Privacy Policy — ai paymoney (Instilx Technology Private Limited)
Last Updated: 01 February 2026
This Privacy Policy (“Policy”) explains how Instilx Technology Private Limited (CIN: U62099MH2024PTC417654) having its registered office at VO-824, WeWork Vaswani Chambers, Worli, Mumbai - 400030, Maharashtra, India (hereinafter referred to as “Instilx”, “Company”, “we”, “us”, “our”) collects, uses, discloses, processes, stores, shares, and protects information in connection with the ai paymoney web portal available at https://aipaymoney.instilx.com and related websites, dashboards, tools, and services (collectively, the “Portal”).
This Policy applies to:
- merchants/partners onboarded on the Portal including Super Distributors, Distributors, and Retailers (“Merchant”, “you”, “your”); and
- where applicable, information relating to end customers / walk-in customers serviced by Retailers (“Customers”), to the extent such information is processed by us or our partners for transaction enablement, compliance, and dispute handling.
By accessing or using the Portal, submitting information, or onboarding as a Merchant, you acknowledge that you have read and understood this Policy and you consent to the processing described herein. If you do not agree, do not access or use the Portal.
1. IMPORTANT NOTES
- Commercial Portal: ai paymoney is a B2B portal for merchants and merchant networks to offer services such as BBPS/bill payments, recharge, DMT, AePS/MicroATM (if enabled), QR/UPI acceptance (if enabled), travel (if enabled), and vendor payments/vendor payout service (vendor payments only), and related platform features.
- Partner / Network Dependency: Many services are enabled using third-party banks, regulated entities, payment system operators, networks, and aggregators (“Third-Party Partners”). Data must be shared with such partners to provide the Portal and services.
- Mandatory Processing: Certain data processing is mandatory for onboarding and continued access (e.g., KYC, risk checks, fraud monitoring, transaction logs). If you refuse required data, we may not be able to onboard you or continue providing services.
- Legal and Compliance Priority: We may share data with law enforcement, regulators, and authorities where required or where we believe in good faith that disclosure is necessary to comply with law, protect the Company, users, partners, or the public, prevent fraud, or enforce our agreements.
2. DEFINITIONS
- “Personal Data” means information that relates to an identified or identifiable individual (e.g., name, phone, Aadhaar/PAN where applicable, address, ID information, selfie).
- “Business Data” means information related to a business/entity (e.g., firm name, incorporation documents, GST where applicable, business address, shop photos).
- “Transaction Data” means logs and details of transactions and events performed on the Portal (e.g., amounts, status, timestamps, identifiers such as RRN/UTR/transaction ID where applicable).
- “Sensitive Information” includes passwords, authentication data, financial account details, and identity documents; and may include other data treated as sensitive under Applicable Law.
- “Applicable Law” includes laws, rules, circulars, and directions applicable in India, including those issued by regulators and networks such as RBI/NPCI/BBPS/UIDAI where relevant.
3. INFORMATION WE COLLECT
We may collect information directly from you, from your use of the Portal, from your downline (if you operate a hierarchy), from your devices, from Third-Party Partners, and from publicly available or lawful sources.
3.1 Merchant Onboarding and KYC / KYB Information
To onboard and verify Merchants and their outlets, we may collect and process:
- Identity information: name, date of birth, gender (if provided/required), photo, signature (if provided/required), PAN, Aadhaar or other identity documents as required by partners or Applicable Law (Aadhaar may be collected only where permitted/required and in the manner required by applicable norms).
- Business information (KYB): entity type, business name, registration details (e.g., incorporation/partnership deed/udyam/shop & establishment or equivalent), business address, nature of business, outlet details, authorized signatory details.
- Banking and settlement information: bank account details, IFSC, beneficiary/account verification details, cancelled cheque, bank proof as required for settlements.
- Contact information: phone number(s), email address, communication address.
- Outlet verification: shop photo(s), signage photo(s), interior/exterior pictures, location pin/address confirmation, and other verification artifacts.
- Authorized signatory details: designation, authorization letter/board resolution (if applicable), KYC of signatory where required.
3.2 Transaction and Service Usage Information
When you use the Portal or services (including through your downline), we may collect:
- transaction requests, transaction identifiers, timestamps, amount, service type, beneficiary details where required, status, reversals/refunds, receipts generated, and associated metadata;
- ledger entries, wallet/float movements, commissions and overrides allocation records, and settlement records;
- dispute/complaint details, supporting documents, and resolution steps.
3.3 Device, Technical, and Usage Information
We may automatically collect technical and usage information, including:
- device identifiers, device model, OS version, browser type/version, language, time zone, screen resolution, app/portal version (if applicable), cookies, local storage identifiers;
- IP address, approximate location derived from IP, network information, referral URLs, pages viewed, clicks, session durations, error logs, crash logs;
- security and risk signals (e.g., unusual activity indicators, velocity patterns, failed logins, device fingerprinting signals).
3.4 Location Information (If Collected)
We may collect location information where:
- required for outlet verification and risk controls;
- captured by the Portal during onboarding or verification flows; and/or
- provided by you.
Location data may include GPS coordinates (if captured), approximate location, or address-based location.
3.5 Communications
We may record and store:
- emails, tickets, chats, and communications with our support teams;
- calls, where recording is permitted by Applicable Law, for quality, training, compliance, dispute resolution, and fraud prevention;
- notices and acknowledgements sent and received.
3.6 Downline Information (Hierarchy)
If you are a Super Distributor or Distributor managing a downline, we may collect and process:
- onboarding, KYC/KYB, and transaction information of your downline participants (Retailers/Distributors), and information required to allocate commissions and manage risk/compliance.
You acknowledge you are responsible for ensuring that you have the necessary rights and consents to provide downline information to us.
3.7 Information from Third-Party Partners and Verification Sources
We may receive information from Third-Party Partners, verification service providers, and lawful sources, such as:
- account verification responses, KYC/KYB verification outcomes, risk signals, chargeback/dispute statuses, bank network responses, and compliance flags.
3.8 Cookies and Similar Technologies
We use cookies and similar technologies to operate the Portal, remember sessions, improve performance, reduce fraud, and understand usage. You may be able to control cookies through browser settings, but disabling cookies may limit functionality.
4. HOW WE USE INFORMATION
We use collected information for the following purposes:
- Onboarding and account administration: create accounts, verify identity/business, activate services, maintain merchant profiles, manage hierarchy.
- Service enablement and processing: execute transactions, generate receipts, maintain transaction history, manage wallet/float and settlements, allocate commissions/overrides.
- Risk, fraud prevention, and security: detect, investigate, prevent, and respond to fraud, abuse, security incidents, and suspicious activity; enforce restrictions and limits; protect the Portal and users.
- Compliance and legal obligations: comply with Applicable Law, partner rules, audits, regulatory requests, law enforcement requests, and internal governance.
- Customer support and dispute handling: respond to queries, investigate disputes, process reversals/refunds/chargebacks where applicable, and resolve complaints.
- Analytics and improvements: monitor performance, improve features, troubleshoot, fix bugs, conduct internal analysis, and develop new functionality (without making nonsense claims).
- Communications: send service alerts, OTPs, receipts, policy updates, administrative notices, and support communications.
- Enforcement of agreements: enforce Terms/Policies/MSA, detect violations, recover losses, withhold settlements where permitted, and take action as required.
- Business operations: internal audits, training, quality assurance, record-keeping, reporting, and business continuity.
We may process information using automated systems and may generate risk scores or flags based on transaction patterns and security signals.
5. LEGAL BASIS / GROUNDS FOR PROCESSING
We process information on one or more of the following grounds:
- Contractual necessity: to provide the Portal and services and to perform our agreements with you.
- Consent: where we obtain consent (including your acceptance of this Policy and any explicit consents captured on the Portal).
- Legal obligation: to comply with Applicable Law, regulatory directions, and lawful requests.
- Legitimate interests: to secure the Portal, prevent fraud, manage risk, improve services, and protect our rights, users, and partners, to the extent permitted by Applicable Law.
6. DISCLOSURE / SHARING OF INFORMATION
We may share information as follows:
6.1 With Third-Party Partners (Service Enablement)
We may share Merchant and Transaction Data with banks, regulated entities, networks, aggregators, payment system operators, biller systems, travel partners, verification providers, and other Third-Party Partners as required to:
- enable, process, and complete services;
- manage disputes, reversals, refunds, and reconciliations;
- comply with partner rules and audits; and
- manage fraud and risk controls.
6.2 With Service Providers and Contractors
We may share data with vendors that provide services such as hosting, analytics, monitoring, customer support tools, verification, communications (SMS/email), and security services, under contractual confidentiality and security obligations.
6.3 With Authorities / Legal Disclosures
We may disclose data to government authorities, regulators, courts, law enforcement, and other competent bodies:
- when required by law, regulation, court order, or lawful request;
- when necessary to prevent fraud or illegal activity;
- when necessary to protect the Company, Merchants, Customers, partners, and the public;
- for investigations, audits, and compliance reporting.
6.4 Within the Merchant Hierarchy (Commission and Operations)
If you participate in a Hierarchy, certain information may be visible to upstream roles (e.g., Distributor/Super Distributor) for operational needs such as network management, performance, settlement summaries, and commission allocation. We control the data visibility and may change it for security and compliance.
6.5 Business Transfers
If we undergo a merger, acquisition, reorganization, financing, or sale of assets, we may transfer information as part of such transaction, subject to confidentiality and lawful requirements.
6.6 No Sale of Personal Data for Unrelated Advertising
We do not sell Personal Data for unrelated third-party advertising. We may conduct business communications related to the Portal and services.
7. DATA RETENTION
We retain information as long as necessary for:
- providing services and managing accounts;
- compliance, audit, legal defense, dispute resolution, and investigations; and
- enforcement of agreements and risk controls.
Transaction records and compliance-related information may need to be retained for extended periods as required by Applicable Law, partner rules, and audit requirements. You acknowledge that deletion of certain records may not be possible due to legal and compliance obligations.
8. SECURITY MEASURES
We implement commercially reasonable security practices designed to protect information, which may include:
- encryption in transit (e.g., TLS/SSL) and access controls;
- role-based access control (RBAC) for internal systems;
- monitoring and logging for security events;
- periodic reviews and risk controls.
However, no system is completely secure. You are responsible for maintaining the security of your devices, credentials, OTP access, and for preventing unauthorized access by staff and downline.
9. MERCHANT RESPONSIBILITIES
You agree that you will:
- provide accurate and lawful information and update it when changes occur;
- obtain all necessary consents and authorizations from your staff, downline, and Customers (where applicable) for information you submit to the Portal;
- secure your credentials, devices, and customer-facing processes;
- not store biometric data locally or in any form on your systems where prohibited;
- not misuse the Portal or attempt to bypass security controls.
10. CUSTOMER DATA (WALK-IN CUSTOMERS)
Retailers may process walk-in customer transactions. You acknowledge that:
- Customer information may be required for processing transactions, compliance checks, dispute handling, and reconciliation;
- Customer information may be shared with Third-Party Partners and authorities as required;
- you are responsible for lawful collection and disclosure of Customer information at your outlet and for providing receipts/acknowledgements and appropriate disclosures as required by Applicable Law and partner rules.
11. CROSS-BORDER TRANSFERS AND DATA LOCALIZATION
We endeavor to store and process relevant data in India, and may prioritize India-based infrastructure. However, some service providers or tools may process limited technical/operational data outside India for hosting, monitoring, or communications, subject to contractual protections and Applicable Law. Where data localization requirements apply, we comply to the extent required by Applicable Law and partner mandates.
12. YOUR CHOICES AND RIGHTS
Subject to Applicable Law, you may:
- request access to or correction of certain account data;
- update certain data through the Portal;
- request support for issues using contact channels.
We may refuse requests that:
- conflict with legal/compliance obligations;
- would compromise security, fraud prevention, or investigations; or
- require deletion of records that must be retained.
13. CHILDREN
The Portal is intended for business users and is not directed to children. Do not submit children's data through the Portal unless explicitly required by a service workflow and permitted by Applicable Law.
14. CHANGES TO THIS POLICY
We may update this Policy from time to time. The updated Policy will be posted on the Portal/website and will become effective upon posting (or as stated). Continued use of the Portal after updates constitutes acceptance.
15. CONTACT AND GRIEVANCE
For privacy-related queries, data correction requests, or concerns, you may contact us:
Company: Instilx Technology Private Limited
Email: business@instilx.com
Registered Office: VO-824, WeWork Vaswani Chambers, Worli, Mumbai - 400030, Maharashtra, India
16. GOVERNING LAW
This Policy shall be governed by and construed in accordance with the laws of India. Any disputes relating to this Policy shall be subject to the exclusive jurisdiction of courts at Mumbai, Maharashtra, India, subject to any arbitration clause agreed separately in the Merchant Master Services Agreement.