Privacy Policy

    Last updated: February 2025

    1. Introduction & Scope

    Kiranovations Technology Pvt. Ltd. (CIN: U74999HR2020PTC091133), operating under the brand name Crego, ("Company", "we", "us", or "our"), is committed to protecting your privacy.

    This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our mobile application ("App"), website, platform, and related services (collectively, the "Services"). This policy complies with India's Digital Personal Data Protection Act (DPDPA) 2023, Apple App Store Guidelines, and Google Play policies.

    By using our Services, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use our Services.

    2. Definitions

    • "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDPA 2023.
    • "Data Principal" means you, the individual whose personal data is being processed.
    • "Data Fiduciary" means the Company, which determines the purpose and means of processing personal data.
    • "Data Processor" means any entity that processes personal data on behalf of the Data Fiduciary.
    • "Processing" includes collection, recording, storage, retrieval, use, disclosure, sharing, erasure, or destruction of personal data.
    • "Consent" means free, specific, informed, unconditional, and unambiguous indication of your wishes by a clear affirmative action.

    3. Information We Collect

    3.1 Authentication & Identity Data

    • Mobile phone number (for OTP-based login)
    • Email address (for OTP-based login)
    • Username and password (for credential-based login)
    • Full name (first name, last name)

    3.2 Financial & Application Data

    • PAN number (Permanent Account Number)
    • Loan application details
    • Document uploads (identity proofs, address proofs, financial documents)
    • Borrower type, city, state, and pincode

    3.3 Device Permissions & Sensor Data

    • Camera: Selfie capture for identity verification (KYC) and optional liveness detection.
    • Location: GPS coordinates for address verification during loan application.
    • Contacts: Emergency contacts and references for loan applications, accessed only with your explicit consent.
    • Push Notifications: FCM token for receiving transaction alerts and system notifications.

    3.4 Usage & Analytics Data

    • Screen views and navigation patterns
    • App interaction events (taps, form submissions, feature usage)
    • Session duration and app lifecycle events (install, open, close)
    • Device information (model, OS version, screen size)
    • Session replay recordings (user interaction recordings for UX improvement)

    3.5 Diagnostics

    • Crash reports and error logs
    • Performance metrics
    • Network request data

    4. How We Collect Information

    • Directly from you: When you register, log in, submit loan applications, upload documents, or interact with the App.
    • Automatically: Through analytics SDKs, device sensors, and diagnostic tools embedded in the App, as described in Section 7.
    • From third-party services: Identity verification results from eKYC/Video KYC providers (Digio).
    • Device permissions: Camera, location, and contacts are accessed only when you grant explicit permission through your device's operating system. You may revoke these permissions at any time through your device settings.

    5. How We Use Your Information

    We use your personal data strictly for the following purposes:

    • Service delivery: To authenticate your identity, process loan applications, facilitate document verification, and provide platform features.
    • Identity verification (KYC): To verify your identity using camera-based selfie capture, liveness detection, and document verification through our eKYC partner.
    • Address verification: To use foreground location data to verify your address during loan application processes.
    • Communication: To send transaction alerts, system notifications, and service-related communications via push notifications.
    • Analytics & improvement: To understand usage patterns, improve user experience, identify bugs, and optimize App performance. This includes session replay recordings used solely for internal UX improvement.
    • Diagnostics: To detect, diagnose, and resolve technical issues, crashes, and performance problems.
    • Legal compliance: To comply with applicable laws, regulations, and legal processes, including RBI guidelines and DPDPA 2023 requirements.

    We do not use your data for advertising, cross-app tracking, or any purpose other than those listed above.

    6. Session Replay & Screen Recording Disclosure

    Our App uses session replay features provided by Mixpanel and Amplitude that record user interactions within the App. These recordings capture:

    • Touch and tap interactions
    • Screen navigation patterns
    • Form interactions (sensitive fields are masked)
    • Scroll behavior

    Purpose: These recordings are used exclusively for UX optimization and bug identification. They are not used for surveillance, advertising, or profiling.

    Storage: Recordings are stored on Mixpanel and Amplitude servers in accordance with their respective data retention policies.

    Sensitive data protection: Sensitive form fields (passwords, PAN numbers, financial data) are automatically masked in session recordings to prevent exposure of confidential information.

    7. Data Storage & Security

    7.1 Local Storage on Your Device

    Encrypted storage (AES-256):

    • JWT access token (stored in iOS Keychain / Android EncryptedSharedPreferences)
    • JWT refresh token (same encryption)

    Unencrypted local storage (AsyncStorage):

    • Cached user profile data (for offline access)
    • Active assignment/profile selection
    • Language and theme preferences
    • Notification preferences and local notification inbox
    • Onboarding completion status

    7.2 Security Measures

    We implement industry-standard security measures to protect your data:

    • HTTPS/TLS encryption for all API communications
    • AES-256 encryption for sensitive tokens stored on device
    • JWT-based authentication with access and refresh token mechanism
    • Role-based access control (RBAC) on the platform
    • Regular security audits and vulnerability assessments
    • Secure data centers with appropriate physical and logical controls

    8. Data Retention

    We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law:

    Data Category | Retention Period
    Account & identity data | Duration of account + 5 years after deletion
    Financial & loan application data | As required by RBI regulations (minimum 8 years)
    KYC documents | As per RBI KYC norms (minimum 5 years after relationship ends)
    Usage & analytics data | 24 months from collection
    Session replay recordings | As per Mixpanel/Amplitude retention policies (typically 12 months)
    Diagnostic data | 12 months from collection
    Device tokens (FCM) | Until account deletion or token invalidation

    After the retention period expires, data is securely deleted or anonymized in accordance with our data disposal procedures.

    9. Cross-Border Data Transfers

    Some of our third-party service providers (Google, Mixpanel, Amplitude, Segment) are headquartered in the United States. As a result, certain analytics and diagnostic data may be transferred to and processed in servers located outside India.

    We ensure that any cross-border transfer of personal data is conducted in compliance with the DPDPA 2023 and applicable regulations. Data is only transferred to jurisdictions not restricted by the Central Government of India. We implement appropriate contractual safeguards with our service providers to ensure your data is protected to standards equivalent to those required under Indian law.

    10. Your Rights Under DPDPA 2023

    As a Data Principal, you have the following rights under the Digital Personal Data Protection Act, 2023:

    • Right to Access: You may request a summary of your personal data being processed by us and the processing activities undertaken.
    • Right to Correction & Erasure: You may request correction of inaccurate or misleading personal data, completion of incomplete data, or erasure of personal data that is no longer necessary for the purpose for which it was collected.
    • Right to Grievance Redressal: You have the right to have your grievances addressed by our Grievance Officer. If you are not satisfied with the resolution, you may approach the Data Protection Board of India.
    • Right to Nominate: You may nominate an individual to exercise your rights in the event of your death or incapacity.
    • Right to Withdraw Consent: You may withdraw your consent at any time by contacting us at the details provided in Section 14, or through the App's settings. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal. Please note that withdrawing consent for essential services may result in limited or no access to the App.

    To exercise any of these rights, please contact us using the details in Section 14. We will respond to your request within the timeframe prescribed under the DPDPA 2023.

    11. Children's Privacy

    Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected data from a minor, please contact us immediately at the details provided in Section 14.

    12. Cookies & Similar Technologies

    Our mobile App does not use browser cookies. However, our website (crego.ai) may use cookies and similar technologies for essential functionality, analytics, and improving your browsing experience. Third-party analytics services integrated within the App may use device identifiers and similar technologies to collect usage data as described in this policy.

    No tracking across third-party apps or websites: We do not track you across other companies' apps or websites. No App Tracking Transparency (ATT) prompt is required as we do not engage in cross-app tracking. All analytics are used solely for internal product improvement.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We will notify you of any material changes by posting the updated policy on our website and App, along with the updated "Last updated" date. For significant changes, we may also send you a notification through the App or via email.

    We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

    14. Contact Us

    If you have any questions, concerns, or grievances regarding this Privacy Policy or the processing of your personal data, please contact us at:

    Kiranovations Technology Pvt. Ltd.

    SCO 27, AIHP, Highway Side, Sector 32, Gurugram, Haryana 122001

    Email: hello@crego.ai

    Phone: +91 9871 713 175

    We aim to resolve all grievances within 30 days of receipt. If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India as established under the DPDPA 2023.

    15. Consent

    By using our App and Services, you consent to the collection, use, storage, and processing of your personal data as described in this Privacy Policy. This consent is free, specific, informed, and given through a clear affirmative action (i.e., your continued use of the Services after reviewing this policy).

    For specific data processing activities (such as accessing your camera, location, or contacts), separate explicit consent will be sought through your device's permission system at the time of access.

    You may withdraw your consent at any time by contacting us using the details in Section 14 or using the in-app consent management features. Please note that withdrawal of consent may impact your ability to use certain features of the App.

    Your data is never sold to third parties or data brokers.