Privacy Policy

Version 1.0 | Effective Date: October 2025
Issued by: Minkville Innoventures Pvt. Ltd.
Registered Office: 102, Thakker Heights, Bhandup Village Road, Nahur West, Mumbai – 400078
Email: support@misscallpay.com
Data Protection Officer: infra@misscallpay.com

1. Introduction

1.1 This Privacy Policy (“Policy”) describes how Minkville Innoventures Pvt. Ltd., operating under the brand name MissCallPay (“MissCallPay”, “Company”, “we”, “our”, or “us”), collects, uses, processes, shares, and protects personal information and sensitive personal data belonging to users of its digital payment products and services.

1.2 MissCallPay operates multiple digital financial platforms designed to make payments inclusive and accessible to every Indian, including:

MissCallPay for Individuals & Service Providers — enabling smartphone-free UPI transactions via UPI-over-Voice;

MissCallPay for Business & Merchants — empowering merchants to accept digital payments and manage collections securely;

MCP Point — the Assisted UPI platform enabling Bank Mitras and Business Correspondents (“BCs/BMs”) to onboard and transact for customers without smartphones or internet.

1.3 This Policy complies with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the RBI’s Master Direction on Digital Payment Security Controls (DPSS.CO.OSD.No.1462/06.08.005/2020-21), and all relevant NPCI UPI Guidelines.

1.4 By using any MissCallPay product or service, you expressly consent to the collection and processing of your personal data in accordance with this Policy.

1.5 This Policy forms part of our Terms of Service and is legally binding on all users, merchants, BCs, agents, and partners who use the MissCallPay ecosystem.

2. Scope and Applicability

2.1 This Policy applies to all individuals and entities who:

Use the MissCallPay website (https://ind.misscallpay.com);

Access MissCallPay through the mobile apps or voice (IVR/UPI123Pay) interface;

Interact with MCP Point or Business dashboards, APIs, or SDK integrations;

Are merchants, BCs, distributors, employees, service providers, or partners involved in transactions processed by MissCallPay.

2.2 This Policy does not apply to third-party platforms or services integrated with MissCallPay unless expressly mentioned. Those services are governed by their own privacy policies.

2.3 All MissCallPay products are designed for users located in India. We process and store data solely within India in accordance with RBI’s data localization directives.

3. Definitions

For clarity and precision, the following definitions apply throughout this Policy:

3.1 “Account” means a unique account created for you to access and use our Service.

3.2 “Applicable Law” means all relevant laws and regulations of India, including the DPDP Act 2023, IT Act 2000, SPDI Rules 2011, RBI, and NPCI guidelines.

3.3 “Consent” means any freely given, specific, informed, and unambiguous indication of the user’s agreement to the processing of their personal data.

3.4 “Controller” refers to Minkville Innoventures Pvt. Ltd., which determines the purpose and means of processing personal data.

3.5 “Data Principal” refers to the individual to whom the personal data relates.

3.6 “Data Fiduciary” means the entity responsible for determining why and how data is processed, equivalent to the Data Controller.

3.7 “Data Processor” refers to third-party entities that process data on behalf of the Data Fiduciary.

3.8 “Personal Data” means any data about an identifiable individual, whether directly or indirectly.

3.9 “Sensitive Personal Data or Information (SPDI)” includes:

• Financial information such as bank account, UPI ID, or card details (limited to what is legally permissible);

• Passwords or authentication factors (except UPI PIN, which MissCallPay never stores or transmits);

• Government identifiers (PAN, Aadhaar, etc.);

• Biometric, audio, or voice data processed for UPI-over-Voice;

• Any other information classified as sensitive under applicable law.

3.10 “Service Providers” means third-party companies or individuals engaged by MissCallPay to perform services such as KYC, IVR/telecom, analytics, hosting, customer support, or settlement processing.

3.11 “UPI123Pay / UPI-over-Voice” means the NPCI-enabled mechanism allowing feature-phone users to perform UPI transactions through IVR calls without internet access.

3.12 “MCP Point” refers to the Assisted UPI solution by MissCallPay used by BCs/BMs for onboarding, UPI facilitation, and bill payments.

3.13 “DID” (Direct Inward Dialing Number) and “TID” (Terminal ID) together form the unique MissCallPay Number used for secure identification of customers in voice-based transactions.

4. Data We Collect

MissCallPay collects information essential to operate its services effectively and lawfully.

4.1 Information Provided by You

When you register, transact, or contact us, we may collect:

• Identity Data: Full name, date of birth, gender, and proof of identity (Aadhaar, PAN, Voter ID, Passport).

• Contact Data: Mobile number, email, address, and telecom operator details.

• Financial Data: Bank account number, IFSC, debit card (last 6 digits + expiry), and UPI ID.

• Business Data (for merchants and BCs): shop name, GST number, license copy, and business address.

• Transaction Data: Payment instructions, timestamps, beneficiary details, amount, and UPI handle.

• Voice Data: Audio or DTMF tones used during UPI-over-Voice transactions.

• Verification Documents: Photos or scanned copies of documents uploaded during KYC or support requests.

• Communication Data: Emails, chats, or calls with MissCallPay’s customer support.

4.2 Information Collected Automatically

During usage, we automatically collect:

• IP address and location metadata;

• Device type, operating system, and unique identifiers (IMEI, ESN);

• Network details (carrier, signal strength, tower ID);

• Transaction reference numbers and session tokens;

• Application usage logs and error diagnostics;

• Cookies and tracking data (as per Section 9).

4.3 Data from Third Parties

We may receive additional data from:

• Banks and NPCI for transaction validation and reconciliation;

• Telecom providers for IVR authentication;

• KYC service providers for verification;

• NBFCs or regulated partners for credit-related services;

• Government databases (e.g., CKYC, UIDAI) where legally permissible.

5. Purpose and Legal Basis of Processing

MissCallPay processes your personal data only for legitimate and clearly defined purposes. Every use of your information is supported by a legal basis under the Digital Personal Data Protection Act, 2023, and other applicable Indian regulations.

Our key purposes include:

Account Creation and Access – We use your personal details to register you as a customer or merchant, verify your identity, and create a secure account.

Legal basis: Contractual necessity.

Transaction Processing and Settlement – We process your information to execute payments, UPI transactions, settlements, refunds, and generate receipts in line with RBI and NPCI regulations.

Legal basis: Legal and regulatory obligation.

Fraud Prevention and Risk Monitoring – Your data helps us detect unauthorized activities, monitor suspicious transactions, and maintain platform integrity.

Legal basis: Legitimate interest and compliance with RBI cyber security guidelines.

KYC and Identity Verification – We collect and validate your identification documents to meet Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements.

Legal basis: Legal and regulatory obligation.

Customer Support and Communication – We may use your contact details to respond to queries, provide transaction updates, send OTPs, and notify you about changes to our terms or services.

Legal basis: Contractual necessity.

Product Development and Analytics – We may use anonymized data to understand service performance, usage trends, and improve reliability.

Legal basis: Legitimate business interest.

Marketing and Promotions – With your explicit consent, we may send special offers, service updates, or feature announcements.

Legal basis: Consent-based processing.

Dispute Resolution and Regulatory Reporting – Information is retained and processed to investigate customer disputes, reconcile accounts, and comply with legal record-keeping requirements.

Legal basis: Legal obligation.

Corporate Governance and Business Continuity – In case of mergers, acquisitions, or restructuring, data may be processed for due diligence, ensuring continuity of service.

Legal basis: Legitimate business interest.

MissCallPay does not engage in automated profiling or decision-making that affects your rights without human intervention.

6. Consent and Withdrawal

6.1 Your consent is obtained through digital acceptance, IVR acknowledgment, or app-based opt-ins before collecting or processing personal data.

6.2 For voice-based transactions, pressing keys or confirming over IVR constitutes valid consent under RBI-approved mechanisms.

6.3 You may withdraw consent anytime by writing to infra@minkville.com

. Withdrawal may limit access to certain features.

6.4 In compliance with DPDP Act, we maintain records of when and how your consent was obtained.

7. Cookies and Tracking

7.1 MissCallPay uses cookies and related technologies to remember preferences, enhance functionality, and measure traffic.

7.2 Types of cookies used:

Essential cookies – for login and transaction continuity.

Analytical cookies – to assess user behavior and performance.

Preference cookies – to store language and accessibility choices.

7.3 You can disable cookies in your browser settings, but doing so may affect service performance.

8. Data Storage and Localization

8.1 All personal and transactional data is processed and stored within India in RBI-compliant data centers located in Mumbai and Hyderabad.

8.2 Data is replicated securely to prevent loss, using AES-256 encryption.

8.3 Backups are maintained with strict retention policies (see Section 13).

8.4 MissCallPay does not transfer or store any user data outside India.

9. Data Sharing and Disclosure

9.1 MissCallPay never sells, rents or leases Personal Data. However, we may lawfully share information under the following circumstances and strict contractual safeguards:

(a) Banks and Regulated Partners

Information is shared with partner banks, NPCI and licensed NBFCs to enable UPI, AEPS or other digital payment processing, settlement, refunds and reconciliations.

(b) Telecom and IVR Service Providers

For UPI-Over-Voice and voice alerts, basic call metadata is shared with licensed telecom operators to initiate and route calls. MissCallPay ensures that no financial credentials are transmitted to these providers.

(c) KYC and Verification Agencies

We engage RBI-approved and UIDAI-licensed entities for identity verification. These entities are bound by data processing agreements that mirror RBI Master Direction requirements.

(d) Technology and Infrastructure Vendors

Cloud-hosting providers, email/SMS gateways and analytics vendors may process limited data on our behalf under confidentiality and security clauses.

(e) Law Enforcement and Regulators

We may disclose data if required by law or court order to RBI, NPCI, FIU-IND, police or tax authorities.

(f) Corporate Reorganisation

In case of merger, sale or acquisition, data may be transferred to the new entity subject to the same privacy commitments.

(g) With User Consent

When you explicitly authorise sharing (e.g., to apply for a loan or link another service).

10. Data Retention and Deletion

MissCallPay retains personal and transactional data only for as long as necessary to fulfil the purposes described above, or as required by RBI, NPCI, or Indian tax and financial laws.

Retention timelines:

• Transaction Records: Retained for a minimum of 10 years from the transaction date to comply with statutory audit, reconciliation, and anti-fraud obligations.

• KYC and Identification Data: Maintained for up to 8 years after account closure, as mandated under the Prevention of Money Laundering Act (PMLA) and RBI Master Directions.

• Voice/IVR Metadata: Stored securely for up to 180 days for dispute resolution and fraud tracking, after which it is automatically deleted unless required for a legal process.

• System and Application Logs: Retained between 12 to 24 months for internal monitoring, troubleshooting, and compliance verification.

• Marketing and Preference Data: Maintained only until you withdraw consent.

Deletion and Anonymization:

• When retention is no longer necessary, data is securely deleted or irreversibly anonymized using industry-standard deletion protocols.

• Backups and audit trails are purged in accordance with approved data destruction cycles.

You may also request deletion of your data (see Section 12 — User Rights).

11. Data Processors and Contractual Safeguards

11.1 Each third-party processor is bound by a written agreement that includes:

• processing only for our documented instructions;

• data confidentiality and use restrictions;

• information-security obligations aligned with ISO 27001;

• breach notification within 72 hours; and

• deletion or return of data upon termination.

11.2 We conduct periodic security audits and vendor risk assessments.

12. User Rights under the DPDP Act 2023

As a Data Principal, you are entitled to the following rights subject to verification and legal exceptions:

12.1 Right to Access

Request confirmation of whether we process your data and obtain a copy of that data.

12.2 Right to Correction

Request rectification of inaccurate or incomplete data.

12.3 Right to Erasure

Request deletion of data no longer necessary or where consent is withdrawn.

12.4 Right to Portability

Request a structured, machine-readable export of your data.

12.5 Right to Grievance Redressal

File complaints regarding our data handling to our DPO and, if unsatisfied, to the Data Protection Board of India (DPB).

12.6 Exercise of Rights

Email infra@minkville.com with proof of identity to submit a request. We will acknowledge within 7 working days and respond within 30 days.

13. Information Security Measures

MissCallPay implements administrative, technical and physical controls consistent with RBI and ISO 27001 standards:

13.1 Encryption & Transmission

• AES-256 encryption for data at rest;

• TLS 1.3 for data in transit;

• UPI PINs never captured or stored.

13.2 Access Controls

• Role-based access for employees;

• Multi-factor authentication for internal systems;

• Principle of least privilege.

13.3 Monitoring & Audits

• 24×7 network monitoring and intrusion detection;

• Quarterly Vulnerability Assessment and Penetration Testing (VAPT);

• Annual third-party security audits.

13.4 Incident Response

• Dedicated Computer Security Incident Response Team (CSIRT);

• Breach notification to affected users and authorities within 72 hours.

13.5 Employee Confidentiality

All personnel sign confidentiality agreements and receive annual training on DPDP compliance.

14. Children’s Data

14.1 Our services are intended for adults (18 years and above). We do not knowingly collect data from minors.

14.2 If a parent or guardian believes a minor’s data has been collected, they should email infra@minkville.com for immediate erasure.

15. Product-Specific Clauses

15.1 MissCallPay for Individuals & Service Providers

Users can initiate and receive payments via UPI 123Pay without smartphones or the internet.

DID and TID act as secure identifiers; they do not expose bank account details.

Voice interactions are processed through NPCI-approved secure IVR systems; no UPI PIN is recorded or transmitted.

15.2 MissCallPay for Business & Merchants

Collect payments through UPI, Cards, EMI, Net Banking, PayPal etc.

Option to receive alerts on up to four mobile numbers and manage Digital Khata and Recurring Payments.

Merchant bank details and settlement preferences are stored securely within India.

15.3 MCP Point (Assisted UPI)

Enables BCs/BMs to facilitate onboarding and transactions for customers without internet or smartphones.

Only non-sensitive card elements (last six digits and expiry) used to trigger OTP for onboarding.

MCP Point transactions occur via UPI Over Voice; PIN entry remains private to the customer.

BCs must comply with RBI Business Correspondent guidelines and cannot store customer credentials.

16. Grievance Redressal Mechanism

Data Protection Officer (DPO):

Minkville Innoventures Pvt. Ltd. (MissCallPay)

Address: 102, Thakker Heights, Bhandup Village Road, Nahur West, Mumbai – 400078

Email: infra@minkville.com

Phone: 9891800800

16.1 The DPO is responsible for addressing privacy-related concerns, breach notifications and DPDP compliance.

16.2 Complaints will be acknowledged within 7 working days and resolved within 30 days.

16.3 If unsatisfied, users may escalate to the Data Protection Board of India (DPB) or the RBI Ombudsman for payment-related issues.

17. Changes to this Policy

17.1 We may update this Policy to reflect changes in law or technology. Any material changes will be communicated via email or notice on our website.

17.2 The “Last Updated” date at the top will indicate the current version. Continued use of the Service constitutes acceptance of the revised Policy.

18. Governing Law and Jurisdiction

This Policy is governed by the laws of India. Any dispute arising under this Policy shall be subject to the exclusive jurisdiction of the courts of Ahmedabad, Gujarat.

19. Annex A — Summary of Technical Controls

MissCallPay employs a layered security framework based on ISO 27001, RBI’s Cyber Security Framework for Payment Systems, and NPCI UPI guidelines. These controls are regularly reviewed and enhanced through periodic audits.

Key Security Measures Include:

Network and Infrastructure Security:

• Firewalls, intrusion detection, DDoS mitigation, and network segmentation across all environments.

• Data centers located exclusively in India with physical access restricted to authorized personnel.

Encryption and Data Protection:

• AES-256 encryption for all stored data, including logs and KYC files.

• TLS 1.3 encryption for all data in transit, including IVR, app, and dashboard communications.

• UPI PINs are never captured, stored, or processed by MissCallPay at any stage.

Access Governance:

• Role-Based Access Control (RBAC) with Multi-Factor Authentication (MFA).

• Strict adherence to the Principle of Least Privilege for all employees and service providers.

• Access reviews conducted quarterly and revoked upon role change or exit.

Application and Development Security:

• Secure Software Development Life Cycle (SDLC) practices, including code review, threat modelling, and OWASP validation.

• Regular vulnerability scans and penetration testing by certified auditors.

• Digital code signing for deployed builds to prevent tampering.

Incident Response and Monitoring:

• 24×7 continuous monitoring with automated alerts for anomalies or breaches.

• Computer Security Incident Response Team (CSIRT) established with defined escalation matrix.

• Any data breach or unauthorized access is reported to the Data Protection Officer and relevant authorities within 72 hours.

Vendor and Third-Party Risk Management:

All vendors undergo security due diligence and sign binding confidentiality agreements.

Vendors are required to meet or exceed MissCallPay’s own security standards.

Annual audits are conducted for critical service providers such as cloud and IVR partners.

Employee Confidentiality and Awareness:

All employees undergo background verification before onboarding.

Mandatory annual training on data privacy, RBI guidelines, and phishing awareness.

Strict disciplinary action for violations of data-handling protocols.

Audit and Compliance Oversight:

Annual audits conducted by independent security assessors under RBI and ISO frameworks.

Continuous compliance tracking for RBI’s Master Directions on Digital Payment Security Controls (DPSS 2020).

Data Backup and Disaster Recovery:

• Redundant data backups across multiple secure locations within India.

• Disaster Recovery (DR) drills conducted quarterly to ensure business continuity.

Periodic Security Reviews:

• Regular vulnerability scanning, code review, and simulated cyberattack testing.

• Security policies reviewed semi-annually by the DPO and compliance committee.

20. Annex B — Contact Points

Customer Support: support@misscallpay.com

Grievance Redressal: infra@minkville.com

Legal Notices: legal@minkville.com

Corporate Office: 102, Thakker Heights, Bhandup Village Road, Nahur West, Mumbai – 400078

21. Disclaimer

While MissCallPay follows industry-leading security practices, no electronic storage or transmission method is 100% secure. We shall not be liable for any unforeseeable breach beyond our reasonable control.