Privacy Policy

Pey Technologies Private Limited ("PeyCoIn") is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have under the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 read with the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 ("SPDI Rules"), and other applicable laws.

Last updated: 14 June 2026 | Effective: 14 June 2026

1. Who this Policy applies to

This Policy applies to anyone who downloads the PeyCoIn app, visits pey.co.in, or otherwise interacts with our Services. We act as the "Data Fiduciary" for personal data where we determine the purposes and means of processing. Where we process data on behalf of another entity (for example, an employer rolling out PeyCoIn for groups), we may act as a "Data Processor" and that entity will be the Data Fiduciary.

2. Personal data we collect

Data you provide

  • Identity: name, mobile number, email, date of birth, gender (optional);
  • KYC: PAN, Aadhaar reference (offline-XML where used), photograph, video selfie, address;
  • Financial: bank account details (last 4 digits + IFSC), VPAs, card BIN/last 4 digits (we never store full card numbers), and beneficiary information you add;
  • Content: expenses, notes, photos, group memberships;
  • Support: messages, attachments, recordings of support calls (with notice).

Data we collect automatically

  • Device: model, OS version, language, time zone, network operator, app version;
  • Usage: pages viewed, features used, error logs, crash reports;
  • Identifiers: device ID, advertising ID (only if you allow), IP address, approximate location derived from IP;
  • Cookies and similar technologies on the website (see Cookies Notice).

Data from third parties

  • Bank, UPI handle, and account aggregator data (only with your explicit consent under the AA framework);
  • KYC partners and identity-verification providers;
  • Fraud-prevention and credit-bureau partners (where applicable).

3. Why we process your data

  • To create and maintain your account and provide the Services;
  • To process and route payments through licensed banking and UPI partners;
  • To prevent, detect, and investigate fraud, money laundering, and terrorist financing in line with the PMLA and RBI Master Directions;
  • To comply with legal obligations, tax requirements, audits, and lawful requests from authorities;
  • To improve the Services, conduct analytics, and personalise your experience;
  • To communicate with you about updates, security alerts, and (with consent) marketing.

We process your personal data on one or more of the following bases:

  • Consent — clear, informed, free, specific consent (DPDP §6) for purposes such as marketing, optional features, and AA data fetching;
  • Legitimate use — performance of a contract, fraud prevention, security, and other "Legitimate Uses" under DPDP §7;
  • Legal obligation — KYC/AML, tax, and statutory record-keeping.

You may withdraw consent at any time from in-app settings or by emailing privacy@pey.co.in. Withdrawal does not affect processing carried out before withdrawal, nor does it relieve us from processing required by law.

5. How we share your data

We share personal data only with:

  • Banking & payment partners — to settle transactions through UPI, IMPS, NEFT, and card networks;
  • KYC and verification providers — to comply with RBI/PMLA;
  • Cloud and infrastructure providers — for hosting, storage, and analytics, under strict data-processing agreements;
  • Professional advisors — auditors, lawyers, and consultants under confidentiality;
  • Authorities — where compelled by valid legal process or to protect life, property, or national security.

We do not sell or rent your personal data to anyone, ever.

6. Storage and retention

Personal data is hosted primarily on servers located in India. We retain personal data only for as long as necessary to provide the Services and to comply with our legal obligations (typically a minimum of 5 years for transaction and KYC data under PMLA). After this, data is deleted or anonymised.

7. Security

We follow the security practices required under the SPDI Rules, including ISO/IEC 27001-aligned controls, AES-256 encryption at rest, TLS 1.3 in transit, role-based access control, MFA for internal access, regular VAPT, and a documented incident response plan. We will notify the Data Protection Board of India and affected users of any qualifying personal data breach as required by §8(6) of the DPDP Act.

8. Your rights as a Data Principal

Under the DPDP Act you have the right to:

  • Confirmation and access — know what personal data we process about you;
  • Correction, completion, updating, and erasure of your personal data;
  • Grievance redressal — escalate complaints to our DPO and onwards to the Data Protection Board;
  • Nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise these rights, write to our Data Protection Officer at dpo@pey.co.in. We will respond within 30 days of receiving a verifiable request.

9. Children

PeyCoIn is not directed at children under 18. We do not knowingly process personal data of children. Where we learn that we have collected such data, we will delete it. Where the DPDP Act requires verifiable parental consent for processing of children's data, we will obtain it before processing.

10. Cookies and SDKs

We use a small number of strictly-necessary cookies on the website, plus optional analytics SDKs in the app (e.g., crash reporting). You can manage these preferences in the app or via your browser. See our Cookies Notice for the full list.

11. International transfers

We process and store personal data primarily in India. Where data is transferred outside India to a sub-processor, the transfer occurs only to jurisdictions that the Central Government has not restricted under §16 of the DPDP Act, and only under contractual safeguards equivalent to those required in India.

12. Updates to this Policy

We may update this Policy from time to time. Material changes will be notified via the app or by email at least 14 days before they take effect.

13. Contact our DPO

Anurag Shahi, Data Protection Officer (Interim, Beta)
Email: dpo@pey.co.in
Phone: +91 87389 59415
Entity: Pey Technologies Private Limited.

If you are not satisfied with our response, you may approach the Data Protection Board of India once it is operational, or use the existing grievance mechanism under the IT Act / SPDI Rules.