This policy applies to bizindiapay.com, the partner dashboard at b2b.bizindiapay.com, our mobile apps and our APIs. It is published under the Information Technology Act, 2000 and the rules made under it, and is aligned with the Digital Personal Data Protection Act, 2023.
Who is responsible for your data
The data fiduciary is Bhavi Lax Technologies & Utility Solutions Private Limited (trading as BizIndiapay), registered at 603, 6th Floor, Classic Accord Building, Near Anupam Cinema, Station Road, Goregaon East, Mumbai – 400063.
Our role changes depending on whose data it is:
- Your data, as a partner. We decide why and how it is processed. We are the data fiduciary.
- Customer data at your counter. For a regulated transaction, the Partner Bank is the fiduciary and we process data on its instructions to route the transaction. You collect the data and are responsible for doing so lawfully and with consent.
If you are a Customer, start with your bank
If you used a BizIndiapay counter for AEPS or a money transfer and want to know what happened to your data, contact your own bank first — it holds the transaction record. You can also write to us at info@bizindiapay.com with the date, amount and counter name and we will help trace it.
What we collect
From you, as a partner
- Identity and KYC: name, photograph, date of birth, PAN, Aadhaar number or Virtual ID, address proof, signature, video-KYC recording.
- Business: shop name and address, GSTIN, shop or trade licence, photographs of your premises, ownership and constitution documents.
- Contact: mobile number, email, alternate number.
- Financial: bank account number and IFSC, cancelled cheque, wallet balance, transaction and commission history, payout records, TDS records.
- Network: the tier above and below you, and who onboarded you.
From your device
- IP address, device ID and model, operating system, app version, browser type.
- Login timestamps, session records, and the biometric device serial number and registration status.
- Approximate location at the time of a transaction, where the Service or a Partner Bank requires it for fraud control.
- Diagnostic logs and crash reports.
About Customers, through you
- Name, mobile number, and beneficiary account details for a money transfer.
- Aadhaar number or Virtual ID and bank name for AEPS.
- Consumer number, biller, policy number, ticket details for bill payment, insurance and booking Services.
- A fingerprint captured live for a single AEPS transaction — see clause 04.
Aadhaar and biometric data
This is the most sensitive category we touch, and the rules are strict.
- A fingerprint is captured on an STQC-certified registered device, encrypted at the device itself, and passed straight through to NPCI and UIDAI for authentication via the Partner Bank.
- The biometric never exists in usable form on your machine or on ours. We do not store it, and we cannot read it. We do not create a biometric database.
- What we retain is the outcome — success or failure, a response code, a timestamp, the amount and the transaction ID. That is what a dispute needs.
- We do not store the full Aadhaar number in our records where the Service allows a Virtual ID or reference key instead, and we mask it wherever it is displayed.
- Aadhaar data is used only for the authentication the Customer consented to, at that moment, for that transaction. It is never used for marketing, profiling, scoring or any secondary purpose.
Partner obligation: consent, every single time
Before capturing a fingerprint you must tell the Customer, in a language they understand, what the transaction is, the amount, and that their Aadhaar is being used to authenticate it — then take their consent. Capturing a biometric without the Customer present, or storing, photographing or reusing one, is a criminal offence under the Aadhaar Act and ends your account immediately.
Why we use it
We use personal data only for these purposes:
| Purpose | What this looks like in practice |
|---|---|
| Providing the Services | Opening your account, routing a transaction to a Partner Bank, showing the outcome, settling your wallet. |
| Verification | KYC and re-KYC, matching your PAN and bank account, checking your premises are real. |
| Money and tax | Calculating and paying commission, processing payouts, deducting TDS, issuing certificates, GST records. |
| Fraud and risk | Detecting credential sharing, device spoofing, round-tripping and unusual transaction patterns; setting your limits. |
| Legal and regulatory | PMLA and KYC obligations, records and reporting required by RBI, NPCI, UIDAI or a Partner Bank, responding to lawful requests. |
| Support and disputes | Answering your calls, tracing a transaction, raising a dispute with a Partner Bank. |
| Improving the platform | Diagnosing crashes, measuring which Services are used, capacity planning — using aggregated or de-identified data wherever we can. |
| Communicating with you | Service alerts, slab changes, downtime notices, security warnings. Marketing only where you have opted in. |
We do not sell personal data. We do not share it with advertisers or data brokers. We do not use Customer data captured at your counter to market anything to that Customer.
Our lawful basis
Under the DPDP Act, 2023 we process personal data on these grounds:
- Consent — which you give when you register, and which the Customer gives before an AEPS or DMT transaction. Consent must be free, specific, informed and unambiguous, and it can be withdrawn.
- Certain legitimate uses — where processing is needed to comply with a law, to respond to an order of a court or regulator, or to fulfil an obligation to a Partner Bank.
Where you withdraw consent, we will stop processing for that purpose. We will keep what the law requires us to keep, and we will not be able to continue providing Services that depended on the consent you withdrew.
Who we share it with
- Partner Banks and payment participants — because they perform the transaction and are legally required to hold the record.
- NPCI and UIDAI — for AEPS, IMPS, UPI, RuPay and BBPS routing and authentication.
- Operators, billers, insurers, airlines and aggregators — only the fields needed to fulfil what the Customer asked for.
- Service providers — hosting, SMS and email delivery, KYC verification, fraud tooling and support tools, all under written contract, bound to confidentiality, and permitted to use the data only for the service they provide us.
- Auditors and advisers — under professional confidentiality.
- Government, regulators, courts and police — where we are legally obliged to disclose. We check that the request is lawful and disclose no more than it requires.
- An acquirer — if the business is merged, acquired or restructured, subject to this policy continuing to apply.
We share the minimum necessary in each case. Distributors and Super Distributors see business metrics for the network below them — volumes, commission, KYC status — not Customer personal data.
Where the data lives
Payment and Aadhaar data is stored on servers located in India, in line with RBI's data-localisation requirements and UIDAI rules. If any processing ever happens outside India, it will only be to a country not restricted by the Central Government, and under contractual safeguards.
Cookies and tracking
Our website and dashboard use cookies and similar technologies for:
- Strictly necessary — keeping you logged in, holding your session, preventing cross-site request forgery. These cannot be switched off.
- Preference — remembering your language and layout choices.
- Analytics — understanding which pages and Services are used, in aggregate.
You can block or delete cookies in your browser settings. If you block the strictly necessary ones, you will not be able to log in to the dashboard.
How long we keep it
We keep data only as long as we need it, or as long as the law requires — whichever is longer.
| Data | Retention | Why |
|---|---|---|
| KYC records | 5 years after your account closes | PMLA and Partner Bank requirements |
| Transaction records | At least 5 years from the transaction | PMLA, tax law, dispute and audit trail |
| Biometric templates | Not retained | Passed through, encrypted, never stored |
| Wallet, commission and payout ledger | 8 years | Companies Act and tax records |
| Support tickets and call recordings | 2 years | Grievance handling and quality |
| Device and session logs | 12 months | Security and fraud investigation |
| Marketing consent records | Until withdrawn, plus 3 years | Proof of consent |
When a retention period ends, we delete the data or irreversibly anonymise it so it can no longer identify anyone.
How we protect it
- Encryption in transit (TLS) and at rest for sensitive fields.
- Biometric encryption at the registered device, before the data reaches any software of ours.
- Role-based access — staff see only what their job needs, and access to KYC and transaction data is logged.
- Two-factor authentication on partner logins, and OTP confirmation on payouts and high-value transactions.
- Network segregation, firewalling, and continuous monitoring for unusual access.
- Periodic security testing and review of our providers.
No system is perfectly secure. If a breach occurs that is likely to affect you, we will notify you and the Data Protection Board of India as the DPDP Act requires, describing what happened, what data was involved and what to do about it.
Your part matters too: do not share your password, PIN or OTP with anyone — including someone claiming to be from BizIndiapay. We will never ask you for your password, PIN or OTP.
Your rights
As a Data Principal under the DPDP Act, 2023 you can ask us to:
- Show you a summary of the personal data we hold about you and who we have shared it with.
- Correct or complete data that is wrong, misleading or out of date.
- Erase data we no longer need — except where a law requires us to keep it.
- Withdraw consent at any time, as easily as you gave it.
- Nominate someone to exercise your rights if you die or become incapacitated.
- Complain to our Grievance Officer, and then to the Data Protection Board of India.
Write to info@bizindiapay.com from your registered email, with your Partner ID. We will verify your identity before acting, and respond within 30 days. There is no charge for a reasonable request.
Children
The platform is for business use by adults. We do not knowingly open accounts for anyone under 18 and we do not knowingly collect a child's personal data for profiling or advertising. If you believe a child's data has reached us, tell us and we will delete it.
Changes to this policy
We may update this policy as the law, our Services or our Partner Banks change. The current version always sits at this URL with its effective date at the top. Where a change materially affects you, we will notify you in the dashboard or by email. Continuing to use the platform after a change means you accept it.
Contact and grievances
For anything about your data — a question, a request, or a complaint — start here.
Grievance Officer — BizIndiapay
- Company
- Bhavi Lax Technologies & Utility Solutions Private Limited
- Address
- 603, 6th Floor, Classic Accord Building, Near Anupam Cinema, Station Road, Goregaon East, Mumbai – 400063
- info@bizindiapay.com
- Phone
- +91 88799 64465
- Hours
- Mon–Sat, 10:00–18:00 IST
We acknowledge within 48 hours and respond within 30 days. If you are not satisfied with our response, you may complain to the Data Protection Board of India.