CSAPay ← Back to Home
Privacy Commitment

Privacy Policy

Last updated: April 27, 2026

1. Overview

CSAPay respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our payment services, website, APIs, or mobile applications (collectively, the "Services").

We comply with applicable Indian data protection laws, including the Digital Personal Data Protection Act, 2023, and RBI guidelines for payment system operators.

2. Data We Collect

2.1 Information You Provide

  • Business Information: Legal name, GSTIN, PAN, business address, contact details
  • Bank Details: Account number, IFSC code, bank name for settlement
  • Authentication Data: Email, phone number, API keys, passwords (hashed)
  • Transaction Data: Payment amounts, timestamps, UPI transaction IDs, customer references
  • Support Communications: Emails, chat logs, ticket details when you contact us

2.2 Information Collected Automatically

  • Technical Logs: IP address, device type, browser, OS, API request timestamps
  • Usage Analytics: Feature usage, error rates, performance metrics (aggregated)
  • Security Data: Failed login attempts, suspicious activity patterns

2.3 What We Do NOT Collect

  • Customer UPI PINs, passwords, or biometric data
  • Full bank account details of your end customers
  • Personal messages or content of transactions beyond necessary metadata

3. How We Use Your Data

We process your data for the following lawful purposes:

  • Service Delivery: Process payments, generate QR codes, send webhooks, settle funds
  • Account Management: Verify identity, manage subscriptions, provide support
  • Security & Fraud Prevention: Detect anomalies, prevent unauthorized access, comply with RBI directives
  • Legal Compliance: Maintain records for tax authorities, respond to lawful requests
  • Service Improvement: Analyze usage patterns to enhance features (using aggregated/anonymized data)
  • Communications: Send transaction alerts, policy updates, or service notices (you can opt out of marketing)

4. Data Sharing & Disclosure

We do not sell your personal data. We may share information only in these circumstances:

4.1 Essential Service Providers

  • NPCI & Banks: Transaction data required for UPI processing and settlement
  • Cloud Infrastructure: Encrypted data stored on AWS/Azure data centers in India
  • Analytics & Monitoring: Aggregated, non-personal metrics for performance tracking

4.2 Legal Requirements

We may disclose data if required by law, court order, or regulatory request from RBI, CERT-In, or other competent Indian authorities. We will notify you unless legally prohibited.

4.3 Business Transfers

In case of merger, acquisition, or asset sale, user data may be transferred subject to confidentiality obligations and notice to affected users.

5. Data Security

We implement industry-standard safeguards:

  • End-to-end TLS 1.3 encryption for data in transit
  • AES-256 encryption for sensitive data at rest
  • Regular security audits, penetration testing, and vulnerability assessments
  • Role-based access controls and multi-factor authentication for internal systems
  • Employee training on data protection and confidentiality

While we strive to protect your data, no system is 100% secure. Report suspected breaches to security@csapay.in.

6. Data Retention

We retain your data only as long as necessary:

  • Active Accounts: Data retained while your account is active
  • Closed Accounts: Transaction records retained for 7 years per RBI guidelines; other data deleted within 90 days
  • Logs: Security and access logs retained for 180 days for audit purposes

You may request deletion of non-mandatory data by emailing privacy@csapay.in.

7. Your Rights & Choices

Under Indian data protection law, you have the right to:

  • Access: Request a copy of your personal data we hold
  • Correction: Update inaccurate or incomplete information via your dashboard
  • Deletion: Request erasure of non-essential data (subject to legal retention requirements)
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Opt out of non-essential processing (e.g., marketing communications)

To exercise these rights, contact privacy@csapay.in. We respond within 30 days.

8. Cookies & Tracking Technologies

Our website uses cookies for:

  • Essential: Session management, security, dashboard functionality (cannot be disabled)
  • Analytics: Understanding feature usage via anonymized metrics (Google Analytics with IP anonymization)
  • Preferences: Remembering language, theme, or dashboard layout choices

You can manage cookies via browser settings. Disabling essential cookies may break dashboard functionality.

9. International Data Transfers

CSAPay is an Indian company. All primary data processing occurs on servers located in India. If any data is transferred outside India (e.g., for global support tools), we ensure:

  • Compliance with RBI data localization guidelines for payment system data
  • Standard contractual clauses or adequacy decisions for any cross-border transfers
  • Encryption and access controls equivalent to Indian standards

10. Children's Privacy

Our Services are intended for businesses and individuals aged 18+. We do not knowingly collect data from children under 18. If we learn of such collection, we will delete the data promptly. Contact us if you believe a child has provided information.

11. Policy Updates

We may update this Privacy Policy to reflect changes in law, technology, or our practices. Material changes will be notified via email or dashboard notice at least 15 days before effectiveness. Continued use after changes constitutes acceptance. Check the "Last updated" date at the top of this page.

Contact Our Privacy Team

Questions, requests, or concerns about this policy?