Privacy Policy

This Privacy Policy governs the collection, use, storage, and disclosure of personal and financial information by Capora Fintech Private Limited ("Capora", "we", "our", "us") in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and applicable Reserve Bank of India (RBI) guidelines. Capora operates as a fintech platform offering credit score improvement services on a subscription basis and acts as a Loan Service Provider (LSP) for referral of loan and insurance products.

Capora Fintech Private Limited is the Data Fiduciary responsible for processing your personal data. We are incorporated under the Companies Act, 2013 and our registered office is in India.

For all data-related matters, contact: privacy@capora.in

We collect the following categories of data to deliver our services:

• Identity Data: Full name, date of birth, PAN, Aadhaar (as permitted under applicable law), government-issued photo ID
• Contact Data: Mobile number, email address, residential and correspondence address
• Credit & Financial Data: Credit bureau reports (CIBIL, Experian, Equifax, CRIF Highmark), credit score history, repayment behaviour, existing loan details, income details, bank statements (where provided voluntarily)
• Subscription & Payment Data: Subscription plan details, payment history, billing cycle, UPI/card/net banking transaction references
• KYC Data: Photograph, signature, video KYC recordings (where applicable for partner onboarding)
• Device & Technical Data: IP address, device identifiers, operating system, browser type, cookies, approximate location (with consent)
• Usage Data: Features accessed, credit score reports viewed, recommendations read, session duration
• Communication Data: Support emails, in-app messages, feedback forms
• Referral Data: Information shared with you regarding loan or insurance products, and your responses to such referrals

We process your data on the following lawful bases:

• Consent: For fetching your credit bureau report, sending product recommendations, lead sharing with lending/insurance partners, and marketing communications
• Contractual Necessity: To activate and manage your subscription, process subscription payments, and deliver credit improvement insights
• Legal Obligation: KYC/AML compliance where applicable under PMLA 2002 and RBI guidelines for LSPs
• Legitimate Interests: Fraud prevention, platform security, improving our credit improvement algorithms and recommendations

• Pull and display your credit bureau report and credit score with your explicit consent
• Analyse your credit profile to provide personalised credit improvement recommendations and action plans
• Track your credit score progress over your subscription period
• Process monthly subscription payments and send billing notifications
• Share your information as a lead with RBI-registered lending partners (NBFCs/Banks) or insurance companies, only with your prior explicit consent
• Verify identity and conduct KYC where required under applicable law
• Send transactional notifications, subscription renewal reminders, and service updates
• Detect and prevent fraud, unauthorised access, and abuse of platform
• Respond to customer queries and resolve grievances
• Send marketing communications about new features and relevant financial products (only with your explicit opt-in consent; you may opt out at any time)

A core part of our secondary service is connecting you with suitable loan and insurance products offered by our regulated partners. We will:

• Share your contact details and basic financial profile with lending partners (NBFCs/Banks) or insurance companies only after obtaining your explicit, informed consent at the time of referral
• Disclose the name of the partner(s) with whom your data is being shared before you consent
• Not share your credit bureau report or detailed financial data without a separate, specific consent
• Maintain a record of all consents given for lead sharing

Once your data is shared with a partner, that partner becomes a separate Data Fiduciary and their own privacy policy governs further processing. Capora is not responsible for partner data handling post-referral.

Capora fetches your credit report from licensed credit information companies (CICs) — CIBIL, Experian, Equifax, or CRIF Highmark — under your explicit consent as required by the Credit Information Companies (Regulation) Act, 2005. Each credit pull is a "soft inquiry" for personal monitoring purposes and does not affect your credit score.

We do not sell your personal data. We may share your information with:

• Credit Information Companies (CICs): To fetch and update your credit report
• Lending & Insurance Partners: Only with your consent, for lead referral purposes
• Payment Processors: Razorpay, Cashfree, or similar payment gateways for subscription billing
• KYC Agencies: For identity verification where required
• Regulatory Authorities: RBI, FIU-IND, Income Tax Department, and other authorities as required by law
• Technology Service Providers: Cloud, analytics, and security vendors — under strict confidentiality agreements
• Legal & Professional Advisors: Auditors, lawyers, as necessary

• Subscription & Account Data: Duration of subscription plus 3 years after account closure
• Credit Reports & Score History: Duration of subscription plus 2 years, or as required by applicable law
• KYC Records: Minimum 5 years after end of the relationship (PMLA requirement)
• Payment Transaction Records: As required under IT Act and applicable tax law
• Marketing Consent Data: Until consent is withdrawn or 3 years of inactivity

Upon expiry of the retention period, data is securely deleted or anonymised.

• Right to Access: Obtain a summary of personal data being processed and the processing activities
• Right to Correction: Correct inaccurate or incomplete personal data
• Right to Erasure: Request deletion of data where it is no longer necessary (subject to legal obligations)
• Right to Withdraw Consent: Withdraw any previously given consent, including for lead sharing or credit bureau access
• Right to Grievance Redressal: Lodge complaints with our Grievance Officer and, if unresolved, with the Data Protection Board of India
• Right to Nominate: Nominate an individual to exercise your rights in the event of death or incapacity

To exercise your rights, email privacy@capora.in. We will respond within 30 days.

• AES-256 encryption for data at rest; TLS 1.2+ for data in transit
• Role-based access controls and multi-factor authentication for internal systems
• Regular penetration testing and vulnerability assessments
• Security incident response procedures in compliance with RBI's IT Security Framework

In the event of a data breach likely to cause harm to you, we will notify you and relevant authorities as required by applicable law.

Our platform uses cookies for authentication, security, analytics, and personalisation. You may manage cookie preferences through your browser settings. Disabling essential cookies may affect service functionality.

Our services are not directed to individuals below 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will delete it promptly.

We may update this Privacy Policy periodically. Material changes will be communicated via email or prominent notice on our platform at least 30 days before taking effect.