This Privacy Policy (“Policy”) describes the manner in which Gromor Finance Private Limited, a company incorporated under the Companies Act, 2013 (“Company”, “Gromor”, “we”, “our” or “us”), collects, receives, stores, processes, uses and discloses information obtained from users (“User” or “you”).

This Policy applies to the Company’s website ( www.gromor.in ) and any other electronic or physical interactions through which personal information may be collected by the Company.

This Policy is published in accordance with the provisions of:

1. the Information Technology Act, 2000.
2. the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
3. applicable CERT-In Cyber Security Directions.
4. and other applicable laws governing data protection and digital transactions.

By accessing the Company’s website or interacting with the Company through electronic or physical channels, the User consents to the collection, processing and use of information in accordance with this Policy.

1. DEFINITIONS

1.1 Personal Information means any information relating to a natural person which, either directly or indirectly, in combination with other information available with the Company, is capable of identifying such person.

1.2 Sensitive Personal Data or Information (SPDI) shall have the meaning assigned under the SPDI Rules and includes financial information, passwords and other information specified under applicable law.

1.3 Processing means any operation performed on personal information including collection, storage, use, disclosure, transfer, or deletion.

1.4 User means any person who accesses the Company’s website or otherwise interacts with the Company through digital or physical channels.

2. APPLICABILITY

2.1 This Policy applies to:

1. visitors accessing the Company’s website.
2. applicants for financial products offered by the Company.
3. customers and borrowers of the Company.
4. individuals interacting with the Company through electronic communications.

2.2 This Policy governs the collection, use, storage and disclosure of personal information obtained through the Company’s website, electronic communication channels and physical documentation.

3. INFORMATION COLLECTED

The Company may collect the following categories of information.

3.1 Personal Identification Information

The Company may collect personal information including but not limited to:

1. name.
2. gender.
3. date of birth.
4. residential and permanent address.
5. email address.
6. mobile number.
7. marital status.
8. family details.
9. occupation or business information.

3.2 Financial Information

For the purpose of evaluating eligibility for financial products, the Company may collect financial information including:

1. bank account details.
2. bank statements.
3. income proof documents.
4. salary slips.
5. income tax returns.
6. financial statements.
7. credit bureau reports.
8. loan repayment history.

3.3 KYC Information

In compliance with applicable regulatory requirements, the Company may collect identity verification information including:

1. PAN card.
2. Aadhaar details where permitted by law.
3. passport.
4. voter ID.
5. driving licence.
6. address proof documents.

3.4 Technical and Website Usage Information

When users access the Company’s website, certain technical information may automatically be collected including:

1. IP address.
2. browser type.
3. device type.
4. operating system.
5. internet service provider.
6. referring URLs.

Such information is used for system administration, security monitoring and website performance analysis.

4. COOKIES AND TRACKING TECHNOLOGIES

4.1 The Company may use cookies and similar technologies to enhance user experience and improve website performance.

4.2 Cookies may be used for the following purposes:

1. analysing website traffic.
2. remembering user preferences.
3. improving website functionality.

4.3 Users may disable cookies through browser settings; however certain website features may not function properly if cookies are disabled.

5. PURPOSE OF COLLECTION

The Company may collect and process personal information for the following purposes:

1. onboarding customers.
2. processing loan applications.
3. conducting credit assessment and underwriting.
4. identity verification and KYC compliance.
5. regulatory compliance and reporting.
6. fraud detection and risk management.
7. responding to customer queries.
8. improving services and website functionality.

6. LAWFUL BASIS FOR PROCESSING

The Company processes personal information only where there is a valid legal basis to do so.

Such legal bases may include:

1. consent provided by the User.
2. performance of contractual obligations.
3. compliance with legal or regulatory obligations.
4. legitimate business interests of the Company.

7. DATA MINIMISATION

7.1 The Company collects only such information as is reasonably necessary for the purposes described in this Policy.

7.2 The Company endeavours to ensure that personal information collected is adequate, relevant and not excessive in relation to the purposes for which it is processed.

8. SHARING OF INFORMATION WITH THIRD PARTIES

8.1 The Company may share personal information with third parties where necessary for providing services or complying with legal obligations.

8.2 Such third parties may include:

1. lending partners and financial institutions.
2. payment service providers and banking partners.
3. credit information companies including TransUnion CIBIL, Experian, CRIF High Mark and Equifax etc.
4. lending service providers engaged for customer onboarding, loan processing or servicing.
5. cloud service providers and IT infrastructure providers.
6. analytics providers and technology vendors.
7. auditors, consultants and legal advisors.
8. regulatory authorities and law enforcement agencies where required by law.

8.3 The Company ensures that third parties receiving personal information are bound by confidentiality and data protection obligations.

8.4 The Company does not sell personal information to third parties for marketing purposes.

9. CROSS-BORDER DATA TRANSFER

Personal information may be stored or processed on servers located outside India where such transfer is necessary for providing services.

The Company shall ensure that appropriate contractual safeguards and security measures are implemented for such transfers.

10. DATA STORAGE AND LOCALIZATION

Personal information collected by the Company may be stored on servers located within India or in jurisdictions where the Company’s service providers maintain infrastructure.

The Company ensures that adequate data protection measures are implemented for storage and processing of such information.

11. DATA RETENTION

The Company retains personal information only for the duration necessary for the purposes for which it was collected or as required under applicable laws.

Personal information may be retained for regulatory compliance, audit requirements, dispute resolution and fraud prevention.

Credit Assessment Data

Information collected solely for credit assessment or underwriting shall be retained only for the duration necessary to complete such assessment.

Upon completion of the assessment process, such information shall be securely deleted, anonymized or archived, unless retention is required under applicable law or regulatory obligations.

12. DATA SECURITY

The Company implements reasonable security practices and procedures in accordance with the SPDI Rules.

Security safeguards include:

1. role-based access controls.
2. encryption of sensitive information.
3. secure servers and firewalls.
4. vulnerability assessments.
5. periodic security audits.

The Company endeavours to align its information security framework with recognized standards such as ISO/IEC 27001 or equivalent frameworks.

13. CYBER SECURITY AND CERT-IN COMPLIANCE

The Company complies with applicable CERT-In cyber security directions.

In the event of a cyber security incident, the Company may:

1. investigate the incident.
2. implement corrective measures.
3. notify regulatory authorities where required.
4. maintain logs and security records as required under applicable law.

14. USER RIGHTS

Users may:

1. request access to personal information held by the Company.
2. request correction or updating of inaccurate personal information.
3. withdraw consent for processing where permitted by applicable law.

Requests may be submitted through the grievance mechanism provided in this Policy.

15. ACCURACY OF INFORMATION

Users undertake that the information provided to the Company is true, accurate and complete.

The Company shall not be responsible for any consequences arising from inaccurate or incomplete information provided by the User.

16. DISCLOSURE REQUIRED BY LAW

The Company may disclose personal information without prior consent where such disclosure is required:

1. by applicable law.
2. pursuant to court orders.
3. for regulatory compliance.
4. for prevention of fraud or illegal activity.
5. for protection of the Company’s legal rights.

17. DATA BREACH REPRESENTATION

Based on internal records and available information, the Company represents that no material data breach involving personal information has been reported to date.

The Company maintains mechanisms for detecting and responding to potential cyber security incidents.

18. THIRD-PARTY LINKS

The Company’s website may contain links to third-party websites.

The Company shall not be responsible for the privacy practices of such third-party platforms.

19. FUTURE DIGITAL PLATFORMS

If the Company introduces additional digital platforms, including mobile applications or other electronic interfaces in the future, such platforms shall also be governed by this Policy unless otherwise specified.

20. POLICY MODIFICATIONS

The Company reserves the right to modify this Policy from time to time.

Any revised version of the Policy shall be published on the Company’s website and shall become effective upon publication unless otherwise stated.

21. USER CONSENT

By accessing the Company’s website or interacting with the Company through digital channels, the User acknowledges and consents to the collection, processing and disclosure of information in accordance with this Policy.

22. LIMITATION OF LIABILITY

While the Company implements reasonable security practices and procedures to protect personal information, the User acknowledges that transmission of information over the internet cannot be guaranteed to be completely secure.

The Company shall not be liable for unauthorized disclosure of personal information caused by circumstances beyond its reasonable control.

23. GRIEVANCE REDRESSAL

In accordance with applicable laws, the Company has appointed a Grievance Officer.

Name: Rashi Kataria
Email: rashi.kataria@gromor.in

Address:
Gromor Finance Private Limited
B-202, 2nd Floor
SBI Pallavi CHSL
Veera Desai Road
Andheri (West)
Mumbai - 400058

The Grievance Officer may be contacted between 10:00 AM and 6:00 PM on working days.