Privacy Policy

1. Introduction

---

Kuvik Solutions Private Limited (CIN: U66190RJ2026PTC111957, PAN: AAMCK6374Q, GST: 08AAMCK6374Q1ZI), incorporated under the Companies Act, 2013, having its registered office at Office No. 103 & 203, 2nd Floor, Ram Bharat Villa, Siddharth Colony, Ajmer Road, Jaipur - 302006, Rajasthan, India ("Company", "Kuvik", "we", "us", "our"), operating under the brand Kuvik Loans, is committed to protecting the privacy of its Users and maintaining the confidentiality of personal information.

This Privacy Policy ("Policy") is an electronic record under the Information Technology Act, 2000 ("IT Act"), the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"). It is published in compliance with Rule 4 of the SPDI Rules and is legally binding between the User and the Company.

This Policy governs the collection, use, processing, storage, sharing, and disclosure of information submitted by Users through the Platform. The Platform means, collectively, the website at www.kuvikloans.com, web-based application journeys, digital forms, landing pages, KYC workflows, communication channels, and any other digital interface operated by the Company.

Kuvik currently operates through website and web-based workflows. It does not currently operate a live standalone public mobile application in its own name. If and when a mobile application is launched, this Policy will be updated accordingly.

By accessing or using the Platform, submitting information, or interacting with the Company, you confirm that you have read, understood, and consent to this Policy. If you do not agree, do not use the Platform or submit your information.

1.1 Definitions

"Personal Information" means any information that identifies or can be used to identify a natural person, directly or indirectly, available with the Company in electronic form. It excludes anonymised or irreversibly de-identified data.

"Sensitive Personal Data or Information" (SPDI) has the meaning under the SPDI Rules, 2011 and includes: passwords; financial information (bank account details, credit/debit card details, payment instrument details); physical, psychological, and mental health conditions; sexual orientation; medical records and history; and biometric information. The Company collects SPDI strictly with prior explicit User consent and only for the purposes described in this Policy.

"User / you / your" means an adult individual (18 years of age or above), a resident of India, who visits, accesses, or uses the Platform or submits information through it.

"Business Partners" means persons with whom the Company has a contractual arrangement for Platform operations, including Lending Partners, KYC verification agencies, credit bureau API providers, payment gateways, Account Aggregators, cloud hosting providers, and technology service vendors.

"KFS" means Key Fact Statement in the format prescribed under RBI Circular DOR.STR.REC.13/13.03.00/2024-25 dated April 15, 2024, to be provided to each Customer before execution of the Loan Agreement, containing the APR, all charges, repayment schedule, and the Cooling-Off Period.

2. Acceptance

---

By accessing or using the Platform, submitting your information, applying for a loan, or otherwise interacting with the Company, you acknowledge that you have read and understood this Policy and consent to the collection and processing of your information in accordance with this Policy and Applicable Law. If you do not agree, you should not use the Platform or submit your information.

3. Scope

---

This Policy applies to information collected through: website and web-based application journeys; online forms and landing pages; lead forms and KYC onboarding workflows; servicing and communication channels; and information received from authorised service providers, Lending Partners, and verification partners.

4. Information We Collect

---

We collect the following categories of information, depending on the product, workflow, and interaction. Categories marked (SPDI) are Sensitive Personal Data or Information as defined under the SPDI Rules, 2011.

4.1 Personal Information

• Full legal name
• Mobile number
• Email address
• Residential and/or business address
• Employment, business, income, and loan requirement details

4.2 Identity and KYC Information

• PAN Card number
• Aadhaar-related information, where lawfully collected and processed through UIDAI-authorised means (raw Aadhaar data is not stored)
• Proof of identity and proof of address documents
• Live photograph or selfie, where required for liveness and KYC verification

4.3 Financial and Application Information (SPDI)

• Bank account details including account number and IFSC code (SPDI)
• Bank statements (last 3 to 12 months as required by the Lending Partner)
• Salary slips and/or Form 16 (for salaried applicants)
• GST registration certificate and business financial statements (for self-employed or business loan applicants)
• Credit score and credit bureau report, obtained from licensed Credit Information Companies (CIBIL, Experian, Equifax, CRIF High Mark), strictly with your explicit prior consent
• Loan application details and underwriting inputs

4.4 Technical and Usage Information

• IP address
• Browser type and version, device information, and operating system
• Session logs and website usage behaviour
• Cookies and similar technologies (see Section 11)
• Approximate location data, where required and specifically consented to

4.5 Documents, Files, and Media

We may collect documents, files, and media uploaded by you for onboarding, KYC, loan processing, fraud checks, servicing, or support purposes. Files are used solely for the stated purpose and handled under appropriate safeguards.

4.6 SMS-Related Information

Where you have provided explicit, separate, and specific consent for SMS access, the Company or its authorised technology service provider may access or process limited SMS data from your device for the following purposes only: bank statement analysis for financial assessment; OTP auto-fill; and fraud detection. This access requires your affirmative opt-in and may be withdrawn by you at any time. SMS data will not be used for any purpose beyond those stated above.

5. How We Collect Information

---

We collect information through the following lawful channels:

• Directly from you — via Platform registration, loan application forms, document upload flows, and KYC processes
• Automatically — via cookies, web beacons, and server log files upon Platform usage
• From third parties — credit bureaus (with your explicit consent); Account Aggregator platforms under the RBI Account Aggregator Framework (with your consent); UIDAI for Aadhaar e-KYC; NSDL for PAN verification; Lending Partners; and other licensed data sources
• From customer support interactions, including telephone calls and written communications, which may be recorded for quality assurance and regulatory compliance

6. How We Use Your Information

---

We process your Personal Information on the basis of your consent and in furtherance of our contractual, regulatory, and legitimate business obligations, for the following defined purposes:

6.1 Loan Facilitation (Primary Purpose)

• Registering and identifying you on the Platform
• Processing loan enquiries and applications and facilitating KYC and verification checks
• Connecting you with relevant Lending Partners and supporting underwriting and eligibility assessment
• Sending OTPs, application status updates, support messages, repayment reminders, overdue notices, and compliance communications
• Facilitating loan disbursement, mandate registration, and servicing through Business Partners

6.2 Regulatory and Legal Compliance

• Anti-Money Laundering (AML) and Know Your Customer (KYC) compliance under the Prevention of Money Laundering Act, 2002 (PMLA)
• Compliance with the RBI Digital Lending Guidelines (September 2022) and RBI (Digital Lending) Directions, 2025
• Compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and SPDI Rules
• Responding to lawful orders and requisitions from the RBI, courts, Income Tax Department, UIDAI, Enforcement Directorate, law enforcement agencies, or other competent authorities
• Credit bureau reporting as required under the Credit Information Companies (Regulation) Act, 2005 (CIC Act)
• Fraud prevention, audit, fraud checks, and maintenance of records mandated by Applicable Law

6.3 Service Improvement

• Improving service flows, product performance, and user experience
• Internal analytics and reporting

6.4 Marketing Communications (Consent-Based Only)

With your separate, explicit, and revocable consent (not bundled with your acceptance of this Policy or the Terms), we may send you personalised financial product offers and promotional communications via SMS, WhatsApp, email, push notifications, and telephone. You may withdraw this consent at any time (see Section 12).

7. Lending Decision Disclosure

---

Kuvik does not itself make lending decisions. All decisions regarding loan approval or rejection, sanctioned amount, interest rate, APR, fees and charges, repayment schedule, tenure, and disbursement are determined solely by the relevant Lending Partner. Kuvik does not guarantee loan approval.

8. Sharing and Disclosure of Information

---

We do not sell your personal information to any third party. We share information on a need-to-know basis only, with the following categories of recipients:

8.1 Lending Partners

Loan application data, KYC documents, and financial information are shared with the specific RBI-regulated Bank or NBFC to which you apply, for creditworthiness assessment, KYC verification, loan sanctioning, and servicing.

8.2 Authorised Service Providers and Technology Partners

• KYC verification agencies (Video KYC, Aadhaar OTP, DigiLocker, PAN verification)
• Licensed Credit Information Companies: CIBIL, Experian, Equifax, CRIF High Mark
• Account Aggregators under the RBI Account Aggregator Framework (with your explicit consent)
• Payment gateways and mandate registration platforms (eNACH / UPI AutoPay)
• Cloud hosting and analytics providers (servers located within India)
• Communication gateway providers (SMS, WhatsApp Business, email)
• Fraud analytics, device intelligence, and risk assessment vendors

8.3 Statutory Authorities

We may disclose your information, without prior consent, to the RBI, courts, tribunals, Income Tax Department, UIDAI, Enforcement Directorate, law enforcement agencies, and other competent authorities where required by a lawful order, statute, or regulatory direction.

8.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to prior written intimation to you and the successor maintaining equivalent data protection standards.

9. Storage, Security, and Retention

---

9.1 Security Measures

We implement reasonable technical, organisational, administrative, and physical safeguards to protect your information, including:

• 256-bit SSL/TLS encryption for all data in transit
• AES-256 encryption for data stored on servers
• Multi-factor authentication (MFA) for administrative and platform access
• Role-based access controls (RBAC) on a strict need-to-know basis
• Regular vulnerability assessments and penetration testing (VAPT)
• Employee data privacy training and signed confidentiality agreements
• Privacy-by-design principles in product development

9.2 Data Retention Schedule

Personal Information is retained only for the period necessary to fulfil the purposes described in this Policy or as mandated by Applicable Law. SPDI is not retained by the Company after being transmitted to the relevant Lending Partner, except to the minimum extent legally required.

9.3 Data Breach

In the event of a Personal Data breach, the Company shall: (a) promptly investigate and take remedial action; (b) notify affected Users as required under the DPDP Act, 2023; and (c) report the breach to the Data Protection Board of India and other competent authorities within prescribed timelines. To report a security vulnerability, email: support@kuvikloans.com.

10. Your Rights as Data Principal

---

Under the DPDP Act, 2023 and SPDI Rules, you are entitled to exercise the following rights:

To exercise any right, write to: support@kuvikloans.com. We will respond within 30 (thirty) days.

11. Credit Information Access — CICRA Consent Terms

---

By submitting a loan application on the Platform, you expressly appoint Kuvik Solutions Private Limited (CIN: U66190RJ2026PTC111957) as your authorised representative to receive your Credit Information from licensed Credit Information Companies (CICs) — including CIBIL, Experian, Equifax, and CRIF High Mark — solely for the purpose of assessing your loan eligibility ("End Use Purpose").

Credit Information (including scores, aggregates, inferences, and detailed reports) shall be used exclusively for the End Use Purpose. The Company shall not aggregate, retain, store, reproduce, sell, or share Credit Information beyond what is required for the End Use Purpose.

Credit Information shall be purged by the Company within 1 (one) business day of completing the End Use Purpose.

Your consent for credit bureau access is valid for 6 (six) months from the date of grant. After expiry, fresh consent is required for any new application.

This arrangement is governed by the Credit Information Companies (Regulation) Act, 2005 (CICRA) and applicable rules. Disputes relating to credit information access are subject to the exclusive jurisdiction of the courts of Jaipur, Rajasthan.

12. Cookies and Similar Technologies

---

The Platform uses the following types of cookies:

• Session cookies — deleted when you close your browser; used for login session management
• Analytics cookies — help us understand how users navigate the Platform
• Marketing cookies — used to deliver relevant content (only with your separate consent)

You may manage or disable cookies through your browser settings. Disabling cookies may impair certain Platform functionalities.

13. Opt-Out from Marketing Communications

---

You may withdraw consent for marketing communications at any time through the following channels:

• Email — click the "Unsubscribe" link in any marketing email
• SMS — send "START DND" to 1909 (toll-free) to register on the National Do Not Call Registry
• WhatsApp — reply "STOP" to any promotional WhatsApp message from us
• Written request — email support@kuvikloans.com

14. Restriction on Use by Minors

---

The Platform and Services are intended strictly for individuals 18 years of age or above who are legally competent to enter contracts under the Indian Contract Act, 1872. The Company does not knowingly collect Personal Information from Minors. If we become aware that Personal Information of a Minor has been collected, we shall promptly delete such information.

15. Amendments to This Policy

---

We may update this Policy at any time. Material changes will be communicated via in-app notification or registered email at least 15 (fifteen) days before taking effect. The updated Policy will be published at www.kuvikloans.com/privacy-policy with a revised effective date. Continued use of the Platform after the effective date constitutes your acceptance of the revised Policy. Material changes that expand the scope of processing shall require fresh consent.

16. Governing Law and Jurisdiction

---

This Policy is governed by the laws of India. All disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of Jaipur, Rajasthan, India.

17. Grievance Redressal

---

Any User with a complaint, concern, or query relating to this Policy or the handling of Personal Information may contact our Grievance Officer in writing (by email or post):

All grievances shall be acknowledged within 24 (twenty-four) hours and resolved within 30 (thirty) days, in compliance with the IT Act, 2000 and applicable Rules.