Privacy Policy for Invoicepar

1. Introduction & Commitment

This Privacy Policy ("Policy") describes the practices of Blocsol Technologies Private Limited ("we," "us," or "our"), a company registered under the Companies Act, 2013, with its registered office at F547 Modern Towers phase 8A Industrial Area Sector 75 SAS Nagar Punjab 160055 , regarding the collection, use, storage, processing, disclosure, and protection of your information. We own, manage, and operate the platform under the brand name 'Invoicepar' (the "Platform").

We operate as a Buyer Network Participant on the ONDC (Open Network for Digital Commerce) Financial Services network and function as a Loan Service Provider (LSP). Our Platform connects Micro, Small, and Medium Enterprises (MSMEs) seeking GST invoice-based financing ("Borrowers", "Users", "You", "Your", "Yourself") with participating banks and financial institutions ("Lenders").

This Policy demonstrates our commitment to protecting your privacy and complying with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules") .

We recognize the importance of "Personal Data" and "Sensitive Personal Data or Information" (SPDI) provided by natural persons under lawful contract. We intend to take reasonable measures to keep such information confidential and may share it with affiliates, Lenders, and third-party service providers under appropriate arrangements and in compliance with applicable laws and this Policy.

This Policy applies to information collected through our Platform (https://invoicepar.com, the Invoicepar mobile application), and in email, text, and other electronic communications sent through or in connection with our services (collectively, "User Information").

Scope Exclusion:

This policy does not apply to information you provide directly to, or that is collected by, any third party, such as Lenders, ONDC, credit bureaus, or other services you may access via links from our Platform. We encourage you to consult directly with such third parties about their privacy practices.

2. Your Acknowledgment and Consent

By accessing, registering, or using the Platform or its services, you agree to be bound by the terms and conditions of this Privacy Policy. If you do not agree, please do not use or access our Platform.

By mere use of the Platform, you expressly and unconditionally agree to the terms of this Policy and provide your consent to the collection, storage, processing, handling, use, and disclosure of your User Information (including Personal Data and SPDI) in accordance with the terms contained herein.

Where specific processing activities require explicit consent under the DPDP Act (e.g., processing of SPDI, sharing data for purposes not directly related to the primary service, accessing credit reports), we will obtain such consent separately through clear affirmative action (e.g., checkboxes) before undertaking such processing.

You represent, warrant, and confirm that the User Information provided by you is and shall continue to be valid, true, accurate, and complete. We shall not be liable for the authenticity of any User Information provided by you.

3. Information We Collect (User Information)

We collect various types of information from and about Users to provide our services, fulfill our role as an LSP, and comply with legal obligations. This includes:

a) Personal Data:

As defined under the DPDP Act, this means any data about an individual who is identifiable by or in relation to such data. This includes, but is not limited to:

• Identity & Contact Details: Full name, date of birth, email address, phone number, residential/business address, photographs, government-issued ID details like PAN, Aadhaar (collected only where mandatory for KYC/compliance as per law and with your consent where required), signature.
• Business Details: Business name, entity type, incorporation/registration details, GSTIN, Udyam registration, industry type, operational details, business-related licenses/approvals.
• Technical & Usage Details: IP address, device information (ID, type, OS, browser), mobile network information, app usage patterns (features used, time spent, clicks, navigation), logs, cookie data, location data (if enabled by you).
• Communication Details: Records of communication with us (emails, chats, support tickets, call recordings if applicable with notice/consent), feedback, survey responses.
• User Inputs: Information you provide when you fill forms, participate in promotions, or use interactive features, including reviews or comments if applicable (posted at your own risk).

b) Sensitive Personal Data or Information (SPDI):

As defined under the IT Rules, 2011, this is a subset of Personal Data consisting of information relating to:

• Passwords associated with our Platform.
• Financial information such as bank account details (account number, IFSC code, bank statements), credit/debit card details (if collected, though typically for LSP services bank details are primary), GST returns data, detailed invoice information (buyer/seller details, value, date), financial statements, credit information and history (obtained from bureaus with explicit consent).
• Biometric information (if ever collected, which is unlikely for this service but included for definition completeness - requires explicit consent).
• Any detail relating to the above provided to us for service provision.
• Any information received under the above clauses by us for processing under lawful contract.

We collect and process SPDI strictly necessary for providing the loan facilitation services (KYC, credit assessment support for Lenders, disbursement/repayment setup) and only with your explicit consent , obtained before or at the time of collection.

Note: Information freely available in the public domain or furnished under the Right to Information Act, 2005, is not regarded as SPDI.

c) Bureau Data:

With your explicit consent, we or the Lenders may collect financial data and credit history/scores from financial organizations and credit information companies (including, inter-alia, TransUnion CIBIL Limited, Experian, Equifax, CRIF High Mark).

4. How We Collect Your Information

We collect User Information through various methods:

• Directly from You: When you register, complete application forms, upload documents (invoices, bank statements, KYC docs, etc.), interact with customer support, respond to surveys, or otherwise provide information on the Platform. We indicate mandatory and optional fields where possible.
• Automatically: As you navigate and interact with our Platform, we automatically collect technical and usage data using cookies, log files, web beacons, device IDs, and similar tracking technologies. (See Section 9 on Cookies).
• From Third Parties:
  • Lenders: Information regarding your loan application status or related data as necessary for the service.
  • Credit Bureaus: Credit reports and scores (only with your explicit consent).
  • KYC Verification Agencies: To validate the identity and business documents you provide.
  • GST Network (GSTN) / GSPs: With your explicit consent and authorization, accessing GST data (returns, invoice details) required for loan assessment via authorized channels.
  • ONDC Network: Transaction IDs and necessary operational data related to your interactions on the ONDC network.

5. How We Use Your Information (Purposes)

We use your User Information, including Personal Data and SPDI, only for specified, explicit, and legitimate purposes for which we have obtained your consent or as permitted by law. These purposes include:

• Service Provision: To create/manage your account, verify your identity (KYC/AML checks), process and submit your loan applications to selected Lenders via the ONDC network, facilitate communication, and provide overall Platform functionality.
• Loan Facilitation Support: To enable Lenders to assess your creditworthiness and make informed lending decisions based on the information shared through our Platform (Note: The final credit decision rests solely with the Lender).
• Platform Improvement: To operate, maintain, analyze usage, conduct internal reviews/surveys, understand user needs, improve content/features, develop new services, and personalize your experience.
• Communication: To send service-related communications (application status, updates, security alerts, support), notifications, and respond to your queries.
• Marketing & Offers (Consent-Based): With your separate consent, to send you surveys, marketing communications, or information about potentially relevant third-party offers or services.
• Legal & Compliance: To comply with applicable laws, regulations, ONDC network rules, RBI guidelines (if applicable to our specific LSP role), legal processes, governmental requests, and enforce our Terms of Use.
• Security & Fraud Prevention: To protect the integrity of our Platform, prevent fraud, diagnose technical problems, troubleshoot issues, and ensure the security of our systems and User Information.
• Analytics & Reporting: To prepare anonymized or aggregated reports for internal analysis, business intelligence, or reporting requirements.

6. Disclosure of Your Information

We may disclose your User Information (including Personal Data and SPDI where necessary and consented) to third parties only in accordance with this Policy, for the purposes outlined above, and as permitted by law. Disclosures may be made to:

• Lenders: Sharing your application form, KYC documents, business/financial data (including consented GST data, invoices), credit bureau reports (if consented), and other necessary information with Lenders you choose to apply to, enabling them to evaluate and process your loan request.
• ONDC Network Participants: Sharing necessary data as required by ONDC protocols for facilitating transactions and communication within the network.
• Service Providers & Partners: Engaging third parties who perform services on our behalf, such as cloud hosting providers (e.g., AWS, GCS), KYC verification agencies, credit bureaus (with consent), data analytics providers, communication tool providers (SMS/email gateways), customer support platforms, GSPs (for consented GST data access), IT infrastructure support, and security services. These parties are contractually obligated to maintain confidentiality and security of your data and use it only for the purposes specified by us.
• Affiliates: Sharing information with our subsidiary or affiliate companies, subject to the terms of this Policy.
• Legal & Regulatory Authorities: Disclosing information when required by law, regulation, court order, or governmental request, or when necessary to protect our rights, property, safety, or that of our users or the public (e.g., for fraud investigation).
• Business Transfers: In the event of a merger, acquisition, reorganization, financing, sale of assets, or bankruptcy, your information may be transferred as part of the transaction. We will notify you of such an event and ensure the receiving entity honours the commitments in this Policy or informs you of any changes.
• Third-Party Marketing (Consent-Based): With your explicit consent, sharing information with third parties for their marketing purposes.
• Others with Your Consent: Sharing information with any other third party based on your explicit consent obtained for that specific purpose.

We take steps to ensure that third parties who receive your information adhere to appropriate data protection and confidentiality obligations.

7. Payment Related Information

To facilitate loan disbursement and repayment processes between you and the Lender, we may need to collect and share bank account details (Account Holder Name, Account Number, IFSC Code). By providing this information, you expressly consent to us sharing it with the relevant Lenders and payment processing partners involved in the transaction flow, solely for these purposes. We encrypt sensitive financial information like bank account details using industry-standard measures during transmission and storage.

8. Data Security Measures

We implement reasonable security practices and procedures as required under the IT Rules, 2011 and DPDP Act, 2023, to protect your User Information from unauthorized access, use, alteration, disclosure, or destruction. These include:

• Technical Measures: Encryption (in transit using TLS/SSL, at rest where appropriate), firewalls, secure server configurations, access controls, regular security assessments.
• Organizational Measures: Internal data handling policies, employee training, confidentiality agreements, limiting access on a need-to-know basis, incident response plans.
• Physical Measures: Secure office premises and data center access controls (where applicable).
• ISO 27001 Certified

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your account credentials (username, password). Do not share them with anyone. If we receive instructions using your credentials, we will consider you have authorized them.

In the event of a Personal Data breach affecting you, we will notify you and the relevant authorities (like the Data Protection Board of India, once established) as required by the DPDP Act.

You agree not to engage in data scraping, data crawling, or use automated tools to access the Platform without authorization.

9. Cookies and Tracking Technologies

We and our third-party partners use cookies, pixel tags, web beacons, mobile device IDs, and similar technologies to collect and store information regarding your use of the Platform and third-party websites. Cookies are small text files stored on your device that help us recognize you, store preferences, enhance user experience, deliver relevant content/ads, perform analytics, track usage, and assist with security/administration.

We use both session cookies (expire when you close browser) and persistent cookies (remain until deleted or expire). You can manage cookie preferences through your browser or device settings, but disabling some cookies may interfere with Platform functionality.

You may encounter cookies placed by third parties (e.g., analytics providers, advertisers) on certain pages. We do not control the use of cookies by third parties. Please review their privacy policies.

10. Data Retention

We retain your User Information only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Policy, and to comply with our legal and regulatory obligations. The retention period depends on the nature of the information and applicable laws (e.g., requirements under PMLA, RBI guidelines for LSPs/lending records, Company Act, DPDP Act storage limitation principle).

Generally, account information is retained while your account is active and for a necessary period afterward for legal/audit purposes. Loan application data retention aligns with lender and regulatory requirements.

Once the retention period expires or the purpose is fulfilled, we will securely delete or anonymize your Personal Data in a manner that prevents re-identification, as required by law.

Even if you close your account, we may retain certain information as required by law, for fraud prevention, dispute resolution, enforcing agreements, or other legitimate business purposes, unless prohibited by law. Copies may remain in backup archives for a limited period.

11. Your Rights as a Data Principal

Under the DPDP Act, 2023, you (as the "Data Principal") have certain rights regarding your Personal Data processed by us (as the "Data Fiduciary"). Subject to verification and legal limitations, these include:

• Right to Access Information: To obtain confirmation on whether we process your Personal Data, access the data, and receive a summary of processing (e.g., categories of data processed, recipients of sharing).
• Right to Correction & Erasure: To request correction of inaccurate or incomplete Personal Data, update outdated data, and request erasure of Personal Data that is no longer necessary for the original purpose (subject to legal retention obligations).
• Right to Withdraw Consent: Where processing is based on consent, to withdraw that consent at any time. Withdrawal does not affect past processing but may prevent us from providing certain services going forward. We will inform you of the consequences of withdrawal.
• Right to Grievance Redressal: To easily register grievances regarding this Policy or data processing with our Grievance Redressal Officer.
• Right to Nominate: To nominate another individual to exercise your rights on your behalf in case of your death or incapacity, as per rules under the DPDP Act.

To exercise these rights, please contact our Grievance Redressal Officer (details in Section 15). We will respond as per the timelines and procedures mandated by the DPDP Act. We may need to verify your identity before processing your request.

12. Third-Party Links

Our Platform may contain links to third-party websites or services (e.g., Lenders, ONDC, partners). We are not responsible for the privacy practices or content of these external sites. This Policy does not cover information you provide to or that is collected by them. We encourage you to read their privacy policies carefully before interacting with them.

13. Children's Privacy (Persons Below 18)

Our Platform and services are not intended for individuals under the age of 18. We do not knowingly collect Personal Data from children under 18. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly. If you believe a child under 18 has provided us with Personal Data, please contact our Grievance Redressal Officer.

14. Amendments to this Privacy Policy

We reserve the right to update, modify, or amend this Privacy Policy at any time to reflect changes in law, our data practices, Platform features, or technology. We will post the revised Policy on this page and update the "Last Updated" date. For material changes, we may provide additional notice (e.g., via email or app notification).

Please review this Policy periodically. Your continued use of the Platform or Services after changes are posted constitutes your acceptance of the revised Policy.

15. Grievance Redressal Officer

In accordance with the DPDP Act, 2023 and the IT Rules, 2011, the contact details for our Grievance Redressal Officer are:

For any queries, concerns, grievances regarding this Policy or your Personal Data processing, or to exercise your rights, please contact the Grievance Redressal Officer. We will acknowledge and address your concerns per applicable legal timelines.

16. Governing Law and Dispute Resolution

This Privacy Policy and your use of the Platform shall be governed by and construed in accordance with the laws of India.

Any dispute arising out of or in connection with this Policy, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the competent courts located in SAS Nagar (Mohali), Punjab, India .

17. Force Majeure

Notwithstanding anything contained in this Policy, we shall not be held responsible for any loss, damage, or misuse of your User Information, if such loss, damage, or misuse is attributable to a Force Majeure Event. A "Force Majeure Event" means any event beyond our reasonable control, including, without limitation, sabotage, fire, flood, explosion, acts of God, civil commotion, strikes, industrial action, riots, insurrection, war, acts of government, computer hacking, unauthorized access to computer data and storage devices, technical snags, power failure, breach of security and encryption.