Privacy Policy

Effective Date: June 1, 2026  |  PayVendo Mobile Application (Android & iOS)

PAYVENDO SOLUTIONS PRIVATE LIMITED is committed to safeguarding your personal and financial information. This policy applies to all users of the PayVendo mobile application. We comply with RBI Master Directions on KYC, Information Technology Act, 2000, IT (SPDI) Rules, 2011, PMLA 2002, DPDPA 2023, and Google Play Developer Program Policies.

1. Introduction

PAYVENDO SOLUTIONS PRIVATE LIMITED ("PayVendo", "we", "us", or "our") operates the PayVendo mobile application ("App") on Android and iOS. This Privacy Policy explains what data we collect, why we collect it, and how we use it.

This policy complies with:

  • Information Technology Act, 2000
  • IT (SPDI) Rules, 2011
  • RBI Master Directions on KYC
  • Prevention of Money Laundering Act (PMLA), 2002
  • Digital Personal Data Protection Act (DPDPA), 2023
  • Google Play Developer Program Policies

By downloading or using the PayVendo App, you agree to this Privacy Policy.

2. Data We Collect and Why

2.1 Personal & KYC Data

We collect your name, date of birth, gender, PAN number, Aadhaar-related information (may be processed through authorized KYC service providers in accordance with applicable regulations), passport or driving licence (for enhanced KYC), live selfie for liveness verification, and business registration documents for merchant accounts.

Why: Mandatory KYC as required by RBI and PMLA regulations.

2.2 Contact & Account Data

We collect your mobile number, email address, postal address, and login credentials (passwords are stored in hashed form and never in plaintext).

Why: To create and manage your account.

2.3 Financial Data

We collect your bank account number and IFSC code, linked UPI IDs, prepaid card details (tokenised as per PCI-DSS; CVV is never stored), transaction history, wallet balance, and settlement records.

Why: To process payments, recharges, and settlements.

2.4 Device & Technical Data

We collect your device model, OS version, anonymized device identifiers, IP address, network type, App version, session tokens, and crash reports.

Why: For security, fraud prevention, and App performance.

2.5 Location Data

We collect GPS coordinates only when you grant permission and only while the App is actively in use. We do not collect location data in the background.

Why: For nearest biller detection and anti-fraud geo-verification.

2.6 SMS Data

We use Google's SMS Retriever API or SMS User Consent API to automatically detect OTPs without accessing or storing any SMS content. We do not store, share, or upload your SMS messages or any other SMS content.

Why: To provide seamless OTP verification. This is the sole purpose of SMS access.

2.7 Support Communications

We collect in-app chat messages, support ticket content, and customer care call recordings. You will always be informed before a call is recorded.

Why: To resolve your queries and improve service quality.

3. App Permissions

Required Permissions

INTERNET

Used to process transactions and communicate with our servers. The App cannot function without this permission.

SMS (via SMS Retriever / User Consent API)

We use Google SMS Retriever API / SMS User Consent API for OTP verification and do not require READ_SMS or access to SMS content.

CAMERA

Used for Aadhaar eKYC document scanning and QR code scanning during bill payments and FASTag recharge.

READ_PHONE_STATE

Used only for device-based security and fraud prevention as per applicable security requirements. No call data is accessed. We do not make or intercept calls.

Optional Permissions

ACCESS_FINE_LOCATION

Used for nearest biller/operator detection and geo-verification for fraud prevention. Used only when the App is open and only if you grant permission. You can deny this and still use all core services.

READ_CONTACTS

Used only when you initiate a money transfer or recharge for a saved contact. We do not upload, store, or sync your contact list to our servers.

READ/WRITE_EXTERNAL_STORAGE

We use system media storage APIs (MediaStore / Storage Access Framework) to save receipts and invoices on the device.

USE_BIOMETRIC / USE_FINGERPRINT

Used for App login security if you opt in. All biometric processing happens on your device only. Biometric data is never transmitted to or stored on our servers.

POST_NOTIFICATIONS

Used to send transaction alerts, OTP notifications, payment confirmations, and promotional offers. Promotional notifications are sent only with your consent and you can unsubscribe anytime.

You can revoke any optional permission at any time via your device Settings > Apps > PayVendo > Permissions.

4. How We Use Your Data

We use your data only for the following purposes:

  • Account creation, KYC verification, and account management
  • Processing mobile recharges, DTH, FASTag, and data card top-ups
  • Processing utility and government bill payments via BBPS
  • Issuing and managing prepaid cards on RuPay, Visa, and Mastercard networks
  • Delivering bulk SMS and OTP services for business users
  • Fulfilling digital gift voucher purchases and delivery
  • Fraud detection, risk assessment, and prevention of unauthorized transactions
  • Sending transactional alerts — OTPs, receipts, and payment confirmations
  • Sending promotional communications — only with your prior consent; you can withdraw consent anytime via App Settings > Notifications
  • Improving App performance through anonymised, aggregated analytics
  • Complying with legal and regulatory obligations

We do not use your data for any purpose beyond what is listed above.

5. Data Sharing

We do not sell, rent, or trade your personal data to any third party for commercial purposes.

We share your data only with:

Regulators and Government Bodies

RBI, FIU-IND, NPCI, Income Tax Department, and law enforcement agencies — only when required by law, court order, or regulatory directive.

Banking and Payment Network Partners

Nodal banks, sponsor banks, and payment networks (RuPay, Visa, Mastercard, NPCI/UPI) — only for payment processing and settlement.

Telecom Operators and Billers

Relevant operators and BBPS-certified billers — only to complete your recharge or bill payment transaction.

Technology Service Providers

Cloud infrastructure, KYC verification, SMS/email delivery, and customer support vendors. We primarily process and store data in India using trusted third-party service providers. All vendors are bound by data processing agreements and are prohibited from using your data for their own purposes.

Business Transfers

If PayVendo undergoes a merger, acquisition, or sale of assets, you will be notified via in-app notification and email before any data is transferred to a new entity.

With Your Explicit Consent

For any sharing not described above, we will obtain your explicit consent beforehand.

6. Data We Do NOT Collect or Store

To be fully transparent:

  • We do not store full Aadhaar numbers (only last 4 digits are retained)
  • We do not store CVV numbers or full card numbers (all card data is tokenised)
  • We do not store your biometric data on our servers
  • We do not read, store, or share SMS content other than OTPs
  • We do not collect contacts without your explicit action
  • We do not track your location in the background
  • We do not sell your data to advertisers

7. Data Security

  • AES-256 encryption for all data stored at rest
  • TLS 1.2 / TLS 1.3 for all data transmitted between the App and our servers
  • PCI-DSS Level 1 compliant infrastructure for payment card data
  • Multi-Factor Authentication (MFA) for all administrative system access
  • Role-Based Access Control (RBAC) — staff access only what is necessary for their role
  • Regular third-party penetration testing and vulnerability assessments
  • All servers and data centres located within India
  • RBI-mandated breach notification protocols in place

8. Data Retention

Data Type | Retention Period | Legal Basis
KYC documents | 5 years after account closure | PMLA, 2002
Transaction records | 5 years from transaction date | RBI mandate
Audit and API logs | 3 years | RBI mandate
Support communications | 2 years | Business necessity
Device and session logs | 6 months | Security
Promotional consent records | Until withdrawn + 1 year | DPDPA, 2023

After the applicable period, data is securely deleted or irreversibly anonymised unless required for an active legal dispute or regulatory proceeding. Users can request account deletion from within the app or by contacting support.

9. Your Rights

Under the IT (SPDI) Rules 2011 and the Digital Personal Data Protection Act 2023, you have the right to:

  • Access — Request a summary of personal data we hold about you
  • Correction — Request correction of inaccurate or outdated data
  • Deletion — Request deletion of your data, subject to mandatory legal retention obligations
  • Data Portability — Receive your data in a structured, machine-readable format
  • Withdraw Consent — Withdraw consent for non-essential processing (e.g. marketing) via App Settings > Privacy at any time
  • Grievance Redressal — File a complaint with our Grievance Officer

To exercise any right, email help@payvendo.in from your registered email address. We will acknowledge within 72 hours and resolve within 30 days.

10. Children's Privacy

The PayVendo App is intended exclusively for users aged 18 years and above. We do not knowingly collect personal data from anyone under 18. If we discover a minor has registered, we will immediately delete their account and all associated data. If you believe a minor has used our App, please contact help@payvendo.in immediately.

11. Third-Party SDKs and Services

The App uses third-party SDKs for the following purposes only:

  • Analytics (e.g. Firebase) — Crash reporting and anonymised usage analytics
  • Push Notifications (e.g. Firebase Cloud Messaging) — Transaction and account alerts
  • KYC / Video Verification — Aadhaar-based and video KYC processing
  • Payment Networks — RuPay, Visa, Mastercard SDK integrations

All SDK providers are contractually bound to process your data only for the purpose stated above. They are not permitted to use your data for advertising, profiling, or any independent purpose.

12. Changes to This Policy

When we make material changes to this Privacy Policy, we will notify you via in-app notification and/or email to your registered address at least 7 days before the changes take effect. Your continued use of the App after the effective date constitutes acceptance of the revised policy. The latest version is always available at www.payvendo.in/privacy and within the App under Settings > Privacy Policy.

13. Grievance Officer

Grievance Officer — Privacy

PAYVENDO SOLUTIONS PRIVATE LIMITED

Email: help@payvendo.in

Phone: +91 7073022020

Monday – Saturday, 9:00 AM – 6:00 PM IST

Office Address:

Office 515, 5th Floor, Mansarovar Plaza,

Mansarovar, Jaipur, Rajasthan – 302020, India

We acknowledge all complaints within 72 hours and resolve within 30 days.