Privacy Policy
Corpcash (the “Platform”) is made available by Kalp Digital Infra Private Limited (the “Company”, “we”, “our”, or “us”). We are committed to protecting your privacy. This Privacy Policy explains how personal data is collected, used, shared, and safeguarded when the Platform is made available to you by the Company as part of its closed-loop employee benefit and redemption programme. This Privacy Policy applies to our website, APIs, and mobile applications, and any related services and subdomains (collectively, the “Services”). It is intended to be read together with the Corpcash Terms and Conditions. We process personal data in accordance with applicable Indian data protection laws, including the Digital Personal Data Protection Act, 2023 and applicable rules thereunder (as amended from time to time). By using our Services, you confirm that you have read and understood this Privacy Policy and agree to the data handling practices described in this Policy.
- Definitions
- “Platform” or “Corpcash” means the closed-loop digital employee benefit and redemption system made available by the Company for use by its authorized users.
- “Company” means Kalp Digital Infra Private Limited.
- “Finance/HR Manager” means an Employee of the Company with delegated administrative duties on the Platform (for example, helping to manage Token distribution or approvals under the Organization Admin’s oversight).
- “Employee” means a current employee of the Company (or such other individual authorized by the Company) who is invited/registered to use the Platform.
- “Vendor” means a third-party service provider, contractor or business partner approved by the Company to accept Tokens as internal payment and, where enabled, to request settlement of Tokens through a Cash-Out Request, subject to Company approval.
- “Token” means a closed-loop, contractual unit of account recorded on the Platform and made available by the Company for limited programme purposes. Tokens are not money, legal tender, a deposit, or a stored-value wallet balance, and (for Employees) are not redeemable for cash.
- “Wallet” means the Platform ledger account associated with a User that records Token balance and transaction history.
- “Cash-Out Request” means a request raised by a Vendor through the Platform to redeem a specified Token amount, which is reviewed and either approved or rejected by the Company. Upon approval, the corresponding Tokens are burned/deducted on the Platform and the Company settles the corresponding amount to the Vendor outside the Platform.
- “Intellectual Property” means all proprietary rights in the Platform and its content, including all software, code, designs, text, graphics, logos, trademarks, and related documentation. All such Intellectual Property is owned by the Company or its licensors (including any provided by the Organization, such as its logos). No rights are transferred to Users by virtue of these Terms.
- “Gift Card” means a prepaid gift voucher, gift card, or voucher code that may be made available through the Platform for redemption against the goods/services of a third-party merchant/brand (“Merchant”), and that is fulfilled through the Gift Card Partner and issued by the Merchant (not by the Company).
- “Gift Card Partner” means a third-party fulfilment/reseller partner engaged by the Company to facilitate Gift Card fulfilment, including any replacement/additional partner engaged from time to time.
- “Merchant” means the third-party brand or service provider that issues and honours a Gift Card for redemption of its goods or services. The Merchant determines the applicable Gift Card terms (including validity and redemption rules) and is independent of the Company. The Company does not control, endorse, or assume responsibility for the Merchant’s goods, services, or actions.
Capitalized terms not defined above shall have the meanings given elsewhere in this Policy.
- Scope of this Privacy Policy
- This Privacy Policy applies to personal data collected and processed through the Platform and any associated mobile or web interfaces used by the Company’s authorized employees to access and use the Platform, including to view Token balances and transaction history, to make payments to registered Vendors via QR workflows (where enabled), and to purchase Gift Cards through the Company’s Gift Card Partner (where enabled). This Privacy Policy also applies to personal data processed when the Company onboards or offboards employees, when employees authenticate using one-time passwords (“OTPs”) delivered to registered email addresses, and when employees contact Platform support.
The Company may process Vendor personal data as part of enabling Vendor registration, processing Vendor cash-out requests (where enabled), and facilitating off-Platform settlement by the Company.
- This Privacy Policy does not apply to any websites, applications, or services that are not operated by the Company, even if accessible via links in the Platform. In particular, Gift Cards are issued and governed by third-party merchants/brands and may be fulfilled via third-party partners (including the Company’s Gift Card Partner). Any personal data you provide to, or that is collected by, such third parties is governed by their own privacy notices and terms, and you should review those policies before using their services.
- This Privacy Policy forms part of the documentation governing your use of the Platform alongside the Corpcash Terms and Conditions. In the event of any inconsistency, the Terms govern service use and contractual rights and obligations, and this Privacy Policy governs how personal data is collected and processed, in each case subject to Applicable Law.
- The Platform is intended for use by authorized employees of the Company and is not designed for use by children. You must be at least 18 years of age to use the Platform, unless the Company expressly authorizes a minor in exceptional circumstances and assumes responsibility for such access and supervision. If you believe a minor has been onboarded without appropriate authorization, please notify the Company at care@corpcash.in.
- Identity of the Data Fiduciary
- Data Fiduciary: For the purposes of the Digital Personal Data Protection Act, 2023 and applicable rules thereunder, Kalp Digital Infra is the Data Fiduciary in respect of personal data processed through the Platform, as the Company determines the purposes and means of such processing in connection with operation of the Platform, user access enablement, Token administration, and Vendor settlement workflows (where enabled).
- Data Processors and Independent Processing: The Company may engage third-party service providers to support operation of the Platform, including technology, infrastructure, hosting, security, analytics, and support services. Such service providers act as data processors and process personal data only on the Company’s documented instructions, in accordance with applicable law and contractual arrangements with the Company.
The Company may also process personal data for its own purposes where necessary to comply with Applicable Law, to secure and protect the Platform, to maintain audit and security logs, to prevent fraud and misuse, and to manage service communications, updates, and operational notices relating to the Platform.
- Personal Data We Collect
- Information you provide directly:
- Account and profile data (Employees): name, Company email address, employee identifier, job title/role, and other information necessary for onboarding and account management.
- Vendor and settlement data (Vendors, where enabled): Vendor name, contact details, tax/invoicing information (if collected), information for processing cash-out requests and off-Platform settlement by the Company.
- Communications: information you provide when contacting support, reporting issues, raising requests relating to Gift Cards, or raising a Vendor cash-out request (where enabled).
The Platform is not intended for public posting, messaging, or user-generated content hosting. Please do not input or store any unlawful information, sensitive personal data not required for Platform workflows, or data that infringes third-party rights.
- Information collected automatically:
- Transaction data: Token balances, allocations, payments to Vendors (where enabled), Gift Card purchase details and fulfilment status, cash-out request status and approvals (where enabled), and related transaction references.
- Technical data: IP address, device identifiers, browser type, operating system, timestamps of Platform access and security/audit events.
- Usage data: login frequency, features used, performance and error logs, and diagnostic data used to improve service quality and prevent fraud.
- Information from third parties:
- The Company may receive information from internal Company systems or authorised personnel to manage user access (for example, employment/role status needed for joiner–mover–leaver controls).
- Gift Card Partners and Merchants may share fulfilment status, redemption information, and fraud/risk alerts with the Company for transaction processing, support, and fraud prevention.
- How We Use Your Personal Data
- Service delivery and account management: To create and manage your Platform access, authenticate you via OTP, maintain Token balances and transaction history, process Employee payments to registered Vendors (where enabled), enable Gift Card purchases via the Gift Card Partner (where enabled), and administer Vendor cash-out requests and related off-Platform settlement workflows (where enabled).
- Compliance and security: To operate the Platform securely, detect and prevent fraud and misuse, maintain audit and security logs, enforce our Terms, comply with Applicable Law (including responding to lawful requests by competent authorities), and protect the rights, safety, and integrity of the Company, Users, Vendors, and the Platform.
- Communications and support: To send service and transaction communications (for example, OTPs, payment confirmations, Gift Card codes/links, status updates, and support responses), respond to your enquiries, and provide alerts about policy updates or service changes. We will not send you marketing communications unless you have separately opted in where required.
- Analytics and improvement: To analyse usage and performance trends to improve the Platform, reliability, and security. Where feasible, we use aggregated or de-identified information for analytics and reporting.
- Legal Basis for Processing
The Company processes personal data in accordance with the Digital Personal Data Protection Act, 2023 and applicable rules thereunder. Depending on the context, processing may be carried out based on:
- your consent, including consent obtained through your use of the Platform and/or Company onboarding/offboarding processes; and/or
- permitted grounds under Applicable Law, including processing necessary for providing the Services you request through the Platform, maintaining security, preventing fraud and misuse, record-keeping and audit, and compliance with legal obligations and lawful requests.
The Company may engage third-party service providers as data processors to support the Platform, who process personal data only on the Company’s documented instructions and in accordance with applicable law and contractual safeguards.
- Sharing and Disclosure
- Within the Company: Authorized personnel of the Company may access personal data on a need-to-know basis to administer the Platform, including onboarding/offboarding, Token administration, processing Employee payments to registered Vendors (where enabled), processing Vendor cash-out requests and off-Platform settlement (where enabled), providing support, resolving disputes, and meeting Applicable Law obligations.
- Gift Card Partner and Merchants: When you purchase a Gift Card (where enabled), the Company shares the minimum personal data and transaction information necessary with the relevant Gift Card fulfilment partner and/or the relevant merchant/brand issuer (“Merchant”) to facilitate fulfilment, issue/deliver the Gift Card, record and reconcile the transaction, and provide customer support (for example, name, email address, delivery address (if applicable), Token amount/value, and transaction identifiers). Such parties may process the data for fulfilment, support, fraud prevention, compliance with Applicable Law, and responding to lawful requests by competent authorities, in accordance with their own privacy notices and legal obligations. We require our partners, where contractually applicable, to protect personal data and to process it only for the purposes described above or as required by law.
- Service providers: We engage third-party service providers (for example, cloud hosting providers, OTP/email delivery providers, customer support tools, and security service providers) to operate and support the Platform. These service providers act as data processors, are bound by contractual obligations to protect personal data, and may process personal data only on our documented instructions.
- Regulators and legal requests: We may disclose personal data where required by Applicable Law, court order, or lawful request by a competent authority, or where necessary to protect rights, safety, or property, investigate fraud or security incidents, or enforce our Terms.
- Transfers outside India: The Platform is designed primarily for use in India. Where cross-border transfer of personal data is necessary (for example, use of service providers with infrastructure outside India), we will take reasonable steps to ensure such transfers comply with Applicable Law.
We do not sell or rent personal data. Employees cannot transfer Tokens or personal data to other Employees; permitted Token workflows are defined in the Terms.
- Cookies and Similar Technologies
The Platform may use session cookies, local storage, and similar technologies that are necessary to maintain login sessions, support OTP authentication flows, preserve user preferences, and protect the Platform against fraud and unauthorised access. The Platform is not designed to use cookies for cross-site behavioural advertising or to track Users across third-party websites. Where the Platform integrates services operated by third parties (such as Gift Card fulfilment by a Gift Card Partner or redemption by a Merchant), those third parties may apply their own cookies or similar technologies under their own policies, and the Company does not control such practices. You can control cookies through your browser or device settings; however, disabling strictly necessary cookies or local storage may prevent you from logging in or using certain Platform features reliably.
- Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Privacy Policy and as required by Applicable Law, including accounting, audit, tax, security, dispute management, and enforcement of our Terms. Transaction and accounting records relating to Token issuance and allocation, payments to Vendors (where enabled), Gift Card purchases, and Vendor cash-out requests/approvals (where enabled) are retained for the period required under Applicable Law and internal retention requirements. Security and operational logs are maintained for a reasonable period and may be retained longer where necessary for incident investigation, audit, dispute resolution, or compliance with lawful directions. Account and profile data is retained while you remain an authorised employee User and for a reasonable period thereafter to support offboarding, reversals, and dispute resolution. At the end of the applicable retention period, personal data is securely deleted, anonymised, or archived with access restrictions, subject to lawful holds. After your authorization ends, you may lose access to your Wallet and transaction history, but the Company may retain records as required for legitimate business purposes and legal compliance.
- Security Measures
We implement appropriate technical and organisational security measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access, consistent with Applicable Law. These measures may include encryption of sensitive data in transit and, where appropriate, at rest; authentication using one-time passwords (“OTPs”) delivered to registered email addresses; role-based access controls and least-privilege administration; logging and monitoring; secure development and change-management practices; and periodic security testing. We require our service providers and processors to implement reasonable security controls and to process personal data only on our documented instructions. In the event of a suspected or confirmed personal data breach or cyber security incident affecting the Platform, we will take reasonable steps to contain, assess, and remediate the incident and will comply with applicable reporting and notification obligations under Applicable Law. Users must also protect their access credentials and must promptly notify the Company at care@corpcash.in of any suspected compromise.
- Your Rights
- Access and information: Subject to Applicable Law, you may request from the Company a summary of the personal data processed about you through the Platform and information regarding such processing, including the identities of data processors with whom such personal data has been shared (where required to be provided under Applicable Law). This right is subject to lawful exclusions and limitations, including restrictions under the Digital Personal Data Protection Act, 2023.
- Correction: You may request correction, completion, or updating of your personal data where it is inaccurate, misleading, incomplete, or out of date, in accordance with Applicable Law.
- Erasure: You may request erasure of personal data for which processing is based on consent. Upon receiving a valid request, the Company will erase such personal data unless retention is necessary for the purposes set out in this Privacy Policy or for compliance with Applicable Law (including record-keeping, audit, dispute resolution, security, and legal compliance requirements).
- Withdrawal of consent: Where processing is based on your consent, you may withdraw your consent through Platform features made available to you or through other means described in the notice provided to you. The withdrawal process will be no more burdensome than the process by which consent was provided. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal and may result in suspension or termination of your access to the Platform or to specific features.
- Nomination: You may, in accordance with Applicable Law and the terms of access arranged by the Company, nominate one or more individuals who may, in the event of your death or incapacity, exercise your rights under Applicable Law.
- Grievance redressal and escalation: You may submit a grievance relating to the processing of your personal data or the exercise of your rights by contacting the Company at care@corpcash.in.
To enable us to act on your request, we may verify your identity using reasonable means (for example, confirming control over your registered email address and account identifiers). We will respond to grievances within the timeframe required under Applicable Law and our grievance redressal mechanism. Under the Digital Personal Data Protection Act, 2023, you may be required to exhaust the Company’s grievance redressal process before approaching the Data Protection Board of India.
- Contact, Grievances and Data Protection Officer
- Support Contact: For Platform support (including access issues, OTP issues, and Gift Card-related queries), you may contact the Company at care@corpcash.in.
- Data Protection Officer (Company): For matters relating to this Privacy Policy, your personal data, or to exercise your rights under Applicable Law, you may contact the Company’s designated Privacy/Grievance Officer at care@corpcash.in.
- Privacy Queries, Requests and Complaints: Privacy-related queries, requests (including access/correction/erasure), and complaints may be submitted using the contact details above. We will acknowledge and respond in accordance with Applicable Law. For more information on your rights and the grievance redressal process, see Clause 11 (Your Rights).
- Changes to this Policy
We may amend this Privacy Policy from time to time to reflect changes in Applicable Law, technology, or our Services. If any change materially affects your rights, we will provide reasonable notice through the Platform and/or via email to your registered address, unless a shorter notice period is required for legal, security, or operational reasons. The updated Privacy Policy will be effective from the “Effective Date” stated in the revised policy. Continued use of the Platform after the effective date constitutes acceptance of the updated Privacy Policy.
- Governing Law and Dispute Resolution
This Privacy Policy is governed by the laws of India. Any dispute arising out of or relating to this Privacy Policy shall be resolved in accordance with the governing law and dispute resolution provisions set out in the Corpcash Terms and Conditions.