Privacy Policy

Hyperface Technologies Private Limited, its affiliates, subsidiaries, holding companies, and related group entities (collectively referred to as “Hyperface”, “we”, “our”, or “us”) respects your privacy and is committed to protecting personal data in accordance with applicable laws, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), the Information Technology Act, 2000, and other applicable laws of India.

This Privacy Policy explains how Hyperface collects, uses, processes, stores, shares, and protects personal data through its corporate website and related interactions.

By accessing or using our website, or by voluntarily submitting information to us, you acknowledge that you have read and understood this Privacy Policy.

1. Scope and Applicability

This Privacy Policy applies solely to:

• visitors of the Hyperface corporate website available at www.hyperface.co;

• individuals who contact Hyperface through the website;

• individuals subscribing to newsletters or marketing communications;

• individuals submitting forms, inquiries, demo requests, or recruitment applications through the website; and

• individuals otherwise interacting with Hyperface through the corporate website.

This Privacy Policy does not apply to:

• banking or financial products offered by banks, NBFCs, or partners;

• customer onboarding journeys hosted or controlled by banks or enterprise customers;

• client-controlled platforms or applications;

• partner-hosted environments;

• third-party websites or services; or

• Hyperface products or services governed under separate contractual arrangements or privacy notices.

2. Role of Hyperface

Hyperface may act either as:

• a Data Fiduciary/Controller for personal data collected directly through its corporate website and business communications; or

• a service provider/data processor when processing personal data on behalf of banks, financial institutions, enterprise customers, or business partners pursuant to contractual arrangements.

Where Hyperface processes end-customer or cardholder data on behalf of banks, financial institutions, or clients:

• such entities remain primarily responsible for determining the purposes and means of processing such personal data; and

• Hyperface processes such data only in accordance with contractual instructions, applicable law, and authorized operational requirements.

If you are an end customer of one of Hyperface’s partner banks, financial institutions, or clients and wish to exercise rights relating to your personal data, including requests for access, correction, deletion, or grievance redressal, you should contact the relevant bank or client directly.

Hyperface may assist such entities in responding to requests in accordance with applicable contractual obligations and applicable law.

3. Categories of Personal Data We Collect

Depending on your interaction with our website, Hyperface may collect the following categories of personal data:

3.1 Contact and Identity Data

• Name

• Email address

• Phone number

• Company name

• Designation or professional details

3.2 Communication Data

• Information shared through contact forms, demo requests, support inquiries, surveys, or correspondence

• Communication preferences

• Records of interactions with Hyperface

3.3 Recruitment Data

• Resume/CV

• Employment-related information voluntarily submitted by applicants

• Professional qualifications and experience details

3.4 Technical and Usage Data

When you access or interact with our website, we may automatically collect:

• IP address

• Browser type and version

• Device information

• Operating system

• Referring URLs

• Website usage patterns

• Date and time of access

• Pages viewed and interaction data

• Approximate location information

• Analytics identifiers and tracking information

We do not knowingly collect biometric data, medical records, health-related information, or other sensitive personal data categories through the corporate website unless specifically required and lawfully collected.

4. How We Collect Personal Data

Hyperface may collect personal data through:

• contact and inquiry forms;

• demo request forms;

• newsletter subscriptions;

• recruitment or careers submissions;

• direct communications and correspondence;

• automated technologies and analytics tools;

• cookies and similar tracking technologies; and

• publicly available professional or business sources where permitted under applicable law.

5. Purpose of Processing

Hyperface may process personal data for purposes including:

• responding to inquiries, requests, or communications;

• providing information regarding our services and offerings;

• scheduling meetings, demos, or business discussions;

• managing customer and business relationships;

• recruitment and hiring activities;

• improving website functionality, performance, and user experience;

• analytics, research, and website administration;

• sending newsletters, marketing communications, event invitations, or business updates;

• maintaining website security and preventing misuse or unauthorized activities;

• complying with legal, regulatory, audit, contractual, or compliance obligations; and

• protecting Hyperface’s legal rights and legitimate business interests.

We process personal data only for lawful purposes and to the extent reasonably necessary for such purposes.

6. Consent and Communications

Where required under applicable law, Hyperface shall provide a notice to Data Principals prior to processing their personal data. In accordance with the DPDP Rules, such notice shall contain: (a) an itemised description of the personal data to be processed; (b) the specified purpose of processing; and (c) a specific communication link or mechanism enabling Data Principals to withdraw consent, exercise rights, or make a complaint to the Data Protection Board of India. Hyperface may seek your consent prior to collecting or processing personal data.

By voluntarily submitting personal data through the website, you acknowledge and consent to the collection and processing of such information for the purposes described in this Privacy Policy.

Where marketing or promotional communications are sent, users may opt out at any time through:

• the unsubscribe mechanism included in the communication; or

• by contacting us at privacy@hyperface.co.

Withdrawal of consent shall not affect the lawfulness of processing undertaken prior to such withdrawal. In accordance with the DPDP Rules, the ease of withdrawing consent shall be comparable to the ease with which consent was given. Upon withdrawal of consent, Hyperface shall, to the extent feasible, cease processing the relevant personal data and ensure that any Data Processor engaged by Hyperface similarly ceases such processing.

7. Cookies and Similar Technologies

Our website may use cookies and similar technologies, including third-party analytics and tracking tools, to:

• improve website functionality and performance;

• analyse website traffic and user behaviour;

• measure effectiveness of communications and campaigns;

• support website administration and security; and

• enhance user experience.

Hyperface may use third-party tools and services including:

• Google Analytics,

• Mixpanel, and

• Brevo.

These third parties may collect and process information in accordance with their respective privacy policies.

Users may manage or disable cookies through browser settings, subject to certain functionality limitations.

8. Marketing Communications

Hyperface may periodically send newsletters, updates, promotional communications, event invitations, or other business-related information to users who interact with us or subscribe to such communications.

Users may opt out of receiving marketing communications at any time through:

• the unsubscribe link included in the communication; or

• by contacting us at privacy@hyperface.co.

Opting out shall not affect service-related or legally required communications.

9. Sharing and Disclosure of Personal Data

Hyperface may share personal data with:

• service providers, vendors, and contractors supporting our operations;

• analytics, hosting, communication, marketing, or recruitment service providers;

• professional advisors, auditors, consultants, and legal counsel;

• affiliates or group entities where necessary for legitimate business purposes;

• regulatory authorities, courts, governmental bodies, or law enforcement agencies where required under applicable law; and

• counterparties or successors in connection with mergers, acquisitions, restructuring, financing transactions, or transfer of business assets.

Hyperface does not sell personal data. Any disclosure of personal data shall be limited to lawful and legitimate purposes and subject to appropriate safeguards where applicable.

10. International Processing and Transfers

As a general principle, personal data collected through the corporate website is processed within India.

Where any cross-border transfer or processing becomes necessary, Hyperface shall implement reasonable safeguards and undertake such transfers in accordance with applicable law and regulatory requirements.Under the DPDP Rules, cross-border transfers of personal data are generally permitted unless the Central Government restricts transfers to specific foreign states or entities by general or special order. Hyperface shall monitor and comply with any such restrictions as and when notified. Where Hyperface is designated as a Significant Data Fiduciary (“SDF”) by the Central Government, additional data localisation obligations may apply in respect of categories of personal data specified by the Central Government.

11. Data Security

Hyperface implements reasonable technical, organisational, and administrative safeguards designed to protect personal data against unauthorised access, misuse, disclosure, alteration, loss, destruction, or accidental compromise.

Such safeguards may include:

• role-based access controls;

• encryption, obfuscation, masking, and use of virtual tokens (as mandated under the DPDP Rules) and secure transmission measures;

• secure hosting infrastructure;

• monitoring and logging mechanisms;

• internal information security policies;

• periodic assessments and reviews; and

• restricted access to personal data on a need-to-know basis.

While Hyperface endeavors to use commercially reasonable safeguards, no system or method of transmission over the internet can be guaranteed to be completely secure. In accordance with the DPDP Rules, Hyperface shall ensure that contracts with Data Processors engaged by it contain appropriate provisions requiring such Data Processors to implement reasonable security safeguards in relation to personal data processed on Hyperface’s behalf.

12. Data Retention and Disposal

Hyperface retains personal data only for as long as reasonably necessary:

• for the purposes described in this Privacy Policy;

• to comply with legal, regulatory, contractual, audit, or compliance obligations;

• for legitimate business requirements; or

• for the establishment, exercise, or defence of legal claims.

Upon expiry of the applicable retention period:

• personal data may be securely deleted,

• anonymised,

• archived where legally required, or

• disposed of in accordance with applicable law and internal retention policies.

Where anonymised, such information may be retained for research, analytics, statistical, or business purposes. In accordance with the DPDP Rules: (a) Hyperface shall notify affected Data Principals at least 48 (forty-eight) hours prior to the completion of the applicable retention period, allowing the Data Principal an opportunity to engage with Hyperface to preserve such personal data where permissible; and (b) traffic data and other processing logs shall be retained for a minimum period of 1 (one) year for forensic and investigative purposes, after which they shall be erased.

13. Your Rights

Subject to applicable law, individuals may have the right to:

• request access to personal data processed by Hyperface;

• request correction or updating of inaccurate or incomplete data;

• request erasure of personal data;

• withdraw consent previously provided;

• request grievance redressal relating to personal data processing;

• nominate another individual to exercise rights on their behalf in accordance with applicable law; and

• exercise such other rights as may be available under applicable law.

• make a complaint to the Data Protection Board of India in accordance with the DPDP Act and DPDP Rules, where a grievance raised with Hyperface has not been satisfactorily resolved.

Requests may be submitted using the contact details provided below. Hyperface shall endeavour to respond to requests within the timelines prescribed under the DPDP Act and DPDP Rules.

14. Recruitment and Career Applications

Where individuals submit applications, resumes, or recruitment-related information to Hyperface, such information may be processed for:

• recruitment evaluation,

• communication regarding employment opportunities,

• candidate assessment,

• background verification processes where applicable, and

• related hiring activities.

Hyperface may retain recruitment-related information for reasonable periods in accordance with applicable legal and business requirements.

15. Public Forums and User Content

Any information voluntarily disclosed by users in publicly accessible areas such as blogs, social media pages, or community forums may be viewed, collected, or used by third parties.

Users are advised not to disclose sensitive or confidential information in publicly accessible areas.

16. Third-Party Websites and Services

Our website may contain links to third-party websites, platforms, or services for convenience or informational purposes.

Hyperface does not control and is not responsible for:

• the privacy practices,

• security standards,

• content, or

• policies

of such third-party websites or services.

Users are encouraged to independently review the privacy policies of such third parties before providing personal data.

17. Children’s Privacy

The Hyperface corporate website is not intended for individuals below the age of 18 years.

Hyperface does not knowingly collect personal data from children. If Hyperface becomes aware that personal data relating to a child has been inadvertently collected, reasonable steps shall be taken to delete such information in accordance with applicable law.In accordance with the DPDP Rules, where personal data of a child (below 18 years of age) is required to be processed, Hyperface shall obtain verifiable consent from the parent or lawful guardian of the child prior to such processing. Hyperface shall implement appropriate technical and organisational measures to verify that the individual providing consent is an identifiable adult, including by reference to reliable identity and age verification means or virtual tokens issued by an authorised entity.

18. Legal Disclosure

Hyperface may disclose personal data where such disclosure is:

• required under applicable law;

• necessary to comply with judicial proceedings, court orders, regulatory directions, or lawful governmental requests;

• necessary to protect the rights, property, security, or legal interests of Hyperface, users, clients, or third parties; or

• necessary to investigate fraud, misuse, unauthorized access, or security incidents.

19. Business Transfers

In the event of a merger, acquisition, restructuring, financing transaction, insolvency proceeding, or sale or transfer of all or part of Hyperface’s business or assets, personal data may be transferred as part of such transaction, subject to applicable legal and confidentiality obligations.

20. Changes to this Privacy Policy

20A. Personal Data Breach Notification

In the event of a personal data breach, Hyperface shall, in accordance with the DPDP Rules: (a) intimate the Data Protection Board of India without delay with a description of the breach, followed by a detailed report within 72 (seventy-two) hours of becoming aware of such breach; (b) intimate each affected Data Principal without delay, providing a description of the breach, its likely consequences, and the measures taken or proposed to address and mitigate such breach; and (c) take such further steps as may be required under applicable law.

Hyperface may update or revise this Privacy Policy from time to time to reflect:

• changes in legal or regulatory requirements;

• operational or business changes;

• technology updates; or

• modifications to our data processing practices.

Any updated version shall become effective upon publication on this page unless otherwise specified.

Users are encouraged to periodically review this Privacy Policy.

21. Contact Details and Grievance Redressal

If you have any questions, concerns, requests, or grievances relating to this Privacy Policy or the processing of personal data, you may contact:

Hyperface Technologies Private Limited
Email: privacy@hyperface.co

Hyperface shall endeavour to address grievances and requests within the timelines prescribed under the DPDP Act and DPDP Rules. Where a grievance is not satisfactorily resolved by Hyperface, the Data Principal may escalate the matter to the Data Protection Board of India through its online portal as prescribed under the DPDP Rules.