We may collect personal and non-personal information about the users. Such information and data may be collected on the basis of the information that Users provide on the Platform or through technologies as more particularly set out in this Privacy Policy.

Please note that the access and use of the Website is restricted for persons above the age of 18 only. The Website and services are not intended for minors and the Company does not target any of its services to minors. The Company does not knowingly collect Personal Information from minors. If you are under the age of 18, please do not register to use the services and do not provide us with any Personal Information.

We collect information about merchants accessing, using or registering on the Website to avail the services. Such information may be collected at the time of accessing the Website, registering or creating an account on the Website or availing any service. At the time of sign up we may collect information pertaining to name, address, mobile number or user's app details. In addition, while undertaking onboarding of merchant, we collect information based on the category of merchants (sole proprietorship/partnership/HUF/private or public company, Trust, society etc.). Such information includes proof of company details (registration details, partnership deed, certificate of incorporation GST details, utility bills etc.), PAN details, bank account details and details of authorised signatory (driving license, passport, Aadhar, Voter ID etc.). Such information may include Personal Information where it is individually or in combination with other information, capable of identifying an individual.

We collect and generate various data points about Customers who access a Merchant website or mobile application where our Payment Services are integrated. Customer here refers to individuals undertaking transactions on the Merchant website with the use of payment aggregation services as provided by the Company. Personal Information we may collect from the Customer is set out herein below:

• Personal details (e.g. name, contact details including, residential address, date of birth, documents such as identity card / passport details / Aadhaar details / PAN / Voter ID / driving license, and/or education details) provided by the User to Us to avail various products/services from Us and for processing the transactions.
• details including transaction history, balances, payment details, for effecting transfer of monies through various payment channels provided by us.
• financial details (e.g. income, expenses, and/or credit history) needed as part of request for some of our products/services;
• images of documents/ photos required to avail any of our products/services.
• voice recordings of our conversations with our customer care agent with you to address your queries/grievances;
• employment details (e.g. occupation, positions held, employment history, salary and/or benefits) as part of our record retention for credit/various product evaluations or required under applicable law including Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
• specimen signature(s) for processing of User instructions received by us through our various payment and delivery channels;
• opinions provided by Use to us by way of feedback or responses to surveys;
• information obtained from User mobile device by way of using our app like device location, communication information including contacts and call logs, device information (including storage, model, mobile network), transactional and promotional SMS/app notifications. Such information is used for preparing reports and analytics for improving services which are rendered to Use.

The Website also recognizes and collects the home server of visitors IP address, URL request, browser type, and date and time of your request. For example, we can tell which Internet Service Provider our visitors use, but not the names, addresses or other information about our visitors that would allow us to identify a particular visitor to our Web Site unless such information is voluntarily provided by the user. We may share non-personally identifiable information (such as referring/exit pages, anonymous usage data, and URLs, platform types, number of clicks, etc.) with interested third parties to help them understand the usage patterns for certain services.

Except in the limited circumstances as set out in this Policy, we do not share any Personal Information without your consent. In various processes / submission of applications / availment of product/service offerings, we even seek your explicit consent of to use / share your Personal Information.

However, we may share limited information as part of our business and operational processes with designated personnel, partners or service providers including group companies on a "need-to-know" basis to perform the various functions including risk analytics, verification and authentication of the information which is submitted including as part of the know your client and anti-money laundering obligations, assessment of Merchant websites, monitoring of transactions on the Merchant website/mobile applications, creation of an account with banks and facility providers providing services, conducting quality assurance testing, providing technical and customer support, providing collection or recovery related services or providing specific services in accordance with your instructions. Third parties are required not to use your Personal Information other than to provide the services.

We may share Customer data with competent/ legal/statutory/regulatory agencies / authorities, banks/financial institutions/card networks /facility providers partners/service providers acting on our behalf (as the case may be) in following cases:

• For enabling provision of the products/services availed by you, strictly on a "need to know" basis and subject to applicable laws;
• Authentication and authorisation of transactions undertaken on the merchant site and processing any requests for chargebacks, refunds etc..
• Where such information is directed or required by legal/regulatory / statutory / governmental authorities under applicable laws/regulations though a legally obligated request.
• Where such information is required by financial institutions to verify, mitigate or prevent fraud or to manage risk or recover funds in accordance with applicable laws/regulations.

We may disclose information in the aggregate to third parties relating to User behaviour in connection with actual or prospective business relationship with those third parties, such as advertisers and content distributors. For example, we may disclose the number of users that have been exposed to, or clicked on, advertising banners.

a. We use Personal Information provided by you in our business activities for providing our products/services or the products / services of our partners and to perform, among other actions, the following:

• to facilitate the transactions or report on these transactions;
• to undertake research and analytics for offering or improving our products/services and their security and service quality;
• to check and process User requirements submitted to us for products/services and/or instructions or requests received from User in respect of these products/services;
• to share with User, updates on changes to the products/services and their terms and conditions;
• to take up or investigate any complaints/claims/disputes including pursuing any collection related activities;
• to respond to User queries or feedback submitted by you;
• to verify User identity for us to provide products/services to the User;
• to carry credit checks, screenings or due diligence checks as lawfully required by us;
• to monitor and review products/services from time to time;
• to undertake financial/regulatory/management reporting, and create and maintain various risk management models;
• for conducting audits and for record keeping purposes;
• for selective offers and promotions.

b. External processing: We may provide User personal information to our affiliates or other trusted businesses or persons or service providers engaged by us, or institutions that partner with to assist Us with providing the User with products/services to better serve needs of the User and interests, based on the instructions of the User and in compliance with Our Privacy Policy and any other appropriate confidentiality and security measures.

c. Our security practices and procedures limit access to personal information on need-only basis.

d. When we dispose of your Personal Information, we use reasonable procedures to erase it or render it unreadable (for example, shredding documents, wiping electronic media or anonymising such information).

e. We also use Personal Information to fulfill the requirements of applicable laws/regulations and/or court orders/regulatory directives received by us.

a. A merchant availing payment aggregation services may delete its Paytm account at any point of time by making such choice in writing to Us. Upon termination of such services, we will discontinue any external processing as mentioned above, except where external processing is required for regulatory reasons. However, we may retain Personal Information of a merchant as long as the purpose for its usage exists, after which the same is disposed off by us except for any record retention required as per applicable law.

b. Please note that we may be required to store transaction logs and data for longer periods post the deletion of an account. Further, in the event of the pendency of any legal/regulatory proceeding or receipt of any legal and/or regulatory direction to that effect, we may retain Personal Information for such longer duration as may be required to ensure compliance with applicable laws.

Without prejudice to anything stated herein and in addition to the disclaimers provided elsewhere in this policy, the users/members by accessing the Website and/or registering on the Website or otherwise using Paytm services specifically acknowledge and understand that whilst the Company shall make all reasonable endeavors to protect and secure the confidentiality of the information provided by the users/members, the Company shall not be liable in the following circumstances (please note that this is not an exhaustive list and the specification of any instances hereinbelow shall be in addition to other defenses which may be available to the Company under applicable laws):

• ) Credit Fraud or other criminal offences committed by any third party with the use of credit cards/debit card etc. or other bank details provided by the members/users which fraud or offence has been committed in spite of the reasonable security measures adopted by the Company as part of its Website infrastructure or where such fraud or criminal offence is committed owing to negligence, acquiescence or connivance or assistance, whether voluntary or involuntary of the user/member.
• Unauthorised Use (i.e. use, reproduction, distribution, disposition, or any other activity, including, without limitation, decompilation, reverse engineering, modification or disassembly etc. without the authorisation from the Company) or Unauthorised access (access, or to attempt to access, or to penetrate, or attempt to penetrate by any third party's computer software or electronic communications system, including, without limitation, hacking, introduction of any virus, malware, spyware, trojans, any intrusion resulting in the corruption or loss of data etc.) of the Website by a user/member or by any third party which may cause any loss or damage to the user/member or the third party where such unauthorized use or access could not be prevented despite reasonable safety precautions undertaken by the Company.
• Disclosure of information by the Company pursuant to any enquiry or notice received from a governmental authority pertaining to the activities of the user/member on the Website.

We may use cookies to improve the quality of services offered on the Website. Please note that a "cookie" is a small piece of information stored by a web server on a web browser so it can be later read back from that browser. We may use cookie and tracking technology depending on the features offered. We may use both session cookies (which expire once you close your browser) and persistent cookies (which stay on your computer until you delete them). Persistent cookies can be removed by following your browser help file directions. If you choose to disable cookies, some areas of Website may not work properly or at all. No Personal information is collected via cookies and other tracking technology; however, if you have previously provided Personal Information, cookies may be tied to such information.

Like most standard websites we may use log files. This includes IP (internet protocol) addresses, browser type, ISP (internet service provider), referring / exit pages, platform type, date / time stamp and number of clicks to analyze trends, administer the Website, track user's movement in the aggregate, and gather broad demographic information for aggregate use. IP addresses, etc. are not linked to personally identifiable information. The same may be used to track the behavior of the customers or identify the area of interest of the customer, which might further be useful for advertisement, promotions etc.

Our website may contain links to other websites which are not maintained by us. This privacy policy only applies to Us. Users are requested to read the other websites' privacy policies when visiting these websites. In addition, Customers undertaking transactions on the Merchant websites/mobile applications are required to read the terms and conditions and privacy policy as available on such sites/application and which govern the use, sharing, collection and dissemination of information on the merchant's sites. Please note that while we require our merchant's to specify terms and conditions and privacy policy on their website, we are not responsible for any misuse of information provided by a Customer on the merchant site.

We have implemented reasonable security practices and procedures that are commensurate with the information assets being protected and with the nature of our business. We take various steps and measures to protect the security of the your Personal Information from misuse, loss, unauthorised access, modification or disclosure. We use latest secure server layers encryption and access control on our systems. Our safety and security processes are audited by a third party cyber security audit agency from time to time.

The policy will be reviewed by us and when required, the same may change at any time. The latest and most updated policy will be found on this page.

While we will make reasonable efforts to keep you posted on any updates to this privacy policy, to make sure that you are aware of any changes, we recommend that you review this policy periodically

Paytm Payments Services Limited (the “Company”) is a public limited company incorporated under the Companies Act, 2013, as amended. The Company is desirous of establishing a Vigil Mechanism/ Whistle Blower Mechanism for directors, employees (and their representative bodies) and Other Persons (as defined below; collectively or individually referred to as “Eligible Person(s)”) to report concerns of unethical behaviour, actual or suspected, fraud or violation of inter-alia the Company’s Code of Conduct (“COC”) or Anti Bribery and Corruption (“ABAC”) Policy.

The Company believes in conducting its business / affairs in a fair and transparent manner, with the highest standards of professionalism, honesty, integrity and ethical behaviour. In pursuit of the same, the Company encourages Eligible Persons to raise genuine concerns about any malpractices in the work place without fear of retaliation and will protect them from victimisation or dismissal.

The Vigil/Whistle Blower Mechanism established by the Company pursuant to this Policy aims to provide a channel to the Eligible Persons to report genuine concerns about unethical behaviour of any employee of the Company or any other matter, who shall promptly report such concerns using the disclosure channels (set out in Section 4 below), as and when he/she becomes aware of any actual or possible violation of the Company’s COC, ABAC Policy or any other instance of misconduct, fraud, or act not in Company’s interest.

The functioning of the Vigil Mechanism/Whistle Blower Mechanism is subject to review by the Audit Committee established by the Board of Directors of the Company (“Board”), and recommendations (if any) made by them shall be implemented by the Company.

In addition to the terms defined in the body of this Policy, the following capitalised terms used in the Policy shall have the meanings ascribed below:

• “Other Persons” means and includes employees/directors of service providers, vendors, business partners, consultants, retainers, trainees or any individual engaged in providing services to the Company and other stakeholders (if any) of the Company.
• “Protected Disclosure” shall mean an oral or written communication of a genuine factual concern (containing as much specific information as possible to allow for proper assessment/investigation) made in good faith, which discloses or demonstrates information that may evidence an unethical or improper activity (as covered under “Scope” of the Policy) with respect to the Company.
• “Subject” means a person or group of persons against whom or in relation to whom a Protected Disclosure is made or evidence gathered during the course of an investigation.
• “Whistle Blower(s)” can be any Eligible Person who makes a Protected Disclosure under this Policy and may also be referred in this Policy as the “Complainant”.

The Policy is in addition to the Code of Conduct and the Anti-Bribery and Anti-Corruption Policy of the Company, and covers disclosures of any unethical, improper behaviour or malpractices and events, which have taken place or suspected to have taken place inter-alia involving:

• Breach of inter-alia Company’s COC, ABAC Policy, the Codes governing disclosure of Unpublished Price Sensitive Information and prohibition of Insider Trading etc.;
• Financial irregularities, including fraud or suspected fraud; forgery; falsification or alteration of documents; manipulation of Company’s data and records; or any other deliberate violation of applicable laws/regulations;
• Gross and/or wilful negligence causing substantial and specific danger to health and safety of Eligibe Persons or to the environment;
• Gross wastage/ misappropriation of Company’s funds and/or assets and/or resources;
• Any incidence of harassment of any employee of the Company based on caste, colour, creed, religion, faith, disability, sexual orientation, national origin, age, marital status, sex, veteran or citizenship or other characteristics protected by law;
• Any other illegal, unethical or improper conduct, of any nature whatsoever.

All Eligible Persons can make Protected Disclosure(s) under the Policy in relation to any matter(s) concerning the Company and/or matters as laid down in above paragraph. Further, the Company has established a separate committee i.e. Internal Complaints Committee pursuant to the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 and any rules made thereunder, each as amended, which is specifically responsible to receive, investigate and conclude complaints pertaining to sexual harassment of women at the workplace.

• Protected Disclosures can be made by Whistle Blower(s) using the following reporting channels:

The Complainant may submit a Protected Disclosure by way of sealed cover mail addressed to Head of Legal at the Corporate Office of the Company, who is authorised by the Audit Committee inter-alia for maintaining and implementing this Policy and receiving Protected Disclosures.

The Head of Legal is authorized to delegate the day-to-day Policy functionalities to specific Company employees, and can be reached at the following coordinates:

Head of Legal, Paytm Payments Services Limited, 8th Floor, Skymark One, Tower-D, Plot No H-10 (B), Sector 98, Noida, Uttar Pradesh 201301; E-mail ID: whistleblower@paytmpayments.com

• All the Protected Disclosures should be reported using the above reporting channel, by the Complainant as soon as possible, preferably not later than 30 days after the concern arises or the Complainant becomes aware of the same.
• A Protected Disclosure against the Head of Legal should be addressed to the Chief Executive Officer. A Protected Disclosure against the Chief Executive Officer should be addressed to the Board of Directors.
• If any Protected Disclosure is received by any executive of the Company, they should report it to the Head of Legal, who shall have the same duly investigated.
• The Company also accepts anonymous complaints; however, the Complainant is encouraged to disclose his/her name and contact details for follow-up discussions and further investigations. It is the responsibility of officer(s) of the Company tasked with receiving and investigating the Protected Disclosures to protect the identity of the Complainant.

• All Protected Disclosures under this Policy will be recorded and thoroughly investigated (by such internal teams as are best suited to conduct the investigation). If necessary, the Head of Legal, with the prior approval/ concurrence of Chief Executive Officer, would be at liberty to engage a suitable external agency.
• The investigation by itself does not tantamount to an accusation and is to be treated as a neutral fact finding process. The Subject shall have a duty to cooperate with the investigators during investigations, to such extent that such cooperation does not compromise the self incrimination protection (to the extent applicable) under applicable laws.
• The identity of the Subject shall be kept confidential to the extent possible, given the legitimate needs of the investigation. The Subject shall be informed of the allegations at the commencement of a formal investigation (unless the circumstances involved and/ or the nature of investigation involved, require that the Subject not be informed of the allegations) and the Subject shall be given an opportunity to explain his/her side in keeping with the principles of natural justice (unless such opportunity to be heard can be dispensed with in accordance with applicable laws). No allegation of wrongdoing against the Subject shall be considered as maintainable unless there is adequate evidence in support of the allegation.
• The Subject(s) shall have a right to be informed of the outcome of the investigation, upon completion of the same.
• The investigation shall normally be completed within 90 days of the receipt of the Protected Disclosure, and the said time period is extendable by the Head of Legal (in consultation with Chief Executive Officer, wherever required).
• Any officer of the Company tasked with investigation pursuant to the Protected Disclosure having any conflict of interest (inter-alia as set out in the Conflict of Interest Policy of the Company) with the matter shall disclose his/her concern forthwith and shall not deal with the matter.
• In case the concern does not fall within the ambit of this Policy, the sender shall be informed that the concern is being forwarded to the appropriate department/authority for further action, as deemed necessary.

If an investigation leads to a conclusion that an improper or unethical act has been committed, the investigation team shall make recommendations for appropriate disciplinary or corrective action as it may deem fit. Any disciplinary or corrective action initiated against the Subject, as a result of the findings of an investigation pursuant to this Policy, shall adhere to the applicable disciplinary procedures established by the Company.

The investigation shall be deemed as closed upon conclusion of the inquiry and implementation of recommended disciplinary action, if any, which may include recovery proceedings, initiation of legal proceedings, or reporting as required by the Company’s policies. A quarterly report of complaints received under the Policy and their outcome shall be placed before the Audit Committee.

The Complainant, Subject, Head of Legal, members of the Audit Committee, every officer of the Company tasked with investigation shall maintain confidentiality of all matters under this Policy; discuss the same only to the extent or with those persons as required under this Policy for completing the process of investigations or as required for the purposes of complying with applicable laws; and keep all related documents/papers in safe custody.

• No unfair treatment will be meted out to / tolerated against a Whistle Blower on account of his/her having reported a Protected Disclosure under this Policy. The Company condemns any kind of discrimination, harassment, victimization, retaliation or any other unfair employment practice being adopted against Whistle Blowers. Complete protection will, therefore, be given to Whistle Blowers against any unfair practice like retaliation, threat or intimidation of termination / suspension of service, disciplinary action, transfer, demotion, refusal of promotion or the like including any direct or indirect use of authority to obstruct the Whistle Blower’s right to continue to perform his duties / functions including making further Protected Disclosure(s).
• The identity of the Whistle Blower shall be kept confidential to the extent possible and permitted under law. Any other employee assisting in the said investigation shall also be protected to the same extent as the Whistle Blower.
• While it will be ensured that genuine Whistle Blowers are accorded complete protection from any kind of unfair treatment, any abuse of the Whistleblower Mechanism will warrant disciplinary action. Protection under this Policy would not mean protection from disciplinary action in accordance with the rules, procedures and policies of the Company arising out of false or bogus allegations made by a Whistle Blower knowing it to be false or bogus or with a mala fide intention. This will also apply to any employees, who make false statements or give false evidence during the investigations.

The Complainant shall have the right to access chairman of the Audit Committee directly in appropriate or exceptional cases, and the chairman of the Audit committee is authorised to prescribe suitable directions in this regard, as may be deemed fit.

The contact details of the Chairman of the Audit Committee are as under:

Chairman of Audit Committee

E-mail ID: chairman.auditcommittee@paytmpayments.com

This Policy shall be published on the intranet and on the website of the Company.

All Protected Disclosures received in writing or documented along with the results of investigation relating thereto, shall be retained by the Company for a period of 8 (eight) years or such other period as specified by any other law in force, whichever is more.

The Company reserves its right to amend or modify this Policy in whole or in part, at any time without assigning any reason whatsoever in accordance with applicable laws.

Anyone who wants to raise grievance relating to this Policy, regarding contents or provisions hereof, should reach out to the Head of Legal at whistleblower@paytmpayments.com