Switch my loan

Privacy Policy

Switch My Loan Private Limited, having its registered office at 902, Shubh Jeevan Arcade, B wing, Borivali (W), Mumbai 400092, Maharashtra, is the owner of the application Cready (“App”) and the website www.cready.in (“Site”) and hereinafter referred to as ‘Cready’ or ‘the Company’ or ‘us’ or ‘we’ or ‘our’.

Cready maintains the App and the Site for your communication and information. By availing any service/facility being provided by Cready directly or indirectly including by utilising the App or the Site (“Services”), you have agreed to each and all of the terms and conditions of this Privacy Policy as set forth below and waive any right to claim ambiguity or error in the same.

Collection of Information

Cready may collect, store and use information about you when you (a) visit, use, view, and/or otherwise utilise the App/ Site including filling out any form and subscribing to any newsletter and/or (b) fill any loan application form online or otherwise when you apply for a loan via Cready and this loan application form called by whatever name, may be provided directly by Cready or through any sourcing partner of Cready and may or may not specify the name of Cready as the lender and/or (c) through any other modes and includes the information that you submit directly or indirectly to us for availing the Services. Further, the information provided by you may be further utilised to procure more information.

In the course of using this App/ Site or availing the Services, Cready collects various information including your name, address, email address, phone number, date of birth, occupation, financial information (such as income, income sources, bank account details, vehicle details, etc.), biometric information, documents that you provide to us to verify your identity or in terms of KYC requirements (such as copies of your Aadhaar Card, PAN Card, and/or bank statement). Also, once any loan has been granted to you, Cready may from time to time undertake your credit evaluation including taking out your CIBIL Score, statement of accounts etc.

Permissions Used by the App

The Cready App requires the following permissions to provide you with our services:

  • Camera: Used for KYC verification and document capture to verify your identity during the loan application process.
  • Internet: Required to access our services, submit applications, and communicate with our servers.
  • Audio Settings: Used during video KYC or customer support calls.
  • Record Audio: Used during video KYC sessions for identity verification purposes.
  • Biometric/Fingerprint: Used for secure authentication and to protect your account with fingerprint or face recognition.
  • Vibrate: Used to provide haptic feedback for better user experience.
  • System Alert Window: Used to display important notifications and alerts related to your loan application or account.

We do not request or access the following permissions:

  • Location (ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION): We do not track your location.
  • Storage (READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE): We do not access files on your device storage.
  • Media Files (READ_MEDIA_IMAGES, READ_MEDIA_VIDEOS, READ_MEDIA_AUDIO): We do not access your photos, videos, or audio files.
  • Contacts (READ_CONTACTS): We do not access your contact list.
  • Phone Numbers (READ_PHONE_NUMBERS): We do not read your phone numbers.

All document uploads (such as Aadhaar, PAN, bank statements) are captured directly through the third-party API for KYC verification purposes only. We do not access your device's gallery or file system.

We may also collect information about your activity on our Site, which might include:

  • Frequency of visits to our Site;
  • Average length of visits;
  • Pages viewed during a visit;
  • Advertising ID.

We may use various technologies to collect information about your activities on our App/ Site, including Cookies and beacons. By accessing and using the App/ Site, you consent to the storage of cookies, other local storage technologies, beacons and other information on your devices. You also consent to the access of such cookies, local storage technologies, beacons and information by us and by the third parties mentioned herein.

Use of collected Personal Information

  • Responding to your requests for our products and services;
  • To undertake your credit valuation from time to time to ensure due payment of any loan facility granted to you;
  • Responding to your requests for information;
  • Maintaining and managing your account with us;
  • To personalise your experience (your information helps us to better respond to your individual needs);
  • To improve our App/ Site (we continually strive to improve our Site offerings based on the information and feedback we receive from you);
  • To improve customer service (your information helps us to more effectively respond to your customer service requests and support needs);
  • To process transactions and to provide you with transaction and post transaction-related services;
  • For advertising, such as providing customised and personalised advertisements, sponsored content and sending you promotional or marketing communications;
  • To send periodic emails;
  • The email address and phone number you provide may be used to send you information, respond to inquiries, and/or other requests or questions.

Your personal information is being used by automated algorithms only.

In addition, certain information we collect, such as the IP address of any computer or other device that you use to access our App/ Site and any other domains that may be operated by Cready, will be used to monitor and investigate possible violations of and to enforce any terms and conditions associated with our Services or other applicable agreements / contract between you and Cready / any service provider of Cready. By availing any Service, using the App/ Site and / or providing Cready with your information, you consent to the storing of information by Cready.

How We Share Personal Information

Service Providers:

We may disclose your information to companies that provide services for or on behalf of Cready. There are certain third parties that source customers to Cready and directly interact with the customers before introducing them to Cready and such third parties may separately collect information from you which may or may not be shared with Cready.

Group Companies:

Cready may share collected personal information with group companies/ subsidiaries / affiliates with your consent whose products and services we believe you may find of interest. We will not share your personal information with any third parties for the third parties’ marketing purposes, without your consent.

Statutory and other Disclosures:

There may be instances when we disclose your information to other parties (including government/regulatory bodies or agencies):

  • to comply with the law or respond to compulsory legal process or when we believe release is appropriate...
  • for the purposes of verification of identity or for prevention, detection, investigation including cyber incidents...
  • to verify or enforce compliance with the policies governing the Services;
  • to protect the rights, property, or safety of Cready, or any of Cready’s respective affiliates, business partners, or customers or employees.
  • to investigate, prevent, or take other action regarding illegal activity, suspected fraud, or other wrongdoing.

By using Our Services, You agree and consent to our collection, storage, processing and sharing of information (including sensitive personal data or information) about you or your use of Services with third parties or service providers identified above.

Marketing:

Non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

Transactions:

Cready may share personal information in connection with a substantial corporate transaction, such as mergers, acquisition, the sale of its business, a divestiture, consolidation, or asset sale, or in the unlikely event of bankruptcy.

Third Parties:

For our Site users’ convenience, Cready may provide links or otherwise refer you to third parties, such as operators of internet services linked to from our App/ Site, that may collect personal information from you.

If you do not agree to each and all of these terms and conditions, please do not use the App/ Site or avail Services from Cready.

Retain Information

We will retain your information until you revoke your consent. We will fulfil your request subject to any requirement of retaining information as per applicable law.

Changes to your Information

If the information provided by you has changed, then you may update it by contacting us on the details provided below.

Monitoring

All transactions of suspicious nature and/ or any other type of transaction notified under The Prevention of Money-Laundering Act, 2002, shall be reported to the appropriate law enforcement authority.

Proprietary Rights

Cready owns the copyright in all of the information and material contained in this App/ Site.

No Contractual Obligation

Please note that this Privacy Policy does not create any contractual or other legal rights in or on behalf of any party.

Personal Information Protection

Cready shall use commercially reasonable security measures...

Disclaimer and Indemnity

WITHOUT LIMITING THE FOREGOING, EVERYTHING ON THIS SITE, THE CONTENT, SERVICES AND MATERIALS IN THE SITE ARE PROVIDED "AS IS" AND ON AN "AS AVAILABLE" BASIS WITHOUT REPRESENTATIONS OR WARRANTIES...

Account Deletion

When you request account deletion from the App or the web link, all your data will be deleted from Cready.

Incident Management Policy and Procedure

This policy applies to all types of information security incidents occurring within Switch My Loan. This policy is applicable to all employees and related departments and functions that may come across any information security incident.

The purpose of this policy is to define the rules for managing information security incidents which include reporting, categorization, resolution, causal analysis, and planning corrective actions for avoiding recurrence. This document provides details of the processes being followed at Switch My Loan to ensure a prompt and effective response to any information security incident that has the potential to harm the Company.

Terms and Definitions

  • ISG: Information Security Group
  • Information Security: Protection of confidentiality, integrity, and availability of information and information assets.
  • Event: An event is an exception to normal operation.
  • Incident: An incident is an event that indicates a harm or has a high potential to cause harm to the company.
  • Security Event: A security event is a change in the everyday operations of a network or information technology service indicating that a security policy may have been violated or a security safeguard may have failed.
  • Information Security Incident: An information security incident is a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of any information security related policy.
  • Security Breach: A security breach is any incident that results in unauthorized access of data, applications, services, networks, and/or devices by bypassing their underlying security mechanisms. A security breach may be intentional or unintentional.
  • Data Breach: A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. A data breach may be intentional or unintentional.
  • Personal Data Breach: A data breach involving personal data or personally identifiable information of any living person or individual. The personal data breach also includes sharing or disclosure of personal data without the knowledge or consent of the person to whom it belongs.
  • RCCA: Root Cause Corrective Action – Process of conducting causal analysis of any incident to identify the root cause (why the incident occurred) and planning corrective action / preventive action so as to avoid recurrence of the incident.

Incident Handling Team

The team that handles or resolves incidents. Incident Handlers may be:

  • Human Resource for HR-related incidents
  • Admin Team for Physical Security related incidents
  • IT Team for IT related incidents
  • Product Team for Platform related incidents

Responsibilities

The primary ownership of implementing this policy is with the Information Security Group (ISG). All employees of Switch My Loan are responsible for reporting an event and the Incident handling team is responsible for responding to the event.

Policy

  • Appropriate channels for reporting information security events and weaknesses shall be established.
  • All employees and third-party users having access to Switch My Loan's information assets and information processing facilities shall receive adequate information related to reporting information security events and weaknesses.
  • Information security events and incidents shall be reported as early as possible through the appropriate channel so that a quick response can be given by the company and further impacts can be prevented or reduced.
  • All reported information security events and weaknesses shall be assessed by the Information Security Group to determine if they can be classified as information security incidents.
  • All personnel involved in responding to an information security incident shall receive adequate training on procedures for responding to information security incidents.
  • Evidence related to the information security incidents shall be collected and preserved for further analysis or reporting, as necessary.
  • Knowledge gained from analyzing and resolving information security incidents shall be captured and used for reducing the likelihood or impact of future incidents.

Procedure

Reporting an Information Security Event or Weakness

Any detected information security event or weakness shall be reported through any of the following channels:

  • Email: durwang@switchmyloan.in
  • In-person: Durwang Sawant - Business Head - Insta PL & Digital PL

Following details shall be provided to facilitate appropriate analysis and response:

  • Name and contact details of the person reporting the information security event/weakness
  • Date and time of first identification of the event/weakness
  • Information system/information processing facility where the event/weakness is observed
  • Impacts (if known)

Reporting Timeline: All suspected or confirmed information security incidents, including data breaches, shall be reported immediately upon identification and no later than 24 hours from detection. Any delay in reporting must be documented with justification and approved by the Information Security Group.

Analyzing Reported Information Security Events or Weaknesses

The Information Security Group shall assess the reported event/weakness to determine if it can be classified as an information security incident. For each identified information security incident, the Information Security Group shall conduct an impact analysis and document the impact in one of the following categories:

  • High Impact: Incidents that have a monumental/catastrophic impact on the company's business or services to its customers. E.g., Ransomware attack, DDoS attack, compromise of administrative privileges of core business applications, etc. Note: In cases where such high impacting incidents have the potential to cause a complete shutdown/stoppage of the company's business or services to its customers, the Information Security Group may request the Business Continuity Team to initiate the Business Continuity Plan.
  • Medium Impact: Incidents that have a significant impact or have the potential to escalate to a monumental/catastrophic incident. E.g., an in-progress hacking attempt, virus infection detected on a few networked systems, etc.
  • Low Impact: Incidents that are isolated in nature and may not have the potential to affect a significant number of users. E.g., virus infection on an end-user device, suspected or occurred unauthorized entry in the company's facility, etc.

Based on the impact analysis, the Information Security Group shall assign the ticket to the Incident Handling Team with a priority level for the response based on the impact:

  • Priority Level 1: Needs to be responded to immediately (same day).
  • Priority Level 2: Needs to be responded to within 1 (one) business day.
  • Priority Level 3: Needs to be responded to within 3 (three) business days.

Note: Priority Levels are applicable for 'Remediation' only. In any situation, the containment must be done immediately.

Responding to the Information Security Incident

Containment: The Incident Handling Team shall take either of the following containment actions to prevent further damage from occurring:

  • Short-term containment: These are actions to cut off the attack or damage. E.g., isolating a network segment that is under attack or taking down production servers that have been hacked.
  • Long-term containment: These are actions to temporarily fix the issue while working on a permanent solution. E.g., applying temporary fixes to affected systems to allow them to be used in production, while rebuilding a clean system, preparing to bring them online in the recovery stage of the response procedure.

Remediation: Once the incident has been contained, the Incident Handling Team shall take the following steps to remediate the incident:

  • Analysis: The root cause of the incident shall be determined through appropriate investigation of the incident.
  • Eradication: The root cause of the incident shall be addressed through appropriate application of procedural or technical measures.

Recovery: After remediating the incident, the Incident Handling Team shall restore the systems/facilities back to their normal state. For example, a hacked server may undergo clean build, patch management, restoration of configuration and data, etc., and then will get connected back to the network.

Data Breach & Security Incident Management

A data breach refers to any incident involving unauthorized access, disclosure, alteration, loss, or destruction of personal or sensitive information. In the event of a data breach, Cready follows a structured incident management process aligned with its internal information security policies and procedures.

Incident Response Process

  • Identification and Immediate Containment: Upon detection of a suspected or confirmed data breach, immediate steps are taken to contain the incident and prevent further impact. This may include isolating affected systems, restricting access, disabling compromised credentials, or implementing temporary safeguards.
  • Assessment and Classification: The incident is assessed to determine the type of data involved, extent of systems or users affected, and potential risk to customers or business operations. Based on this assessment, the incident is classified according to its impact level.
  • Internal Escalation and Handling: The incident is escalated to appropriate internal teams, including information security, compliance, and senior management, and handled by the designated incident response team.
  • Remediation and Recovery: Corrective actions are taken to address the root cause of the breach, including applying security patches, strengthening controls, removing vulnerabilities, and restoring systems using verified backups.
  • Documentation and Evidence Preservation: All data breach incidents and response actions are documented, and relevant evidence is securely preserved for audit, regulatory, or legal purposes.

Reporting of Security Breach / Incident

  • Regulatory and External Reporting: Where required, confirmed security incidents and data breaches are reported to relevant regulatory bodies and law enforcement agencies in line with applicable laws and guidelines.
  • Customer Notification: In cases where a breach involves personal or sensitive customer information and poses a material risk, affected customers may be notified through appropriate communication channels.
  • Third-Party and Partner Coordination: If the incident involves third-party service providers or partners, Cready coordinates with them to ensure timely investigation, mitigation, and resolution.

Post-Incident Procedures

  • Review: A post-incident review is conducted to evaluate response effectiveness. If gaps are identified, remediation activities are reinitiated.
  • Archival of Evidence: All incident-related evidence is securely backed up to ensure availability for future audits, investigations, or regulatory escalations without tampering.
  • Breach Notification: If customer or personal data is impacted, affected individuals or entities are notified using established breach notification procedures.
  • External Notification and Escalation: Where contractually or legally required, incidents are reported to lenders, customers, and regulatory authorities within mandated timelines.
  • Lessons Learnt: Lessons learned are documented and used to enhance security controls, processes, and preventive measures to avoid recurrence.

Policy Governance and Review

Cready periodically reviews and updates its privacy, security, and incident response practices to ensure continued alignment with internal policies, regulatory requirements, and industry best practices.

Contact Information

In case of any grievance / review of information, you may contact the grievance officer on the coordinates provided below:

Details of Grievance Redressal Officer

Grievance Redressal Officer: Durwang Sawant – Contact no.: 8169890193

Customer Care support: durwang@switchmyloan.in

Shubhjiwan Arcade, A-902, Swami Vivekananda Rd, near Borivali Station, opp. Moksh Plaza, Mhatre Wadi, Borivali West, Mumbai, Maharashtra 400092
