Last updated: 16 June 2026
Effective date: 16 June 2026
Applies to: the SquareNow web platform at https://squarenow.co.in, the SquareNow Android application distributed on Google Play (package [CONFIRM: in.kapiital.squarenow]), and any APIs or integrations branded “SquareNow”.
This policy is published by Kapiital Systems Private Limited (“Kapiital”, “we”, “our”, “us”), registered in India at [CONFIRM: registered office address, CIN]. SquareNow is a product of Kapiital Systems Pvt Ltd.
If you have a question or a request about your personal data, write to [CONFIRM: privacy@kapiital.com]. For grievances under the IT Rules 2021 and the Digital Personal Data Protection Act 2023, see Grievance Officer below.
1. Who we are, and the two hats we wear
SquareNow operates in two distinct roles, and the protections that apply to you depend on which role applies.
Role A — Data Fiduciary. When you visit https://squarenow.co.in, request a demo, talk to our sales team, sign a contract with us, or use SquareNow as a customer-administrator (lender employee, integration partner, or vendor), Kapiital is the Data Fiduciary under the Digital Personal Data Protection Act 2023 (“DPDP Act”). We decide what is collected and why, and the obligations in this policy fall on us directly.
Role B — Data Processor. When a regulated lender (an NBFC, MFI, co-operative bank, or Section 8 lender) uses SquareNow to run their loan operations, SquareNow processes the personal data of their borrowers, leads, and field staff on the lender’s instructions. In that case the lender is the Data Fiduciary, and Kapiital is a Data Processor acting under a written Data Processing Addendum. Borrowers should refer to the lender’s own privacy notice for primary rights against the controller. Section 7 below describes what we still owe you directly even in the processor role.
2. What this policy covers — and what it does not
This policy covers SquareNow’s website, marketing operations, the SquareNow Android app, the SquareNow web console used by lender staff, and the APIs Kapiital exposes to integration partners.
It does not cover: (a) other Kapiital products (kapiital.com, paisanow.live, getitnow.digital — each has its own policy), (b) third-party platforms we link to but do not control (e.g. WhatsApp, the Bureau APIs, payment gateways, your own banking partner), or (c) anything you do on a lender’s own systems outside SquareNow.
3. Personal data we collect
We collect only what we need to run the service, support customers, comply with Indian law, and keep the platform secure.
3.1 Data you give us directly
- Account and identity data: name, work email, work phone, employee designation, employer (the lender entity), profile photo if you upload one.
- Authentication data: password hash, multi-factor authentication enrolment (TOTP secret or registered device fingerprint), session tokens.
- Commercial data: if you sign a contract with us — billing address, GSTIN, PAN, signed agreements, purchase orders, invoices, payment records.
- Communications: content of emails, chat messages, support tickets, demo notes, recorded calls (only when both parties consent at the start of the call).
3.2 Data we collect when you use SquareNow (web console or Android app)
- Usage logs: API endpoints invoked, search queries you ran inside the console, files you opened, actions you performed (created, approved, rejected, exported). Used to provide audit trails for the lender and to debug the product.
- Device data: device model, operating system version, app version, language, time zone, IP address, network type (Wi-Fi/cellular), crash logs, performance traces.
- Approximate location (Android app): derived from IP address. Used to flag impossible-travel sign-ins and to route field staff to the right branch.
- Precise location (Android app, only when you grant permission): GPS coordinates, captured only when the app is in the foreground and only when the lender’s workflow requires field-visit geo-tagging (e.g. collections visit, customer verification visit). Each capture is logged and visible to you.
- Camera and storage (Android app, only when you grant permission): images of documents you upload (Aadhaar masked, PAN, address proof, banking docs) and selfies for live-photo verification, where the lender’s workflow needs them. Images are uploaded to encrypted storage and are not used for any other purpose.
- Microphone (Android app, only when you grant permission): voice notes you attach to a case file. Not used for any other purpose.
- Contacts, SMS, call logs, photos library, calendar, health data: we do not access these. The SquareNow Android app does not request
READ_CONTACTS,READ_SMS,READ_CALL_LOG, or any media-library permission beyond the photos you actively pick. If a future version needs any of these, this policy will be updated and you will be re-prompted.
3.3 Data we collect from third parties (only on a lender’s instruction, Role B)
When a lender uses SquareNow to process borrower files, the lender directs SquareNow to fetch data from RBI-authorised bureaus, the GSTN, the MCA portal, NSDL/UTI for PAN verification, Account Aggregators, Aadhaar-based verification providers, the lender’s own banking partner, and similar sources. SquareNow does not retain this data beyond what the lender’s retention configuration allows.
3.4 What we do not collect
We do not collect: precise location in the background, contact lists, SMS messages, call logs, the user’s media library, biometric raw templates (only verification results from authorised verifiers), health/fitness data, or browsing history outside our own properties. We do not buy personal data from data brokers.
3.5 Sensitive personal data
Under DPDP Act 2023 and the IT Rules 2011, certain data is “sensitive personal data” — including financial information (account/card details), Aadhaar numbers, biometric verification results, passwords, and health information. Where SquareNow handles such data on behalf of a lender, we use ISO 27001-aligned controls, AES-256 encryption at rest, TLS 1.2+ in transit, role-based access, masking in non-production environments, and audit logging of every access.
4. Why we use the data (purposes and legal basis)
| Purpose | Data used | Legal basis under DPDP Act |
|---|---|---|
| Provide the SquareNow platform (auth, console, app, APIs) | Account, authentication, usage, device | Necessary for the contract you / your employer has with us |
| Customer support and onboarding | Account, communications, usage | Necessary for the contract |
| Security, fraud detection, audit logging | Device, IP, usage, approximate location | Specified legitimate use (security) under DPDP Act §7(j) |
| Comply with RBI, KYC, AML, and statutory record-keeping | All processing data | Compliance with law |
| Improve and develop the product (de-identified analytics only) | Aggregated usage data | Specified legitimate use; no individual targeting |
| Marketing emails (only to opted-in business contacts) | Work email, role | Consent, withdrawable at any time |
| Billing and invoicing | Commercial data | Necessary for the contract |
| Process borrower data on a lender’s instructions | Whatever the lender configures | The lender’s lawful basis; we process under DPA |
We do not use personal data for advertising profiling, do not sell personal data, and do not use SquareNow audit logs to train any external AI model. Internal models used by SquareNow’s AI agents are trained on lender-owned, de-identified data only when the lender’s contract permits it.
5. Who we share data with
We share personal data only with:
- Sub-processors under written contracts that require equivalent protection. Current sub-processors include cloud infrastructure (data hosted in India —
[CONFIRM: AWS Mumbai / Azure India South / GCP Mumbai]), email and SMS delivery, telephony, error monitoring, and analytics. A current list is available at[CONFIRM: sub-processor list URL or "on request to privacy@kapiital.com"]. - The lender (customer) you are working under, who is the Data Fiduciary for their borrowers’ data.
- Regulators, law-enforcement agencies, and courts when there is a binding legal demand we are required to comply with, after verifying its validity.
- Professional advisers (auditors, lawyers, bankers) under confidentiality.
- A successor entity in the event of a merger, acquisition, or restructuring, with notice to affected users.
We do not sell, rent, or lease personal data to anyone.
6. Cross-border transfers
Personal data of users in India is hosted in India in the production environment. Some sub-processors (e.g. error monitoring, email delivery) may store metadata outside India. Where they do, we use contractual safeguards approved under the DPDP Act and applicable rules, and we restrict to non-sensitive operational telemetry. We do not transfer personal data to jurisdictions notified as restricted by the Central Government under the DPDP Act.
7. Your rights
As a data principal under the DPDP Act 2023, you have the right to:
- Access the personal data we hold about you in a structured form.
- Correct, complete, or update inaccurate personal data.
- Erase personal data when it is no longer needed for the purpose it was collected (subject to laws that require us to retain it — for example, RBI KYC records must be kept for the statutory period).
- Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.
- Nominate another individual to exercise these rights in the event of your death or incapacity.
- Grievance redressal — register a complaint with us first (see Section 9), and if unresolved within 30 days, escalate to the Data Protection Board of India.
To exercise any of these rights, write to [CONFIRM: privacy@kapiital.com] from the email address linked to your account, or use the in-app “My Data” controls in the SquareNow Android app or web console. We respond within the period required by law (currently 30 days, or sooner where reasonable). If you are exercising rights against a lender (the Data Fiduciary in Role B above), we will route your request to them and assist.
Account deletion has its own dedicated workflow — see https://squarenow.co.in/account-deletion.
8. Data retention
We keep personal data only as long as necessary:
| Category | Retention |
|---|---|
| Active account data | Life of the account + 12 months after closure (to handle disputes, audits) |
| Authentication logs | 12 months |
| Audit logs of console/app actions (lender records) | Per the lender’s retention configuration, default 7 years to meet RBI norms |
| Marketing contacts | Until you unsubscribe or 24 months of inactivity, whichever is sooner |
| Billing records | 8 financial years (Companies Act 2013 + GST rules) |
| Crash logs and diagnostics | 90 days |
| Recorded support calls (if any) | 6 months |
| KYC / borrower data processed for a lender | Per the lender’s instruction; default 10 years post loan closure to meet PMLA + RBI directions |
When the retention period ends, data is deleted from production systems within 30 days and from encrypted backups within the backup rotation window (currently 90 days), unless a legal hold applies.
9. Grievance Officer (India)
Per Rule 5(9) of the IT Rules 2021 and Section 8(9) of the DPDP Act 2023:
Name: [CONFIRM: Grievance Officer name] Designation: Grievance Officer & Data Protection Officer, Kapiital Systems Pvt Ltd Address: [CONFIRM: registered office address] Email: [CONFIRM: grievance@kapiital.com] Acknowledgement window: within 24 hours Resolution window: within 15 days for IT Rules grievances, within the period prescribed by the DPDP Rules for data-protection grievances
You may also escalate to the Data Protection Board of India once it is operationalised, in the manner notified by the Central Government.
10. Security
We follow industry-standard controls to protect personal data:
- AES-256 encryption at rest for all production data stores.
- TLS 1.2 or higher for all data in transit.
- Hardware security module (HSM) backed key management.
- Role-based access control with the principle of least privilege.
- Multi-factor authentication required for all employee access to production.
- Quarterly access reviews, annual VAPT, and continuous dependency scanning.
- ISO 27001-aligned controls (
[CONFIRM: certificate status]). - Data breach response plan with a target of regulator notification within 72 hours where required.
No system is perfectly secure. If you suspect a security issue, please report it to [CONFIRM: security@kapiital.com].
11. Children
SquareNow is a B2B platform for adults working at regulated financial institutions. It is not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe a child has provided personal data to us, contact us and we will delete it.
12. Cookies and tracking
Our website uses only essential cookies (session, CSRF, language preference) and a privacy-respecting analytics tool that does not use third-party cookies and does not fingerprint users. We do not run advertising trackers, retargeting pixels, or third-party social plugins on our pages. The Android app does not contain advertising SDKs.
13. Changes to this policy
If we change this policy in a way that affects how we handle your personal data, we will give notice — by email to active users, by a banner on the website, and by an in-app notice in the SquareNow Android app — at least 30 days before the change takes effect, except where a shorter notice is required by law.
The “Last updated” date at the top of this page always shows the current version. A change log is maintained at [CONFIRM: changelog URL or "available on request"].
14. Contact
Kapiital Systems Private Limited [CONFIRM: registered office address] CIN: [CONFIRM] Email (privacy): [CONFIRM: privacy@kapiital.com] Email (security): [CONFIRM: security@kapiital.com] Email (grievance): [CONFIRM: grievance@kapiital.com]
This is a published Indian privacy policy. Nothing in it overrides a separate data-processing addendum signed between Kapiital and a customer.