WHAT KIND OF PERSONAL INFORMATION DO WE COLLECT?
platform, website or landing page, when your organisation registers as member of our
platform and when we provide services to your organisation through our platform, website
or landing page.
It describes how we collect, use and process your personal data, and how, in doing so, we
comply with our legal obligations to you. Your privacy is important to us, and we are
committed to protecting and safeguarding your rights.
For the purpose of applicable data protection legislation (including but not limited to the
General Data Protection Regulation 1 (Regulation (EU) 2016/679) (the "GDPR") and the
Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011 (the ‘Sensitive Information Rules’) the
company responsible for your personal data ("CreditEnable" or "us") is Oktober6 Insight
Private Limited I 175, Metro Estate, Kagalwala House, C-East, CST Road Kalina, Bandra
Kurla Complex, Santacruz East, Mumbai, - 400098, India, with trading offices at 1902,
Tower-B Peninsula Business Park, GK Marg, Lower Parel, Mumbai, 400013.
- provides you with details of the SPDI that we may need to collect from you
(including the purpose of the collection, the intended recipients of it and associated
contact details); and
- seeks your consent in relation to the collection of SPDI for the purposes set out in
please contact CreditEnable (email@example.com). If you agree to provide your consent
to the collection and use of SPDI as set out then please provide your consent by accepting
If you do not agree to provide your consent, CreditEnable may not be in a position to
process your loan application.
stay up-to-date as we will post any changes here. If you are dissatisfied with any aspect of
If your organisation registers to use the Services provided on our platform, we need to collect and
use information about you or individuals at your organisation in relation to your loan application, in
the course of providing you with our Services. This information is likely to include information which
is classified as Sensitive Personal Data or Information (‘SPDI’) under the Sensitive Information
Depending on the relevant circumstances, we may collect some or all of the information listed
below to help us with this:
HOW DO WE COLLECT YOUR PERSONAL DATA?
- Names of directors, executives or founders of your organisation;
- Business activities of directors, executives or founders at your organisation;
- Login details;
- Your name;
- Your telephone number;
- Your email address;
- IP address;
- KYC documents;
- Income tax filings;
- Goods and services tax (GST) filings;
- Financial accounts;
- Bank statements; and
- CIBIL score (if available).
We collect your personal data in three primary ways:
- Personal data that you give to us;
- Personal data that we receive from other sources; and
- Personal information we collect automatically.
Personal data you give to us
- Where your organisation registers with our platform;
- Where your organisation uploads information about itself to our platform or.
Personal data we receive from other sources
- We may seek more information about your organisation from other sources generally by
way of due diligence or other market intelligence including research and analysis of the
filed accounts of your organisation.
Personal data we collect automatically
WHY WE USE YOUR PERSONAL DATA?
- When you visit our platform, we collect technical information, including the Internet protocol
(IP) address used to connect your computer to the Internet, your login information, browser
type and version, time zone setting, browser plug-in types and versions, operating system
We collect and use your personal data for a number of reasons, including:
WHO DO WE SHARE YOUR PERSONAL DATA WITH?
- To carry out our obligations to you as a result of any contract entered into between us and
you or your organisation.
- To enable us to provide the analysis and reports requested by you or your organisation.
- To verify your identity to ensure that you are authorised to access the platform and to
protect against unauthorised use and access of the platform.
- To better understand your preferences to enable us to provide you with a better service
and tailored suggestions for your lending or financing needs.
- To improve your experience of using our platform, for example by analysing your recent
search criteria to help us to present the information that is most relevant to you.
- To notify you about changes to the products and services that we offer and to directly
market these products and services to you. We may periodically send promotional emails
about new products, special offers or other information which we think you may find
interesting using the email address which you have provided.
- To contact you via email, facsimile, phone or text message, to deliver certain services or
information you have requested.
- To administer our platform for internal operations, including troubleshooting, data analysis,
testing, research and statistical and survey purposes.
To assist you in assessment suitability for a loan application, in particular to:
- conduct a credit assessment on you;
- comply with CreditEnable's Know-Your-Client ("KYC") procedures;
- comply with any potential lender's KYC procedures;
- comply with any potential lender's documentation requirements in relation to loan approval.
From time to time, we may also use your information to contact you for market research
purposes. We may contact you by email, phone, fax or mail. We may use the information
to customize the platform or website according to your interests.
We will share your personal data primarily to ensure we provide you with the most efficient and
effective services to you. Unless you specify otherwise, we may share your information with
any of the following groups:
HOW DO WE SAFEGUARD YOUR PERSONAL DATA?
- Lenders that can login in to our platform to download reports on your organisation;
- Lenders who will consider your loan application;
- Borrowers, who may be provided with the contact details of someone at the lending
- Any members of our group company where this is necessary to complete CreditEnable’s
credit assessment analysis and processes, and in accordance with laws on data transfers;
- Any members of our group company where this is otherwise necessary, and in
accordance with laws on data transfers;
- Tax, audit, or other authorities, when we believe that the law or other regulation requires us
to share this data (for example, because of a request by a tax authority or in connection
with any anticipated litigation);
- Third party service providers who perform functions on our behalf (including external
consultants and professional advisers such as auditors and accountants, technical support
functions and IT consultants carrying out testing and development work on our business
- Third party outsourced IT providers where we have an appropriate data processing
agreement (or similar protections) in place;
- Other third parties who have an association with you (for example, suppliers to your
industry) who may wish to provide you with direct marketing information about their
products and services; and
- If CreditEnable merges with or is acquired by another business or company in the future,
we may share your personal data with the new owners of the business or company (and
provide you with notice of this disclosure).
We care about protecting your information. That's why we put in place appropriate measures
that are designed to prevent unauthorised access to, and misuse of, your personal data.
We are committed to taking all reasonable and appropriate steps to protect the personal
information that we hold from misuse, loss, or unauthorised access. We do this by having in
place a range of appropriate technical and organisational measures, including encryption
measures and disaster recovery plans.
If you suspect any misuse or loss of or unauthorised access to your personal information
please let us know immediately. Please raise your concern with firstname.lastname@example.org, in the
first instance, and we will investigate the matter and update you as soon as possible on next
HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
We will not keep your personal data for longer than is necessary for the purposes for which we
collect it unless we believe that the law or other regulation requires us to preserve it (for
example, because of a request by a tax authority or in connection with any anticipated
When it is no longer necessary to retain your data, we will delete the personal data that we
hold about you from our systems. While we will endeavour to permanently erase your personal
data once it reaches the end of its retention period, some of your personal data may still exist
within our systems, for example if it is waiting to be overwritten. For our purposes, this data has
been put beyond use, meaning that, while it still exists in the electronic ether, our employees
will not have any access to it or use it again.
WHAT ARE MY RIGHTS?
You have various rights in relation to the data which we hold about you. We have set these out below.
To get in touch with us about any of these rights, please contact email@example.com. We
will seek to deal with your request without undue delay, and in any event within one month
(subject to any extensions to which we are lawfully entitled). Please note that we may keep a
record of your communications to help us resolve any issues which you raise.
Right to object
This right enables you to object to us processing your personal data where we do so for one of
the following reasons:
- because it is in our legitimate interests to do so;
- to enable us to perform a task in the public interest or exercise official authority;
- to send you direct marketing materials; or
- for scientific, historical, research, or statistical purposes.
Right to withdraw consent
Where we have obtained your consent to process your personal data for certain activities (for
example, for marketing), you may withdraw this consent at any time and we will cease to use
your data for that purpose unless we consider that there is an alternative legal basis to justify
our continued processing of your data for this purpose, in which case we will inform you of this
Data Subject Access Requests
You may ask us for a copy of the information we hold about you at any time, and request us to
modify, update or delete such information. If we provide you with access to the information we
hold about you, we will not charge you for this unless permitted by law. If you request further
copies of this information from us, we may charge you a reasonable administrative cost.
Where we are legally permitted to do so, we may refuse your request. If we refuse your request
we will always tell you the reasons for doing so.
Right to erasure
You have the right to request that we "erase" your personal data in certain circumstances.
Normally, the information must meet one of the following criteria:
- The data are no longer necessary;
- You have withdrawn your consent to us using your data, and there is no other valid reason
for us to continue;
- The data has been processed unlawfully;
- It is necessary for the data to be erased in order for us to comply with our obligations under
- You object to the processing and we are unable to demonstrate overriding legitimate
grounds for our continued processing.
We would only be entitled to refuse to comply with your request for erasure in limited
circumstances and we will always tell you our reason for doing so.
When complying with a valid request for the erasure of data we will take all reasonably
practicable steps to delete the relevant data.
Right to restrict processing
You have the right to request that we restrict our processing of your personal data in certain
circumstances, for example if you dispute the accuracy of the personal data that we hold about
you or you object to our processing of your personal data for our legitimate interests. If we have
shared your personal data with third parties, we will notify them about the restricted processing
unless this is impossible or involves disproportionate effort. We will, of course, notify you before
lifting any restriction on processing your personal data.
Right to rectification
You have the right to request that we rectify any inaccurate or incomplete personal data that
we hold about you. If we have shared this personal data with third parties, we will notify them
about the rectification unless this is impossible or involves disproportionate effort. You may
also request details of the third parties that we have disclosed the inaccurate or incomplete
personal data to. Where we think that it is reasonable for us not to comply with your request,
we will explain our reasons for this decision.
Right of data portability
If you wish, you have the right to transfer your personal data between service providers. In
effect, this means that you are able to transfer the details we hold on you to another third party.
To allow you to do so, we will provide you with your data in a commonly used machine-
readable format so that you can transfer the data. Alternatively, we may directly transfer the
data for you.
Right to complain
You also have the right to lodge a complaint with your local supervisory authority.
You can also lodge a complaint with CreditEnable at:
WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA?
CreditEnable is responsible for processing your personal data. CreditEnable is a private limited
company with its registered office located at 175, Metro Estate, Kagalwala House, C-East, CST Road Kalina, Bandra Kurla Complex,
Santacruz East, Mumbai, - 400098, India and trading offices
at 1902, Tower B- Peninsula Business Park, GK Marg, Lower Parel, Mumbai 400013.
Your information will be stored by CreditEnable and/or its affiliated technology partners via secure
We take privacy seriously and will get back to you as soon as possible.
HOW DO WE STORE AND TRANSFER YOUR DATA INTERNATIONALLY?
The data that we collect from you will be transferred to, and stored at, destinations both within
and outside the European Economic Area (EEA).
We want to make sure that your personal data is stored and transferred in a way which is
secure. We will therefore only transfer data outside of the EEA where it is compliant with data
protection legislation and the means of transfer provides adequate safeguards in relation to
your data. For example, this could be:
- By way of an intra-group agreement between Oktober6 Ltd entities, incorporating the
current standard contractual clauses adopted by the European Commission for the transfer
of personal data by controllers in the EEA to controllers and processors in jurisdictions
without adequate data protection laws;
- By way of a data transfer agreement with a third party, incorporating the current standard
contractual clauses adopted by the European Commission for the transfer of personal data
by controllers in the EEA to controllers and processors in jurisdictions without adequate
data protection laws; or
- By transferring your data to an entity which has signed up to the EU-U.S. Privacy Shield
Framework for the transfer of personal data from entities in the EU to entities in the United
States of America or any equivalent agreement in respect of other jurisdictions; or
- By transferring your data to a country where there has been a finding of adequacy by the
European Commission in respect of that country's levels of data protection via its
- Where it is necessary for the conclusion or performance of a contract between ourselves
and a third party and the transfer is in your interests for the purposes of that contract (for
example, if we need to transfer your data to a benefits provider based outside the EEA); or
- Where you have consented to the data transfer.
Where we transfer your personal data outside the EEA and where the country or territory in
question does not maintain adequate data protection standards, we will take all reasonable
steps to ensure that your data is treated securely and in accordance with this policy.
LEGAL BASES FOR US PROCESSING YOUR DATA
There are a number of different ways that we are lawfully able to process your personal data. We
have set these out below.
Where processing your data is within our legitimate interests
We are allowed to use your personal information where it is in our interests to do so, and those
interests aren't outweighed by any potential prejudice to you.
We believe that our use of your personal information is within a number of our legitimate
interests, including but not limited to:
- To administer our platform for internal operations, including troubleshooting, data analysis,
testing, research, and statistical and survey purposes
- To help us understand you better and provide you with better, more relevant services
- To ensure that our systems run smoothly
- To help us keep our systems secure and prevent unauthorized access or cyber attacks
- To drive commercial value
We don't think that any of the activities set out above will prejudice you in any way. However,
you do have the right to object to us processing your personal information on this basis. We
have set out details regarding how you can go about doing this in the "Access, Correction and
Inquires" section below.
Where you give us your consent to process your personal data
We are allowed to use your personal information where you have specifically consented. In
order for your consent to be valid:
- It has to be given freely, without us putting you under any type of pressure;
- You have to know what you are consenting to – so we'll make sure we give you enough
- You should only be asked to consent to one thing at a time – we therefore avoid "bundling"
consents together so that you don't know exactly what you're agreeing to; and
- You need to take positive and affirmative action in giving us your consent – for example,
we could provide a tick box for you to check so that this requirement is met in a clear and
We seek your consent when you register to use our platform or website. Before giving your
consent you should make sure that you read any accompanying information provided by us so
that you understand exactly what you are consenting to.
You have the right to withdraw your consent at any time, and details of how to do so can be
found above in the "Right to withdraw consent" section above.
Where processing your personal data is necessary for us to carry out our obligations
under our contract with you
We are allowed to use your personal information when it is necessary to do so for the
performance of our contract with you.
For example, we need to hold your email address in order to be able to send you reports and
other analysis where you have requested them.
to your information (including any SPDI) being collected for the purposes set out in this Privacy
Policy and for its handling and storage in the manner as set out in this letter.
1 The GDPR has an effective date of 25 May 2018, and any references to it should be construed to include
any national legislation implementing it.