Privacy Policy
Our commitments to you
- ✓ We do not sell your data. Your personal information is never sold to third parties, ever.
- ✓ We share data only when you act. Lenders receive your details only when you explicitly submit an enquiry.
- ✓ We don't collect sensitive IDs. No Aadhaar, PAN, bank account details, or credit score — unless you choose to share them with a lender directly.
- ✓ You have rights under DPDP Act 2023. Access, correct, erase, and more — email us and we will respond within 30 days.
Introduction
Finmet Technologies Pvt. Ltd., operating under the brand name SonaFin ("Company," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your personal data when you access or use the SonaFin platform at https://www.sonafin.com and any associated mobile-optimised interfaces (collectively, the "Platform").
Information We Collect
| Data Type | What We Collect | Why |
|---|---|---|
| Registration Data | Name, mobile number, PIN code | Account creation and OTP verification |
| Gold Loan Query Data | Gold weight, purity, desired loan amount, lender preferences, priorities | To generate comparison results |
| Existing Loan Data (SonaSwitch) | Current lender name, outstanding amount, interest rate, remaining tenure | To calculate loan transfer savings |
| Lender Preference Data | Preferred lender type, scheme type, sorting priorities | To personalise comparison ranking |
| Communication Data | Enquiry details, callback requests, messages sent via forms | To connect you with lenders and support |
| Usage & Analytics Data | Pages visited, features used, click-paths, time spent | To improve the Platform |
| Device Data | IP address, browser type, OS, screen resolution | Security and analytics |
How We Use Your Information
- To operate, personalise, and improve the Platform and its features
- To display gold loan comparison results and SonaSwitch savings estimates
- To connect you with lenders you choose to enquire about
- To send OTPs, service communications, and (with your consent) promotional messages
- To improve our algorithms, data quality, and user experience
- To comply with applicable laws, regulations, court orders, and regulatory requirements
- To detect, investigate, and prevent fraud, abuse, or security incidents
Legal Basis for Processing
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), we process your personal data on the following lawful bases:
Consent
You have provided explicit consent by registering, submitting enquiry forms, or using Platform features.
Contractual Need
Processing is necessary to provide the comparison and lead facilitation services you have requested.
Legitimate Interest
We carry out analytics and fraud prevention activities to operate and improve the Platform responsibly.
Legal Obligation
Compliance with applicable laws, including anti-money laundering, data localisation, and regulatory reporting obligations.
Where we rely on consent as the legal basis, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Data Sharing & Disclosure
5.1 — Lenders & DSA Partners
When you submit an enquiry for a specific lender, your contact details and loan requirements are shared with that lender or its authorised Direct Selling Agent (DSA) partner only. This sharing is a core function of the Platform, and you consent to it when you submit an enquiry.
5.2 — Legal & Regulatory Requirements
We may disclose your information where required by law, court order, government authority, or regulatory directive — including obligations under the DPDP Act, the Information Technology Act, 2000, and applicable financial sector regulations.
5.3 — Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the successor entity, subject to equivalent or stronger privacy protections. We will notify you of any such change via the Platform or registered contact details.
Data Retention
We retain your personal data only for as long as necessary for the stated purposes:
| Data Type | Retention Period | Notes |
|---|---|---|
| Registration & Lead Data | 3 years | From last activity, then deleted |
| Analytics Data | 3 years | Anonymised after 3 years |
| Communication Data | 1 year | Then deleted or anonymised |
We may retain data for longer periods where required by law, regulation, or ongoing legal proceedings. Upon expiry of the retention period, data is securely deleted or irreversibly anonymised.
Cookies
We use cookies and similar tracking technologies to operate and improve the Platform:
Strictly Necessary
Session authentication and core Platform functionality. Cannot be disabled without breaking the Platform.
Analytics
Google Analytics GA4 cookies to understand usage patterns and improve features. Can be opted out via browser settings.
Preference
Stores your comparison settings and form progress for a smoother experience. Session-scoped.
You can control cookies through your browser settings. Disabling certain cookies may affect Platform functionality. For Google Analytics opt-out, visit tools.google.com/dlpage/gaoptout.
Your Rights
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), you have the following rights with respect to your personal data:
- Right to Access — Obtain confirmation of and access to the personal data we hold about you.
- Right to Correction — Request correction of inaccurate, incomplete, or outdated personal data.
- Right to Erasure — Request deletion of your personal data, subject to legal retention obligations.
- Right to Withdraw Consent — Withdraw consent for data processing at any time, where consent is the legal basis. Withdrawal does not affect past processing.
- Right to Grievance Redressal — Lodge a complaint with our Grievance Officer (see Section 13) if you believe your rights have been violated.
- Right of Nomination — Nominate an individual to exercise your data rights in the event of your incapacity or death.
Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or destruction:
- TLS Encryption — All data in transit is encrypted using TLS 1.2 or higher.
- Encryption at Rest — Personal data stored in our databases is encrypted at rest.
- Access Controls — Role-based access ensures only authorised personnel can access personal data, on a need-to-know basis.
- OTP Authentication — Account access is secured via one-time password verification through Exotel's secure delivery infrastructure.
- Secure Cloud Hosting — The Platform is hosted on DigitalOcean's infrastructure, which maintains SOC 2 Type II compliance.
Children's Privacy
The Platform is intended solely for individuals who are at least 18 years of age. We do not knowingly collect, use, or disclose personal data from minors under the age of 18. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at support@sonafin.in and we will promptly delete such data.
Cross-Border Data Transfers
Our primary data storage is in India via DigitalOcean's Bangalore data centre. However, some of our third-party service providers (including Google Analytics) may process data outside India. Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses with the service provider
- Use of providers that maintain certification under recognised international security frameworks
- Anonymisation or pseudonymisation of data before transfer, where feasible
We will comply with any restrictions on cross-border data transfers that may be notified by the Government of India under the DPDP Act, 2023.
Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the effective date at the top of this page and, where practicable, notify registered users via their registered mobile number or the Platform. Continued use of the Platform after the effective date of any revised Policy constitutes your acceptance of those changes.
Grievance Officer
As required under the Digital Personal Data Protection Act, 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
Contact Us
Privacy questions or data requests?
Finmet Technologies Pvt. Ltd. · sonafin.com
Registered Address: S.F.No.357/1B, NGR PURAM, Behind ESI Compound, Irugur, Coimbatore, Tamil Nadu 641103
For data requests specifically: Use subject line "Data Privacy Request" for faster routing.