Legal

Privacy Policy

Effective: 15 June 2026 · Last updated: 15 June 2026 · 14 sections · ~7 min read

Our commitments to you

  • We do not sell your data. Your personal information is never sold to third parties, ever.
  • We share data only when you act. Lenders receive your details only when you explicitly submit an enquiry.
  • We don't collect sensitive IDs. No Aadhaar, PAN, bank account details, or credit score — unless you choose to share them with a lender directly.
  • You have rights under DPDP Act 2023. Access, correct, erase, and more — email us and we will respond within 30 days.
1

Introduction

Finmet Technologies Pvt. Ltd., operating under the brand name SonaFin ("Company," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your personal data when you access or use the SonaFin platform at https://www.sonafin.com and any associated mobile-optimised interfaces (collectively, the "Platform").

By using the Platform, you consent to the data practices described in this Policy. This Policy should be read alongside our Terms & Conditions. If you do not agree with this Policy, please discontinue use of the Platform.

2

Information We Collect

Data Type What We Collect Why
Registration Data Name, mobile number, PIN code Account creation and OTP verification
Gold Loan Query Data Gold weight, purity, desired loan amount, lender preferences, priorities To generate comparison results
Existing Loan Data (SonaSwitch) Current lender name, outstanding amount, interest rate, remaining tenure To calculate loan transfer savings
Lender Preference Data Preferred lender type, scheme type, sorting priorities To personalise comparison ranking
Communication Data Enquiry details, callback requests, messages sent via forms To connect you with lenders and support
Usage & Analytics Data Pages visited, features used, click-paths, time spent To improve the Platform
Device Data IP address, browser type, OS, screen resolution Security and analytics
What we do NOT collect: Aadhaar number, PAN, bank account details, credit score, or any other sensitive financial identifiers — unless explicitly disclosed to you as part of a specific lender referral process.

3

How We Use Your Information

  • To operate, personalise, and improve the Platform and its features
  • To display gold loan comparison results and SonaSwitch savings estimates
  • To connect you with lenders you choose to enquire about
  • To send OTPs, service communications, and (with your consent) promotional messages
  • To improve our algorithms, data quality, and user experience
  • To comply with applicable laws, regulations, court orders, and regulatory requirements
  • To detect, investigate, and prevent fraud, abuse, or security incidents
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects without your knowledge.

4

Legal Basis for Processing

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), we process your personal data on the following lawful bases:

Consent

You have provided explicit consent by registering, submitting enquiry forms, or using Platform features.

Contractual Need

Processing is necessary to provide the comparison and lead facilitation services you have requested.

Legitimate Interest

Analytics and fraud prevention activities to operate and improve the Platform responsibly.

Legal Obligation

Compliance with applicable laws, including anti-money laundering, data localisation, and regulatory reporting obligations.

Where we rely on consent as the legal basis, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.


5

Data Sharing & Disclosure

5.1 — Lenders & DSA Partners

When you submit an enquiry for a specific lender, your contact details and loan requirements are shared with that lender or its authorised Direct Selling Agent (DSA) partner only. This sharing is a core function of the Platform, and you consent to it when you submit an enquiry.

5.2 — Legal & Regulatory Requirements

We may disclose your information where required by law, court order, government authority, or regulatory directive — including obligations under the DPDP Act, the Information Technology Act, 2000, and applicable financial sector regulations.

5.3 — Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the successor entity, subject to equivalent or stronger privacy protections. We will notify you of any such change via the Platform or registered contact details.


6

Data Retention

We retain your personal data only for as long as necessary for the stated purposes:

Registration & Lead Data

3 years

from last activity, then deleted

Analytics Data

3 years

anonymised after 3 years

Communication Data

1 year

then deleted or anonymised

We may retain data for longer periods where required by law, regulation, or ongoing legal proceedings. Upon expiry of the retention period, data is securely deleted or irreversibly anonymised.


7

Cookies

We use cookies and similar tracking technologies to operate and improve the Platform:

Strictly Necessary

Session authentication and core Platform functionality. Cannot be disabled without breaking the Platform.

Analytics

Google Analytics GA4 cookies to understand usage patterns and improve features. Can be opted out via browser settings.

Preference

Stores your comparison settings and form progress for a smoother experience. Session-scoped.

You can control cookies through your browser settings. Disabling certain cookies may affect Platform functionality. For Google Analytics opt-out, visit tools.google.com/dlpage/gaoptout.


8

Your Rights

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), you have the following rights with respect to your personal data:

  • Right to Access — Obtain confirmation of and access to the personal data we hold about you.
  • Right to Correction — Request correction of inaccurate, incomplete, or outdated personal data.
  • Right to Erasure — Request deletion of your personal data, subject to legal retention obligations.
  • Right to Withdraw Consent — Withdraw consent for data processing at any time, where consent is the legal basis. Withdrawal does not affect past processing.
  • Right to Grievance Redressal — Lodge a complaint with our Grievance Officer (see Section 13) if you believe your rights have been violated.
  • Right of Nomination — Nominate an individual to exercise your data rights in the event of your incapacity or death.
To exercise any right, email support@sonafin.in with subject line "Data Privacy Request". We will acknowledge within 72 hours and respond fully within 30 days.

9

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or destruction:

  • TLS Encryption — All data in transit is encrypted using TLS 1.2 or higher.
  • Encryption at Rest — Personal data stored in our databases is encrypted at rest.
  • Access Controls — Role-based access ensures only authorised personnel can access personal data, on a need-to-know basis.
  • OTP Authentication — Account access is secured via one-time password verification through Exotel's secure delivery infrastructure.
  • Secure Cloud Hosting — The Platform is hosted on DigitalOcean's infrastructure, which maintains SOC 2 Type II compliance.
No system is completely secure. SonaFin cannot guarantee absolute security and shall not be liable for any unauthorised access, breach, or data loss that occurs despite our reasonable precautions. If you suspect any security issue, please contact us immediately at support@sonafin.in.

10

Children's Privacy

The Platform is intended solely for individuals who are at least 18 years of age. We do not knowingly collect, use, or disclose personal data from minors under the age of 18. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at support@sonafin.in and we will promptly delete such data.


11

Cross-Border Data Transfers

Our primary data storage is in India via DigitalOcean's Bangalore data centre. However, some of our third-party service providers (including Google Analytics) may process data outside India. Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard contractual clauses with the service provider
  • Use of providers that maintain certification under recognised international security frameworks
  • Anonymisation or pseudonymisation of data before transfer, where feasible

We will comply with any restrictions on cross-border data transfers that may be notified by the Government of India under the DPDP Act, 2023.


12

Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the effective date at the top of this page and, where practicable, notify registered users via their registered mobile number or the Platform. Continued use of the Platform after the effective date of any revised Policy constitutes your acceptance of those changes.


13

Grievance Officer

As required under the Digital Personal Data Protection Act, 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

DesignationGrievance Officer, Finmet Technologies Pvt. Ltd.
Response TimeAcknowledge within 48 hours; resolve within 30 days
AddressS.F.No.357/1B, NGR PURAM, Behind ESI Compound, Irugur, Coimbatore, Tamil Nadu 641103
If you are not satisfied with the response from our Grievance Officer, you may lodge a complaint with the Data Protection Board of India once it is constituted under the DPDP Act, 2023.

14

Contact Us

Privacy questions or data requests?

Finmet Technologies Pvt. Ltd. · sonafin.com

support@sonafin.in

Registered Address: S.F.No.357/1B, NGR PURAM, Behind ESI Compound, Irugur, Coimbatore, Tamil Nadu 641103

For data requests specifically: Use subject line "Data Privacy Request" for faster routing.

© 2026 Finmet Technologies Pvt. Ltd.