Privacy Policy
Introduction & Scope
Bridg Financial Technologies Private Limited (“bridg.money”, “we”, “our”, or “us”) is committed to safeguarding the privacy and security of personal, financial, and business data. This Privacy Policy describes how we collect, process, use, disclose, and protect information in compliance with Indian regulations, including the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, RBI Master Directions, PMLA Rules, FIU-IND guidelines, and global best practices. It applies to all visitors, customers, merchants, partners, and users of our website, applications, and services.
Who We Are
bridg.money is a Technology Service Provider (TSP) offering secure and scalable API-based financial infrastructure for payouts, collections, reconciliation, escrow/pooled accounts, and connected banking solutions. We work in close partnership with RBI-licensed banks, card networks, NPCI, and other regulated service providers to deliver compliant and reliable money movement infrastructure.
Applicability & Consent
By accessing or using our platform, services, or website, you consent to the collection and processing of your personal and business information as outlined in this policy. Where required by law, we seek explicit consent and provide clear notice at the point of data collection. You may withdraw consent at any time; however, certain services may not be available without required information. Consent withdrawal is always subject to applicable legal and regulatory requirements.
Data We Collect
- Identity & KYC Information: Name, date of birth, PAN, Aadhaar, passport, voter ID, GSTIN, CIN, registered business details, shareholding patterns, beneficial ownership data, and address proofs.
- Business & Financial Data: Bank account numbers, UPI handles, virtual account identifiers, settlement instructions, and transaction history.
- AML & Screening Data: Results of sanctions checks, Politically Exposed Person (PEP) identification, adverse media scans, and internal blacklist/watchlist screenings.
- Technical Information: Device identifiers, IP address, operating system, browser type, cookies, geolocation (where permitted), and system usage logs.
- Communication Records: Emails, chat records, grievance submissions, call logs, and customer support tickets.
- Third-Party Data: Information shared by partner banks, verification agencies, payment networks, and fraud detection providers.
Purpose of Collection & Use
- To onboard merchants, partners, and customers in compliance with regulatory requirements.
- To perform due diligence, KYC, and AML checks before granting access to services.
- To process payments, settlements, collections, and payouts securely.
- To monitor transactions in real-time for fraud, suspicious activity, and risk management.
- To generate reports, statements, and records required by regulators (RBI, FIU-IND).
- To enhance service performance, improve user experience, and provide customer support.
- To send service-related communications and, with consent, relevant marketing material.
AML & KYC Compliance
- Customer Due Diligence (CDD): We verify the identity of individuals and businesses through official documents, government databases, and third-party verification providers. For businesses, we also verify directors, partners, and beneficial owners.
- Enhanced Due Diligence (EDD): Customers identified as high-risk undergo stricter checks, including deeper financial scrutiny, source of funds verification, and frequent review cycles.
- Sanctions & Screening: Every customer and beneficial owner is screened against OFAC, UN, EU, RBI, and SEBI sanctions lists. We also check against adverse media and PEP lists.
- Transaction Monitoring: We use automated and manual monitoring systems to detect suspicious patterns such as unusual transaction sizes, frequency anomalies, or cross-border risks.
- Regulatory Reporting: We file Suspicious Transaction Reports (STRs), Cash Transaction Reports (CTRs), and other mandated reports to FIU-IND promptly, maintaining strict confidentiality.
- Record Keeping: In compliance with PMLA, we retain transaction records for 10 years and KYC/relationship records for 5 years post account closure.
- Ongoing Compliance: Our AML program includes employee training, regular audits, maker-checker controls, and board-level oversight to ensure adherence to evolving regulations.
Customer Acceptance Policy
- Permitted Customers: Businesses operating in lawful industries such as e-commerce, SaaS, education, healthcare, lending, gig economy, and financial services. These entities must provide complete KYC/KYB documentation.
- Restricted/High-Risk Customers: Entities engaged in cross-border remittances, gaming, or other higher-risk industries are subject to Enhanced Due Diligence and stricter monitoring.
- Prohibited Customers: bridg.money does not onboard entities involved in gambling, pornography, narcotics, arms and ammunition, money mules, shell companies, cryptocurrency exchanges (unless permitted under Indian law), and any activities restricted by RBI or other regulators.
- Risk Categorization: All customers are classified into Low, Medium, or High risk categories based on industry, geography, business model, transaction volume, and ownership. High-risk customers are reviewed more frequently.
- Transparency Requirement: Businesses must have clear ownership structures and lawful sources of funds. Anonymous or fictitious accounts are not permitted.
Data Storage & Security
- All data is encrypted both at rest and in transit using industry-standard protocols.
- Systems are hosted in data centers compliant with RBI’s data localization guidelines.
- Security controls include multi-factor authentication, access logging, firewalls, intrusion detection, and real-time monitoring.
- Incident response procedures are in place, with CERT-In aligned reporting within 6 hours of identifying a breach.
- We periodically undergo independent security audits and assessments (ISO 27001, PCI DSS compliance).
Sharing & Disclosure
- With partner banks, NBFCs, and regulated institutions for processing transactions.
- With KYC/AML verification agencies, fraud detection service providers, and auditors bound by confidentiality.
- With regulators, courts, and law enforcement agencies when legally required.
- With consultants or vendors under strict data processing agreements.
We do not sell or misuse customer data under any circumstances.
International Transfers
Where necessary, data may be transferred outside India to service providers or affiliates. Such transfers are subject to strict contractual safeguards, including Standard Contractual Clauses (SCCs) or equivalent mechanisms, and always in compliance with Indian law, including government restrictions on cross-border transfers.
Data Retention
- Transaction Data: Retained for a minimum of 10 years.
- KYC & Onboarding Data: Retained for 5 years after termination of the business relationship.
- Other Data: Retained only as long as necessary to meet operational, legal, or regulatory obligations.
Cookies & Analytics
We use cookies, tracking pixels, and analytics tools (such as Google Analytics) to improve user experience, analyse traffic, and enhance platform security. Users can control cookie preferences through browser settings. Some cookies are essential for platform functionality and cannot be disabled.
Children’s Data
Our services are intended for businesses and adults. We do not knowingly collect data from children under 18. If we discover such data has been collected inadvertently, we delete it immediately unless retention is legally required. If parental consent is identified as necessary under law, we will ensure appropriate steps are taken.
User Rights
Users and customers have the right to:
- Request access to personal and business data held by us.
- Correct inaccurate or incomplete data.
- Request deletion of data, subject to mandatory legal retention requirements.
- Withdraw consent for optional data processing, including marketing.
- Opt-out of marketing communications via unsubscribe links in emails or by contacting us directly.
- Request data portability where applicable.
- Nominate a representative to exercise rights in case of death or incapacity, as permitted under DPDP Act 2023.
- Raise grievances and seek resolution.
Security Measures
- Encryption protocols, secure storage, and access controls.
- Periodic penetration testing and vulnerability assessments.
- Independent audits and certifications (ISO 27001, PCI DSS).
- Employee training and awareness programs.
- Data breach protocols ensuring timely communication with affected parties and regulators.
Grievance Redressal
We maintain a structured grievance redressal mechanism in line with RBI and IT Act requirements.
Grievance Officer / Data Protection Officer (DPO):
- Email: grievance@bridg.money
- Address: WorkFlo Ranka Junction, Property No. 224, 3rd Floor, #80/3, Vijinapura Village, Old Madras Road, Hobli, Krishnarajapuram, Bengaluru, Karnataka 560016.
Complaints are acknowledged within 48 hours and resolved within 30 days.
Third-Party Links
Our platform may link to external sites. We are not responsible for their privacy practices and recommend users review their policies before engagement.
Policy Updates
We may revise this Privacy Policy from time to time to reflect legal, regulatory, or operational changes. Updated versions will always be published at https://bridg.money/privacy-policy. Users are encouraged to review this page periodically.