Privacy Policy
1. Introduction
1.1 Our Commitment to Privacy
CredFill ("Company," "We," "Us," "Our") is committed to protecting your privacy and ensuring transparency in how we collect, process, store, and use your personal and sensitive information. This Privacy Policy explains:
- What information we collect
- How we collect it
- Why we collect it
- How we use, process, and secure it
- Your rights regarding your data
- How long we retain it
- Who we share it with
1.2 Scope and Applicability
This Privacy Policy applies to:
- All users accessing CredFill's platform, services, and products
- All forms of data collection: WhatsApp communications, web forms, mobile applications, account registrations
- All CredFill services: ITR filing, compliance automation, CBDO sales agent, lending facilitation
- All interactions with CredFill, its partners, and third parties on your behalf
Important: This Privacy Policy is incorporated into and forms part of the CredFill Terms and Conditions. If there is a conflict, the most protective provision (protecting user privacy) shall prevail.
1.3 Governing Laws
Our data handling practices comply with:
- Information Technology Act, 2000 (India)
- Information Technology Rules, 2000 (India)
- Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011
- Personal Data Protection Act, 2023 (India, as applicable)
- Reserve Bank of India (RBI) Data Protection Guidelines (for lending services)
- General Data Protection Regulation (GDPR) 2016/679 (for EU/EEA users – see GDPR Compliance)
2. Definitions
2.1 Key Data Terminology
"Personal Data" – Information that identifies or can identify an individual, including:
- Name, date of birth, age, gender
- Contact details (email, phone, address)
- Identification numbers (PAN, Aadhaar, Voter ID)
- Device identifiers (IP address, device ID, cookies)
"Sensitive Personal Data" – Information requiring heightened protection:
- Financial data (bank account, credit card, income, assets, liabilities)
- Health data (in context of loan underwriting)
- Biometric data (fingerprints, iris scan, if collected during KYC)
- Tax data (ITR, business financials, income details)
- Credit information (CIBIL score, credit history, defaults)
- Government IDs (Aadhaar, PAN, Passport)
- Password and authentication data
"Data Subject" – You, the person whose data is being processed.
"Data Controller" – CredFill, which determines purposes and means of data processing.
"Data Processor" – Third parties processing data on CredFill's behalf (cloud hosts, payment gateways, verification services).
"Processing" – Any operation performed on data: collection, storage, use, analysis, transfer, disclosure, deletion.
"Consent" – Your voluntary, informed, specific agreement to processing for stated purposes.
3. What Information We Collect
3.1 Information You Provide Directly
A. Registration and Account Creation:
- Full name (as per identity documents)
- Date of birth
- Email address
- Mobile phone number
- Address (residential and/or business)
- Password and security questions
- Profile picture (optional)
- Preferred communication language
B. Identity and KYC Verification:
- PAN (Permanent Account Number)
- Aadhaar number (optional, for faster verification)
- Passport/Voter ID/Driver's License copies
- Address proof documents (utility bills, rental agreements)
- Bank account details (for refunds and transactions)
- Occupation and income details
- Business registration documents (for business users)
C. Financial Information (for ITR and Lending Services):
- Income sources (salary, business, investments, rentals)
- Income amounts and tax paid details
- Investment portfolio details
- Property details and valuations
- Loan history and outstanding liabilities
- Credit card and bank account details
- Business financials (revenue, expenses, profit/loss)
- Asset and liability declarations
3.2 Information Collected Automatically
A. Usage Data:
- Pages visited, features used, and interaction patterns
- Time and duration of Platform use
- Device used (desktop, mobile, tablet)
- Operating system and browser type
- Search queries and filters applied
B. Device and Technical Data:
- IP address and location (approximate, based on IP geolocation)
- Device identifiers (IMEI, device ID, device fingerprint)
- Browser and version information
- Cookies and similar tracking technologies
- WhatsApp metadata (message delivery, read receipts, online status)
3.3 Information from Third Parties
- Identity verification results (Aadhaar verification, PAN verification)
- Document verification reports
- Credit score and credit report data from CIBIL/Experian
- Bank account verification data from NPCI
- GST registration and status from GST ASEC
- Loan application status and decisions from partner lenders
4. How and Why We Collect Data
4.1 Legal Basis for Data Processing
CredFill processes your data based on the following legal justifications:
A. Consent:
- Explicit consent from you for specific processing activities
- Consent obtained during registration, service sign-up, or special requests
- Consent can be withdrawn at any time, with effects going forward
B. Contract Performance:
- Processing necessary to fulfill services you've requested
- ITR filing and document processing
- Compliance automation and filing
- Loan matching and facilitation
- Sales agent service (CBDO)
C. Legal Obligation:
- Tax compliance (Income Tax Act, GST Act, MCA rules)
- RBI regulations (for lending services)
- Anti-money laundering and Know Your Customer requirements
- Data protection and cybersecurity regulations
- Government requests and court orders
D. Legitimate Interest:
- Fraud prevention and security
- Platform improvement and maintenance
- Analytical and statistical analysis (anonymized)
- Customer support and complaint resolution
5. How We Use Your Data
5.1 Data Usage Summary
| Purpose | Data Types | Retention |
|---|---|---|
| Service Delivery | Financial, KYC, Tax, Business | Duration of service + statutory |
| Tax Compliance | ITR, Income, Deductions | 7 years post-filing |
| Lending Facilitation | Financial, Credit, KYC | 7 years per RBI guidelines |
| Fraud Prevention | All data types | 1 year post-incident |
| Analytics (Anonymized) | Usage patterns, features | 1 year (anonymized) |
6. Who We Share Your Data With
6.1 Data Sharing Principle
CredFill shares data only when necessary for service delivery, legal compliance, or user consent. We do NOT sell user data to marketers or data brokers.
6.2 Categories of Data Recipients
A. Government and Regulatory Authorities (Mandatory Sharing):
- Income Tax Department: ITR documents and supporting data
- GST Council and GSTN: GST return data
- Ministry of Corporate Affairs (MCA): Company registration and compliance data
- Reserve Bank of India (RBI): KYC data for lending services
- Financial Intelligence Unit (FIU): Suspicious Transaction Reports
- Law Enforcement and Courts: Data disclosed in response to legal process
B. Partner Lenders (Conditional – For Lending Service Only):
When you request loan facilitation, we share the following with partner lenders:
- Full name, DOB, contact information
- PAN and Aadhaar number (if provided)
- Income and financial documents
- Credit score and credit report data
- Employment/business verification details
C. Third-Party Service Providers (Data Processors):
- Cloud Hosting: Amazon Web Services (AWS) India, Microsoft Azure India
- Identity Verification: Aadhaar e-KYC, PAN verification providers
- Payment Gateways: Razorpay, PayU, PhonePe, Google Pay
- Credit Bureaus: CIBIL (TransUnion CIBIL), Experian, Equifax
- SMS/WhatsApp Providers: Twilio, Exotel
7. Data Security and Protection
7.1 Security Infrastructure
A. Encryption:
- Data in Transit: All data transmitted between your device and CredFill servers uses HTTPS/TLS 1.2 or higher
- Data at Rest: All sensitive data is encrypted using AES-256 encryption or equivalent
B. Access Controls:
- Multi-factor authentication (MFA) for user accounts
- OTP-based verification for critical operations
- Role-based access control (RBAC) for employees
- Principle of least privilege
- Session timeouts after 30 minutes of inactivity
C. Network Security:
- Firewalls and intrusion detection systems (IDS)
- Web Application Firewall (WAF) for DDoS and attack prevention
- Penetration testing and vulnerability assessments (quarterly)
7.2 Data Breach Response
In Case of Data Breach:
- Immediate Actions (within 24 hours): Identify and contain the breach, preserve evidence
- Regulatory Notification: RBI notification (for lending-related breaches), law enforcement notification (if criminal activity)
- User Notification: Email notification to all affected users within 72 hours
8. Data Retention and Deletion
8.1 Retention Periods by Data Type
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| ITR Data | 7 years post-filing | Income Tax Act, 1961 |
| Compliance Data | 6-7 years | GST Act, Companies Act |
| KYC Data | Duration of service + 5 years | RBI Master Directions |
| Lending Data | 7 years post-disbursal | RBI guidelines |
| Transaction Data | 5 years | Information Technology Rules |
| Usage Analytics | 1 year (anonymized thereafter) | Business analytics |
8.2 Deletion of Data
User-Initiated Deletion:
You can request deletion of your data by:
- Submitting a written request to vikash@credfill.com
- Providing your Account ID and reason for deletion
- Completing any pending transaction or compliance obligations
Deletion Timeline: Acknowledgment within 5 business days, completion within 30 days.
9. Your Privacy Rights and Choices
9.1 Right to Access
You have the right to access all personal data CredFill holds about you.
How to Exercise:
- Submit a written request to vikash@credfill.com with subject: "Data Access Request"
- Include your Account ID and specific data types requested
- Provide proof of identity
9.2 Right to Correct
You have the right to correct inaccurate or incomplete data.
How to Exercise: Log in to your Account and update information directly, or email vikash@credfill.com
9.3 Right to Deletion
You have the right to deletion ("Right to be Forgotten") in specific circumstances:
- Data is no longer necessary for purposes collected
- You withdraw consent and no other legal basis exists
- You object to processing and no legitimate interest overrides
- Data was processed unlawfully
9.4 Right to Data Portability
You have the right to receive your data in a structured, machine-readable format and transmit it to another service provider.
9.5 Right to Object
You have the right to object to processing based on legitimate interest, direct marketing, and profiling.
Objections to Marketing:
- Opt-out links in every marketing email
- WhatsApp opt-out by replying "STOP"
- SMS opt-out by replying "STOP"
10. Cookies and Tracking Technologies
10.1 What Are Cookies?
Cookies: Small text files stored on your device that identify you and remember preferences.
10.2 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session ID | User authentication and session management | Session |
| CSRF Token | Security against cross-site attacks | Session |
| Language/Theme | Remember user preferences | 1 year |
| Analytics ID | Track usage patterns, features used | 2 years |
10.3 Your Cookie Choices
- Cookie consent banner upon first visit
- "Accept All" accepts all non-essential cookies
- "Reject All" rejects analytics and marketing cookies
- Change preferences in Account Settings anytime
11. GDPR Compliance (For EU/EEA Users)
If you are located in the European Union (EU), European Economic Area (EEA), or accessing CredFill from these regions, your data processing is governed by GDPR (General Data Protection Regulation 2016/679).
Please refer to our comprehensive GDPR Compliance Document for detailed information about:
- GDPR Data Protection Rights
- Legal Basis for GDPR Processing
- International Data Transfers
- Data Processing Agreements
- Supervisory Authority Complaints
12. Privacy Policy Updates
12.1 Changes to This Policy
CredFill's Right to Amend: CredFill may update this Privacy Policy at any time to reflect regulatory changes, improve service offerings, or enhance security.
Notification:
- Updates posted on this page with "Last Updated" date
- For material changes, email notification to registered email
- For GDPR users, 30 days' advance notice for adverse changes
13. Privacy Grievances and Complaints
13.1 How to File a Complaint
Step 1 – Contact CredFill:
- Email: vikash@credfill.com
- Subject: "Privacy Complaint"
- Include: specific issue, data affected, date, desired resolution
Step 2 – Investigation:
- CredFill will acknowledge within 5 business days
- Investigation within 15 days
- Written response with findings and action
Step 3 – Escalation (if unsatisfied):
- Email: vikash@credfill.com (Grievance Redressal Officer)
- GRO will review complaint independently
- Response within 30 days with final resolution
14. Contact Information
14.1 Privacy and Data Protection Contacts
Data Protection Officer:
- Email: vikash@credfill.com
- Hours: Monday – Friday, 10:00 AM – 5:00 PM IST
- Response Time: 5 business days
Grievance Redressal Officer:
- Email: vikash@credfill.com
- Complaints Team: vikash@credfill.com
- Hours: Monday – Saturday, 9:00 AM – 6:00 PM IST
- Response Time: 30 days
Customer Support:
- Email: contact@credfill.com
- WhatsApp: +91 9472194303
Legal Compliance:
- Email: vikash@credfill.com
- Registered Address: CredFill, 24 Jagjiwan Lane, Rajendra Nagar, Patna, Bihar, India - 800003
15. Acknowledgment
By registering for and using CredFill, you acknowledge:
- You have read and understood this Privacy Policy
- You consent to the data processing described herein
- You authorize CredFill to process your data as described
- You understand your privacy rights and how to exercise them
- You will notify CredFill of any changes to your information
- You understand security limitations and accept risks
Document Version: 1.0
Last Updated: January 07, 2026
Effective Date: January 07, 2026
Classification: Public
Authority: CredFill Data Protection Team
This document is a comprehensive privacy policy. Regular review is recommended. For updates or clarifications, contact vikash@credfill.com.