Privacy Policy
Last updated: June 8, 2026 · Effective: June 8, 2026
The short version: We collect only what we need. We protect everything with enterprise-grade AES-256 encryption. We never sell your data — ever. We share with partners only as needed to provide you financial services, and only with your consent.
1. Who We Are
Nishwik Global Fintech Private Limited ("Nishwik", "we", "our", "us") is a technology company registered in India. We operate the Nishwik app, web platform, and partner dashboards ("Platform"). We are not an NBFC or bank — we partner with RBI-registered NBFCs and scheduled commercial banks to provide financial products.
2. Data We Collect
2.1 Information You Provide
- Identity information: Name, date of birth, PAN, Aadhaar (via CKYC only)
- Contact information: Email address, phone number
- Financial information: Income, employment, bank account details (for disbursement/repayment only)
- KYC documents: As required by RBI-registered lending partners
- Application data: Loan amounts, purposes, partner selections
2.2 Information Automatically Collected
- Device data: Device type, OS version, app version
- Usage data: Features used, pages visited (anonymised)
- Technical data: IP address, crash reports
3. How We Use Your Data
- To process and facilitate loan applications and EMI products
- To verify your identity via CKYC-compliant processes
- To disburse and collect payments via BBPS-registered channels
- To communicate with you about your applications and account
- To send product and feature updates (with your opt-in consent)
- To improve our Platform (using anonymised, aggregated data only)
- To comply with legal and regulatory obligations
4. Data Sharing
We share your data with:
- RBI-registered NBFC and banking partners — strictly for loan underwriting and disbursement, under contractual data protection obligations
- CKYC Registry — for identity verification as required by RBI regulations
- BBPS — for payment processing
- Regulatory authorities — when legally required by RBI, SEBI, or other regulators
We never sell your personal data. We do not share your data with advertisers, data brokers, or third-party marketing platforms. Period.
5. Data Security
All data is encrypted using AES-256 encryption at rest and TLS 1.3 in transit. We maintain strict access controls, conduct regular security audits, and are pursuing ISO 27001 certification. Our security team reviews access logs continuously.
6. Your Rights
- Right to access your data
- Right to correct inaccurate data
- Right to request deletion (subject to regulatory retention requirements)
- Right to withdraw consent for marketing communications
- Right to data portability
To exercise any of these rights, contact us at privacy@nishwik.com. We respond within 30 days.
7. Data Retention
We retain your data for as long as your account is active and for up to 8 years after account closure, as required by applicable Indian financial regulations. Anonymised, aggregated data may be retained indefinitely for analytics purposes.
7B. Your Rights Under DPDP Act 2023
As a Data Principal under India's Digital Personal Data Protection (DPDP) Act, 2023, you have the right to:
- Right to Access: Know what personal data Nishwik holds about you
- Right to Correction: Correct inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data (subject to legal retention obligations)
- Right to Grievance Redressal: Raise concerns with our Data Protection Officer
- Right to Nominate: Nominate a person to exercise your rights in case of your death or incapacity
- Right to Withdraw Consent: Withdraw consent for data processing at any time
To exercise any right, email: privacy@nishwik.com. We will respond within 72 hours.
8. Cookies and Tracking
Our web platform uses strictly necessary cookies for functionality and optional analytics cookies (with your consent). We do not use advertising or tracking cookies. You can manage cookie preferences in your browser settings.
9. Children's Privacy
Our Platform is not intended for individuals under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us immediately at privacy@nishwik.com.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notification at least 14 days before they take effect. Continued use of the Platform after that date constitutes acceptance of the updated policy.
11. Contact & Grievance Officer
For privacy-related queries or complaints:
12. Data Deletion — Request Your Data to Be Erased
Your right under DPDP Act 2023 (Section 13): You have the right to request erasure of your personal data held by Nishwik. We will process verified requests within 30 days and confirm deletion in writing.
Under the Digital Personal Data Protection (DPDP) Act, 2023 and our obligations as a Data Fiduciary, Nishwik provides a clear, accessible process to request deletion of your personal data from our systems.
12.1 What Data Can Be Deleted
You may request deletion of:
- Your account profile — name, email address, phone number, address
- Identity documents uploaded during KYC (Aadhaar, PAN, photos) — subject to regulatory retention obligations below
- Communication history (chat logs, email threads, support tickets)
- Device data and usage data tied to your account
- Marketing preferences, consent records, and communication opt-ins
- Waitlist and newsletter subscriptions
12.2 Data That Cannot Be Deleted (Legal Retention Obligations)
Certain data must be retained under applicable Indian law and cannot be erased even upon request. We will inform you of the exact category and retention period when processing your request.
- Loan records and repayment history — 8 years under RBI Master Directions on KYC / loan documentation
- KYC records filed with the CKYC Registry (CERSAI) — controlled by the central registry; Nishwik cannot delete records already submitted
- BBPS payment and transaction data — retained under NPCI/RBI mandated timelines
- Records subject to ongoing legal, regulatory, or audit proceedings
- GST-relevant transaction records — 6 years under GST Act, 2017
- IT Act compliance records — as required under Section 43A and IT Rules, 2011
12.3 How to Submit a Deletion Request
📧 Option 1 — Email (Recommended, fastest)
Send an email to privacy@nishwik.com with subject line:
Data Deletion Request — [Your Registered Mobile Number]
Include in your email:
- Full name as registered on Nishwik
- Registered mobile number and email address
- Scope of deletion — all data, or specific categories
- Reason for deletion (optional — not mandatory)
📬 Option 2 — Written Request (Postal)
Nishwik Global Fintech Private Limited
Attn: Data Protection Officer
CIN: U62091MH2025PTC448673
Please include your full name, registered contact details, a self-attested copy of valid government-issued photo ID, and a clear description of the data you wish deleted.
12.4 Online Request Form
You can also submit your request directly using the form below. We will contact you on your registered mobile/email to verify your identity before processing.
12.5 What Happens After You Submit
- Within 72 hours: Identity verification — we will send an OTP or email link to your registered details
- Within 7 days: Written acknowledgement confirming scope of data to be deleted and any data that must legally be retained
- Within 30 days: Deletion completed and written confirmation sent to your registered email
- If retention is required: We will state the exact legal basis and estimated retention period in writing
12.6 Withdrawing Consent for Marketing Communications
To withdraw consent for marketing emails or SMS without deleting your account: click "Unsubscribe" in any Nishwik email, or write to privacy@nishwik.com with subject "Withdraw Marketing Consent — [Your Mobile Number]". We will process this within 5 business days.
12.7 Escalation and Complaints
If your deletion request is not handled correctly or within the required timeline:
- Step 1 — Grievance Officer: Write to grievance@nishwik.com — Vinit Pandey — response within 7 business days
- Step 2 — Data Protection Board of India: Once constituted under the DPDP Act 2023, you may file a complaint with the Board
- Step 3 — Consumer Forum: You may approach the applicable consumer forum under the Consumer Protection Act, 2019