1.1
Information Provided by You or Your Employer
1.
Full name and employee ID
2.
Corporate and personal email addresses
3.
Age and gender
4.
PIN code and billing address
5.
PAN, Aadhaar, or other government-issued identifiers (for KYC compliance under applicable law)
6.
Where enabled by your device settings, biometric authentication features such as fingerprint or facial recognition may be used solely for local device authentication. Spentro does not independently collect or store raw biometric templates.
7.
Transactional data linked to Spentro Cards
1.2
Information Collected Automatically
1.
IP address and browser/device information
2.
Pages visited, time spent, and navigation patterns on our website and app
3.
Log files including date/time stamps and referring URLs
We process your personal information only where we have a lawful basis to do so. The lawful bases on which we rely are:
1.
Consent: Where you have given explicit consent to a specific processing activity. You may withdraw consent at any time (see Section 8).
2.
Contractual Necessity: Where processing is necessary to deliver the Services you or your employer has subscribed to.
3.
Legal Obligation: Where processing is required to comply with applicable Indian law, including RBI regulations, IT Act 2000, IT Rules 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act).
4.
Legitimate Interest: Where processing is necessary for fraud prevention, security, and service improvement, and such interests are not overridden by your data protection rights.
We use the information we collect for the following purposes:
1.
To register and verify your identity through KYC processes as required by law
2.
To operate, maintain, and improve the Services, including automated GST recovery, spend analytics, and fraud detection
3.
To enforce Policy-linked Spend Controls through RBI-regulated banking and card network partners
4.
To send service-related communications, including updates, alerts, and notifications
5.
To allow your employer to monitor and evaluate usage of the Services in accordance with your employment arrangement
6.
To detect, prevent, and investigate fraud, security incidents, or violations of applicable law
7.
To comply with legal obligations and respond to lawful requests from government or regulatory authorities
8.
Where the Services are provided pursuant to an arrangement with your employer or organisation, certain personal data may be processed on the instructions of such employer for purposes including expense management, policy compliance, audit, reimbursement processing, fraud prevention, and financial oversight.
9.
You consent to receiving transactional communications, OTPs, security alerts, and service-related notifications via email, SMS, WhatsApp, push notifications, or other electronic means
As part of the Services, Spentro shares relevant compliance and transactional data with our parent ecosystem, GYFTR Limited, for the following limited purposes:
1.
To trigger the issuance of rewards and vouchers when policy-linked spend conditions are met
2.
To validate user eligibility under the spend-compliance rewards programme
5.1
Essential Cookies
These are necessary for core functionality such as authentication, security, and session management. You cannot opt out of essential cookies without affecting your ability to use the Services.
5.2
Analytics and Performance Cookies
We use these to understand how users interact with our platform, measure traffic, and improve performance. These do not directly identify you. You may disable these through your browser settings at any time.
Our Services may include links to third-party websites or banking partner portals. Such sites are governed by their own privacy policies, which are beyond our control. We encourage you to review those policies before submitting any personal information.
We engage third-party processors for cloud hosting, payment processing, fraud detection, and analytics. All third-party processors are contractually bound to process your data only on our instructions and in compliance with applicable data protection laws. Categories of processors engaged include:
1.
Cloud infrastructure and hosting providers
2.
RBI-regulated banking partners and card networks
3.
Fraud detection and security service providers
4.
Analytics service providers
Spentro does not sell your personal data. We share personal information with third parties only in the following circumstances:
1.
Legal Compliance: When required by law, court order, or a competent government or regulatory authority for identity verification, or for the prevention, detection, and investigation of cyber incidents or offences.
2.
Group Processing: Within GYFTR Limited and its authorised officers and employees, for the purpose of processing information on our behalf, subject to strict confidentiality and security obligations.
3.
Financial Partners: With RBI-regulated banking partners and card networks, to the extent necessary to operate Policy-linked Spend Controls.
4.
Third-Party Processors: As described in Section 6 above.
Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian law, you have the following rights in respect of your personal data:
1.
Right to Access: You may request a summary of the personal data we hold about you and the purposes for which it is processed.
2.
Right to Correction: You may request correction of inaccurate or incomplete personal data.
3.
Right to Erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to our legal and regulatory retention obligations.
4.
Right to Withdraw Consent: You may withdraw consent for any processing activity for which consent was the lawful basis. Withdrawal does not affect the lawfulness of processing prior to withdrawal. You may lose access to certain Services upon withdrawal.
5.
Right to Grievance Redressal: You have the right to lodge a complaint with our Grievance Officer (see Section 11) or with the Data Protection Board of India once constituted.
6.
Right to Nominate: You may nominate an individual to exercise your data rights in the event of your death or incapacity, as provided under the DPDP Act.
To exercise any of the above rights, write to us at legal@spentro.com. We will respond within 30 days of receipt of your request.
Spentro's Services are designed for use by corporate employees and are not directed at individuals under the age of 16. We do not knowingly collect personal data from anyone under the age of 16. If we become aware that we have inadvertently collected such data, we will delete it promptly. Employers are responsible for ensuring that they do not register individuals under 16 on the platform.
We retain personal data for as long as is required under applicable Indian law, including but not limited to the Information Technology Act 2000, IT Rules 2011, RBI regulations, and the DPDP Act 2023. Upon expiry of the applicable retention period or upon account closure (whichever is later), personal data will be anonymised or securely deleted.
Certain KYC, transactional, accounting, and audit records may be retained for periods prescribed under applicable RBI regulations, anti-money laundering laws, taxation laws, and other legal obligations.
We may retain certain data beyond the standard period where required to resolve disputes, enforce agreements, or comply with a legal obligation or court order.
Spentro implements robust technical and organisational security measures to protect against unauthorised access, alteration, disclosure, or destruction of personal data. These include:
1.
Data encryption in transit (SSL/TLS) and at rest
2.
Access controls on a need-to-know basis
3.
Internal reviews of data collection, storage, and processing practices
4.
Physical security measures for data infrastructure
While we strive for the highest standards of security, no system is impenetrable. We cannot guarantee that data will not be intercepted during transmission over the internet. In the event of a data breach affecting your rights and interests, we will notify you in accordance with applicable law.
Spentro may update this Privacy Policy from time to time to reflect changes in our Services, applicable law, or regulatory requirements. Material changes will be communicated to registered users via email or through a prominent notice on our website prior to the change taking effect. Continued use of the Services after such notice constitutes acceptance of the revised Policy.
This Policy is governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts in New Delhi, India.
Any complaints or concerns regarding this Policy, a data breach, or the handling of your personal data may be directed to our designated Grievance Officer:
Grievance Officer
Spentro / GYFTR Limited (formerly known as LKP Finance Limited)
Email: legal@spentro.com
Address: : 3rd Floor, B-11, Block B, Qutab Institutional Area, New Delhi, Delhi 110016
We will endeavour to acknowledge your complaint within 48 hours and resolve it within 30 days of receipt, in accordance with the Information Technology Act, 2000 and the rules thereunder.
Spentro reserves the right to suspend or deactivate accounts in cases of suspected fraud, policy violations, misuse of the Services, or where required by law or regulatory direction.