
Information Security Policy (Platform Users)

Policy Name: Privacy Policy (Platform)
Department: Information Technology Development Department
Document No.: SMP_PP_V1.1
Title: Information Security Policy
Revision No.:
Date: 1/08/2023
Prepared by: Information Technology Development Department (Date: --/--/2023, Signature: )
Reviewed and Approved by: BOD (Date: --/--/2023, Signature: )

Versions of the document

Version No. Date Clause No. Comments / Modifications Changed By Approved By
           

TABLE OF CONTENTS

1. ABOUT THE DOCUMENT

This document presents the Privacy Policy of “Samparkfin.com”, an NBFC lending platform managed by “Sampark Fin Services Pvt. Ltd.”. The intent of this document is to provide a standard policy framework and reference guide detailing the relevant aspects of privacy norms and structures. This policy takes reference from RBI guidelines Master Direction DNBS.PPD.No.04/66.15.001/2016-17 (Information Technology Framework for the NBFC Sector). The following sections describe the purpose, objective, scope, intended audience, review and version controls of this document.

Unless specified explicitly, “company” means “Sampark Fin Services Pvt. Ltd.”, and platform means “Samparkfin.com”.

2. CONTEXT

NBFCs and lending companies operate with the prime objective of matching credit demand with credit supply, occasionally using an online platform. This lending is done keeping process as primary, in a fair and transparent manner. The digital origination of loans to borrowers also gives rise to information security risk. In this context it is of prime importance to have standard information security protocols that mitigate the information security risks confronting the process participants, so that any potential loss arising out of information security can be mitigated and the information safety of the users of the platform can be ensured.

As NBFCs fall under the regulatory purview of RBI, the company is using Master Direction DNBS.PPD.No.04/66.15.001/2016-17 (Information Technology Framework for the NBFC Sector). As privacy of users is one of the most critical aspects of NBFC business operations and users are exposed to the IT platform, it is of prime importance to have a robust “Privacy Policy” which addresses privacy and the objective use of customer data without compromising on the core value of privacy of the end user.

3. INTENDED AUDIENCE

This is an internal-use document with a section on Privacy Policy which will be for public usage in the terms of use (TOU) section. This document, as applicable to users, is intended for all company employees and all users, including the customers. The relevant portions can be shared in hard copy format on a returnable basis with company contractors, clients and vendors under a non-disclosure agreement (NDA).


4. POLICY DOCUMENT STRUCTURE

Sc. No. | Section Name | Description
1 | Introduction | Deals with policy description, approach to privacy, users and why this policy
2 | Information types which are collected | Deals with the type of information and the source of information which is being collected.
3 | Information Storage | Deals with information storage and its processing related aspects
4 | Information Sharing | Deals with the aspect of information sharing, its scope and limitations
5 | Information Usage | Deals with how this information is used for the intended purpose.
6 | Grievances Redressal in exigency | Deals with the process of grievances and issue redressal.
7 | Opt-Out Process and Contact us | Deals with the process of information privacy when users opt out from platform services.

1) INTRODUCTION
  1.1) BACKGROUND
    User privacy is an unalienable right, especially in a data-driven world of services. In line with this thought and its Information Security Vision, “Samparkfin.com” has developed a privacy policy taking reference from RBI's DNBS.PPD.No.04/66.15.001/2016-17, as Samparkfin.com will be undertaking the business modality of an NBFC. This policy conveys to the user a broader understanding of information collection, storage, usage and sharing, which strictly follows the basic principle of customer privacy as paramount.

  1.2) PRIVACY POLICY STATEMENT
    To develop a trustworthy service platform, Samparkfin.com keeps privacy as an unalienable right. It values the Confidentiality, Integrity and Availability of customer information and that of its partners and other stakeholders.

  1.3) SCOPE OF THE POLICY
    This policy is applicable to all users of the company’s service platform, such as borrowers and lenders, including company employees, agents, consultants, contractors, vendors and third parties having access and usage rights to the company’s Information Systems and/or Information Resources.

2) INFORMATION TYPES WHICH ARE COLLECTED
  2.1) INFORMATION DIRECTLY SOURCED
    • Name, mobile number, e-mail, documents and identifiers under KYC Guidelines, bank account identifiers, your social media handles, personal information or any other information which is entered by the users on the platform in prescribed fields. This also includes your permanent or current residential address and your preferences when you sign up/sign in/register as any defined user type (Lender, Borrower, agents, partners). This information allows us to identify you uniquely.
    • The internal user communication facility, its logs, content and other media. Interactions between the external user and the platform (SAMPARK and its employees). Notifications originated by the users, service requests, IVR recordings, e-mail, feedback messages, testimonies, user reviews or any information created by the user on the platform.
  2.2) INFORMATION INDIRECTLY SOURCED
    Our website uses cookies and similar techniques to create a feedback loop which generates web page interaction data. Indirectly sourced information also includes third-party verifications based on the information provided, such as KYC verification; reference data points created by other users using our referral systems; and any other information sourced by the platform for service delivery, including from third-party APIs and applications.

  2.3) INFORMATION BASED ON ANALYTICAL TOOLS (OWN AND THIRD PARTY)
    SAMPARK has its proprietary analytical tools, and we may use third-party analytics tools to help the platform understand customer insights to further improve the user experience and the security of information. This data can be web traffic and usage trends from the mobile application. These tools gather information provided by your browser, device, or the mobile application used, including the interactions the user performs or the pages visited, any add-ons, and other information that helps provide useful insight to upgrade and improve the platform. This information can be collectively used to create useful functions and tools in the platform. This information may not be tied to any particular identifiable individual User.

  2.4) SERVER SIDE INFORMATION AND LOG FILES
    As the user interacts with the platform, it creates a log of all the changes, and it also creates a log of server usage by the applications, browsers and any other functions. This information is automatically originated and communicated by the user's device/applications/browser. These interactions are recorded every time. Logs can also be created when the platform is running an automated reconciliation function.

    At the time of usage of the platform, servers automatically record certain other log information, including your request type, Internet Protocol ("IP") address, browser type and version, visited links and URLs, number of clicks and platform interaction with links on the application, domain names, landing pages, pages viewed, content views (video or document; partial, fractional or complete), and other such information. The platform can also collect certain information from emails sent to Users, which then helps us track which emails are interacted with and which links are clicked by recipients. This collected information can also be processed to gain insights for improving the application.

  2.5) IDENTIFIERS (DEVICE AND ACCESS APPLICATION)
    A user is on-boarded on, or uses, the platform, which consists of the website, the mobile application and any other mechanism. The platform can be accessed from a third-party application or device, such as a browser on a mobile device, tablet, phone or desktop, or any kind of hardware used to access the application. The platform may store, access, monitor, modify or delete one or more "Identifiers". These identifiers are small programs/scripts, data files or similar code/data structures working with your applications, desktop, mobile device or any other device, which uniquely identify your access point application/device. An identifier may be code/data stored/updated in the device taking reference from the hardware used, or data supplied/stored in connection with the device's operating system or other software in that hardware/system.

    An identifier may be able to communicate information to the platform (this information can be logged for a limited time period) or to a third-party partner about how the user browses and interacts with the application, and may help the platform or other service providers to create personalized content and any other functionality. Some features of the platform application may not function properly if these identifiers are manually or automatically tampered with or disabled by using third-party or any device-based functionality.

    Information in the case of identifiers is based on the device and hardware used, and as users can use multiple devices for using the platform/application, it can be in various log formats and can be updated over a period of time with specific time stamps.

3) INFORMATION STORAGE
  3.1) STORAGE LOCATION
    All the information which is collected is always maintained and processed in India. Under no circumstances will information be sent to another country deliberately. This is only applicable for Indian citizens residing in India. This information is stored on our servers in-house or in a data center provided by vendors within India.

  3.2) STORAGE FORMATS
    Database files such as SQL, MySQL, Oracle, MongoDB or any other database or log file structure are used in the platform for better performance of the platform. It is also very important that data can also be in encrypted format and only available to authorized personnel on a need-to-know basis.

  3.3) INFORMATION RESIDING TIME PERIOD
    The SAMPARK Platform and its service providers keep information as long as the user is on-boarded on the platform, whether the user is active or inactive. Information and data points are also archived and maintained for any regulatory audit purpose.

  3.4) SECURITY OF INFORMATION
    The SAMPARK Platform will take utmost care to protect customer data. This will be done with the use of viable means and technology. In this context SAMPARK is not in a position to provide an absolute guarantee of the security of the transmission, access, modification or deletion of information from access point to end point. SAMPARK also cannot provide a security guarantee when data is saved in local hardware for use.

  3.5) INFORMATION CLASSIFICATION FOR STORAGE AND USE
    Classification and associated protective controls for information should take account of business needs for sharing or restricting information and the business impacts associated with such needs. All information assets shall be classified as Sensitive, Confidential, Internal, User Specific and Public according to their level of confidentiality, sensitivity, value and criticality.

    • Sensitive: Business information that is secret, e.g. platform code, customer data, business data, server logs, wireframes, mockups, solution designs (physical or digital), accounting and financial information, platform testing methods and reports, internal business policy and operations documents, and logic structures, inclusive of but not limited to this list.
    • Confidential: Business information, disclosure of which can adversely impact business, employees and customers. Internal communication intended for a particular user, platform code, customer data, business data, server logs, wireframes, mockups, solution designs (physical or digital), accounting and financial information, platform testing methods and reports, internal business policy and operations documents, and logic structures, inclusive of but not limited to this list.
    • Confidential: Internal Use: Business information that is intended strictly for use within the organization.
    • User Specific: Business information that has been explicitly approved by the organization’s management for release to service users such as lenders, for example a published Borrower profile on the NBFC marketplace (however, this is only intended for Users of the Platform).
    • Public: Business information that has been explicitly approved by the organization’s management for release to the public, for example public advertisements and learning videos (excluding the material marked for a specific user).
4) INFORMATION SHARING
  4.1) OBJECTIVE OF INFORMATION SHARING
    The SAMPARK platform only shares information for the intended purpose of the user experience; information collected from users is not for direct sale or for direct rent for any other purpose.

  4.2) INFORMATION SHARING ENTITY/PARTIES
    We may share User Content and your information (including but not limited to information from cookies, log files, device identifiers, location data, and usage data) to help provide, understand, and improve the application.

    We may also share your information, as well as information from tools like cookies, log files, device identifiers and location data, with third-party organizations that help us provide the application to you ("Service Providers"). Our Service Providers will be given access to your information as is reasonably necessary to provide the application, under reasonable confidentiality.

    We will share the user profile data with the credit bureaus as per mandate for the purpose of facilitating the credit underwriting process.

5) INFORMATION USAGE
  5.1) OBJECTIVE
    The SAMPARK platform only shares information for the intended purpose of the user experience; information collected from users is not for direct sale or for direct rent for any other purpose.

  5.2) INFORMATION SHARING ENTITY/PARTIES
    In addition to some of the specific uses of information we describe in this Privacy Policy, the platform may use information with the objectives mentioned below:

    • Information used to distinctly identify the user by the platform, and on the platform by other users, for business activities as intended.
    • Information used to facilitate communication between users as required by business activity.
    • To provide specific services as a lender or borrower which need KYC and other assessment processes. It will help lenders identify users (Borrowers) and vice versa for credit supply purposes, as this is an NBFC platform. This can be done with user information organized in a discreet manner.
    • Information used to transact on the platform for business activity.
    • Information used to provide, update, improve, monitor, evaluate and test the effectiveness of our application.
    • Information used in the development of new features in the application.
    • Information used to provide third-party services if required.
    • Information used for diagnostic purposes of the system and services of the platform.
    • Information used to comply with the requirements of the authorities and regulators.
    • Information which needs to be sent to regulators from time to time.
    • Information for the grievance redressal process.
6) GRIEVANCES REDRESSAL
  6.1) OBJECTIVE
    The objective of this section is to define the policy measures with respect to any exigency arising due to unforeseen circumstances.

  6.2) PROCESS
    The platform shall try to resolve the privacy concern of the user as and when it arises; for that, the Company will use the grievances redressal mechanism established by the company, within the specific timeline. The platform will also try to communicate every policy change to the customer via notification.

7) CONTACT US
  7.1) PRIVACY RELATED ISSUES
    [email protected]

    With subject as “privacy concern”, from the registered mail ID.

    Any mail related to privacy issues must be communicated from the pre-registered mail ID or mobile number.