The privacy of individuals, including our customers and clients, is of utmost importance to TransUnion Software Services Private Limited (“Company”). We are committed to adhere to the Information Technology Act, 2000 for the time being in force (“Act”) and the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 for the time being in force (“Rules”). This document sets out the policy governing the Company’s collection, use, possession, transfer, processing, storage, dealing, disclosure and handling of the Personal Information (“PI”) and the Sensitive Personal Data or Information (“SPDI”) by the Company in accordance with Rule 4 of the Rules. This Policy aims to set out in clear terms the type of PI and SPDI collected, used, possessed, transferred, processed, stored, dealt, disclosed and handled by the Company and the purpose for which the PI and SPDI is, or may be, used by the Company. This Policy also sets out the entities with whom the PI and SPDI of a person may be shared and also the reasonable security practices and procedures adopted by the Company in handling this information.

1. Definition

The following words and expressions shall have the meanings hereby assigned to them:

  1. The term “Personal Information” or “PI” as defined under the Rules, shall mean any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a Body Corporate, is capable of identifying such person.
  2. The term “Sensitive Personal Data or Information” or “SPDI” as defined under the Rules, shall include the following information:
    1. password;
    2. financial information such as bank account or credit card or debit card or other payment instrument details;
    3. physical, physiological and mental health condition;
    4. sexual orientation;
    5. medical records and history;
    6. biometric information;
    7. any detail relating to the above clauses as provided to the Company for providing services; and
    8. any information received under the above clauses, (a) and/or (b), by a body corporate for collection, use, transferring, processing, possessing, storing, dealing, disclosing and handling under lawful contract or otherwise.

However, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as Sensitive Personal Data or Information.

All capitalized terms not defined herein shall have the meaning assigned to them under the Act and the Rules.

2. Purpose of Collecting PI and SPDI

The Company will, or may, collect, use, receive, possess, process, store, deal, disclose, transfer or handle the Personal Information or PI for the following purpose:

  1. For providing personal identification and authentication services;
  2. For determining the financial standing and credit score of a person;
  3. For researching and developing new products and services; and
  4. In connection with other business of the Company from time to time.

3. Type of PI and SPDI Collected

For providing the services, the Company will collect, use, receive, possess, process, store, deal, disclose, transfer or handle PI and SPDI, which shall include, but not limited to, information regarding name, address, telephone number, date of birth, gender, e-mail id, financial information, biometric information, etc.

4. Source and Recipients

The Company shall be entitled to obtain, use, receive, possess, process, store, deal, disclose, transfer or handle the PI and SPDI to/from Banks, Non-banking Finance Companies, Leasing Companies, Insurance Companies, Utility Service Companies, Credit Card Companies, E-commerce Companies, Government Departments or Organisations, companies engaged in data management and analytics services and all other entities which have been authorised by the person (whose PI and/or SPDI is collected) to collect the PI and SPDI.

5. Sharing of PI and SPDI

In addition to the above entities, the Company may share PI and SPDI with the following entities:

  1. Governmental Agency or Courts or Regulators as required under the applicable law;
  2. Any agent, contractor or third party or service provider in connection with the Company’s business; and
  3. Any other person under duty of confidentiality to the Company.

6. Openness and Data Access

The person whose PI and/or SPDI is collected, received, possessed, processed, stored, transferred, dealt or handled may inquire as to the nature of data stored or processed by the Company. The person will be provided reasonable access to the person’s PI and SPDI held by the Company. If any data is inaccurate or incomplete, such person may request that the data be amended or modified or updated.

7. Option to Opt Out

The person has an option to withdraw the consent to use the PI or SPDI by the Company in accordance with this Policy. In that case the person should contact the Data Privacy and Grievance officer designated by the Company below.

8. Security Measures

The Company, being a group company of TransUnion LLC, U.S.A., has adopted the TransUnion Security Policy to ensure reasonable security practices and procedures are followed within the Company for the security and protection of PI and SPDI, in line with the internationally accepted standards which includes, technical, operational and physical security control measures.
The Company will observe the following guidelines when using, receiving, possessing, processing, storing, dealing, disclosing, transferring or handling the PI and SPDI:

  1. PI and SPDI will be collected, received, possessed, used, processed, stored, transferred, dealt, handled and disclosed in compliance with the Act and the Rules;
  2. PI and SPDI will be used for the purposes for which it has been collected or obtained;
  3. PI and SPDI will be relevant/necessary to/for the purposes for which it is collected and used; and
  4. Appropriate reasonable measures will be taken to prevent unauthorized access, use, processing, and accidental loss, destruction, or damage to such PI or SPDI.

9. Updates

The Company reserves the right to add, revise, amend, modify or delete any part of this Policy (in part or in full) at its discretion. The updated version of this Policy in force will be posted on the Company’s website from time to time. In the event of any change in the Act or the Rules or in case of any requirement arising under any of the applicable law, this Policy shall be deemed to be amended or modified to the extent necessary to comply with such amendment to the Act or the Rules or to meet any requirement under the applicable laws.

10. Data Privacy and Grievance Officer

Any questions, disputes, opt-out requests, grievances with respect to the processing of PI or SPDI can be referred to the Data Privacy and Grievance officer designated by the Company as below:

Name: Shaleen Srivastava
Address: TransUnion Software Services Private Ltd.
1231, Regus Cyber City
Level 12, Building No. 8, Tower C,
DLF Cyber City, Phase 2,
Gurgaon – 122002, Haryana, India
Toll-free: 1800 3000 6646