PRIVACY POLICY - ONEFIN DEALER MANAGEMENT SYSTEM

Effective Date: 21-11-2025
Last Updated: 21-11-2025

This Privacy Policy (“Policy”) describes how OneFin Technology Solutions Private Limited (hereinafter referred to as “Company”, “OneFin”, “we”, “our”, or “us”) collects, uses, stores, discloses, and protects personal data and other information processed through the OneFine Dealer Management System (“DMS” or “Portal”).

This Policy applies to all authorized dealers and their employees/personnel/representatives (“Dealer(/s)”, “you”, or “your”) who access and use the Portal for the purposes of FASTag sales, issuance, activation, inventory management, and related operations, as well as to any personal data processed during these activities.

This Policy is prepared in accordance with the provisions of the Digital Personal Data Protection Act, 2023 (“DPDPA 2023”), the Information Technology Act, 2000, and other applicable regulatory guidelines issued by the Reserve Bank of India (RBI), National Highways Authority of India (NHAI), and other competent authorities.

By accessing and using the Portal, the Dealer acknowledges that they have read and understood this Privacy Policy and agree to comply with their obligations set out hereunder and under applicable data protection laws.

1. Scope

This Policy applies to:

• Personal Data collected directly from customers, vehicle owners, or authorized representatives during the onboarding and issuance of FASTags;
• Personal Data collected from the Dealer and their personnel for authentication, access, and usage of the Portal;
• Data shared between OneFin, the Dealer, Issuing Banks, and regulatory authorities for legitimate business, legal, or compliance purposes;
• Data processed through the inventory management system within the DMS.

This Policy does not apply to third-party websites, applications, or services that may be linked from the Portal.

2. Definitions

For the purposes of this Policy:

• “Personal Data” means any data about an individual who is identifiable by or in relation to such data including information such as identity documents, vehicle registration details, payment instrument data, and contact information collected during FASTag issuance.
• “Data Principal” refers to the individual to whom the personal data relates (e.g., the FASTag customer).
• “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing personal data. For certain activities, OneFin and the relevant Issuing Bank may act as joint Data Fiduciaries.
• “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary. The Dealer and their personnel may act as Data Processors under contractual arrangements.
• “Processing” refers to the collection, storage, use, disclosure, sharing, or otherwise handling of personal data.

3. Categories of Personal Data Collected

Depending on the activity, the Portal may collect the following categories of personal data:

A. Customer / Vehicle Owner Data (Data Principals)

• Full name, address, contact details (mobile, email);
• Know Your Customer (KYC) documents (e.g., PAN, Aadhaar, driving license, registration certificate);
• Vehicle information (registration number, chassis number, engine number, make/model);
• Bank account or payment details for FASTag issuance and recharge (as per Issuing Bank protocols);
• FASTag serial numbers, issuance and activation details.

B. Dealer and User Data

• Dealer entity name, business address, GST details, and contact information;
• Authorized user name(s), employee ID, mobile number, email address, and login credentials;
• Access logs, IP addresses, time stamps, and activity logs.

C. System & Transaction Data

• Portal usage data, audit trails, inventory records, order history, and status of FASTag issuance;
• Communications between the Dealer, OneFin, and Issuing Banks through the Portal.

4. Purpose of Data Processing

Personal Data collected through the Portal is processed for the following lawful purposes:

• To verify customer identity and vehicle details as per RBI/NHAI guidelines and the Issuing Bank’s KYC requirements.
• To enable the Dealer to manage FASTag stock, record issuance, and track real-time inventory across locations.
• To comply with legal obligations, including those under the DPDPA 2023, RBI and NHAI circulars, anti-money laundering (AML) guidelines, and other applicable laws.
• To create and manage Dealer accounts, control access rights, and ensure secure system usage.
• To maintain audit trails, monitor suspicious activities, and prevent misuse.
• To send notifications, confirmations, system alerts, and updates related to FASTag transactions and portal operations.
• To handle complaints, disputes, or regulatory investigations, and to comply with lawful requests from authorities.

5. Lawful Grounds for Processing

Personal Data is processed on one or more of the following grounds:

• Consent of the Data Principal for onboarding, FASTag issuance, and related processing;
• Performance of a legal obligation under RBI, NHAI, or other regulatory frameworks;
• Compliance with legal or regulatory obligations including audits, inspections, and law enforcement requests.

6. Data Sharing and Disclosure

OneFin may share Personal Data with the following categories of recipients, on a need-to-know basis and subject to appropriate safeguards:

• Issuing Banks, for the purpose of FASTag issuance, activation, KYC verification, and related banking operations;
• Regulatory and Government Authorities, including RBI, NHAI, law enforcement agencies, or courts, where required under applicable law;
• The Dealer, as Data Processors, for performing onboarding, issuance, and inventory operations;
• Authorized service providers or technology partners, for hosting, IT support, or security services, under strict contractual obligations;
• Auditors or legal advisors, for the purpose of compliance and dispute resolution.

OneFin does not sell or rent personal data to third parties for marketing or unrelated purposes.

7. Data Retention

Personal data will be retained only for as long as necessary to fulfil the purposes outlined in this Policy and to comply with applicable legal, regulatory, and contractual requirements, including RBI’s data retention guidelines and DPDPA 2023 obligations. Data may be anonymized and retained for statistical or audit purposes after the retention period expires.

8. Data Principal Rights

Data Principals have the following rights in respect of their personal data:

• Right to Access Information: To obtain details about personal data processed, purposes, and recipients.
• Right to Correction and Erasure: To request correction of inaccurate data or erasure of data that is no longer necessary.
• Right to Grievance Redressal: To lodge a complaint with the Data Fiduciary or the Data Protection Board of India in case of grievances.
• Right to Nominate: To nominate another individual to exercise rights in case of death or incapacity.

The Dealer must ensure that Data Principal rights requests are promptly escalated to OneFin through designated channels. OneFin, as Data Fiduciary, will respond to such requests within the timelines prescribed under the DPDPA 2023.

9. Security Measures

OneFin adopts reasonable technical and organizational measures to protect personal data, including but not limited to:

• Role-based access controls and multi-factor authentication;
• Regular security audits and vulnerability assessments;
• Logging and monitoring of access activities;
• Incident response protocols in accordance with regulatory guidelines.

The Dealer is required to comply with OneFin’s security protocols, safeguard credentials, and immediately report any data breaches or unauthorized disclosures.

10. Cross-Border Data Transfer

If any Personal Data is transferred outside India, such transfer shall comply with the provisions of the DPDPA 2023, applicable government notifications, and contractual safeguards. OneFin shall ensure that adequate protection measures are in place for any such transfer.

11. Grievance Redressal Mechanism

Data Principals or the Dealer may raise grievances regarding data processing or privacy practices by sending an email to dealer.support@onefin.tech.

12. Changes to this Privacy Policy

OneFin reserves the right to amend or update this Policy at any time, to reflect changes in legal requirements, technology, or operational practices. The updated Policy will be posted on the Portal with a revised “Last Updated” date. Continued use of the Portal constitutes acceptance of the updated Policy.

13. Governing Law

This Policy is governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and applicable RBI/NHAI regulations. Any disputes shall be subject to the exclusive jurisdiction of the courts at Mumbai, India.