Privacy Policy

This Privacy Policy (“Policy”) sets out the manner in which Frax Digital Private Limited, a company incorporated under the Companies Act, 2013 and having its registered office at A-24, Kibithu Homes, Vikas Marg, Sector 47, Gurugram, Haryana – 122018 (“Company”, “we”, “us” or “our”), collects, processes, uses, stores, shares, retains and protects personal data in connection with the operation of the Company website, mobile application and associated digital interfaces (collectively, the “Platform”).

This Policy is issued in accordance with the Information Technology Act, 2000 and rules thereunder, the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and other applicable laws of India. This Policy is intended to function as a comprehensive data governance and privacy framework governing the collection and processing of personal data through the Platform.

By accessing or using the Platform, you (“User” or “you”) acknowledge that you have read, understood and accepted this Policy and, where required under applicable law, expressly consent to the collection, processing, storage, use, disclosure and retention of your personal data in the manner described herein. Certain categories of processing may also be undertaken where necessary for compliance with applicable law, prevention of fraud, cybersecurity, enforcement of legal rights, operation of contractual arrangements or fulfilment of regulatory obligations, to the extent permitted under applicable law.

1. ROLE OF THE COMPANY

The Company operates the Platform as a technology and operations provider facilitating access to property-specific participation opportunities through special purpose vehicles, including SPV LLPs and similar structures. In this capacity, the Company may act as a data fiduciary, data processor or co-fiduciary, depending upon the nature of the data processed and the operational or regulatory context in which such processing occurs. Certain SPVs, LLPs, escrow entities, payment intermediaries or regulated counterparties associated with a transaction may independently determine the purpose and means of processing certain categories of personal data in accordance with applicable legal, accounting, regulatory or compliance obligations.

The Company processes personal data solely for lawful, legitimate, proportionate and purpose-specific objectives connected with onboarding, compliance, transaction facilitation, operational administration, security, auditability and regulatory obligations. The Company does not knowingly collect or process personal data for unrelated, speculative or unauthorised commercial purposes.

2. COLLECTION AND PROCESSING OF PERSONAL DATA

By accessing or using the Platform, you expressly consent to the collection, processing, storage and use of personal data by the Company for onboarding, verification, compliance, transaction facilitation, operational, audit, legal and security purposes.

The categories of personal data collected and processed may include, without limitation:

• identity and verification information, including name, date of birth, photograph, PAN, Aadhaar where voluntarily submitted or lawfully required under applicable verification processes , passport, driving licence or other government-issued identification documents;

• residential, contact and communication details including address, email address and telephone number;

• financial, banking and investment-related information including bank account details, IFSC, bank name, cancelled cheque, financial profile information and other information reasonably required for suitability, compliance and participation assessment;

• nominee and beneficiary details where voluntarily provided;

• KYC, anti-money laundering, fraud prevention and regulatory compliance information;

• technical, device and usage information generated through use of the Platform, including IP address, device identifiers, browser or application metadata, access timestamps, cookies, log records and system activity data;

• digital execution, verification and audit metadata including OTP confirmations, e-sign authentication records, timestamps, document hashes, live video verification recordings and related evidentiary records.

Such personal data may be processed for purposes including identity verification, compliance management, fraud prevention, platform security, transaction facilitation, operational administration, maintenance of audit trails, enforcement of legal or contractual rights and improvement of platform integrity and service quality.

The Company does not knowingly collect personal data of minors or persons not legally competent to contract. Any such person must not access or use the Platform. The Platform is not intended for individuals below eighteen (18) years of age and the Company does not knowingly undertake behavioural monitoring, profiling or tracking activities in relation to minors. Where the Company becomes aware that personal data relating to a minor has been submitted without lawful authorisation, the Company reserves the right to delete, restrict or discontinue processing of such data in accordance with applicable law.

3. PURPOSE AND BASIS OF PROCESSING

The Company processes personal data solely for lawful, legitimate and disclosed purposes connected with operation of the Platform, user onboarding, compliance management and transaction facilitation. Such purposes include, without limitation:

• user registration, onboarding and account administration;

• identity verification, KYC procedures and compliance with applicable anti-money laundering, taxation and regulatory requirements;

• execution, authentication, storage and maintenance of Investor Documents and related records;

• facilitation of transaction initiation, escrow routing, payment processing, distributions, refunds and other lawful payout mechanisms;

• maintenance of operational, financial and statutory audit trails and investor records;

• fraud prevention, risk management, misuse detection, cybersecurity and platform integrity monitoring;

• responding to user requests, grievances and support queries;

• compliance with applicable laws, regulatory directions, governmental requests and enforcement of contractual or legal rights.

Processing of personal data is undertaken on one or more lawful bases, including: (i) consent provided by the user; (ii) necessity for performance of contractual arrangements involving the user; (iii) compliance with legal and regulatory obligations; and (iv) legitimate business, operational, security, fraud-prevention, audit, evidentiary and compliance interests of the Company in maintaining a secure, reliable, compliant and operationally efficient Platform, subject always to applicable law and user rights. Users shall ensure that all personal data, documents, banking details, nominee information and other information submitted to the Company are accurate, complete, current and lawfully provided, and users shall promptly notify the Company of any material updates or corrections.

The Company shall not process personal data for purposes materially unrelated or incompatible with the purposes disclosed under this Policy without obtaining such additional consent or authority as may be required under applicable law.

4. DATA SHARING AND DISCLOSURE

The Company follows a controlled, purpose-specific and need-to-know approach in relation to disclosure of personal data. Personal data may be shared, disclosed or made accessible only to the extent reasonably necessary for lawful operational, contractual, compliance or regulatory purposes, including with:

• relevant SPVs, LLPs or affiliated entities in connection with onboarding, participation management, transaction facilitation and statutory compliance;

• escrow agents, trustees, payment gateways, banking partners and financial institutions for account administration, payment processing, funds routing, reconciliation and related compliance functions;

• KYC, identity verification, fraud detection, cybersecurity and technology service providers engaged for lawful operational and compliance purposes;

• auditors, legal counsel, compliance advisors, consultants and professional service providers acting under duties of confidentiality; and

• governmental authorities, regulators, courts, law enforcement agencies or statutory bodies where disclosure is required under applicable law, regulatory direction, judicial order or for protection and enforcement of legal rights and interests.

The Company does not sell personal data, engage in data brokerage activities or permit third parties to use personal data for independent advertising, marketing, profiling or unrelated commercial exploitation.

The Platform may integrate with or rely upon third-party verification providers, KYC utilities, payment gateways, banking channels, escrow service providers, authentication providers, cloud infrastructure vendors, communication platforms and other regulated or technology service providers. Processing undertaken directly by such third parties may additionally be governed by their respective privacy policies, contractual terms and applicable regulatory obligations.

Where personal data is shared with third-party service providers or partners, the Company undertakes reasonable measures to ensure that such parties remain bound by contractual obligations relating to confidentiality, purpose limitation, restricted use, data protection and appropriate security safeguards consistent with this Policy and applicable law.

5. DATA STORAGE, RETENTION AND SECURITY

Personal data is stored and maintained on systems, servers and infrastructure that are subject to commercially reasonable technical, organisational and security safeguards designed to protect confidentiality, integrity, availability and resilience of information systems and personal data. Access to personal data is restricted to authorised personnel, representatives and service providers strictly on a need-to-know and role-based access basis.

Personal data may be stored or backed up on servers located within or outside India, subject to applicable data protection laws and statutory restrictions relating to cross-border transfer of personal data. The Company shall undertake commercially reasonable measures and follow best industry practices to ensure that such transfer remains subject to appropriate confidentiality, contractual, organizational and technical safeguards.

The Company may implement appropriate security measures including encryption, access controls, authentication mechanisms, audit logging, cybersecurity audits, threat detention, vulnerability management, masking, tokenisation, environment segregation, monitoring systems and incident-response procedures for protection of sensitive and financial information.

The Company retains personal data only for such period as is reasonably necessary to fulfil the purposes for which the data was collected and processed, including user onboarding, transaction facilitation, compliance management, audit maintenance, dispute resolution, enforcement of contractual rights and satisfaction of applicable legal, tax, financial, anti-money laundering and regulatory retention obligations.

Certain categories of records, including executed Investor Documents, KYC records, transaction logs, payment records, audit trails, communication records and verification metadata, may be retained for extended durations where required under applicable law, regulatory guidance, internal compliance requirements or where reasonably necessary to protect the legal rights, interests and evidentiary position of the Company, SPVs, LLPs or users.

The Company does not retain personal data indefinitely without lawful purpose and undertakes periodic review of retention practices and stored data to ensure continued necessity, proportionality and compliance with applicable law. Upon expiry of the applicable retention period, personal data may be deleted, anonymised or securely archived in accordance with applicable legal and operational requirements.

While the Company undertakes commercially reasonable efforts to maintain a secure processing environment, no method of electronic transmission or storage is completely secure and the Company does not guarantee absolute security against all cyber, technical or unauthorised access risks.

6. USER RIGHTS AND CONSENT MANAGEMENT

Subject to applicable law, users may have the right to:

• seek access to personal data processed by the Company;

• request correction, updating or rectification of inaccurate or incomplete information;

• withdraw consent where processing is based on consent;

• request erasure of personal data, subject to legal, contractual or regulatory retention obligations;

• nominate another person to exercise rights in accordance with applicable law; and

• raise grievances relating to processing of personal data.

Requests relating to user rights, correction, erasure or withdrawal of consent may be made through the contact details specified in this Policy or through any consent management mechanism made available on the Platform or through such account settings, consent dashboards or withdrawal interfaces as may be provided by the Company from time to time.

Withdrawal of consent shall not affect processing undertaken prior to such withdrawal or processing required for compliance with legal obligations, regulatory requirements, contractual performance, fraud prevention, dispute resolution or protection of legal rights and interests.

Users acknowledge that withdrawal of consent or deletion requests may affect the ability to continue using the Platform or participating in ongoing contractual arrangements, and the Company reserves the right to suspend or discontinue access where such processing remains necessary.

7. COOKIES AND TECHNICAL DATA

The Platform may use cookies, SDKs and similar technologies to enable essential functionality, maintain session integrity, improve security, analyse usage patterns and enhance operational performance and user experience.

Such technologies are not used for unrelated behavioural advertising or unauthorised profiling purposes or impermissible tracking activities contrary to applicable law. Users may manage cookie preferences through browser or device settings, subject to the understanding that disabling certain technologies may impact Platform functionality or user experience.

8. DATA BREACH AND INCIDENT RESPONSE

In the event of any personal data breach, cybersecurity incident or unauthorized access event that is likely to materially affect users or trigger obligations under applicable law, the Company may undertake such measures as it considers reasonably necessary to contain, investigate, mitigate and remediate the incident.

The Company may notify affected users, regulators or authorities where required under applicable law or where considered reasonably necessary within the prescribed timelines as per applicable law, for protection of users, systems or legal interests. The Company maintains internal escalation, monitoring and incident-response protocols designed to facilitate timely and responsible handling of security incidents.

9. POLICY AMENDMENTS

The Company reserves the right to amend, modify or update this Policy from time to time to reflect changes in law, regulatory guidance, operational practices, security requirements or platform functionality.

Updated versions of this Policy may be published on the Platform together with the revised effective date. Continued access to or use of the Platform following such publication shall constitute acknowledgement and acceptance of the revised Policy, to the extent permitted under applicable law.

10. AFFIRMATION AND CONSENT

By clicking “I Agree”, “Proceed” or any similar acknowledgement mechanism, you confirm and acknowledge that:

• the information and documents provided by you are accurate, complete and belong to you or are lawfully provided by you;

• you have read, understood and voluntarily accepted this Policy;

• you expressly consent to the collection, processing, storage, use, disclosure and retention of your personal data for the purposes described herein and under applicable law.

Notwithstanding any withdrawal of consent, the Company may continue to undertake such activities as may be required for compliance with applicable law or statutory obligations, maintenance of records in accordance with applicable law, prevention of fraud, enforcement of legal rights, dispute resolution or performance of ongoing contractual obligations.

11. GRIEVANCE REDRESSAL AND CONTACT DETAILS

The Company shall endeavour to acknowledge and address any grievances, complaints or concerns with respect to the usage, storage or processing of personal data in a transparent manner within reasonable timelines and in accordance with applicable laws.

For any questions, concerns, requests or grievances relating to this Policy or the processing of personal data, users may contact:

Grievance / Data Protection Contact

Name: Compliance Officer

Email: hello@getCompany.com

Contact:+9192666 85853

Address: Second, 17, Cospaces Cowork, Raghvendra Marg, Phase 1 Rapid Metro Station, Sector 28, Gurugram, Haryana,122002

12. GOVERNING LAW

This Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising in connection with this Policy shall be subject to the dispute resolution mechanism specified in the applicable Terms and Conditions as provided on the website and the Platform.