Privacy Notice

Read this Privacy Notice if you want to know how Unlimint India gather, process and store your personal data.
The purpose of this Notice is to tell you which personal data we process including how, why and for how long your personal data is processed. It is important for Unlimint India that you know your rights regarding your personal data and how to reach us.
To get a complete understanding of Unlimint India and our service offering to you, please read this Notice with the relevant Terms and Conditions.

Who is Unlimint India?

Unlimint In Private Limited (“Unlimint India” or “we” or “us” or “our” or “Unlimit”) is a private limited company incorporated under the Companies Act, 2013 having its registered office at 14th Floor, Wing 1, AIPL Business Club, Sector 62, Gurugram, Haryana 122018.

Unlimint India is a part of Unlimint group companies or businesses that operates in the field of global payments and technology. This Privacy Notice applies to your use of our Website and our services.

Our Website may contain links to or come from websites or applications with their privacy notices or policies, which Unlimint India does not control. These websites will have different privacy notices or Notices, and we do not control these websites. Unlimint India does not accept any responsibility or liability for such websites.

In this Notice:

“personal data” refers to information that identifies you or may identify you (e.g., depending on who you are, a merchant, cardholder, supplier or business partner) and depending on how you interact with us, we may process different types of personal data.
“Processing” of personal data refers to collecting, gathering, handling, storing, transmitting and combining personal data.
A “data principal” is a person that can be identified or identifiable from the personal data processed by a controller or processor.
A “data processor” means any person who processes personal data on behalf of a data fiduciary.
A “data fiduciary” means any person who alone or in conjunction with another person determines the purpose and means of processing personal data.

What this Notice tells you

This Notice contains a description of:

When and why do we process personal data;
What types of personal data do we process;
How do we collect and use personal data;
What are the grounds that we rely on to process your personal data;
What are the purposes for processing your personal data;
Who do we share your personal data for;
What are your rights and how to raise a complaint;
How long we keep your personal data;
How we keep your personal data secure;
How do we tell you when we change this Notice.

When and why do we process personal data?

Unlimint processes your personal data:

On behalf of our merchants to comply with our contracts with the merchants
When you use our Website
When you choose to contact us through our Website
When you choose to use our services and engage in a business relationship via application forms, email, or forms available on our website or other means of communication

In addition to this Privacy Notice, please also your merchants’ privacy notices regarding important information about your personal data processing.

What types of personal data do we process?

Various types of personal data maybe processed in the context of the relationship between you and Unlimint India and according to the service/product used and your capacity. Unlimint India may process the following categories and types of personal data:

Individual Personal Data	Name, previous names, data and place of birth, language, if you hold prominent public functions (PEPs), residence permit.
Contact Details	Work address, home address, email address, mobile number, and other contact details.
Identity Information	Passport, National ID card, Nationality, Utility bill, tax residence and tax ID.
Financial Information	Personal bank details, professional status, employment field, employer details (including, for example, information such as certificates of directors).
Authentication Data	A signature or your user login to access our service dashboards.
Communications	Personal data that you may provide by filling in forms or by communicating with us (e.g. directed to us in letters, emails, via our electronic channels).
Transactional and other/ documents information	Personal Data arising for the execution of payment transactions (including data such as date, time, amount, currencies, beneficiary details, location information and merchant details), supplementary/supporting documentary evidence related to transactions, and further information arising from contractual obligations between Unlimint India and merchants.
Location and technical information	Location data (for example, at the time of login or a transaction); IP addresses and device information, visitor’s information and similar information.
Publicly available Personal Data	Details about you from public records and available in publicly accessible databases.
Investigations data/ results of due diligence and enhanced due diligence	Personal data regarding criminal convictions and offences (special category of data), as part of its compliance measures with regulatory obligations, as well as other supporting documents and personal data related to the categories above.
CCTV	Closed circuit television (CCTV) at our offices (which may collect videos of you).
Consents	Personal Data that you agree to give us by your active consent when you use our services or visit our Website

How do we collect your personal data?

1. Personal Data you submit to us

This can happen in different ways:

When you have agreed to give to the merchant your personal data who has a contract with us so we can provide our services to the merchant. E.g. during Unlimint India’s business relationship with a merchant, a Merchant is required to complete our application form and undergo Unlimint India’s verification and compliance checks which include that the merchant ensures that its customers know that we will process Transactional Information, Location and Technical information. We collect the Personal Data of customers only what is needed to process the transaction for the merchant.
When you accept our Privacy Notice, receive communications from us, via email or forms available on our Website or any other means of communication.

2. Personal Data we collect when you use our services

This personal data may include the following:

Payment and Transaction data:

Profile and usage data (such as data when you connect to internet banking, or SMS services (if applicable), and may include Personal Data on how you use the services. We may collect data from devices you use to connect to the services, such as computers and mobile phones, such as your IP address and use cookies.
Third-party data:

Personal data we lawfully obtain from other entities such as service providers, public authorities, persons that refer you to us, our Group companies, and companies processing payments.
Public data:
Databases and publicly accessible sources (e.g., Registrars of Companies, Commercial Registries, Screening databases (e.g., sanctions/anti-money laundering).

What are the lawful grounds we rely on to process your personal data?

When we process your personal data, we rely on the grounds for processing provided under the Digital Personal Data Protection Act, 2023 (“DPDP Act”).

We rely on your consent or the legitimate uses to process your personal data for the following lawful purposes:

Conclusion and performance of a contract

We process personal data to conclude a services contract with you or a merchant (acting as the Data Fiduciary) and to perform our obligations under a contract to provide our payment services with our merchants in compliance with applicable laws and regulations.

Legal obligation or public interest

Unlimint India is subject to various legal obligations and legal and regulatory requirements to provide payment services. We are also required to implement regulations and directives of multiple authorities to ensure compliance. The purposes of processing include verification controls of identity, money laundering and refund, chargeback processing fraud prevention, compliance with our record reporting obligations, tax obligations, risk control measures, and providing information to a competent authority, public body or law enforcement agency.

Purposes for which we use your personal data

We process your personal data for the following purposes:

1. Authenticate, Verify and Authorise you

To verify your identity (e.g., for authentication, purposes and fraud prevention purposes);
To provide our payment services requested (e.g., conduct merchant acceptance procedures to enter into a contract);
To execute transactions;
To execute merchant payment requests, act upon instructions;
To perform our contractual obligations.

2. Ensure we comply with the law and applicable regulations, directives

To perform anti-money laundering checks and evaluations;
For crime prevention purposes and, when required, to co-operation with authorities;
Statistics and analytics for internal purposes and improvement of services and website;
Enforce or defend the rights of Unlimint India or Unlimint group/affiliates;
Ensure physical and technical security and business continuity;
For internal operational support and administrative purposes (e.g., product development, audit, risk management);
General administrative functions (e.g., maintenance of our internal records necessary for keeping up-to-date information in our systems, general record-keeping).

3. To communicate, establish and maintain our services relationship with you

To provide ongoing support and handle inquiries, complaints and similar issues;
To provide information about our products, services or both when you request it;
To ensure that our internal procedures and protective measures against fraud, risk and financial crime are followed and that you are kept informed of this;
To obtain reports of an online problem (e.g. with our website or payment services);
To notify you of any quality management change, important product or service improvement, update or upgrade.

4. To market our product and services

To provide information about our products, services or both;
To improve and customise the content of our advertisements, promotions, and advertising that you may be interested in.

Who do we share your personal data with?

Internally

Unlimint India shares your personal data in the context of Unlimint India operations internally. This means that Unlimint India may share personal data with third parties from within the same group of companies to which Unlimint India belongs. We may disclose your personal information to those companies to:

provide support services and technical services to these internal third parties and receive some of these services from them;
contribute to research, data analytics and studies to improve our products and services.

Externally

We will share personal data with third parties to carry out requests, provide services or as required or permitted by law. Third parties under these circumstances include:

1. Merchants

Unlimint India shares your personal data with merchants to process a card payment transaction. When you buy products or services using Unlimint India payment services, we may provide the merchant with your credit card billing address to help complete an individual’s payment transaction.

2. Service providers

We will disclose personal data to third-party partners and service providers (processors), so they can process it on our behalf where required. These service providers must provide assurances in accordance with applicable data protection laws and associated requirements. (e.g., being bound contractually to data protection, privacy, security and confidentiality obligations). We will only share personal data as is strictly necessary for them to provide their services to us.

3. Auditors, advisors and consultants

We may disclose personal data for purposes and in the context of audits (e.g., external card scheme audits, regulatory authority audits like the Reserve Bank of India, security audits such as PCI DSS Level 1) to legal and other advisors, to investigate security issues, risks, complaints.

As such, personal data may be transferred and disclosed to:

Money laundering and fraud prevention aggregation or agencies, compliance and verification services and risk prevention services. This is required to verify your identity, ensure protection against fraud, and confirm eligibility for our services/ products;
Banks (other credit and financial service institutions) and similar institutions. These enable us to provide our payment services and include correspondent banks such as intermediary banks;
Payment Card Systems (Visa, Mastercard, RuPay etc.). These enable us to provide our card processing services;
Companies assisting us with the provision of our services (e.g. technological services, solutions, support such as support/maintenance/development of IT applications, technology, website management, telephony/SMS services);
Customer support service providers and marketing service providers;
Entities of Unlimint Group which are affiliated/related to us, acting as processors or controllers to provide services, streamlined services, ensure quality and effectiveness across the group;
Administrative service providers;
Auditing and accounting services and consultants;
External legal advisors.

Unlimint India takes all reasonable measures to ensure that every third party involved in processing your personal data has the required organisational and technical protection, including the required data processing and transfer agreements where necessary.

Regulatory authorities, law enforcement, courts

We may disclose personal data to comply with applicable legislation and regulatory obligations, to respond to requests of regulatory authorities, government and law enforcement agencies, courts and court orders in India, such as:

Reserve Bank of India;
Financial Investigative authorities and the Police (subject to the receipt of a subpoena, court order or similar lawful request or procedure);
Tax Authorities;
Other regulators, authorities and public bodies where applicable under Indian legislation.

Other recipients may be any person/legal entity/organisation for which you ask your data to be transferred (e.g., reference, etc.) or give your consent to transfer personal data.

We may also disclose your personal data if:

If we are under a duty to disclose or share your personal data to comply with any legal or regulatory obligation or request;
To apply or enforce the Terms and Conditions or any other agreement in place in the context of our relationship and to investigate potential breaches;
To protect Unlimint India’s rights, safety or property, or that of our customers or third parties/the public which might involve exchanging information with other companies and organisations such as law enforcement authorities for the purposes of prevention of money laundering, fraud prevention and other equivalent risks;
If Unlimint India or substantially all of its assets are acquired by a third party, in which case personal data held by it will be one of the transferred assets;
If Unlimint India or substantially all of its assets are acquired by a third party, in which case personal data held by it about its merchants will be one of the transferred assets.

Transfers outside India

We are a company with a global reach. Your personal data may be processed locally in India or worldwide, to the extent permitted under applicable laws.

Your personal data may be transferred to international organisations if the transfer is necessary and transferee has reasonable degree of controls and measures, not less than as required as per applicable laws in India. Such transfers take place, for example:

When necessary to carry out and in the context of transactions (e.g. card transactions, payment orders to third countries, through a correspondent bank in the third country);
Under applicable law (e.g. tax legislation);
On the basis of your instructions or consent.

We aim to take all steps reasonably necessary to ensure that your personal data is treated securely and under this Privacy Notice (e.g., requirement to observe privacy standards equivalent to ours, maintaining security standards and procedures to prevent unauthorised access, use of technology such as encryption and firewalls) to protect the security of data in transit and at rest.

Unlimint India in respect of its services as licensed entity ensures that payments data is stored locally where required under applicable laws and regulations.

How we keep your personal data secure?

Unlimint India has established and regularly reviews its security internal policies and procedures for secure processing of personal data in order to protect personal data from unauthorized access, loss, misuse, alteration or destruction.

We ensure to the best of our abilities that access to personal data is limited to persons on a need-to-know basis, and that persons who have access are required to maintain its confidentiality. We utilise a series of technology and security solutions to protect personal data (such as storage of information you provide us on secure servers, perimeter security mechanisms, such as encryption etc.).

Unlimint India follows the payments industry standards regarding the protection of payment card information. Unlimint India’s payment card infrastructure will be regularly audited to maintain the highest level of security certification with the Payments Card information Security Standard Council (PCI) in respect of protecting card data.

In addition, Unlimint India in also carries out any other security measures (e.g. tokenisation) which may be specifically required to comply with its legal and regulatory obligations.

Your Rights

As per applicable law, you may have the following rights:

access your personal data (access rights): You have the right to ask us if we process personal information that relates to you, and you may ask us to provide you with details of the personal information we process about you (as required under applicable laws);
correct or erase your personal data: You can ask us to have inaccurate personal information we process about you fixed or changed.
Nomination: In the event of death or incapacity of the data principal the authorised representative may contact us at [email protected] to nominate another individual. Please note that when a request for nomination is received in accordance with Section 14 of DPDP Act, we may require additional information to complete such request.

As the majority of processing, is to meet our contractual and legal obligations, some of the rights may be limited by our legal, contractual and regulatory requirements.

Exercising your rights

You can address questions and concerns to the Data Protection Function as follows:

Unlimint IN Private Limited

14th Floor, Wing 1, AIPL Business Club, Sector 62, Gurugram, Haryana 122018

Email: [email protected]

Please note that you may be subject to identification procedures and measures in order to ensure that no personal data is disclosed to unauthorized persons. We may also request additional clarifications to process your request as rapidly and efficiently as possible.

Right to file a complaint or grievance

If you have any complaints or grievances about the use of your personal data, exercise of your rights, please write and/or file a complaint with us directly at the contact details indicated above.

Retention period

Our obligations primarily determine our retention period under applicable legislation to retain data for a specific time. Destruction will only be possible after the lapse of this period.

We are obliged to keep Transaction data (including personal data) during the business relationship and for a minimum period of 10 years after business relationship termination, or after Customer application rejection/withdrawal, per anti-money laundering legislation and other requirements applicable to our business.

The retention period may be extended in case of other lawful reasons justifying longer retention (such as for complaints handling, legal proceedings, investigations, regulatory, tax, money laundering and crime and fraud prevention purposes).

Your Responsibilities

You are responsible for ensuring that the information provided to Unlimint India by you/about you or on your behalf is accurate and up to date. You must inform us if anything changes as soon as possible.

Unlimint India’s services are not intended or designed to attract minors. We ensure through our contractual arrangements with the merchants that personal data pertaining to minors is not shared with us when providing our services. In the unlikely event that a minor’s data is received by us, we will take all necessary steps to ensure that such personal data is processed in accordance with applicable data protection laws.

Changes to our Privacy Notice

We may revise or update our Privacy Notice from time to time. In such a case, we make the most recent version of the Privacy Notice available on our website, informing you accordingly by displaying the updated version and relevant date of update.

You are advised to visit our website frequently to consult our Privacy Notice in its most recent version.

Privacy Notice UNL.IN_DP_PN_CUST-02/2024