Privacy Policy

This Privacy Policy explains how Capline Ventures Private Limited (CIN: U62099MH2024PTC435972), a company incorporated under the Companies Act, 2013 with its registered office at G-502, Plot 6, Sector 9, Darave, AWHO, Thane – 400706, Maharashtra, India ("Company", "BlinkMoney", "we", "us", "our"), collects, uses, stores, shares, and protects your personal data when you access or use the BlinkMoney website at www.blinkmoney.in, the BlinkMoney mobile application and any associated SDKs (collectively, the "Platform"), and any services offered through the Platform (the "Services").

"You", "Your" and "User" mean any individual who visits, registers on, or uses the Platform or avails Services through it.

This Privacy Policy is published in compliance with: (i) the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "SPDI Rules"); (ii) the Digital Personal Data Protection Act, 2023 and the rules notified thereunder (the "DPDP Act"); (iii) the Reserve Bank of India's Guidelines on Digital Lending dated September 2, 2022 (RBI/2022-23/111 DOR.CRE.REC.66/21.07.001/2022-23) and the Master Direction on Digital Lending – Directions, 2025 (the "RBI Digital Lending Guidelines"); and (iv) applicable Securities and Exchange Board of India (SEBI) regulations and the AMFI Code of Conduct governing mutual fund distribution.

By visiting the Platform or creating an account, you confirm that you have read, understood and agree to be bound by this Privacy Policy and the Terms of Use of the Platform, which are to be read together. BlinkMoney does not sell, rent, trade or otherwise commercially exploit your personal data. We do not share your data with third parties for their own marketing purposes without your explicit consent.

BlinkMoney is positioned as India's Liquid Wealth Account. Through the Platform we offer two integrated services:

• Mutual fund investment services — distribution of mutual fund schemes (including equity, debt, hybrid, gold and multi-asset schemes) under our SEBI / AMFI Mutual Fund Distributor registration (ARN-330047, valid from 29 May 2025 to 28 May 2028, issued to Capline Ventures Private Limited), including a daily auto-invest feature.
• Loan Against Mutual Funds (LAMF) — a credit facility offered by our Lending Partners and secured by a lien on mutual fund units held in your name. BlinkMoney acts as a Lending Service Provider (LSP) and operates a Digital Lending Application (DLA) for the Lending Partners under the RBI Digital Lending Guidelines. BlinkMoney is not a lender, bank, NBFC, mutual fund or asset management company.

Data roles. Where we collect or process your personal data in our own capacity — for example, for account creation, investment services, customer communications, analytics and Platform operations — we act as a Data Fiduciary under the DPDP Act. Where we collect, store or transmit your personal data on behalf of a Lending Partner for the purposes of underwriting, sanctioning, disbursing, servicing or recovering a Credit Facility, we act as a Data Processor for that Lending Partner, who is the Data Fiduciary in respect of that processing.

BlinkMoney operates as an LSP and DLA in partnership with RBI-registered Regulated Entities ("REs") for facilitating LAMF services. Our current Lending Partners are:

• Bajaj Finance Limited (NBFC) — privacy policy at bajajfinserv.in/privacy-policy
• DSP Finance Private Limited (NBFC) — privacy policy at dspfin.com privacy policy

The most current list of Lending Partners, together with applicable terms and contact details, is maintained at www.blinkmoney.in. All lending activities facilitated through the Platform are conducted in full compliance with the RBI Digital Lending Guidelines, the Prevention of Money Laundering Act, 2002, the Credit Information Companies (Regulation) Act, 2005 ("CICRA") and other applicable laws.

We collect only the data we genuinely need to provide the Services, comply with law and protect you and the Platform. The categories of personal data we may collect are set out below.

• Directly from you — when you register, complete KYC, place an investment instruction, apply for a Credit Facility, complete a risk profile, respond to a survey, contact support or otherwise interact with the Platform.
• Automatically — through cookies, SDKs and similar technologies that record how you use the Platform (see Section 13).
• From third parties — KYC providers, RTAs, depositories, credit bureaus, banking and payment partners, Lending Partners, fraud prevention agencies, analytics providers and publicly available sources, in each case as permitted by law and after taking your consent where required.

We process your personal data only for one or more of the following specified purposes, and only to the extent necessary:

• To onboard you, verify your identity and complete KYC, AML/CFT, sanctions and risk checks.
• To provide, operate, maintain, secure and improve the Services, including the daily auto-invest engine, the portfolio dashboard, the LAMF Credit Facility and customer support.
• To execute your investment instructions and to distribute mutual fund schemes through Asset Management Companies.
• To generate and provide you with transaction statements, capital gains reports (including short-term and long-term capital gains arising from voluntary redemptions and from forced redemptions pursuant to margin call sell-downs), and other investment-related reports to assist you in computing your tax obligations.
• To facilitate evaluation, sanction, disbursal, servicing, recovery and closure of Credit Facilities by our Lending Partners.
• To mark and release liens or pledges over mutual fund units in your name in favour of a Lending Partner.
• To communicate with you about your account, transactions, Services, regulatory disclosures, policy changes and similar service messages.
• To send you product, marketing and promotional communications, where you have not opted out and subject to applicable TRAI / TCCCPR rules.
• To detect, prevent and investigate fraud, money laundering, unauthorised access, abuse and other unlawful activity.
• To comply with applicable law, including responding to requests from courts, tribunals, regulators (RBI, SEBI, FIU-IND, Income Tax authorities) and other governmental authorities.
• To establish, exercise or defend legal rights and claims.
• To carry out internal research, analytics, modelling, testing and audits, including on a de-identified or aggregated basis.

Purpose limitation between Services: If you use only the investment Services and do not apply for a Credit Facility, your personal data will not be shared with any Lending Partner or Credit Information Company for lending purposes. Additional data collection and sharing for LAMF (including credit bureau checks, lien marking, and data sharing with Lending Partners) is initiated only when you explicitly apply for a Credit Facility and provide the consents specified in Section 7.

Where required by the DPDP Act, processing is undertaken on the basis of your consent, or where a specified legitimate use under the DPDP Act applies.

In compliance with the RBI Digital Lending Guidelines, we disclose the following categories of third parties involved in processing your data in the context of LAMF Services:

• Regulated Entities (REs) / NBFCs — loan underwriting, credit assessment, sanction, disbursal, servicing and recovery (currently Bajaj Finance Limited and DSP Finance Private Limited).
• Credit Information Companies (CICs) — credit bureau checks and credit score retrieval (TransUnion CIBIL, Experian, Equifax, CRIF High Mark).
• Account Aggregator (AA) framework — where applicable in future, for fetching bank statement data with your explicit consent via RBI-licensed Account Aggregators.
• KYC and identity verification providers — identity verification, Aadhaar authentication, PAN validation and liveness detection.
• DigiLocker — fetching verified documents with your consent (Government of India).
• Payment and mandate partners — e-mandate registration, EMI / interest collection and disbursal, as specified by the RE.
• E-Sign and agreement partners — digital agreement signing, as specified by the RE.
• Analytics partners — app performance and user experience analytics (no lending-specific personal data shared).

Explicit consents obtained from borrowers. Before facilitating a Credit Facility, we obtain the following explicit consents from you, each recorded with a timestamp and made available for audit:

• Credit Bureau Consent — to fetch your credit score and credit report from one or more CICs.
• Mobile OTP Consent — to verify your mobile number via OTP for authentication.
• Device Permissions Consent — for one-time access to camera, microphone (if Video KYC) and location for KYC and onboarding purposes only.
• Data Sharing Consent — to share your personal and financial data with the specific Lending Partner for loan processing.
• DigiLocker Access Consent — to fetch verified documents from DigiLocker, where applicable.
• Aadhaar Sharing Consent — to share masked Aadhaar details with the Lending Partner for identity verification and KYC purposes, in accordance with UIDAI Directions.
• Lien Marking Consent — to mark a lien or pledge over your mutual fund units in favour of the Lending Partner.
• Lender-Specific Consents — any additional consents required by the specific Lending Partner.
• Terms & Conditions and Privacy Policy Acceptance — your acknowledgment and acceptance of BlinkMoney's Terms of Use and this Privacy Policy.

You may view and manage your consent preferences at any time through the BlinkMoney app or by writing to support@blinkmoney.in. Withdrawal of consent may result in discontinuation of all or part of the LAMF Services, and does not affect the lawfulness of processing carried out before withdrawal.

In addition to the disclosures in Section 7, we may share your data with:

• Asset Management Companies and RTAs — for purchase, redemption, switch and folio servicing of mutual fund units. AMCs may also use your investment data (including transaction amounts, folio details and AUM) for the purpose of calculating and paying trail commission to BlinkMoney as a registered Mutual Fund Distributor.
• Nominee data — where you have registered a nominee for your mutual fund investments, your nominee's name, relationship, contact details and share allocation will be shared with the relevant AMC and RTA for the purpose of maintaining nomination records as required by SEBI.
• Service providers — processors and service providers who help us run the Platform (see Section 13 for the third-party schedule).
• Regulators, authorities and legal process — RBI, SEBI, FIU-IND, Income Tax authorities, courts, tribunals, law enforcement and other authorities where required by law.
• Corporate transactions — in the event of a merger, acquisition, reorganisation, financing, sale of assets, bankruptcy or similar transaction.
• With your consent — any other recipient with your specific consent.

Restrictions on data usage. Borrower data collected for lending purposes is used solely for the purpose for which consent was obtained. We do not use such data for cross-selling or marketing of unrelated products without separate explicit consent. We do not sell, rent or trade your personal data to any third party.

All personal data we collect from you is stored on servers located in India, in compliance with the RBI Digital Lending Guidelines. Where any service provider processes data from outside India, we ensure that the transfer is permitted under the DPDP Act and is subject to appropriate contractual and security safeguards, and we will not transfer data to any country or territory restricted by the Central Government under the DPDP Act.

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required under applicable law. Specifically:

• Transaction and KYC records — retained for at least 7 years from the date of the relevant transaction or termination of the relationship, in line with the Prevention of Money Laundering Act, 2002.
• Active loan accounts — borrower data is retained for the duration of the loan and for 8 years from loan closure or last transaction, whichever is later.
• Rejected or incomplete loan applications — retained for a maximum period of 3 years from the date of rejection or abandonment.
• Consent records — retained for the duration of the business relationship and for a minimum of 5 years thereafter, for audit purposes.
• Credit information obtained from CICs — retained for a maximum of 6 months, in compliance with CICRA.
• Investment records — retained for a minimum of 5 years, or longer as required under SEBI Regulations and the applicable AMC's / RTA's retention policies.
• Marketing data — retained until you withdraw consent or opt out.
• Gmail-derived data — retained while your account is active and Gmail access is granted; deleted within 30 days of access revocation or account deletion.
• Implicit personal data of inactive users — purged after 6 months of inactivity.

We implement reasonable security practices and procedures commensurate with the sensitivity of the personal data we process.

Subject to applicable law (including the DPDP Act once notified provisions come into force) and to any record-keeping and other obligations we have under regulation, you have the following rights in respect of your personal data:

• Right to access a summary of the personal data we hold about you and the processing activities undertaken.
• Right to correction, completion and updation of inaccurate, incomplete or outdated data.
• Right to erasure of personal data which is no longer necessary for the purpose for which it was collected, subject to our legal retention obligations.
• Right to withdraw consent previously given, including withdrawal of consent for Gmail access, SMS access, marketing communications and data sharing.
• Right to restrict disclosure of personal data to third parties, except where mandated by regulatory or legal requirements.
• Right to grievance redressal through the mechanism in Section 15.
• Right to nominate another individual to exercise these rights in the event of your death or incapacity, as provided under the DPDP Act.
• Right to data portability, where provided under applicable law, the right to receive your personal data in a structured, commonly-used, machine-readable format.

How to exercise your rights. You may exercise any of these rights by:

• Writing to the Data Protection Officer at varun.bhandia@blinkmoney.in from your registered email address; or
• Using the in-app Delete Account flow: open the BlinkMoney app → Profile → Delete Account → Confirm.

We will verify your identity and respond within the timelines prescribed under applicable law, and in any case within 30 days of receiving a valid request.

We use cookies, SDKs and similar technologies on the Platform for the following categories of purpose: (a) strictly necessary — required for the Platform to function and keep your session secure; (b) functional — to remember your preferences and settings; (c) analytics — to understand how the Platform is used and to improve it; and (d) marketing — to measure the effectiveness of campaigns and, where you have consented, to deliver personalised advertising.

You can manage non-essential cookies through your browser settings or through our in-app preferences. Blocking certain cookies may affect the availability of some features.

We work with the following third-party processors and platforms. Each is bound by a written agreement and processes data only for the purposes stated.

Google API Services compliance. BlinkMoney's use of information received from Google APIs, including Gmail, adheres to Google's User Data Policy and the Limited Use requirements. Only the minimum necessary data is accessed; Gmail data is not shared with third parties, used for advertising, or accessed by humans.

This list may be updated from time to time. The latest version will always be available on the Platform.

Categories of communication. We use four categories of communication:

• Transactional — essential service messages, security alerts, transaction confirmations, KYC notifications, loan servicing communications. These continue even if you opt out of promotional messages.
• Promotional — marketing offers, product recommendations, investment opportunities.
• Service — product updates, app announcements, customer support communications.
• Research — surveys, feedback requests, market research.

Channels. Voice calls, SMS, WhatsApp, email, push notifications, in-app messages and physical mail, in each case subject to your consent and to TRAI / TCCCPR regulations and the Do Not Call (DNC) registry.

Managing your preferences. You can manage your communication preferences at any time through the in-app settings, by replying "STOP" to SMS communications, by clicking "unsubscribe" in any email, or by writing to support@blinkmoney.in. Opt-out requests are processed within 3–5 business days.

BlinkMoney has instituted a formal grievance redressal mechanism aligned with the RBI Digital Lending Guidelines, the DPDP Act and applicable SEBI regulations.

The Services are intended for individuals aged 18 years or above. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor without verifiable parental consent as required under the DPDP Act, we will promptly delete that data and disable the relevant account. If you believe a minor has provided us with their data, please contact us at support@blinkmoney.in.

The Platform may contain links to third-party websites, applications and services that are not operated by us. We are not responsible for the privacy practices or content of those third parties. We recommend that you review the privacy policy of every third-party site you access through the Platform.

We may update this Privacy Policy from time to time to reflect changes in law, regulation, our practices or the Services. The revised policy will be posted on the Platform with an updated "Last Updated" date. Where the changes are material, we will notify you in advance through email, in-app notification or other appropriate means. Your continued use of the Platform after the revised policy becomes effective constitutes your acceptance of it.

This Privacy Policy is governed by and construed in accordance with the laws of India. Subject to the grievance redressal mechanism in Section 15, the courts at Mumbai, Maharashtra shall have exclusive jurisdiction over all disputes arising out of or in connection with this Privacy Policy.

• Capline Ventures Private Limited (CIN: U62099MH2024PTC435972)
• Registered office: G-502, Plot 6, Sector 9, Darave, AWHO, Thane – 400706, Maharashtra, India
• Customer Support: support@blinkmoney.in
• Data Protection Officer: varun.bhandia@blinkmoney.in
• Grievance Officer: grievance@blinkmoney.in
• Website: www.blinkmoney.in

This document is an electronic record in terms of the Information Technology Act, 2000 and the rules made thereunder, and the amended provisions pertaining to electronic records.