AaoPay Privacy Policy

1. Introduction

We, at HARI PAY PRIVATE LIMITED (“AaoPay” or “We”), deeply value your privacy and are committed to protecting it. It is therefore important for us to ensure that You (“You”, “Customer”, or “User”), the user of our website www.aaopay.in (the “Website”) and its associated mobile applications, AaoPay (the “Application” or “App”, collectively referred to as the “Platform”), clearly understand:

  • the purpose for which we collect your information,
  • the manner in which we collect, use, store, and share it, and
  • the rights and choices you have in relation to your personal data.

This Privacy Policy has been prepared in strict compliance with applicable data protection and financial regulations, including but not limited to:

  • Information Technology Act, 2000, and the rules framed thereunder;
  • Digital Personal Data Protection Act, 2023;
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
  • Reserve Bank of India (RBI) Master Directions on Prepaid Payment Instruments (PPIs);
  • RBI Guidelines on Digital Lending, 2022;
  • UIDAI’s Aadhaar (Data Security) and (Authentication) Regulations, 2016; and
  • Any other applicable Indian laws, circulars, notifications, or guidelines issued by relevant regulatory authorities including the RBI, UIDAI, or CERT-IN.

Use of the Platform constitutes your explicit consent to the terms of this Privacy Policy. If you do not agree with any part of this Policy, please discontinue using, accessing, downloading, or installing the Platform immediately.

2. Applicability

This Privacy Policy applies to:

  • All users of AaoPay’s website and mobile application;
  • All lending and non-lending services facilitated by AaoPay, including prepaid payment instruments (wallets/UPI), loans, and value-added services;
  • Any data shared by users directly or collected through automated means.

Data Controller and Processor Role: For all services offered through the Platform, AaoPay (Hari Pay Private Limited) acts as the Data Controller...

3. Consent

By accessing or using our Platform, you expressly consent to:

  • The collection and processing of personal and sensitive personal information as outlined herein.
  • The transfer and disclosure of your information to authorized financial institutions, partners, or service providers in compliance with law.
  • The use of your data for verification, KYC, onboarding, and compliance with regulatory obligations.

You may withdraw your consent at any time; however, withdrawal may result in the discontinuation of services.

4. Categories of Information Collected

AaoPay collects information to facilitate digital lending, wallet services, and other value-added offerings. Data collection is divided into the following categories:

4.1 Personal Information

  • Full name, date of birth, gender, residential and correspondence addresses;
  • Mobile number, email address, photograph;
  • PAN, Aadhaar/VID, GSTIN, and other government identifiers;
  • Employer name, income, salary, and employment proof (for lending services);
  • Bank details: account number, IFSC, transaction history;
  • Financial statements, tax data, and credit reports.

4.2 Device & Network Information

  • IP address, device ID, IMEI, MAC address, OS type and version;
  • Log data including access times, errors, and crashes;
  • Application performance analytics.

4.3 Location, Camera, Microphone, and Contacts

  • Location data for KYC/address verification;
  • Camera access for scanning documents during onboarding;
  • Microphone access for Video KYC sessions;
  • Contacts access for wallet and UPI functionalities only (not for lending services).

4.4 SMS Data

  • AaoPay only reads transactional or OTP-based SMS sent by 6-digit alphanumeric senders;
  • Personal or private SMS are not collected or stored.

4.5 Data from Third Parties

  • Credit bureau information (CIBIL, Experian, etc.);
  • GST details from the GSTN portal using secure API;
  • KYC validation data from NSDL, UIDAI, and authorized partners.

All such third-party data is collected only with user consent and directly transmitted to our lending partners.

5. Non-Personal and Aggregated Information

We may automatically collect anonymized, aggregated, or non-personal data such as:

  • Application usage trends, time spent, and click patterns;
  • Device specifications and behavioral data for analytics;
  • Aggregated demographic information for research and platform improvement.

Such data does not identify individual users and is used solely for analytics and system optimization.

6. Purpose of Data Collection

AaoPay collects and processes user data for lawful purposes, including but not limited to:

  1. Identity Verification: To comply with KYC/AML norms and authenticate user identity.
  2. Loan Facilitation: To assess creditworthiness, process loan applications, and enable disbursements.
  3. Payment Services: To provide UPI, wallet, and digital payment services.
  4. Communication: To send alerts, confirmations, and regulatory updates.
  5. Customer Support: To respond to service requests, queries, and complaints.
  6. Security: To detect fraud, prevent unauthorized access, and ensure platform integrity.
  7. Analytics: To improve products, assess performance, and enhance user experience.
  8. Marketing: To inform users about offers or new services (subject to opt-in consent).
  9. Compliance: To adhere to legal obligations and RBI/UIDAI audit requirements.

7. Legal Basis for Processing

  • User consent;
  • Contractual necessity;
  • Compliance with legal obligations;
  • Legitimate interest in fraud prevention, security, and service improvement.

8. Disclosure of Information to Third Parties

AaoPay may share your information only in the following lawful circumstances:

  1. Lending Partners: RBI-registered Banks/NBFCs for KYC, loan assessment, and disbursal.
  2. Payment Partners: NPCI, banks, and payment gateway providers for UPI/wallet services.
  3. Verification Agencies: UIDAI, NSDL, GSTN, and credit bureaus for validation.
  4. Technology Providers: Cloud hosting, analytics, and security infrastructure vendors.
  5. Regulatory Authorities: Government bodies, courts, or regulators when legally required.
  6. Corporate Transactions: In mergers, acquisitions, or restructuring, subject to confidentiality.
  7. User Notification for Third-Party Disclosures: Whenever AaoPay engages any new third-party partner or expands the scope of data sharing beyond what is already disclosed, users shall be informed through in-app notifications, email alerts, or updates to this Privacy Policy before such sharing takes effect. Users will have the right to review such disclosures and may withdraw consent if they do not wish to continue using the affected services.

All third-party disclosures shall be governed by written confidentiality and data processing agreements, restricting use to specified purposes only.

9. Data Storage and Localization

  • All personal and financial data is securely stored on servers located in India.
  • Sensitive data, including Aadhaar/e-KYC information, is stored only in encrypted form.
  • No personal data shall be transferred outside India unless in compliance with applicable Indian law.

10. Retention and Deletion Policy

  • Personal data is retained only for the duration necessary to fulfill the service or legal requirements.
  • Lending data shall be retained for a minimum of 7 years or as mandated by RBI.
  • Aadhaar authentication logs shall be stored for 2 years and archived thereafter as per UIDAI guidelines.
  • Users may request deletion of their data, subject to regulatory retention requirements.

Upon account closure or withdrawal of consent, AaoPay shall delete or anonymize data within 30 business days, unless retention is required for ongoing investigations or legal obligations.

11. User Responsibilities

  • Provide accurate, complete, and truthful information.
  • Maintain confidentiality of their account credentials.
  • Promptly notify AaoPay of unauthorized access or misuse of their account.

AaoPay shall not be liable for any losses arising due to user negligence in maintaining account security.

12. Marketing and Communication Preferences

  • Users can opt in to receive promotional emails, SMS, or WhatsApp messages.
  • Users can opt out or withdraw consent for marketing communications at any time by contacting legal@aaopay.in.
  • Transactional and regulatory notifications shall continue as per applicable law.

13. Automated Processing and AI-based Decisions

AaoPay may use Artificial Intelligence (AI) and algorithmic tools to:

  • Analyze creditworthiness, detect anomalies, and prevent fraud;
  • Recommend products and assess user eligibility.

All automated processing shall be subject to human review and shall not result in a fully automated decision without oversight.

14. Cookies and Tracking Technologies

AaoPay uses cookies, web beacons, and local storage to improve functionality and personalize services. You may disable cookies via browser settings, though certain features may not function optimally.

Types of cookies used:

  • Essential Cookies: Required for secure login and transactions.
  • Analytics Cookies: To analyze user activity and app performance.
  • Preference Cookies: To remember your settings and choices.

Cookie Management Preferences:

AaoPay provides a cookie consent banner and management panel on its website and mobile application that allows users to accept, reject, or customize their cookie settings. Users can change their cookie preferences anytime by visiting the “Cookie Settings” section within the app or website footer.

The Cookie Policy link is also available at: www.aaopay.in

15. Policy Continuation

This Part 1 of the AaoPay Privacy Policy includes the provisions related to collection, storage, and processing of user data. Part 2 of this Policy details sections on:

  • Security measures,
  • User rights,
  • Aadhaar Data Protection,
  • Data breach protocols,
  • Grievance redressal mechanisms, and
  • Governance and compliance framework.

16. Security Measures

AaoPay implements comprehensive administrative, technical, and organizational safeguards to protect user data from unauthorized access, misuse, loss, or alteration. Our data protection infrastructure is based on the following principles:

  1. Encryption: All data in transit and at rest is protected using TLS 1.2+ and AES-256 encryption standards. Aadhaar-related data is encrypted using UIDAI-approved Hardware Security Modules (HSMs).
  2. Access Control: Restricted access to personal data on a need-to-know basis only. Role-based access mechanisms and MFA (Multi-Factor Authentication) are enforced.
  3. Data Segregation: Financial data, Aadhaar/e-KYC data, and behavioral analytics are maintained on separate databases.
  4. Regular Audits: Periodic security audits, VAPT (Vulnerability Assessment & Penetration Testing), and compliance reviews are conducted by CERT-IN or STQC certified auditors.
  5. Secure Software Development: Security by Design and Privacy by Design principles are embedded at every stage of the product lifecycle.
  6. Monitoring and Detection: Real-time monitoring and threat detection tools ensure continuous oversight of data security.
  7. Employee Confidentiality: All employees, contractors, and vendors handling personal information sign NDAs and undergo mandatory privacy training.
  8. Incident Response Plan: Defined escalation matrix and rapid response protocols in case of suspected breaches.

17. Data Breach Management

In case of a data breach or unauthorized access:

  1. AaoPay shall notify the affected users and relevant authorities (RBI, CERT-IN, UIDAI, or other regulatory bodies) within 72 hours of becoming aware of the breach.
  2. The notification will include:
    • Nature and scope of the breach;
    • Types of data affected;
    • Number of users impacted;
    • Steps taken to mitigate the damage;
    • Contact details for grievance redressal.
  3. Impacted users will be guided on recommended protective actions.
  4. AaoPay shall document the breach, corrective measures, and preventive steps for internal review and regulatory reporting.
  5. Transparency Reporting: AaoPay is committed to maintaining transparency regarding data access, law enforcement requests, and breach notifications.

An annual “Privacy and Security Transparency Report” shall be published on our website summarizing:

  • Number of user data requests received and processed,
  • Security incidents or breaches (if any),
  • Steps taken for remediation and compliance improvements.

18. Aadhaar and e-KYC Data Protection Policy

As a UIDAI-registered e-KYC User Agency (KUA), AaoPay complies strictly with the Aadhaar (Authentication) Regulations, 2016 and related data protection standards.

18.1 Aadhaar Data Handling

  • Aadhaar/VID collection is voluntary, used only for identity verification and KYC.
  • No storage of Aadhaar numbers, biometric data, or PID blocks except in the UIDAI-approved encrypted Aadhaar Data Vault.
  • e-KYC responses are encrypted and stored for limited durations in compliance with UIDAI norms.
  • Authentication logs retained for 2 years, archived for 5 years, and deleted thereafter unless legally required.

18.2 Secure Transmission

  • Aadhaar authentication and OTP verification occur through UIDAI-approved APIs.
  • Biometric data, if collected, is encrypted at the device level using certified biometric capture devices.

18.3 Resident Rights

Users (Aadhaar number holders) can:

  • Request to view e-KYC information stored with AaoPay;
  • Revoke consent for retention of e-KYC data;
  • File complaints for Aadhaar misuse via UIDAI or AaoPay’s Privacy Officer.

18.4 Legal Compliance

AaoPay adheres to the Aadhaar Act, 2016, Aadhaar and Other Laws (Amendment) Act, 2019, and all circulars issued by UIDAI regarding privacy, security, and grievance redressal.

19. User Rights under Data Protection Laws

Users are entitled to the following rights under the Digital Personal Data Protection Act, 2023 and related regulations:

  1. Right to Access: Obtain confirmation whether data is being processed and receive a copy.
  2. Right to Correction: Rectify inaccurate or incomplete personal information.
  3. Right to Deletion: Request deletion of personal data that is no longer required.
  4. Right to Data Portability: Request transfer of data in a structured, machine-readable format.
  5. Right to Withdraw Consent: Withdraw consent previously given for specific purposes.
  6. Right to Restrict or Object: Limit or object to processing in certain cases.
  7. Right to Complain: File a complaint with the Grievance Officer or Data Protection Board of India.

Requests can be made by emailing legal@aaopay.in. AaoPay will acknowledge such requests within 24 hours and respond within 30 days.

20. Privacy by Design and Governance Framework

AaoPay integrates privacy into its technology and organizational framework through the following mechanisms:

  • Privacy Impact Assessments (DPIA): Conducted before implementing new technologies or products that process sensitive data.
  • Privacy by Design: Privacy principles embedded during software and process development.
  • Data Minimization: Only data necessary for service delivery is collected.
  • Periodic Audits: Regular third-party privacy audits to ensure compliance.
  • Accountability: Designated Privacy Officer responsible for monitoring and reporting compliance.

AaoPay maintains a Privacy Committee to oversee data governance, review internal compliance, and ensure risk mitigation in data processing activities.

21. Data Localization and International Transfers

  • All financial and Aadhaar data are stored strictly within India.
  • Cross-border transfer of non-sensitive personal data may occur only with explicit consent and under lawful data transfer agreements ensuring adequate safeguards.
  • Transfers shall comply with RBI and DPDP 2023 data localization requirements.

22. Children’s Data

  • AaoPay’s services are intended for individuals aged 18 years or above.
  • We do not knowingly collect data from minors.
  • If discovered, any data of a child will be deleted promptly and verified through the parent/guardian.

23. Grievance Redressal Mechanism

Grievance Officer / Privacy Officer:

  • Name: Divyanshu Kumar
  • Address: D30, Vibhuti Khand, Gomti Nagar, Lucknow, Uttar Pradesh - 226010
  • Email: legal@aaopay.in
  • Phone: +91 7840075527
  • Timings: Mon – Sat (10:00 AM – 6:00 PM)

Complaint Process:

  • Acknowledgement within 24 hours.
  • Resolution within 15 working days.
  • If unresolved, users may escalate to the Data Protection Board of India or UIDAI for Aadhaar-related concerns.

24. Policy Modifications

AaoPay reserves the right to amend or update this Privacy Policy at any time. Changes shall be posted on the Platform and will become effective immediately upon publication unless stated otherwise.

Users are encouraged to review the Privacy Policy periodically. Continued use of the Platform after modifications indicates acceptance of the updated terms.

25. Contact and Legal Notices

For all privacy-related queries, notices, or data requests, contact:

  • Legal Department: Hari Pay Private Limited
  • Email: legal@aaopay.in
  • Phone: +91 7840075527
  • Postal Address: D30, Vibhuti Khand, Gomti Nagar, Lucknow, Uttar Pradesh – 226010

26. Annexures (Optional Attachments)

Annexure A – Data Retention Schedule

  • Personal Identification Data: 7 years (RBI compliance)
  • Aadhaar/e-KYC Data: 2 years + archive 5 years (UIDAI compliance)
  • Transaction Records: 7 years (Banking Regulation Act)
  • Complaint Logs: 3 years

Annexure B – Data Subject Request Form

Template form for users to request access, correction, or deletion of their data.

Annexure C – Third-Party Partner List

Indicative list of regulated entities, partners, and vendors with whom AaoPay may share user data:

Category | Partner Name / Type | Purpose of Data Sharing | Regulatory Status
Lending Partners | RBI-registered NBFCs and Banks | Loan processing, disbursal, repayment | Regulated by RBI
KYC / Verification Partners | NSDL, UIDAI, CKYC Registry | Identity verification, KYC validation | Government-authorized
Payment Partners | NPCI, PayU, Razorpay, Banking PSPs | UPI, wallet, and payment processing | Regulated by RBI
Credit Bureaus | CIBIL, Experian, CRIF High Mark | Credit scoring and history check | RBI-approved
Cloud & Data Hosting Providers | AWS India, Azure India | Secure data storage and infrastructure | ISO 27001 Certified
Analytics & Fraud Detection Vendors | Internal AI tools and licensed vendors | Risk assessment and fraud prevention | Under NDA
Customer Support Vendors | CRM software providers (Zoho, Freshdesk, etc.) | User communication and ticket handling | Contractually bound by DPA

Note: The above list is subject to periodic updates. The latest version will always be available on the AaoPay website under the Privacy Policy section.

27. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes arising under or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts at Lucknow, Uttar Pradesh, India.

Effective Date & Summary

Effective Date: 01 November 2025

Last Updated: 26 October 2025

Quick Summary: This policy explains how AaoPay collects, uses, protects, and manages user data in compliance with the DPDP Act 2023, IT Act 2000, and RBI Guidelines.

Disclaimer: AaoPay is a payment facilitator, not a bank or NBFC. We provide payment services through authorized partners (banks/NBFCs).

Category-wise Data Retention Summary:
- KYC Data: 2 years, archived for 5 years (UIDAI compliance)
- Transaction Records: 7 years (RBI compliance)
- Complaint Logs: 3 years
- Marketing Data: Retained until consent is withdrawn or up to 1 year.