Data Retention and Deletion Policy

Data Retention and Deletion Policy

1. Preamble and Scope

This Data Retention and Deletion Policy (“DRD Policy”) sets forth the principles, standards, and procedures for the retention and systematic destruction of personal data collected, stored, and processed by Billplan Fintech Private Limited ("BillCut" or the "Company"). This Policy is designed to ensure strict compliance with applicable Indian law, including the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), the principles of the Digital Lending Directions (DLD) issued by the Reserve Bank of India (RBI), and the principles of Data Minimization and Purpose Limitation inherent in modern data protection jurisprudence. This Policy applies to all data collected from customers ("Data Principals") availing BillCut's services, including credit card balance transfer facilities, where the Company acts as a Lending Service Provider (LSP) or Digital Lending App (DLA) on behalf of Regulated Entities (NBFCs/Banks).

2. Data Retention Principles

2.1. Principle of Purpose Limitation

BillCut shall retain Personal Data and Sensitive Personal Data or Information (SPDI) only for the duration necessary to fulfill the specific purpose for which the data was collected, to provide the contracted services, or as mandated by statutory, regulatory, or legal obligations. Upon the fulfillment of the purpose or the expiration of the minimum statutory retention period, all unnecessary data shall be systematically and securely destroyed.

2.2. Data Localization Mandate

Pursuant to the mandates of the RBI's Digital Lending Directions, the Company affirms that all borrower data collected by BillCut or its associated DLAs shall be stored exclusively on servers located within the territory of India. No borrower data, whether collected directly or indirectly, shall be transferred, processed, or stored outside the territorial boundaries of India, except as permitted by applicable law and with the explicit consent of the Data Principal.

3. Specific Data Retention Timelines

Notwithstanding the general principle of purpose limitation, the following specific retention timelines shall govern key categories of data:

3.1. Credit Information Report (CIR) Data

The retention of credit information, including reports pulled from Credit Information Companies (CICs) such as Experian and CRIF, is subject to strict data minimization principles:

• Deletion Timeline: All Credit Information Report (CIR) Data, obtained with the Data Principal's consent for credit assessment purposes, shall be securely deleted or anonymized upon the earlier of the following two events:
• The lapse of six (6) calendar months from the date such Report was pulled out by the Company.
• The formal withdrawal of consent for the use of such CIR Data by the Data Principal.
• Non-Prejudice Clause: The destruction of this CIR Data shall be without prejudice to the ongoing retention of other necessary user data (e.g., demographic data, audit logs) retained for statutory compliance or business-specific purposes as detailed in Clause 3.2.

3.2. Statutory and Audit Retention (Mandatory Data)

Certain categories of data must be retained for mandatory statutory audit, regulatory compliance, legal defense, and trail purposes, overriding general deletion requests:

• Audit Logs and Trails: The Company shall retain all Audit Logs, Transaction Trails, System Metadata, Records of Customer Consents given at various stages, and Customer Behavioral Data on the BillCut platform necessary to prove compliance with RBI’s DLD other mandates., including records demonstrating:
• Proof of all specific customer consents given at various stages on the BillCut website and platform
• Proof of borrower consent for data collection and Credit Bureau pull.
• Proof of delivery of the key statements and loan documents.
• Records of customer acceptance of the loan terms.
• A comprehensive trail of all digital transactions executed on the platform.
• Retention Period: These audit logs and trails shall be maintained for periods starting from the date of the last transaction or termination of the loan, or such longer period as mandated by RBI Master Directions or applicable financial laws, if any.

4. Data Deletion Procedure (Right to Erasure)

4.1. Submission of Deletion Request

The Data Principal reserves the right to request the complete deletion or erasure of their Personal Data maintained by BillCut, subject to the limitations outlined in Clause 3.2.

• Mechanism: All formal requests for the deletion of user data must be submitted in writing to the Company's dedicated support email address: help@billcut.com. The request must clearly identify the Data Principal and specify the data to be deleted.

4.2. Timeline for Execution

Upon receipt of a valid and verifiable Data Deletion request, BillCut shall initiate the deletion process and ensure the removal of all non-statutory data within a maximum timeframe of fourteen (14) calendar days.

4.4 Suspension of Data Deletion Request:

The Data Deletion request shall be suspended or rejected if the data is required:

a) To fulfill an ongoing statutory or contractual obligation, including retaining Audit Logs pursuant to Clause 3.2.b) For the establishment, exercise, or defense of a legal claim.c) If the Data Principal has an outstanding loan or debt obligation with any of BillCut's Partner Lenders.

5. Data Destruction Methodology

Data destruction shall be performed using secure methodologies to render the data irrecoverable. This includes, but is not limited to:

a) Anonymization: Data that is not required to be destroyed but is no longer needed for identification shall be irreversibly anonymized, ensuring the Data Principal cannot be re-identified.b) Cryptographic Erasure: Deleting encrypted keys to render encrypted data permanently unreadable.c) Physical Destruction: For data stored on physical media, destruction methods shall comply with industry standards for secure disposal.

6. Policy Review and Compliance

This Policy shall be subject to a systematic review at least once every twelve (12) months or whenever there is a material change in applicable Indian data protection laws, including the guidelines of the RBI and the mandates of the Ministry of Electronics and Information Technology (MeitY).

7. Force Majeure

BillCutshall not be liable for any failure or delay in performance of its obligations under this DRD Policy arising out of or caused, directly or indirectly, by circumstances beyond its reasonable control, including, acts of God; earthquakes; fires; floods; wars; civil or military disturbances; acts of terrorism; sabotage; strikes; epidemics; pandemics; riots. So as to claim the benefit of this provision shall, BillCut as soon as reasonably practicable after the occurrence of any such event, (a) provide written notice to the Data principal of the nature and extent of any such Force Majeure condition; and (b) use commercially reasonable efforts to remove any such causes and resume performance as specified under this Agreement as soon as practicable.

8. Governing Law

The interpretation, performance and enforcement of this DRD Policy will be governed by the laws of India without giving effect to any choice of law or rule that would cause the application of the laws of any jurisdiction other than the laws of India to the rights and duties of the parties. The laws of India and the courts at New Delhi, India shall alone have jurisdiction.

9. Severability

If any provision of this DRD Policy or the application thereof is held to be invalid, void or unenforceable for any reason, the remaining provisions not so declared will be construed so as to comply with the law, and will nevertheless continue in full force and effect without being impaired in any manner whatsoever.

10. Intent Be Binding

Neither party to this DRD Policy shall seek to have any term, provision, covenant, or restriction of this DRD Policy to be held invalid. This DRD Policy shall inure to the benefit of and be enforceable by the successors and assigns of BillCut, any person or entity which purchases substantially all of the assets of BillCut or with whom BillCut merges, and any subsidiary, affiliate, corporation, or operating division of such entities.

11. Amendments/Changes/Additions

BillCut reserves it's right to amend, change, add, or delete any and all clauses/terms and conditions of this DRD Policy at its discretion. Data Principal shall be required to keep a regular check and update oneself with any and all changes, additions, amendments, deletions and otherwise that BillCut shall come up with time and again to revise these DRD Policy. Data Principal voluntarily agrees and understands that there shall be no specific intimation from BillCut on such changes and revisions. As of the effective date of the revised DRD Policy, Data Principal will be considered as having consented to all changes and revisions to these DRD Policy.

12. Grievance Redressal

For any grievances, please check the Grievance Redressal mechanism as mentioned in the Privacy and Data Security Policy available at https://www.billcut.com/data-security/.

This page should be read together with our Terms & Conditions and Privacy & Data Security Policy.