you follow certain security practices yourself. You must never share your QuickPe account or login details with anyone. If you are concerned that any of your login details have been compromised,

Updates and Changes to Privacy Policy

1. We reserve the right, at any time, to add to, change, update, or modify this Privacy Policy so please review it frequently. If we do, then we will notify you here, as well as by posting a notice on our Website and, where appropriate, a link to the modified policy so that you can review it. In all cases, use of information we collect is subject to the Privacy Policy in effect at the time such information is collected.

Your Rights

1. You have a legal right to a copy of any Information about you held by us. You also have a right to correct any errors in that Information. As mentioned above, you have a right to request that we cease to use your Information for direct marketing purposes.
2. You have a right to obtain and request update of identity information stored with us including authentication logs, but cannot request for core biometric information.
3. You shall, at any time while availing the services or otherwise from us, also have an option to withdraw/revoke your consent given earlier to QuickPe (i.e., duly conclude/terminate your account with QuickPe in entirety) all including for storing e-KYC data and upon such revocation, QuickPe shall delete the e-KYC data in a verifiable manner and provide you an acknowledgement. You shall inform us regarding such withdrawal of the consent in writing. We reserve the right to restrict or deny the provision of our services for which we consider such information to be necessary.
4. You may also request deletion of your data in accordance with the privacy policy, provided however, We and our partners providing financial products may still retain data as required under applicable law and to the extent that any amounts are outstanding under any financial products.
5. You also have a right to lodge a complaint with the privacy officer so that processing of your Personal Information is not in contravention of law.

Restriction of Liability

1. We makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the contents of this Website and expressly disclaim liability for errors and omissions in the contents of this Website.
2. No warranty of any kind, implied, expressed or statutory, including but not limited to the warranties of non-infringement of third party rights, title, merchantability, fitness for a particular purpose and freedom from computer virus, is given with respect to the contents of the Website or its hyperlinks to other internet resources.
3. Reference in this Website to any specific commercial products, processes, or services, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favouring by us.
4. The contents of this website are under copyright and/or trademark of their original author(s) unless otherwise noted on the page itself.

If you have questions or concerns, feel free to e-mail us or to correspond at QuickPe Helpdesk and we will attempt to address your issue.

QuickPe is also a registered e-KYC user agency (KUA). Therefore, the below section/policy applies to protecting personal data/information of aadhaar number holders.

1. Definitions
   • “Aadhaar number” means an identification number issued to an individual under sub-section (3) of section 3 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.
   • “Aadhaar number holder” means an individual who has been issued an Aadhaar number under the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.
   • "Anonymization" in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which an individual cannot be identified, which meets the standards of irreversibility.
   • “Authentication” means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such repository verifies the correctness, or the lack thereof, on the basis of information available with it.
   • “Authority” means the Unique Identification Authority of India established under sub-section (1) of section 11 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.
   • “Biometric information” means photograph, fingerprint, iris scan, or such other biological attributes of an individual as may be specified by regulations.
   • “Central Identities Data Repository” (CIDR) means a centralised database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto.
   • “De-identification” means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal.
   • “Demographic information” includes information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.
   • “Hardware Security Module (HSM)” means a device that will store the keys used for digital signing of Auth XML and decryption of e-KYC response data received from UIDAI.
   • “Identity information” in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information.
   • “Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
   • “PID Block” means the Personal Identity Data element which includes necessary demographic and/or biometric and/or OTP collected from the Aadhaar number holder during authentication.
   • "Processing" in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
   • “Requesting Entity” means an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.
   • “Resident” means an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment.
   • “Sensitive personal data or information” means such personal information which consists of information relating to — i. password; ii. financial information such as Bank account or credit card or debit card or other payment instrument details; iii. physical, physiological and mental health condition; iv. sexual orientation; v. medical records and history; vi. Biometric information; vii. any detail relating to the above clauses as provided to body corporate for providing service; and viii. any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise; provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
   • “Virtual ID (VID)” means any alternative virtual identity issued as an alternative to the actual Aadhaar number of an individual that shall be generated by the Authority in such manner as may be specified by regulations.
2. Purpose:
   • The purpose of this policy is to provide direction to the various stakeholders and responsible personnel within QuickPe to protect personal data of Aadhaar number holders in compliance to the relevant provisions of the Aadhaar Act, 2016; the Aadhaar and Other Laws (Amendment) Act, 2019; the Aadhaar (Authentication) Regulations, 2016; the Aadhaar (Data Security) Regulations; the Aadhaar (Sharing of Information) Regulations, 2016; and the Information Technology Act, 2000, and regulations thereunder.
3. Personal Information Collection:
   • QuickPe shall collect the personal data including Aadhaar number/Virtual ID, directly from the Aadhaar number holder for conducting authentication with UIDAI at the time of providing the services.
4. Specific Purpose for collection of Personal data/Information:
   • (a) The Identity information including Aadhaar number / Virtual ID shall be collected for the purpose of authentication of Aadhaar number holder to provide e-KYC for opening of account-based relationship with QuickPe; (b) The identity information collected and processed shall only be used pursuant to applicable law and as permitted under the Aadhaar Act 2016 or its Amendment and Regulations; (c) The identity information shall not be used beyond the mentioned purpose without consent from the Aadhaar number holder and even with consent, use of such information for other purposes should be under the permissible purposes in compliance with the Aadhaar Act 2016; and (d) Process shall be implemented to ensure that Identity information is not used beyond the purposes mentioned in the notice/consent form provided to the Aadhaar number holder.
5. Notice / Disclosure of Information to Aadhaar number holder
   • a) Aadhaar number holder shall be provided relevant information prior to collection of identity information / personal data. These shall include:
     • The purpose for which personal data / identity information is being collected;
     • The information that shall be returned by UIDAI upon authentication;
     • The information that the submission of Aadhaar number or the proof of Aadhaar is mandatory or voluntary for the specified purpose and if mandatory the legal provision mandating it;
     • The alternatives to submission of identity information (if applicable);
     • Details of Section 7 notification (if applicable) by the respective department under the Aadhaar Act, 2016, which makes submission of Aadhaar number as a mandatory or necessary condition to receive subsidy, benefit or services where the expenditure incuraryed from the Consolidated Fund of India or Consolidated Fund of State. Alternate anncurle means of identification for delivery of the subsidy, benefit or service may be provided if an Aadhaar number is not assigned to an individual;
     • The information that Virtual ID can be used in lieu of Aadhaar number at the time of Authentication;
     • The name and address of QuickPe that is collecting and processing the personal data;
   • b) Aadhaar number holder shall be notified of the authentication either through the e-mail or phone or SMS at the time of authentication and QuickPe shall maintain logs of the same.
6. Obtaining Consent
   • The consent of the user shall not be valid, unless such consent is— (a) free; (b) informed; (c) specific; (d) clear; and (e) capable of being withdrawn. Consent of the user in respect of processing of any sensitive personal data shall be explicitly obtained— (a) after informing him/her the purpose of, or operation in, processing which is likely to cause significant harm to the user; (b) in clear terms without recourse to inference from conduct in a context.
   • a) Upon notice / disclosure of information to the Aadhaar number holder, consent shall be taken in writing or in electronic form on the website or mobile application or other appropriate means and QuickPe shall maintain logs of disclosure of information and Aadhaar number holder’s consent.
   • b) Legal department shall be involved in vetting the method of taking consent and logging of the same, and formal approval shall be recorded from the legal department.
7. Processing of Personal Information/Data
   • The identity information, including Aadhaar number, biometric /demographic information collected from the Aadhaar number holder by QuickPe shall only be used for the Aadhaar authentication process by submitting it to the Central Identities Data Repository (CIDR);
   • Aadhaar authentication or Aadhaar e-KYC shall be used for the specific purposes declared to UIDAI and permitted by UIDAI. Such specific purposes shall be notified to the residents / customers / Individuals at the time of authentication through disclosure of information notice;
   • QuickPe shall not use the Identity information including Aadhaar number or e-KYC for any other purposes than allowed under and informed to the resident / customers / individuals at the time of Authentication.
   • For the purpose of e-KYC, the demographic details of the individual received from UIDAI as a response shall be used for identification of the individual for the specific purposes of providing the specific services for the duration of the services,
8. Retention of Personal Information
   • The authentication transaction logs shall be stored for a period of 2 years subsequent to which the logs shall be archived for a period of 5 years or as per the regulations governing the entity, whichever is later and upon expiry of which period, barring the authentication transaction logs required to be maintained by a court order or pending dispute, the authentication transaction logs shall be deleted.
9. Sharing of Personal Information/Data
   • Identity information shall not be shared in contravention to the Aadhaar Act 2016, its Amendment, Regulations and other circulars released by UIDAI from time to time.
   • Biometric information collected shall not be transmitted over any network without creation of encrypted PID block as per Aadhaar Act and regulations;
   • QuickPe shall not require an individual to transmit the Aadhaar number over the Internet unless such transmission is secure and the Aadhaar number is transmitted in encrypted form except where transmission is required for correction of errors or redressal of grievances.
10. Data Security
    • The Aadhaar number shall be collected over a secure application, transmitted over a secure channel as per specifications of UIDAI and the identity information returned by UIDAI shall be stored securely;
    • The biometric information shall be collected, if applicable, using the registered devices specified by UIDAI. These devices encrypt the biometric information at device level and the application sends the same over a secure channel to UIDAI for authentication.
    • OTP information shall be collected in a secure application and encrypted on the client device before transmitting it over a secure channel as per UIDAI specifications;
    • Aadhaar /VID number that are submitted by the resident / customer / individual to the requesting entity and PID block hence created shall not be retained under any event and entity shall retain the parameters received in response from UIDAI;
    • e-KYC information shall be stored in an encrypted form only. Such encryption shall match UIDAI encryption standards and follow the latest Industry best practice;
    • The keys used to digitally sign the authentication request and for encryption of Aadhaar numbers in Data vault shall be stored only in HSMs in compliance to the HSM and Aadhaar Data vault circulars;
    • QuickPe shall use only Standardisation Testing and Quality Certification (STQC) / UIDAI certified biometric devices for Aadhaar authentication (if biometric authentication is used); h) All applications used for Aadhaar authentication or e-KYC shall be tested for compliance to Aadhaar Act 2016 before being deployed in production and after every change that impacts the processing of Identity information; The applications shall be audited on an annual basis by information systems auditor(s) certified by STQC, CERT-IN or any other UIDAI recognized body;
    • In the event of an identity information breach, the organisation shall notify UIDAI of the following: • A description and the consequences of the breach; • A description of the number of Aadhaar number holders affected and the number of records affected; • The privacy officer’s contact details; • Measures taken to mitigate the identity information breach;
    • Appropriate security and confidentiality obligations shall be implemented in the non-disclosure agreements (NDAs) with employees/contractual agencies /consultants/advisors and other personnel handling identity information;
    • Only authorized individuals shall be allowed to access Authentication application, audit logs, authentication servers, application, source code, information security infrastructure. An access control list shall be maintained and regularly updated by organisation;
    • Best practices in data privacy and data protection based on international Standards shall be adopted;
    • The response received from CIDR in the form of authentication transaction logs shall be stored with following details: • The Aadhaar number against which authentication is sought. • Specified parameters received as authentication response; • The record of disclosure of information to the Aadhaar number holder at the time of authentication; and • Record of consent of the Aadhaar number holder for authentication but shall not, in any event, retain the PID information.
    • An Information Security policy in-line with ISO27001 standard, UIDAI specific Information Security policy and Aadhaar Act 2016 shall be formulated to ensure Security of Identity information.
    • Aadhaar numbers shall only be stored in Aadhaar Data vault as per the specifications provided by UIDAI.
11. Rights of Aadhar Number Holder
    • The Aadhaar number holder has the right to obtain and request update of identity information stored with the organisation, including Authentication logs. The collection of core biometric information, storage and further sharing is protected by Section 29 of the Aadhaar Act 2016, hence the Aadhaar number holder cannot request for the core biometric information.
    • QuickPe shall provide a process for the Aadhaar number holder to view their identity information stored and request subsequent updates after authenticating the identity of the Aadhaar number holder. In case the update is required from UIDAI, same shall be informed to the Aadhaar number holder.
    • The Aadhaar number holder may, at any time, revoke consent given to QuickPe for storing his e-KYC data, and upon such revocation, QuickPe shall delete the e-KYC data in a verifiable manner and provide an acknowledgement of the same to the Aadhaar number holder.
    • The Aadhaar number holder has the right to lodge a complaint with the privacy officer who is responsible for monitoring of the identity information processing activities so that the processing is not in contravention of the law.
12. Aadhar Number Holder Access Request
    • A process shall be formulated to handle the queries and process the exercise of rights of Aadhaar number holders with respect to their identity information / personal data. As part of the process it shall be mandatory to authenticate the identity of the Aadhaar number holder before providing access to any identity information.
    • All requests from the Aadhaar number holder shall be formally recorded and responded to within a reasonable period.
    • Compliance to the relevant data protection / privacy law (s) shall be ensured.
13. Privacy by design
    • Processes shall be established to embed privacy aspects at the design stage of any new systems, products, processes and technologies involving data processing of identity information of Aadhaar number holders;
    • QuickPe, in possession of the Aadhaar number of Aadhaar number holders, shall not make public any database or records of the Aadhaar numbers unless the Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and in electronic form;
    • Before going live with any new process that involves processing of identity information, the organisation shall ensure that Disclosure of information / Privacy notice in compliance to the Aadhaar Act 2016 is provided to the resident / customer / individual and that consent is taken and recorded in compliance to Aadhaar Act 2016.
    • Quarterly self-assessments shall be conducted to ensure compliance to disclosure of information and consent requirements.
    • Privacy enhancing organizational and technical measures like anonymization, de-identification and minimization shall be implemented to make the collection of identity information adequate, relevant, and limited to the purpose of processing.
14. Governance and accountability
    • A Privacy committee shall be established to provide strategic direction on Privacy matters
    • A person (Privacy Officer) responsible for developing, implementing, maintaining and monitoring the comprehensive, organization-wide governance and accountability shall be designated to ensure compliance with the applicable laws.
    • The name of the Privacy Officer and contact details shall be made available to UIDAI and other external agencies through appropriate channel;
    • The Privacy Officer shall be responsible to assess privacy risks of processing Identity information / personal data and mitigate the risks;
    • The Privacy Officer shall be independent and shall be involved in all the issues relating to processing of identity information;
    • The Privacy Officer shall be an expert in data protection and privacy legislations, regulations and best practices;
    • The Privacy Officer shall advise the top management on the privacy obligations;
    • The Privacy Officer shall advise on high-risk processing and the requirement of data privacy impact assessments;
    • The Privacy Officer shall act as a point of contact for UIDAI for coordination and implementation of privacy practices and other external agencies for any queries;
    • The Privacy Officer shall be responsible for managing privacy incidents and responding to the same;
    • The Privacy Officer shall also be responsible for putting in place measures to create awareness and training of staff involved in processing identity information, about the legal consequences of data breach to the reputation of the organization;
    • Privacy officer shall ensure that the Authentication operations, systems and applications are audited by CERT-IN (Indian Computer Emergency Response Team), Standardisation Testing and Quality Certification (STQC) empanelled auditors or any other UIDAI recognised body at least on an annual basis;
    • Privacy officer shall conduct internal audits (through internal audit team) on a quarterly basis and monitor compliance through these audits against Aadhaar Act 2016;
    • Privacy officer shall ensure that the front-end operators interacting with Aadhaar number holders are trained on a periodic basis to ensure they communicate the disclosure of information to the Aadhaar number holder, take consent appropriately after showing the screen to the Aadhaar number holder and ensure Security of identity information. Such trainings shall be documented for audit purposes;
    • Aadhaar specific trainings to developers, systems admins and other users shall be provided to ensure they are aware of the obligations for their respective roles; Completion of such trainings shall be documented;
    • Privacy officer shall be responsible to formally communicate this policy to all stakeholders and staff who need to comply with this policy; Any changes to the policy shall be communicated immediately;
    • Privacy Officer shall facilitate formal Privacy performance reviews with the relevant stakeholders / Privacy Committee and suggest improvements. The reviews shall consider the results of various audits, privacy incidents, privacy initiatives, UIDAI requirements etc.
15. Transfer of Identity information outside India is prohibited:
    • Identity information shall not be hosted or transferred outside the territory of India in compliance to the Aadhaar Act and its Regulations.
16. Grievance Redressal Mechanism
    • Aadhaar number holders with grievances about the processing can contact the organisation’s Privacy Officer via multiple channels like on the website, through phone, SMS, mobile application etc.
    • Reasonable measures shall be taken to inform the residents / customers / individuals about the Privacy Officer and its contact details;
    • The contact details of Privacy Officer and the format for filing the complaint shall be displayed on the organisations’ website and other such mediums that are commonly used for interaction with the residents / customers / individuals;
    • Where the medium of interaction is not electronic (such as physical), Poster / Notice board that is prominently visible shall be used to display the name of Privacy officer and contact details;
    • If any issue is not resolved through consultation with the management of QuickPe, Aadhaar number holders can seek redressal by way of mechanisms as specified in Section 33B of the Aadhaar Act, 2016.
17. Responsibility for implementation and enforcement of the policy
    • The overall responsibility of monitoring and enforcement of this policy through various mechanisms such as Audits etc. shall be with the Privacy Officer.
    • Responsibility of the implementation of controls of this policy shall be the Privacy Officer.
    • Responsibility of review of Disclosure of information notice, consent clause, method of consent, logging of consent etc. shall be with the Manager Legal.
18. Relevant Provisions of Aadhaar Act and Supreme court judgement
    • Following relevant documents shall be referred to for ensuring compliance to the Aadhar requirements:
      • Judgement of Honourable Supreme court dated September 2018
      • Aadhaar Act 2016
      • Aadhaar and Other Laws (Amendment) Act 2019
      • Aadhaar (Authentication) Regulations 2016
      • Aadhaar (Data Security) Regulations 2016
      • Aadhaar (Sharing of Information) Regulations 2016
      • Any other Regulations or notices or Circulars issued by UIDAI from time to time
19. Contact Details
    • Email: privacy.grievanceofficer@quickpe.com