Privacy Policy

Platform Operator

The Pocket Rupee platform is operated by PHRENOLOGICAL INFO AUDIT AND APP SOLUTION PRIVATE LIMITED, which provides technology infrastructure and operational support for digital lending services.

Company details of PHRENOLOGICAL INFO AUDIT AND APP SOLUTION PRIVATE LIMITED are as follows:

1. i. Registered Address:Shop No.270, Sahara Shopping Centre, Lekhraj Market, Faizabad Road , LUCKNOW, Uttar Pradesh, India - 226016.
2. ii. Contact Email: support@phrenological.com

acts solely as a technology service provider and Lending Service Provider (LSP) and does not directly provide loans.

Lending Partner (NBFC)

Loan products available on the Pocket Rupee platform are provided by our regulated lending partner Allen's Housing & Finance Limited.

Company details are as follows:

1. i. Registered Address:3RD FLOOR, RGM-260 ALLEN ESTATE KRISHNAPUR ROAD KOLKATA, West Bengal 700102, India
2. ii. License Number:No. B.05.06399
3. iii. Corporate Identity Number (CIN):U65993WB1992PLC056844

Allen's Housing & Finance Limited is a Non-Banking Financial Company (NBFC) registered with the Reserve Bank of India (RBI) under the Companies Act, 2013.

All loan approvals, loan disbursements, and lending decisions are made solely by Allen's Housing & Finance Limited in accordance with applicable Indian laws and RBI regulatory guidelines.

1. Objective

1.1. We collect, receive, possess, store, deal with, or otherwise handle information provided by users in the course of offering or providing our products or services, either directly or through various digital channels. This policy has been developed and implemented to ensure the lawful handling of personal information, including sensitive personal data or information of such users, and to ensure that users provide their personal information to us with free, specific, informed, and unambiguous consent.

2. Scope

2.1. We process your Personal Data on the basis of your free, specific, informed, and unambiguous consent obtained at the time of collection of such data for the following purposes:

1. i.Processing and evaluation of your loan application.
2. ii.Credit assessment, underwriting, and risk evaluation.
3. iii.Conducting Know Your Customer (KYC), e-KYC, Video KYC, and related identity verification processes.
4. iv.Obtaining and sharing credit reports with Credit Information Companies.
5. v.Loan servicing, account maintenance, and customer support.
6. vi.Facilitating insurance or other ancillary products where specifically opted by you.
7. vii.Sending service-related communications and updates.
8. viii.Sending promotional or marketing communications, where separate and explicit consent has been obtained.

3. Categories of Personal Data Collected

3.1. The company may collect and process the following categories of personal data in connection with its housing finance business:

i. Identification and Personal Identity Information

Name, date of birth, gender, photograph, signature, mobile phone number, email address, PAN, Aadhaar (where voluntarily provided and lawfully processed), and any one of the following officially valid documents for identity verification purposes, including passport, voter ID, driving licence, ID card, or any other officially valid document permitted under applicable law.

For the avoidance of doubt, the Data Principal is required to provide any one valid officially recognized identification document sufficient to establish identity for KYC or verification purposes. Submission of multiple identity documents is not mandatory unless specifically required under applicable law or regulatory directions.

This information is collected primarily for identity verification, KYC compliance, credit analysis and ensuring information security.

ii. Contact Information

Residential address, correspondence address, email address, and telephone number for communication and service-related purposes.

iii. Financial, Credit and Employment Information

Income details, employment information, employer details, bank account details, payment information, transaction records, tax returns, salary slips, credit reports, credit scores, repayment history, and other financial information relevant to credit appraisal.

We collect such financial information for credit assessment and underwriting purposes.

Financial information such as bank account details or payment instrument details may constitute Sensitive Personal Data or Information (SPDI) under the Information Technology Act, 2000 and the SPDI Rules, and shall be processed in accordance with applicable law.

iv. Loan, Property and Security Information

Loan application details, sanctioned loan terms, property details (where applicable), valuation reports, security documents, and repayment records.

v. Technical, Device and Usage Information

IP address, device model, operating system version, Android ID, browser type, log data, cookies, and other device identifiers.

We collect such information:

To ensure account login security (including identifying unusual devices or abnormal login locations).

For fraud prevention and risk control.

To improve and optimize service experience.

For system operation assurance and data analysis.

Device-related information is not used independently to directly identify the Data Principal.

Information collected during digital onboarding processes, including e-KYC or video KYC recordings (where applicable), also falls within this category.

vi. GAID (Google Advertising ID)

To provide more personalized advertising services, we may collect your GAID information for advertising delivery analysis and personalized recommendations.

We commit that GAID will not be combined with personally identifiable information. You may opt out of personalized advertising at any time through your device settings.

vii. Emergency Contact Information

When you use Pocket Rupee for loan services, you are required to select emergency contact information (including contact name, contact phone number, and relationship) from your address book.

We do not access your address book permission. We only enable you to select specific contact information from your address book to serve as your emergency contact for identity verification, risk management, and fraud prevention activities.

The selected emergency contact information is securely uploaded to our secure center at: https://ensean.rupikrapidrupee.com/

All such data is stored in encrypted form.

Without your consent, we will not share your data with any unrelated third parties other than the Lending Institution with whom you have applied for a loan, and we will not sell or leak user data.

viii. Image Information and Camera Permission

Image Uploads:

When you use Pocket Rupee for identity verification, you may need to upload identification documents or financial proof.

You will select images through your photo album. We do not access your photo album without your action; we only enable you to select images voluntarily.

Pocket Rupee collects uploaded image information, including image details, file size and file type, for verification purposes.

All collected image information is encrypted and securely uploaded to our secure center at: https://ensean.rupikrapidrupee.com/

We will not share such data with any unrelated third parties other than the Lending Institution with whom you have applied.

Camera Access:

When users use the camera to take photos or perform facial recognition for certain functions, we access the camera function only upon your explicit authorization.

This permission is used solely for data collection during application use and identity verification.

ix. Social Account Information

Where voluntarily provided, we may collect information related to your social accounts to assist in verifying your identity and maintaining communication.

All such information is encrypted and uploaded to our secure center (https://ensean.rupikrapidrupee.com/) for protection.

4. Purpose of Data collection

4.1. The Company processes Personal Data solely for specified, lawful, and legitimate purposes in connection with its housing finance business, including: (i) receipt, appraisal, evaluation, and underwriting of loan applications; (ii) conducting know-your-customer (KYC) verification, customer due diligence, and compliance with anti-money laundering and counter-terrorism financing requirements; (iii) obtaining, furnishing, and reporting credit information to and from Credit Information Companies and other authorised entities; (iv) loan disbursement, account administration, repayment processing, monitoring of security, enforcement of contractual rights, and recovery proceedings; (v) compliance with applicable laws, regulatory directions, and supervisory requirements issued by the Reserve Bank of India and other competent authorities; (vi) prevention, detection, investigation, and mitigation of fraud, financial crime, and credit risk; (vii) communicating with applicants and customers regarding applications, loan accounts, transactions, service updates, and regulatory disclosures; (viii) handling queries, complaints, and grievance redressal; and (ix) sending promotional or marketing communications relating to the Company's products or services, strictly where separate and explicit consent has been obtained. The Company shall not process Personal Data for purposes other than those specified herein except in accordance with applicable law or upon obtaining additional consent where required.

5. Legal Basis for processing

5.1. The Company processes Personal Data on lawful grounds in accordance with the Digital Personal Data Protection Act, 2023 and applicable laws. Processing is undertaken: (i) pursuant to the free, specific, informed and unambiguous consent of the Data Principal, wherever such consent is required; (ii) where necessary for the performance of a contract or to take steps at the request of the Data Principal prior to entering into a loan or related agreement, including appraisal, disbursement, servicing and enforcement of loan facilities; (iii) where necessary for compliance with legal and regulatory obligations, including but not limited to directions and guidelines issued by the Reserve Bank of India, obligations under the Prevention of Money Laundering Act, 2002, the Credit Information Companies (Regulation) Act, 2005, and other applicable statutory requirements; and (iv) for legitimate uses recognised under the Digital Personal Data Protection Act, 2023, including prevention and detection of fraud, exercise or defence of legal claims, enforcement of contractual rights, and compliance with lawful orders or requests of courts, regulators or governmental authorities. The Company processes Personal Data strictly to the extent necessary and proportionate to such lawful purposes.

6. Digital Lending Specific Disclosure

a) In respect of loan products sourced, processed, or serviced through digital platforms, mobile applications, or Digital Lending Applications (DLAs), the Company complies with the Reserve Bank of India (Digital Lending) Directions, 2025, as amended from time to time.

b) The Company collects Personal Data strictly on a need-based basis and only to the extent necessary for the purpose of processing loan applications, conducting credit assessment, complying with KYC and regulatory requirements, disbursing and servicing loans, and managing credit risk. The Company does not access, collect, or store any data from a borrower's mobile device or digital platform that is not required for such specified purposes.

c) The Company shall not access mobile phone resources such as contact lists, call logs, media files, or other personal storage data, except where strictly necessary for a lawful purpose and with the prior explicit consent of the borrower. Any access to device features such as camera, microphone, or location services shall be preceded by clear disclosure and explicit consent and shall be limited to the functionality required for onboarding, verification, fraud prevention, or regulatory compliance.

d) The Company does not store biometric data of borrowers unless such storage is expressly permitted or required under applicable law. Where Aadhaar-based authentication or Video KYC is undertaken, the processing of such data shall be carried out strictly in accordance with applicable legal and regulatory requirements.

e) All Personal Data collected in connection with digital lending activities shall be stored and processed on servers located in India, in compliance with applicable regulatory requirements. The Company shall ensure that its digital lending platforms and service providers adhere to applicable data security and localisation norms.

f) Prior to execution of any digital loan agreement, the Company shall provide the borrower with a Key Fact Statement (KFS) containing material terms of the loan, including the annual percentage rate (APR), fees, charges, penal interest, and other key disclosures, in accordance with RBI Directions. The Company shall also provide, where applicable, details of any cooling-off or look-up period during which the borrower may exit the loan by paying the principal and proportionate charges, in the manner prescribed under applicable RBI guidelines.

g) The Company shall ensure that all digital lending arrangements, including those involving lending service providers, are conducted in a transparent, fair, and compliant manner consistent with applicable RBI Directions and the Company's Board-approved policies.

7. Sharing and Disclosure of Personal Data

7.1. The Company may share or disclose Personal Data only in accordance with applicable law and strictly to the extent necessary for legitimate business, regulatory, or contractual purposes. Such sharing is subject to confidentiality obligations, contractual safeguards, and compliance with applicable data protection and security standards. Personal Data shall not be sold or disclosed for unrelated commercial purposes without the explicit consent of the Data Principal.

The categories of recipients with whom Personal Data may be shared include:

A. Data Sharing with Lending Partner: To provide loan services through the Pocket Rupee platform, personal information collected from users will be shared with our regulated lending partner, Allen's Housing & Finance Limited, a Non-Banking Financial Company (NBFC) registered with the Reserve Bank of India (RBI). Such information is used for credit assessment, loan processing, loan approval, loan disbursement, loan servicing, and compliance with applicable legal and regulatory requirements. All lending decisions and loan disbursements are made solely by Allen's Housing & Finance Limited, while we act only as a technology service provider and Lending Service Provider (LSP).

B. Regulatory and Statutory Authorities: Personal Data may be disclosed to the Reserve Bank of India, Financial Intelligence Unit - (FIU-IND), courts, tribunals, law enforcement agencies, and other statutory or regulatory authorities as required under applicable laws or directions.

C. Credit Information Companies: Personal Data may be furnished to and obtained from credit bureaus and other authorised financial institutions for the purposes of credit appraisal, reporting, and monitoring, in accordance with the Credit Information Companies (Regulation) Act, 2005.

D. Co-lenders and Assignment Partners: Personal Data may be shared with co-lending partners, securitisation entities, or assignees for the purposes of loan disbursement, servicing, risk management, or portfolio transfer, subject to applicable confidentiality and contractual safeguards.

E. Outsourcing Partners: Personal Data may be shared with service providers engaged by the Company for outsourced functions, including loan processing, customer support, collections, and technology services, in compliance with the Reserve Bank of India Guidelines on Outsourcing of Financial Services. All such partners are contractually bound to maintain confidentiality and implement reasonable security practices.

F. Technology Service Providers: Personal Data may be shared with technology vendors, cloud service providers, and platform providers solely for facilitating digital onboarding, loan processing, storage, or secure transmission, under agreements that ensure adherence to applicable data protection laws and security standards.

G. Overdue Repayment Reminder and Collection Co-operation: In the event of any overdue and unpaid amounts, for the purpose of lawful reminder and recovery, we may share relevant information with authorized collection partners strictly on a need-to-know basis. Such information may include the user's name, mobile phone number and number of overdue days. All collection activities shall be conducted in strict compliance with applicable laws and regulations. We continuously monitor and supervise our collection partners to ensure their operations to remain lawful and compliant and to safeguard the legitimate rights and interests of users.

H. Auditors, Legal Advisors, and Consultants: Personal Data may be disclosed to statutory auditors, internal auditors, legal counsel, or other professional advisors for audit, compliance, risk management, and legal purposes, under binding confidentiality obligations.

I. AppsFlyer (https://www.appsflyer.com/): We will collect and share device-related information to optimize advertising effectiveness and conduct data analysis.

J. Firebase Analytics (https://firebase.google.com/support/privacy): We will collect and share device-related information to enhance the precision of advertising delivery and deepen data analysis capabilities, and to deliver personalized marketing campaigns to you, ensuring you are promptly informed of the latest offers and improving your user experience.

7.2. The Company ensures that all recipients of Personal Data process such data only for the purposes for which it is shared and implement security and confidentiality measures consistent with applicable law, including the Digital Personal Data Protection Act, 2023, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other regulatory requirements.

8. Data Retention

8.1. The Company retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected, to comply with contractual obligations, applicable laws, regulatory requirements, and RBI record retention norms, including KYC and anti-money laundering obligations. Personal Data may also be retained for the duration of limitation periods or as required for regulatory inspections, audits, or legal proceedings.

8.2. Once the purpose for which Personal Data was collected is fulfilled, or upon expiry of the applicable retention period, whichever is later, the Company shall ensure that such data is securely deleted, anonymised, or destroyed in a manner that prevents unauthorized access, use, or disclosure, in accordance with the Digital Personal Data Protection Act, 2023, the Digital Personal Data Protection Rules, 2025, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

8.3. The Company does not knowingly collect or process Personal Data of individuals below the age of eighteen (18) years without verifiable consent from a parent or legal guardian. Where Personal Data of such individuals is collected, the Company shall ensure that verifiable parental or guardian consent has been obtained prior to collection or processing.

8.4. The Company shall not engage in behavioural tracking, profiling, or targeted marketing of children under the age of eighteen. Any collection or processing of data in connection with digital platforms or services that may involve individuals under eighteen shall be strictly limited to purposes necessary for providing the service and in compliance with applicable laws, including the Digital Personal Data Protection Act, 2023, and any rules thereunder.

9. Data Security Practices

9.1. The Company implements and maintains reasonable security practices and procedures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, in accordance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and applicable law. Security measures include, without limitation, encryption of data in transit and at rest, role-based access controls, regular security audits, secure authentication mechanisms, monitoring of systems, and vendor due diligence to ensure that service providers adhere to equivalent security standards. Where adopted, the Company follows ISO 27001 or an equivalent information security management framework. The Company also maintains an incident response plan to promptly address, contain, and remediate any security incidents or data breaches in accordance with applicable regulatory requirements, including the provisions of Section 43A of the Information Technology Act, 2000.

10. Rights of Data Principal

10.1. In accordance with the Digital Personal Data Protection Act, 2023, and applicable Rules, Data Principals have the following rights with respect to their Personal Data:

a) Right of Access: The right to obtain confirmation of whether Personal Data concerning them is being processed, and to access such Personal Data.

b) Right to Correction and Erasure: The right to request correction of inaccurate or incomplete Personal Data or erasure of Personal Data processed in contravention of law.

c) Right to Withdraw Consent: The right to withdraw previously provided consent, without affecting the lawfulness of processing based on consent prior to withdrawal.

d) Right to Grievance Redressal: The right to lodge complaints or seek redressal of grievances relating to the processing of Personal Data.

e) Right of Nomination (if applicable): The right to nominate a person to exercise the above rights in the event of death or incapacitation, in accordance with applicable Rules.

10.2. The Company shall facilitate the exercise of these rights through established processes and within the timelines prescribed under applicable law.

11. Data Deletion

11.1. You can contact our customer service team by emailing our official email address at support@phrenological.com. Our customer service staff will assist you in completing the data deletion process. Please note that once your account information is deleted, the data cannot be recovered. If you wish to use "Pocket Rupee!" services in the future, you will need to re-register.

11.2. For user convenience, we also provide the ability to submit a deletion request directly within the app. You can find the account deletion process in the app's settings or privacy options and follow the prompts to complete the deletion process. Upon your request, we will promptly and completely delete all related data to ensure the security of your personal information.

12. Withdrawal of Consent

A Data Principal may withdraw consent at any time by submitting a request through the mechanisms provided by the Company. Withdrawal of consent will be effective prospectively and shall not affect the processing of Personal Data conducted prior to such withdrawal, nor shall it impact the ability of the Company to continue processing Personal Data where required to comply with contractual or legal obligations. Withdrawal of consent may impact the availability of certain products or services, and the Company will inform the Data Principal of such impact at the time of withdrawal.

13. Grievance Redressal Mechanism

The Company has established a grievance redressal mechanism to address complaints or concerns regarding the processing of Personal Data. The Grievance Officer is designated to handle such complaints and can be contacted at:

a) Name/Designation:Shailendra Pandey

b) Email: support@phrenological.com

c) Postal Address: Centura Square, Unit 113 1st Floor Plot No B-44 & B-44A. Road No 27, Wagle Estate, MIDC, Thane (W) 400 604

d) Telephone: 7208002957

14. Cookies and Tracking (Website / Mobile Application)

The Company's digital platforms may use cookies, web beacons, and similar tracking technologies to enhance user experience, monitor site usage, and support analytics. The types of cookies used may include session cookies, persistent cookies, and third-party analytics cookies. Users may choose to disable cookies through their browser settings or device preferences; however, certain features of the website or mobile application may be limited as a result. The Company's use of cookies and tracking technologies is in accordance with applicable law and best practices for digital data privacy.

15. Amendments to Privacy Policy

The Company reserves the right to update, modify, or amend this Privacy Policy from time to time to reflect changes in legal, regulatory, or operational requirements. The effective date of any such amendment will be communicated through the Company's website or other appropriate means. Each version of the Privacy Policy will be subject to version control, with prior versions retained for regulatory and audit purposes. Continued use of the Company's services after such changes shall constitute acceptance of the updated Privacy Policy.