Privacy Policy

Account Information: When you register, we collect your name, business name, email address, phone number, PAN, GST number, bank account details, and documentation required for KYC/AML compliance.

Transaction Data: We log details of every payment processed through our platform, including amounts, currencies, payment methods, timestamps, and device/IP metadata.

Usage Data: We automatically collect information about how you interact with our dashboard and APIs, including log data, browser type, pages visited, and API call patterns.

Communications: If you contact our support team, we retain records of those communications to assist with dispute resolution and service improvement.

We use the information we collect to:

• Provide, operate, and improve the Service
• Process payments and facilitate settlements
• Verify your identity and comply with KYC/AML obligations
• Detect and prevent fraud, money laundering, and other financial crimes
• Communicate service updates, security alerts, and account notices
• Generate aggregated, anonymised analytics to improve platform performance
• Comply with applicable laws, regulations, and RBI Payment Aggregator guidelines

We do not sell your personal information. We share data with third parties only in the following circumstances:

Payment Partners: Banks, card networks (Visa, Mastercard, RuPay), and UPI PSPs require transaction data to process payments on your behalf.

Compliance & Legal: We may disclose information to regulators (RBI, FIU-IND, SEBI) or law enforcement when required by applicable law, court order, or regulatory directive.

Service Providers: We engage sub-processors (cloud infrastructure, email delivery, analytics) under strict data processing agreements that prohibit independent use of your data.

All data in transit is protected using TLS 1.3. Data at rest is encrypted using AES-256-GCM. Sensitive payment credentials are handled exclusively within our PCI-DSS Level 1 certified environment. We never store raw card numbers on our servers.

Access to production systems is restricted to authorised personnel via hardware MFA tokens. We conduct annual penetration tests and publish a summary in our Trust Centre.

We retain account and transaction data for a minimum of 5 years from the date of the last transaction, as required by PMLA (Prevention of Money Laundering Act) and RBI directives. You may request deletion of non-mandatory data (e.g., marketing preferences) at any time.

Subject to applicable law, you have the right to:

• Access a copy of the personal data we hold about you
• Correct inaccurate or incomplete data
• Request deletion of data we are not legally obligated to retain
• Port your data to another service provider
• Withdraw consent for direct marketing communications

To exercise these rights, email privacy@helmpay.com.

Our dashboard uses strictly necessary cookies for session management and authentication. We do not use third-party advertising or tracking cookies. You can control cookie preferences within your browser settings.

We may update this Privacy Policy periodically. Material changes will be communicated via email and an in-dashboard notification at least 14 days before taking effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

For privacy-related queries, contact our Data Protection Officer at:
privacy@helmpay.com
HelmPay Technologies Pvt. Ltd., Bengaluru, Karnataka, India.