← Back

Privacy Policy

Effective date: 18 May 2026 · Version 1.0.0-beta.1

This Privacy Policy has been prepared in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable guidelines issued by the Reserve Bank of India (RBI), including the Master Direction on Information Technology Framework for the NBFC Sector and the RBI Cyber Security Framework.

This Privacy Policy explains how CapitalXB Financial Services Private Limited ("CapitalXB", "Data Fiduciary", "we", "us", or "our"), CIN: [●], registered at [●], Mumbai, Maharashtra, collects, uses, stores, and protects personal data processed through the CapitalXB Internal Helpdesk ("System"). This Policy applies to all employees, contractors, and other authorised users ("Data Principals", "you") who access the System.

1. Data Fiduciary Details

Attribute	Details
Name	CapitalXB Financial Services Private Limited
Address	[Registered office address]
Contact for privacy matters	helpdesk@capitalxb.com

2. Personal Data We Collect

We collect and process the following categories of personal data when you use the System:

Category	Examples	Source
Identity data	Full name, employee ID, designation, department	Provided by you or HR system
Contact data	Corporate email address, phone number	Provided by you or HR system
Usage data	Login timestamps, IP address, browser/device type, actions taken in the System	Automatically collected
Ticket data	Subject, description, attachments, comments, priority, status, resolution details	Provided by you
Approval data	Approval decisions, comments, timestamps	Provided by you
Authentication data	Microsoft Entra ID (Azure AD) token claims; session identifiers (encrypted)	Microsoft identity platform

We do not intentionally collect sensitive personal data (as defined under the DPDP Act) unless it is voluntarily included in ticket descriptions by the Data Principal. If sensitive data is included, it will be handled with the same controls as other personal data and will not be processed for any purpose other than resolving the relevant ticket.

3. Purpose and Legal Basis for Processing

Purpose	Legal basis (DPDP Act)
Operating and managing internal support tickets	Legitimate use — necessary for employment and internal operations
Assigning and routing tickets to appropriate teams	Legitimate use
Sending email notifications about ticket status	Legitimate use
Processing approval workflows	Legitimate use — compliance with internal governance
Security monitoring and audit logging	Legal obligation — RBI IT Framework, DPDP Act Section 8(5)
Performance monitoring and SLA reporting	Legitimate use

4. Data Storage and Localisation

In compliance with RBI guidelines on data localisation and relevant advisories, all personal data processed through the System is stored exclusively on servers located within the territory of India (AWS Mumbai region, ap-south-1). No personal data is transferred to, or stored in, any server outside India without prior regulatory approval.

File attachments uploaded through the System are stored in an AWS S3 bucket in the Mumbai region, encrypted at rest using AES-256 server-side encryption.

5. Data Retention

Data type	Retention period	Basis
Active ticket data and comments	5 years from ticket closure	RBI record-keeping requirements
Audit logs	5 years	RBI IT Framework — audit trail requirements
File attachments	3 years from ticket closure	Operational necessity
Session data	120 minutes (active session) + 30 days (remember token)	Security requirement
User account data	Duration of employment + 1 year post-termination	Legal obligation

On expiry of the applicable retention period, personal data will be securely deleted or anonymised. Data required to be retained for legal or regulatory proceedings will be preserved for the duration of such proceedings.

6. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We may share personal data with the following categories of recipients:

Internal teams: IT, HR, Finance, Compliance, and other departments as necessary to resolve your ticket or complete an approval workflow.
Microsoft Corporation: For identity authentication via Microsoft Entra ID (Azure AD) and email services via Microsoft Graph API, under Microsoft's applicable data processing terms.
Amazon Web Services (AWS): As cloud infrastructure provider for hosting, storage, and monitoring. AWS processes data as a data processor under a data processing agreement. All data remains in India (AWS Mumbai region).
Laravel Nightwatch: For application performance monitoring. Nightwatch receives anonymised telemetry data only; ticket descriptions and personal identifiers are redacted before transmission.
Regulators and law enforcement: Where required by applicable law, court order, or regulatory direction from RBI or any other competent authority.

7. Rights of Data Principals

Under the DPDP Act, 2023, you have the following rights with respect to your personal data:

Right to access: You may request a summary of personal data we hold about you.
Right to correction: You may request correction of inaccurate or incomplete data.
Right to erasure: You may request erasure of personal data where it is no longer necessary for the purpose for which it was collected, subject to retention obligations under law.
Right to grievance redressal: You may raise a complaint with our Grievance Officer (details in Section 10).
Right to nominate: You may nominate another individual to exercise your data rights in the event of your death or incapacity.

To exercise any of the above rights, submit a written request to the Grievance Officer at the contact details provided in Section 10. We will respond within 30 days of receipt of your request.

8. Security Measures

We implement the following technical and organisational measures in accordance with the RBI Cyber Security Framework and DPDP Act obligations:

HTTPS enforced on all connections; HSTS headers set with 2-year max-age;
Session data encrypted at rest (AES-256) and transmitted only over secure channels;
Role-based access control — users access only data relevant to their role and department;
All privileged operations recorded in a tamper-evident audit log;
Multi-factor authentication available via Microsoft Entra ID SSO;
File attachments stored with server-side encryption (SSE-AES256) in S3;
API access protected by scoped, time-limited Sanctum tokens;
Rate limiting on all endpoints to prevent brute-force and denial-of-service attacks;
Passwords hashed using bcrypt with a work factor of 12.

9. Cookies and Session Data

The System uses strictly necessary session cookies for authentication and CSRF protection. These cookies are:

Encrypted at rest;
Marked HttpOnly and Secure (HTTPS only in production);
Set with SameSite=Strict to prevent cross-site request forgery;
Automatically expired when you log out or after 120 minutes of inactivity.

The System does not use advertising cookies, tracking cookies, or any third-party analytics cookies.

10. Grievance Officer

In accordance with Section 13 of the DPDP Act, 2023, CapitalXB has designated a Grievance Officer for privacy-related matters:

Attribute	Details
Designation	Grievance Officer — Data Privacy
Email	helpdesk@capitalxb.com
Address	[Registered office address], Mumbai, Maharashtra
Response time	Within 30 days of receipt of complaint

If you are not satisfied with our response, you may approach the Data Protection Board of India once constituted under the DPDP Act, 2023.

11. Changes to This Policy

CapitalXB may update this Privacy Policy from time to time. Material changes will be communicated to users via the System or corporate email. Continued use of the System following notification of changes constitutes acceptance of the updated Policy. The current version and effective date are displayed at the top of this page.

12. Governing Law

This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and applicable RBI regulations.