Privacy Policy

Privacy Policy

for Transakt

Our role under Indian law

For most features we act as a Data Fiduciary under the Digital Personal Data Protection Act 2023. We decide the purpose and means of processing your personal data and of data about your customers and beneficiaries. You have rights to access, correction, erasure, grievance redressal, and nomination which we explain below.

We also follow the Information Technology Act and the SPDI Rules that require a published privacy policy, a grievance officer, and reasonable security practices.

Who this policy covers

  • Visitors to our website

  • Users of our dashboard mobile SDKs and APIs

  • Employees or owners of our merchants and partners

  • Customers and beneficiaries whose payments are processed through Transakt on behalf of a merchant

If you are a customer of a merchant that uses Transakt, the merchant remains responsible for its own privacy disclosures. We process your data to run the payment flows for the merchant.

What we collect

Information you provide

  • Business profile and KYC data of merchants such as PAN GSTIN CIN registered address directors and beneficial owners

  • Contact details such as name email phone

  • Support tickets and call recordings

  • User credentials and role assignments for the dashboard

KYC collection is a regulatory requirement for payment firms in India and is performed as part of merchant onboarding.

Information we get automatically

  • Device and network data such as IP address user agent OS and app version

  • Log events for API calls webhooks and dashboard sessions

  • Cookies or similar identifiers for session management and analytics

Information from third parties

  • Banks payment networks NPCI BBPS entities telecom providers fraud intelligence vendors and identity providers share data that helps us run payments detect risk and meet compliance duties. For UPI and BBPS we follow the applicable NPCI and RBI frameworks.

End user and beneficiary data processed on behalf of merchants

  • Payment instrument information such as masked account numbers UPI IDs and bank IFSC details

  • Transaction details such as amount timestamp reference IDs and status

  • Beneficiary details for payouts

Why we use your data

We use data to:

  1. Provide and improve our products including UPI collection instant payouts BBPS and connected banking

  2. Verify merchants and prevent fraud and abuse

  3. Operate settlement reconciliation and ledger functions

  4. Provide support and resolve disputes

  5. Meet legal and regulatory duties including KYC AML recordkeeping tax and audit

  6. Communicate product updates and service notices

  7. Run analytics to improve reliability success rates and user experience

Where the DPDP Act requires consent we seek it in clear and plain language and you can withdraw consent at any time in a way that is as easy as giving it. Withdrawal does not affect past lawful processing.

We may also process data for legitimate uses allowed by law such as compliance with legal obligations investigation of fraud and enforcement of rights. MeitY

Cookies and similar technologies

We use necessary cookies for security and session management and optional cookies for analytics and product improvement. You can control cookies through your browser. Blocking some cookies may affect site features.

Sharing your data

We share data only as needed to deliver the service or as required by law:

  • Banks and payment networks like NPCI and participating banks for UPI transactions

  • BBPS participants and operators for bill payments and confirmations

  • Technology and security vendors such as cloud hosting communications analytics and fraud prevention

  • Compliance partners for KYC screening and risk checks

  • Government authorities or regulators when required by law or for lawful requests

UPI complaints are raised in the PSP or TPAP app by selecting the transaction which then follows the NPCI process. BBPS grievance handling follows RBI and BBPS procedures.

We do not sell personal data.

Retention

We keep data only as long as needed for the purpose it was collected and to meet legal and audit duties. After that we delete or anonymize it.

Security

We apply reasonable security practices that include encryption in transit and at rest, access controls, logging, and periodic audits. Indian SPDI Rules require reasonable security practices and the appointment of a grievance officer. DataGuidance

If we learn of a personal data breach we will take steps to contain it and will notify the Data Protection Board of India and affected users where the DPDP Act requires it.

Children

We do not knowingly offer services directly to children. Under the DPDP Act a child is a person under eighteen years of age. Where we process data about a child through a merchant, that processing must be backed by verifiable consent of a parent or lawful guardian and must avoid tracking and targeted advertising to children.

Your rights

Subject to law, you can:

  • Access a summary of your personal data and how we use it

  • Correct or update inaccurate or incomplete data

  • Erase your data when it is no longer needed or when you withdraw consent and law allows erasure

  • Raise a grievance with our Grievance Officer and escalate to the Data Protection Board after using our process

  • Nominate another person to exercise your rights in case of death or incapacity

We will provide easy ways to exercise these rights and will respond within the time the rules prescribe. MeitY

To exercise your rights email [privacy email] or use the dashboard privacy tools if available. We may ask for information to verify your identity and authority.

Cross border transfers

We may transfer personal data to service providers or partners outside India. Under the DPDP Act, cross border transfers are permitted to all countries except those the Government of India may blacklist through notification. As of today the negative list has not been notified. We use contractual and technical safeguards when we transfer data.

Transfers of sensitive personal data must also meet the SPDI Rules.

Data about employees of our merchants and partners

If your employer gives us your details to create a dashboard login or to manage the account we process that data to operate the service, verify access, and keep audit trails. You can ask your admin to update or remove your access.

Links and third party services

Our dashboard may link to services we do not control. Their privacy policies apply to their handling of data.

Changes to this policy

We will update this policy when we add features or when laws change. We will post the revised policy here with a new date. If changes are significant we will try to give advance notice.

Region specific notes

  • UPI. We rely on the UPI ecosystem of TPAPs PSP banks and NPCI to process payments and to resolve complaints. NPCI

  • BBPS. BBPS flows follow the RBI Master Directions and BBPS procedural and compensation rules.