2.3 Information From Third Party 

Credit bureaus and credit information companies (e.g., CIBIL, Experian, CRIF Highmark) — for credit assessment, as permitted under applicable law

Regulatory databases — for KYC verification and fraud prevention. Security Measures 

Note: We do not knowingly collect Sensitive Personal Data or Information (SPDI) beyond what is required for KYC compliance and loan processing under applicable RBI regulations. Any SPDI collected is handled with enhanced security measures.

3 How We Use Your Data
We use your personal data for the following purposes only: 

Service Delivery: To process loan enquiries and applications, perform eligibility assessments, and provide NBFC services offered through the website. 

KYC & Regulatory Compliance: To verify customer identity and address as mandated by RBI Master Directions on KYC, Prevention of Money Laundering Act (PMLA), and other applicable regulations. 

Credit Assessment: To evaluate creditworthiness by accessing credit bureau reports with your consent, as part of the loan appraisal process. 

Communication: To respond to your queries, send application status updates, and issue service-related notifications. 

Security & Fraud Prevention: To detect, prevent, and investigate fraudulent or unauthorised activity and ensure the security of our systems.

Legal & Compliance Obligations: To comply with court orders, regulatory directions, audit requirements, and other legal obligations applicable to NBFCs.

Website Improvement: To analyse aggregated and anonymised usage data to improve the functionality, content, and user experience of our website.

Grievance Redressal: To address and resolve complaints and grievances in accordance with our Grievance Redressal Policy and RBI guidelines

We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human oversight. 

4 Legal Bases for Processing 

Legal Bases for Processing 

Our processing of your personal data is based on one or more of the following legal grounds: 

Contractual Necessity: Processing required to enter into or perform a contract with you (e.g., processing a loan application). 

Legal Obligation: Processing necessary to comply with RBI regulations, PMLA, Income Tax Act, and other applicable laws. 

Consent: Where you have given explicit consent (e.g., accessing your credit bureau report). You may withdraw consent at any time without affecting the lawfulness of prior processing. 

Legitimate Interests: Processing necessary for our legitimate business interests (e.g., fraud prevention, website security), provided such interests are not overridden by your rights and interests. 

5 Data Retention 
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to any longer retention period required by law. The following retention periods apply: 
1 Category of Data KYC Documents & Customer Records.

Retention Period 8 years from end of business relationship.

Basis PMLA, RBI KYC Master Directions.

2 Category of Data Loan Application Data (approved)

Retention Period Duration of loan + 8 years post-closure 

Basis RBI prudential norms

3 Category of Data Loan Application Data (rejected)

Retention Period 3 years from date of rejection 

Basis Internal policy & legal limitation 

4 Category of Data Website Usage / Analytics Data

Retention Period Up to 24 months (anonymised after 6 months) 

Basis Legitimate interest

5 Category of Data Cookie Data

Retention Period As per cookie category (see Section 10)

Basis Consent / Legitimate interest 

6 Category of Data Grievance Records 

Retention Period 5 years from resolution 

Basis RBI Grievance guidelines

6 Data Sharing and Disclosure 
We do not sell, rent, or trade your personal data. We may share your data only in the following limited circumstances: Regulatory and Legal Authorities 

.61 Regulatory and Legal Authorities : We may disclose personal data to the Reserve Bank of India, Financial Intelligence Unit – India (FIU-IND), Income Tax authorities, or any other government or regulatory body when required by law, regulation, court order, or official request

6.2 Credit Information Companies
We may share data with licensed credit bureaus (e.g., CIBIL, Experian, Equifax, CRIF High Mark) as permitted under the Credit Information Companies (Regulation) Act, 2005, for credit assessment and reporting purposes. 

6.3 Service Providers and Technology Partners 
We engage carefully vetted third-party service providers (e.g., cloud hosting, KYC verification platforms, IT support) who process data on our behalf and are bound by contractual data protection obligations. They are not permitted to use your data for their own purposes.

6.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the successor entity, subject to the same privacy protections. You will be notified of any material change in control. 

6.5 With Your Consent
We may share data with other third parties where you have provided specific, informed consent for such sharing. 

7 International Data Transfers

Finasia Capital primarily processes and stores personal data within India. If any data is transferred to, or accessed from, a jurisdiction outside India (e.g., through cloud infrastructure), we ensure that adequate safeguards are in place, including: 

Contractual clauses that replicate the protections required under Indian law; 

Transfers only to jurisdictions with equivalent data protection standards; and 

Compliance with any applicable RBI data localisation requirements for regulated financial data. 

As of the effective date of this Policy, all primary data storage is located within the territory of India. 

8 Your Rights
You have the following rights in relation to your personal data. We will respond to all valid requests within 30 days (or sooner where required by law):
1 Your Right Right of Access 
What It Means Request a copy of personal data we hold about you
How to Exercise Email our Grievance Officer
2 Your Right  Right to Correction
What It Means Ask us to correct inaccurate or incomplete data
How to Exercise Email / Written request
3 Your Right  Right to Deletion
What It Means Request erasure of data (subject to legal obligations)
How to Exercise Email our Grievance Officer
4 Your Right  Right to Object
What It Means Object to processing for purposes beyond those stated. 
How to Exercise Written notice to Grievance Officer
5 Your Right  Right to Portability 
What It Means Receive your data in a structured, machine-readable format
How to Exercise  Email request 
6 Your Right  Right to Withdraw Consent 
What It Means Withdraw consent at any time without affecting prior processing
How to Exercise Email / Written request 
To exercise any of the above rights, please contact our Grievance Officer (see Section 13). We may need to verify your identity before processing your request. Certain rights may be limited by legal or regulatory obligations. 

9 Security Measures 

We are committed to protecting your personal data against unauthorised access, disclosure, alteration, or destruction. We implement the following measures in accordance with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and RBI cybersecurity guidelines: 

Encryption of data in transit using industry-standard TLS/HTTPS protocols. 

Access controls limiting data access to authorised personnel only, based on the principle of least privilege. 

Regular internal security reviews and vulnerability assessments. 

Secure storage of KYC and financial documents with restricted access. 

Employee training on data privacy and information security practices. 

Incident response procedures to detect, report, and address personal data breaches promptly. 

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach that poses a significant risk to you, we will notify you and the relevant authorities as required by law.

10 Cookies and Tracking Technologies
Our website uses cookies and similar technologies. Below is a summary of the types of cookies we may use: 

1 Cookie Type Strictly Necessary 
Purpose Required for core website functionality (navigation, security).
Duration Session 
Can Be Disabled? No — essential for the site to work
2 Cookie Type Functional 
Purpose Remember your preferences and improve user experience.
Duration Up to 12 months
Can Be Disabled? Yes — via browser settings
3 Cookie Type Analytics 
Purpose Collect anonymised data on how visitors use our site (e.g., Google Analytics). 
Duration Up to 24 months
Can Be Disabled? Yes — via cookie preferences
4 Cookie Type Marketing / Third-Party
Purpose We do not currently use marketing or tracking cookies for advertising
Duration  N/A
Can Be Disabled? N/A
You can manage your cookie preferences through your browser settings. Disabling strictly necessary cookies may affect certain website functionalities. Continued use of our website after being notified of our cookie usage constitutes acceptance of cookies in accordance with this Policy. 

11 Children's Privacy

Our website and services are directed exclusively at adults who are 18 years of age or older. We do not knowingly collect, use, or store personal data from individuals under the age of 18. If you believe that a minor has submitted personal data to us, please contact our Grievance Officer immediately and we will take prompt steps to delete such data.  NBFC services — including lending products — are available only to eligible adults as defined by the applicable laws of India and RBI regulations.

12 Updates to This Privacy Policy 

We may update this Privacy Policy from time to time to reflect changes in our practices, regulatory requirements, or applicable law. When we make material changes, we will: 

Update the 'Effective Date' at the top of this Policy; 

Post the revised Policy on our website; and 

Where practicable, notify registered users via email or a prominent notice on our website. 

We encourage you to review this Policy periodically. Your continued use of our website following the publication of changes constitutes your acknowledgement of those changes. If you do not agree to the revised Policy, you should discontinue use of our website. 

13 Contact Us — Grievance Officer
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise any of your rights, please contact our designated Grievance Officer

Grievance Officer

Finasia Capital - Mirage Advances Private Limited

Registered Office: 5th Floor, The Mirage, 556-B, Cool Road, Jalandhar City, Punjab 144001

Corporate Office: 350, Nemi Sagar Colony, Queens Road, Vaishali Nagar, Jaipur 302021

CIN U65921PB1995PTC016834

Please mark all communications Privacy Grievance - Finasia Capital

We will acknowledge your complaint within 7 working days and endeavour to resolve it within 30 days. If you are not satisfied with the resolution, you may escalate the matter to the Reserve Bank of India's online complaints portal (https://cms.rbi.org.in) or the RBI Ombudsman for NBFCs, as applicable.