Information Collection

We may collect your Personal Information when you use our services or Platform or otherwise interact with us during the course of our relationship. We collect Personal Information that is relevant and necessary for providing the services requested by you and for improving the NeoZAP Platform.

Personal and Sensitive Personal Information collected includes but is not limited to:

1. Name, age, gender, photograph, address, phone number, email ID, your contact (where explicitly permitted), and nominee details.
2. PAN number, KYC-related information, videos or verification documents as mandated by regulatory authorities, and business-related information
3. OTPs and verification codes issued by NeoZAP for the purpose of authenticating your login, account actions, or transactions on our Platform. Where you have granted SMS-read permission on your device, the NeoZAP app may auto-read NeoZAP-issued OTPs on-device only to pre-fill verification fields for your convenience; these OTPs are not transmitted to our servers except as necessary to complete the verification you initiated. We will never ask you to share an OTP issued by your bank, card issuer, UPI app, or any third-party payment gateway. Do not share bank or payment OTPs with anyone claiming to represent NeoZAP. Where a transaction requires a bank/issuer OTP, it is entered directly into the bank's or gateway's secure interface, and NeoZAP does not collect, store, or have access to it.
4. Balance, transaction history and value, bank account details, wallet balance, investment details and transactions, service or transaction-related communication, and partial card details required for providing NeoZAP services.
5. Device details such as device identifiers, mobile model, browser plug-ins, cookies or similar technologies, IP address, location, and time spent.

We and our service providers or business partners may also collect your Persona Information from third parties or publicly available sources for verification, fraud prevention, or regulatory compliance.

Information may be collected at various stages such as:

1. When visiting the NeoZAP Platform.
2. Registering as a user or under any relationship governed by Platform terms.
3. Transacting or attempting to transact on the Platform.
4. Accessing links, emails, chats, feedback forms, or notifications sent by NeoZAP.
5. When interacting with NeoZAP affiliates, business partners, or associates.

Purpose and Use of Personal Information

NeoZAP may process your Personal Information for purposes including but not limited to:

1. Creating your account and verifying your identity.
2. Providing access to products and services offered by us or our affiliates/partners.
3. Conducting KYC compliance as required by regulatory bodies.
4. Validating and sharing KYC or nominee details with relevant intermediaries or institutions.
5. Communicating for queries, transactions, or regulatory requirements.
6. Authenticating transactions, validating standing instructions, or confirming payments.
7. Enhancing user experience and analysing aggregated user behaviour.
8. Monitoring and improving our products/services and conducting audits.
9. Allowing third parties to contact you for services you request through the Platform.
10. Carrying out credit checks, fraud detection, money laundering checks, and enforcing terms.
11. Informing you about offers, updates, and marketing communications (where permitted).
12. Resolving disputes, troubleshooting issues, and providing technical support.
13. Identifying security breaches; investigating suspected fraud or illegal activities.
14. Any other legitimate business purpose permissible under applicable laws.

Your Consent

In accordance with Section 6 of the Digital Personal Data Protection Act, 2023, we process your Personal Information only on the basis of your free, specific, informed, unconditional, and unambiguous consent, given through a clear affirmative action — or on another lawful basis permitted under the Act (such as a legitimate use specified in Section 7, legal obligation, or compliance with a judgment/order).

How we obtain consent:

• At the point of account creation and KYC, you are presented with a plain-language Consent Notice (available in English and, where applicable, in the 22 Eighth Schedule languages) describing the Personal Information we collect, the specific purposes of processing, the manner of exercising your rights, and the grievance redressal mechanism.
• Where we process Personal Information for purposes beyond what is strictly necessary to deliver the service (for example, marketing communications, analytics, access to your device contacts, precise location, or sharing with selected partners), we obtain separate, granular consent for each such purpose, through in-app toggles or tick-boxes that are opt-in by default off.
• Consent for one purpose does not imply consent for another.

Withdrawal of consent:

You may withdraw any consent previously given, at any time, with ease comparable to the ease with which it was given, through:

• The "Privacy & Permissions" section of your in-app settings; or
• A written request to support@neofinity.in.

Withdrawal of consent is prospective and does not affect the lawfulness of processing carried out before withdrawal. Where a service or feature relies on specific processing for which consent has been withdrawn, that service or feature may become unavailable to you, and we will inform you of this consequence at the time you act to withdraw.

Third-party data: If you provide Personal Information of any other individual (for example, nominee or contact details), you represent and warrant that you have obtained their informed consent to share such information with us for the purposes set out in this Policy.

Cookies or Similar Technologies

We use cookies or similar technologies to analyze Platform usage, enhance user experience, support security, and enable certain platform features. You may decline/delete cookies if your browser permits, though this may limit Platform functionality.

Information Sharing and Disclosures

Personal Information may be shared, as allowed under applicable laws, after due diligence and only on a need-to-know basis with:

• Business partners, service providers, associates, subsidiaries, financial institutions
• Legally recognized authorities, regulatory bodies
• Internal teams (e.g., marketing, security, risk, investigation)

Personal Information may be shared for:

1. Enabling services availed by you.
2. Meeting KYC and regulatory requirements.
3. Completing transactions initiated by you.
4. Processing financial product or service requests.
5. Fraud detection, risk assessment, and managing disputes.
6. Communication, analytics, storage, security, and audit services.
7. Enforcing our Terms or responding to legal claims.
8. Complying with subpoenas, court orders, or other legal processes.

We ensure recipients follow privacy practices comparable to NeoZAP’s standards.

Cross Border Transfer

Personal Information collected through the NeoZAP Platform is primarily stored and processed on servers located within India.

In limited circumstances, certain Personal Information may be transferred to, processed, or accessed by service providers or sub-processors in jurisdictions outside India (for example, cloud infrastructure, crash analytics, or customer communication tools). Any such transfer will be undertaken:

1. Only to countries not restricted by the Central Government under Section 16 of the Digital Personal Data Protection Act, 2023;
2. Subject to contractual safeguards with the recipient (including confidentiality, security, and purpose-limitation obligations substantially equivalent to those in this Policy); and
3. In compliance with any sectoral restrictions applicable to NeoZAP, including RBI directions on storage of payment system data.

Payment system data regulated under the RBI circular dated 6 April 2018 is stored only in India, in accordance with applicable regulatory requirements.

Specified Retention Period

All Personal Information collected by NeoZAP is stored on servers located within India.

We retain Personal Information only for as long as necessary for the purposes for which it was collected, or for the retention periods mandated by applicable law, whichever is longer.

Indicative retention periods (subject to legal and regulatory requirements in force from time to time):

Data may be retained beyond these periods where necessary to comply with a legal obligation, respond to a lawful request from an authority, detect or prevent fraud, or pursue or defend legal claims. After the applicable retention period ends, we will delete, anonymize, or de-identify your Personal Information in accordance with our internal data deletion standards.

Reasonable Security Practices

We implement reasonable security practices and undergo internal/external security reviews to protect Personal Information. We use secure servers, firewalls, access controls, and encryption where applicable. However, no system is completely impenetrable, and we do our best to implement industry-standard safeguards.

Third-Party Products, Services, or Websites

When using third-party services through our Platform, Personal Information may be collected by those providers and will be governed by their privacy policies. We do not control and are not responsible for third-party privacy practices.

Your Rights

Under the Digital Personal Data Protection Act, 2023, you have the following rights in respect of your Personal Information:

1. Right to access a summary of the Personal Information being processed by us, the processing activities undertaken, and the identities of Data Fiduciaries and Data Processors with whom your Personal Information has been shared.
2. Right to correction and erasure of inaccurate, incomplete, misleading, or outdated Personal Information, and erasure where it is no longer necessary for the purpose for which it was collected (subject to retention obligations under applicable law).
3. Right to nominate any other individual, in the manner prescribed, to exercise your rights under the DPDPA in the event of your death or incapacity.
4. Right of grievance redressal through the Grievance Officer named in this Policy, and thereafter before the Data Protection Board of India.
5. Right to withdraw consent at any time, as described under "Your Consent."

How to exercise your rights:

• Submit a request via the in-app "Privacy & Permissions" → "My Data" section, or email privacy@neofinity.infrom the email address registered with your NeoZAP account.
• Your request should clearly state the right you wish to exercise and any specific Personal Information it relates to.
• To protect against unauthorized requests, we may verify your identity before processing your request (for example, by seeking confirmation via your registered email/mobile or through in-app authentication).
• We will respond to your request within thirty (30) days of receipt, or such shorter timeline as may be prescribed. If we are unable to fulfil a request (for example, where retention is legally required, or the request is manifestly unfounded or excessive), we will inform you of the reasons in writing and of your right to complain to the Data Protection Board of India.

There is no fee for exercising your rights. We may, however, charge a reasonable fee for manifestly unfounded, excessive, or repeated requests.

Children's Information

The NeoZAP Platform is intended for use by persons who are eighteen (18) years of age or older. We do not knowingly collect, store, or process Personal Information of children (persons under the age of 18) as defined under the Digital Personal Data Protection Act, 2023.

If you are under 18, you must not create an account, attempt KYC, or transact on the Platform. Any account found to belong to a person under 18 will be suspended and the associated Personal Information will be deleted, except where retention is required by law (e.g., under the Prevention of Money Laundering Act, 2002).

Where, in limited and specifically notified circumstances, we process Personal Information of a child or a person with disability, we will do so only after obtaining verifiable consent from the parent or lawful guardian in the manner prescribed under the DPDPA, 2023 and the rules made thereunder. We will not undertake tracking, behavioral monitoring, or targeted advertising directed at children.

If you believe a child has provided us with Personal Information, please write to support@neofinity.in so we can take prompt action.

Changes to the Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements, or business practices.

• Material changes (for example, changes to the categories of Personal Information collected, the purposes of processing, data sharing arrangements, or retention periods) will be notified to registered users at least seven (7) days before they take effect, via email, SMS, or in-app notification to the contact details on record.
• Non-material changes (clarifications, typographical corrections, or contact detail updates) will be reflected by updating the "Last Updated" date at the top of this Policy.

Superseded versions of this Policy will be archived and made available on request to privacy@neofinity.in. Continued use of the Platform after the effective date of a revised Policy constitutes acceptance of the revised terms. If you do not agree with a material change, you may withdraw consent and discontinue using the Platform, subject to our retention obligations.

Data Protection Officer

Should NeoFinity Services Private Limited be classified as a Significant Data Fiduciary under Section 10 of the Digital Personal Data Protection Act, 2023, a Data Protection Officer (DPO) based in India and reporting to the Board of Directors will be designated. The DPO will be responsible for overseeing compliance with the DPDPA and serving as the point of contact for data principals and the Data Protection Board.

Current DPO / Data Protection Contact:

Name: Tamanna

Email: dpo@neofinity.in

Postal Address: Neofinity Services Private Limited, Neofinity HQ, Suncity Success Tower, Golf Course Extension Road, Sector 65, Gurugram – 122102, Haryana, India

You may contact the DPO directly for any queries relating to the processing of your Personal Information, exercise of your rights under the DPDPA, or data protection concerns that are not resolved through our standard support channels.

Grievance Officer

In accordance with the Information Technology Act, 2000, the Consumer Protection (E-Commerce) Rules, 2020, and the Digital Personal Data Protection Act, 2023, the following officer has been designated to address your grievances:

Name: Ajay Yadav

Designation: Grievance Officer

Email: grievance@neofinity.in

Phone: +91 90028 39002

Postal Address: NeoFinity Services Private Limited, NeofinityHQ, Suncity Success Tower, Golf Course Extension Road, Sector 65, Gurugram – 122102, Haryana, India

Working Hours: Monday to Friday, 10:00 AM to 6:00 PM IST (excluding public holidays)

Our Response Commitment:

We will acknowledge your grievance within forty-eight (48) hours of receipt.

We will resolve your grievance within fifteen (15) days of receipt, or within such shorter timeline as may be prescribed by applicable law.

Escalation: If you are not satisfied with the resolution provided by the Grievance Officer, or if your grievance is not resolved within the prescribed timeline, you may escalate your complaint to the Data Protection Board of India established under the Digital Personal Data Protection Act, 2023, at the address and through the mechanism notified by the Government of India. For RBI-regulated concerns, you may also approach the relevant regulator or the RBI Integrated Ombudsman Scheme, as applicable.