LP Fintech Private Limited · CIN: U72900RJ2022PTC078895

Privacy Policy

Enterprise Fintech Infrastructure & Workforce Data Governance Framework — aligned with the Digital Personal Data Protection Act, 2023 and RBI/NPCI guidelines.

Effective: 18 May 2026
Version: 2.0
Jurisdiction: Republic of India
1

Introduction

LP Fintech Private Limited ("LP Fintech," "we," "us") operates payment infrastructure, UPI switch solutions, API banking services, white-label payment platforms, WorkPulse HRMS, merchant onboarding systems, fraud monitoring, soundbox and PoS solutions, and verification suites across India.

This Policy governs collection, processing, storage, sharing, retention, and protection of personal data across all our platforms. It is aligned with the Digital Personal Data Protection Act, 2023 (DPDPA), the IT Act 2000, SPDI Rules 2011, and applicable RBI/NPCI guidelines.


2

Key Definitions

Term | Meaning
Personal Data | Any data about an identifiable individual (DPDPA 2023).
Data Fiduciary | Entity that determines the purpose and means of processing.
Data Processor | Entity processing data on behalf of a Fiduciary.
Sensitive Personal Data | Financial data, biometrics, PAN/Aadhaar, health data (SPDI Rules 2011).
Merchant / Partner | Business entity enrolled for LP Fintech payment or infrastructure services.
Workforce Data | Payroll, attendance, leave, performance, and HR records.
Transaction Data | Records generated by payments, settlements, and reconciliation events.
Consent | Free, specific, informed, unconditional, and unambiguous agreement by the Data Principal.

3

Scope

This Policy applies to all individuals who interact with LP Fintech as:

- Merchants & merchant employees
- Banking partners
- End customers
- Employees & job applicants
- HRMS client organisations
- API developers
- Vendors & subcontractors
- Website visitors

Covered surfaces include: websites, mobile apps, payment APIs, HRMS portals, banking dashboards, UPI switch infrastructure, soundbox/PoS networks, reconciliation systems, verification platforms, and all digital services of LP Fintech.


4

LP Fintech's Role: Fiduciary or Processor

Context | LP Fintech Role | Data Fiduciary
Website enquiries & marketing | Data Fiduciary | LP Fintech
WorkPulse HRMS (enterprise SaaS) | Data Processor | Enterprise client
UPI Switch for Banking Partners | Data Processor | Banking partner / NPCI
Merchant onboarding (direct) | Data Fiduciary | LP Fintech
Internal employee management | Data Fiduciary | LP Fintech
Payment orchestration for banks | Data Processor | Merchant / bank

Where LP Fintech acts as Processor, a Data Processing Addendum (DPA) governs the engagement. We do not process data beyond documented instructions from the Fiduciary, except where required by law.


5

Personal Data We Collect

Identity & Business

Name, date of birth, PAN, Aadhaar (where lawfully permitted), passport, CIN, GSTIN, director information, UBO details, digital signatures.

Financial & Transaction

Bank accounts, IFSC, UPI IDs/VPAs, masked payment instruments, settlement references, UTR numbers, reconciliation data, dispute records, ledger entries.

Technical & Device

IP addresses, browser fingerprints, device identifiers, cookies, session IDs, API logs, webhook payloads, telemetry, network performance metrics.

Workforce & HRMS

Employee ID, payroll components, EPF/ESI details, attendance logs, geolocation check-ins (where employer-enabled), appraisal data, disciplinary records, recruitment data, BGV reports.

KYC / KYB / AML

Identity proofs, business documents, AML risk records, sanctions screening results, PEP checks, UBO declarations, negative-list screening records.

API & Developer

API keys, OAuth tokens, webhook secrets, sandbox activity, SDK integration parameters, developer account details.


6

How We Use Personal Data

LP Fintech processes data solely for lawful, specified purposes:

- Payment routing & settlement
- Merchant & partner onboarding
- KYB/KYC verification
- AML & fraud prevention
- Payroll processing
- Attendance & leave management
- Statutory compliance (EPF, ESI, TDS)
- Regulatory reporting
- Audit trail maintenance
- API monitoring & reliability
- Service improvement
- Customer support

We never sell, rent, or commercially exploit personal data to any third party for advertising, profiling, or any purpose outside contracted services.

7

Legal Basis for Processing

Legal Basis | Application
Consent (DPDPA §6) | Marketing, optional data sharing, non-essential processing.
Contractual necessity | Merchant agreements, HRMS SaaS agreements, API terms.
Legal obligation | RBI directions, PMLA, Income Tax Act, EPF Act, ESI Act, POSH Act, CERT-In guidelines.
Legitimate interest | Fraud prevention, security monitoring, infrastructure stability.
Regulatory mandate | NPCI ecosystem participation, public interest regulatory functions.

8

Fraud Prevention & Automated Decision-Making

LP Fintech deploys AI/ML models, rule-based risk engines, and analytical tools for: real-time transaction risk scoring, device fingerprinting, IP intelligence, velocity checks, AML monitoring, sanctions screening, and merchant risk profiling.

Certain decisions (transaction approval, merchant suspension triggers, onboarding risk outcomes) may involve automated processing. Where a decision produces significant effects, LP Fintech provides a mechanism for human review upon request through our Grievance Redressal process.


9

Cookies & Tracking

Category | Purpose | Opt-Out?
Strictly Necessary | Authentication, session management, CSRF protection | No
Fraud Prevention | Device fingerprinting, IP reputation, session integrity | No
Performance | Anonymised usage analytics, API monitoring | Yes
Functional | User preferences, display settings | Yes
Marketing | LP Fintech website re-engagement only (with consent) | Yes

10

Sharing & Disclosure

We share personal data only with: RBI, NPCI, FIU-IND, CERT-In (regulatory obligations); banking partners (settlement and reconciliation); KYC/AML bureaus (UIDAI, NSDL, authorised verification agencies); cloud and technology providers (within India-based infrastructure); auditors and legal advisors; and law enforcement under lawful orders.

In a merger or acquisition, data may be disclosed to successors subject to confidentiality obligations. All third-party subprocessors are bound by Data Processing Agreements.


11

Data Localisation & International Transfers

All payment transaction data, UPI switch records, and HRMS workforce data are stored and processed on India-based servers, in compliance with RBI data localisation norms and NPCI operating guidelines. Limited cross-border processing (where technically necessary) is subject to standard contractual safeguards and is conducted without compromising RBI/NPCI residency requirements.


12

Security Safeguards

Our multi-layered security framework is aligned with PCI-DSS, ISO/IEC 27001 principles, and the RBI Cybersecurity Framework. Controls include:

- AES-256 encryption at rest
- TLS 1.2/1.3 in transit
- Tokenisation of payment data
- MFA & RBAC
- Privileged Access Management
- 24/7 SOC monitoring
- SIEM & IDS/IPS
- VAPT (periodic)
- Secure SDLC
- DR & BCP

13

Breach Notification

In the event of a security incident, LP Fintech will: contain the breach, conduct forensic investigation, and notify affected Data Principals and relevant regulators. Critical incidents are reported to CERT-In within 6 hours as mandated. RBI and NPCI are notified per their respective frameworks. Breach notifications include: nature of the incident, data categories affected, estimated scale, and remediation measures.


14

Data Retention

Data Category | Retention Period | Legal Basis
Payment transaction records | 5 years | RBI Payment Aggregator Guidelines, PMLA
KYC / KYB documents | 8 years post-closure | PMLA §12, RBI KYC Directions
AML records / STRs | 8 years | PMLA 2002
Payroll & employee records | 8 years post-separation | EPF Act, Gratuity Act, Income Tax Act
Attendance & leave records | 5 years | Shops & Establishments Act
Security / SIEM logs | 2 years | CERT-In Direction 2022
Unsuccessful candidate data | 12 months post-decision | Data minimisation principle

After the applicable period, data is securely deleted or anonymised unless a subsisting legal obligation, regulatory order, or dispute resolution process requires continued retention.


15

Your Rights as a Data Principal

Under the DPDPA 2023, you have the right to: access a summary of your data being processed; correct inaccurate or incomplete data; have your data erased where retention is no longer legally required; withdraw consent for consent-based processing; nominate a person to exercise rights on your behalf; and raise a grievance (see §18).

Rights requests are responded to within 30 days (extendable by 30 days for complex cases). Requests may be declined where retention is legally mandated, required for fraud investigation, or necessary for legal defence — with written reasons provided.


16

Consent Management

Consent obtained by LP Fintech is free, specific, informed, unconditional, and unambiguous — obtained through affirmative action, not pre-ticked boxes. Consent records (timestamp, mechanism, scope) are maintained in our Consent Management System. Withdrawal of consent is possible at any time via account settings or by writing to privacy@lpfintech.com, and does not affect prior processing carried out on valid consent.


17

Workforce, HRMS & Employee Privacy

Employees may access payroll records, salary slips, attendance history, and leave balances through the WorkPulse HRMS self-service portal. Where WorkPulse HRMS is deployed as an enterprise SaaS, LP Fintech acts as Data Processor and the employer remains the Data Fiduciary responsible for employee notice and consent.

Monitoring disclosures: Geolocation attendance, IP tracking for remote sessions, and work-hour analytics may be deployed by employers — disclosed to employees at onboarding. Unsuccessful candidate data is retained for 12 months and then securely deleted.


18

Grievance Redressal

Grievance Officer — LP Fintech Private Limited
Email: grievance@lpfintech.com
Postal: LP Fintech Private Limited, Jaipur, Rajasthan – 302 001, India
Acknowledgement: within 48 hours  |  Resolution: within 30 days

If unsatisfied with our resolution, you may escalate to the Data Protection Board of India (on constitution), the RBI Integrated Ombudsman (payment disputes), FIU-IND (AML/KYC matters), or CERT-In (cybersecurity incidents).


19

Contact Us

Privacy Enquiries
Grievance Officer
Security Incidents
Legal & Compliance
General Enquiries

Governing Law & Acceptance: By accessing LP Fintech platforms, you acknowledge this Policy and agree to its terms. This Policy is effective from 18 May 2026 (Version 2.0) and supersedes all prior notices. Disputes are subject to the exclusive jurisdiction of courts in Jaipur, Rajasthan, India and governed by the laws of the Republic of India. LP Fintech reserves the right to update this Policy with 30 days' advance notice for material changes.
