LP Fintech Private Limited · CIN: U72900RJ2022PTC078895
Privacy Policy
Enterprise Fintech Infrastructure & Workforce Data Governance Framework — aligned with the Digital Personal Data Protection Act, 2023 and RBI/NPCI guidelines.
Introduction
LP Fintech Private Limited ("LP Fintech," "we," "us") operates payment infrastructure, UPI switch solutions, API banking services, white-label payment platforms, WorkPulse HRMS, merchant onboarding systems, fraud monitoring, soundbox and PoS solutions, and verification suites across India.
This Policy governs collection, processing, storage, sharing, retention, and protection of personal data across all our platforms. It is aligned with the Digital Personal Data Protection Act, 2023 (DPDPA), the IT Act 2000, SPDI Rules 2011, and applicable RBI/NPCI guidelines.
Key Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any data about an identifiable individual (DPDPA 2023). |
| Data Fiduciary | Entity that determines the purpose and means of processing. |
| Data Processor | Entity processing data on behalf of a Fiduciary. |
| Sensitive Personal Data | Financial data, biometrics, PAN/Aadhaar, health data (SPDI Rules 2011). |
| Merchant / Partner | Business entity enrolled for LP Fintech payment or infrastructure services. |
| Workforce Data | Payroll, attendance, leave, performance, and HR records. |
| Transaction Data | Records generated by payments, settlements, and reconciliation events. |
| Consent | Free, specific, informed, unconditional, and unambiguous agreement by the Data Principal. |
Scope
This Policy applies to all individuals who interact with LP Fintech as:
Covered surfaces include: websites, mobile apps, payment APIs, HRMS portals, banking dashboards, UPI switch infrastructure, soundbox/PoS networks, reconciliation systems, verification platforms, and all digital services of LP Fintech.
LP Fintech's Role: Fiduciary or Processor
| Context | LP Fintech Role | Data Fiduciary |
|---|---|---|
| Website enquiries & marketing | Data Fiduciary | LP Fintech |
| WorkPulse HRMS (enterprise SaaS) | Data Processor | Enterprise client |
| UPI Switch for Banking Partners | Data Processor | Banking partner / NPCI |
| Merchant onboarding (direct) | Data Fiduciary | LP Fintech |
| Internal employee management | Data Fiduciary | LP Fintech |
| Payment orchestration for banks | Data Processor | Merchant / bank |
Where LP Fintech acts as Processor, a Data Processing Addendum (DPA) governs the engagement. We do not process data beyond documented instructions from the Fiduciary, except where required by law.
Personal Data We Collect
Identity & Business
Name, date of birth, PAN, Aadhaar (where lawfully permitted), passport, CIN, GSTIN, director information, UBO details, digital signatures.
Financial & Transaction
Bank accounts, IFSC, UPI IDs/VPAs, masked payment instruments, settlement references, UTR numbers, reconciliation data, dispute records, ledger entries.
Technical & Device
IP addresses, browser fingerprints, device identifiers, cookies, session IDs, API logs, webhook payloads, telemetry, network performance metrics.
Workforce & HRMS
Employee ID, payroll components, EPF/ESI details, attendance logs, geolocation check-ins (where employer-enabled), appraisal data, disciplinary records, recruitment data, BGV reports.
KYC / KYB / AML
Identity proofs, business documents, AML risk records, sanctions screening results, PEP checks, UBO declarations, negative-list screening records.
API & Developer
API keys, OAuth tokens, webhook secrets, sandbox activity, SDK integration parameters, developer account details.
How We Use Personal Data
LP Fintech processes data solely for lawful, specified purposes:
Legal Basis for Processing
| Legal Basis | Application |
|---|---|
| Consent (DPDPA §6) | Marketing, optional data sharing, non-essential processing. |
| Contractual necessity | Merchant agreements, HRMS SaaS agreements, API terms. |
| Legal obligation | RBI directions, PMLA, Income Tax Act, EPF Act, ESI Act, POSH Act, CERT-In guidelines. |
| Legitimate interest | Fraud prevention, security monitoring, infrastructure stability. |
| Regulatory mandate | NPCI ecosystem participation, public interest regulatory functions. |
Fraud Prevention & Automated Decision-Making
LP Fintech deploys AI/ML models, rule-based risk engines, and analytical tools for: real-time transaction risk scoring, device fingerprinting, IP intelligence, velocity checks, AML monitoring, sanctions screening, and merchant risk profiling.
Certain decisions (transaction approval, merchant suspension triggers, onboarding risk outcomes) may involve automated processing. Where a decision produces significant effects, LP Fintech provides a mechanism for human review upon request through our Grievance Redressal process.
Cookies & Tracking
| Category | Purpose | Opt-Out? |
|---|---|---|
| Strictly Necessary | Authentication, session management, CSRF protection | No |
| Fraud Prevention | Device fingerprinting, IP reputation, session integrity | No |
| Performance | Anonymised usage analytics, API monitoring | Yes |
| Functional | User preferences, display settings | Yes |
| Marketing | LP Fintech website re-engagement only (with consent) | Yes |
Sharing & Disclosure
We share personal data only with: RBI, NPCI, FIU-IND, CERT-In (regulatory obligations); banking partners (settlement and reconciliation); KYC/AML bureaus (UIDAI, NSDL, authorised verification agencies); cloud and technology providers (within India-based infrastructure); auditors and legal advisors; and law enforcement under lawful orders.
In a merger or acquisition, data may be disclosed to successors subject to confidentiality obligations. All third-party subprocessors are bound by Data Processing Agreements.
Data Localisation & International Transfers
All payment transaction data, UPI switch records, and HRMS workforce data are stored and processed on India-based servers, in compliance with RBI data localisation norms and NPCI operating guidelines. Limited cross-border processing (where technically necessary) is subject to standard contractual safeguards and is conducted without compromising RBI/NPCI residency requirements.
Security Safeguards
Our multi-layered security framework is aligned with PCI-DSS, ISO/IEC 27001 principles, and the RBI Cybersecurity Framework. Controls include:
Breach Notification
In the event of a security incident, LP Fintech will: contain the breach, conduct forensic investigation, and notify affected Data Principals and relevant regulators. Critical incidents are reported to CERT-In within 6 hours as mandated. RBI and NPCI are notified per their respective frameworks. Breach notifications include: nature of the incident, data categories affected, estimated scale, and remediation measures.
Data Retention
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Payment transaction records | 5 years | RBI Payment Aggregator Guidelines, PMLA |
| KYC / KYB documents | 8 years post-closure | PMLA §12, RBI KYC Directions |
| AML records / STRs | 8 years | PMLA 2002 |
| Payroll & employee records | 8 years post-separation | EPF Act, Gratuity Act, Income Tax Act |
| Attendance & leave records | 5 years | Shops & Establishments Act |
| Security / SIEM logs | 2 years | CERT-In Direction 2022 |
| Unsuccessful candidate data | 12 months post-decision | Data minimisation principle |
After the applicable retention period, data is securely deleted or anonymised unless a subsisting legal obligation, regulatory order, or dispute resolution process requires continued retention.
Your Rights as a Data Principal
Under the DPDPA 2023, you have the right to: access a summary of your data being processed; correct inaccurate or incomplete data; have data erased where retention is no longer legally required; withdraw consent for consent-based processing; nominate a person to exercise rights on your behalf; and raise a grievance (see §18).
Rights requests are responded to within 30 days (extendable by 30 days for complex cases). Requests may be declined where retention is legally mandated, required for fraud investigation, or necessary for legal defence — with written reasons provided.
Consent Management
Consent obtained by LP Fintech is free, specific, informed, unconditional, and unambiguous — obtained through affirmative action, not pre-ticked boxes. Consent records (timestamp, mechanism, scope) are maintained in our Consent Management System. Withdrawal of consent is possible at any time via account settings or by writing to privacy@lpfintech.com, and does not affect prior processing carried out on valid consent.
Workforce, HRMS & Employee Privacy
Employees may access payroll records, salary slips, attendance history, and leave balances through the WorkPulse HRMS self-service portal. Where WorkPulse HRMS is deployed as an enterprise SaaS, LP Fintech acts as Data Processor and the employer remains the Data Fiduciary responsible for employee notice and consent.
Monitoring disclosures: Geolocation attendance, IP tracking for remote sessions, and work-hour analytics may be deployed by employers and are disclosed to employees at onboarding. Unsuccessful candidate data is retained for 12 months and then securely deleted.
Grievance Redressal
Email: grievance@lpfintech.com
Postal: LP Fintech Private Limited, Jaipur, Rajasthan – 302 001, India
Acknowledgement: within 48 hours | Resolution: within 30 days
If unsatisfied with our resolution, you may escalate to the Data Protection Board of India (on constitution), the RBI Integrated Ombudsman (payment disputes), FIU-IND (AML/KYC matters), or CERT-In (cybersecurity incidents).
