We act as a Data Processor when processing Personal Data strictly on behalf of our Customers and exclusively under their documented instructions. This applies to:

• Collexo Collect (fee collection workflows)
• Collexo EMI (installment management)
• Collexo AutoDebit (e-mandate initialization and reminders)
• Collexo Central Pay (institution-driven payment portals)

In these scenarios:

• The Customer is the Data Controller/Data Fiduciary .
• The Customer determines what Personal Data is collected, why it is collected, and how it should be processed.
• We process such data solely for delivering contractual Services.
• We do not determine retention periods or purposes of processing.
• We do not use Customer-controlled data for analytics, product development, AI training, advertising, profiling, or behavior tracking.
• We retain, delete, or return data strictly in accordance with Customer instructions.

In the Pixi ecosystem:

• PPI Issuer(s) is the Data Controller/Data Fiduciary for all KYC, card activation, transaction processing, AML/CFT checks, fraud monitoring, and regulatory retention.
• Collexo acts strictly as a Program Manager and Data Processor on behalf of PPI Issuer(s).
• NPCI (National Payments Corporation of India) acts as an Independent Data Controller for switching, tokenization, transaction settlement, and authentication.

Collexo’s Processor responsibilities for Pixi include:

• Facilitating the KYC submission process within the Collexo mobile app.
• collecting KYC Data solely to transmit it securely to PPI Issuer(s).
• Performing preliminary completeness checks (e.g., image clarity, file validity).
• Enabling card activation status updates.
• Displaying transaction summaries provided by PPI Issuer(s).
• Supporting user onboarding flows under PPI Issuer(s)’s guidelines.

Collexo does not determine:

• whether KYC is required.
• which documents are acceptable.
• retention periods.
• AML/CFT rules.
• card usage terms and conditions.
• onboarding criteria.

These are exclusively determined by PPI Issuer(s).

We act as an independent Controller/Fiduciary only for limited operational and app-level data, such as:

• device metadata.
• performance logs.
• crash diagnostics.
• application usage metrics.
• security and anomaly detection.
• service analytics.

This processing is required to:

• secure the application.
• detect and prevent fraud.
• ensure service reliability.
• troubleshoot issues.
• improve app performance.

To deliver our Services, we engage authorized Sub-Processors who support:

• cloud hosting.
• payment gateway integrations.
• SMS/email communication.
• document verification.
• identity verification.
• fraud detection.
• customer support.
• notification and messaging workflows.

• implement strict security measures.
• maintain confidentiality.
• process data only under contractually defined purposes
• adhere to international transfer standards where applicable.

• a visitor.
• a Customer.
• a Customer’s user.
• a student.
• a parent/guardian.
• a payer.
• a Pixi cardholder.
• or whether you interact with us directly.

When you browse our website or mobile applications, we may collect Personal Data including:

• Your name, phone number, email address, organization name (when you voluntarily submit forms or request callbacks).
• Technical information such as IP address, device type, browser type, operating system, network identifiers, screen resolution, and unique device identifiers.
• Behavioral and usage information including pages viewed, time spent, clickstream data, scroll behavior, session duration, referring URLs, and navigation patterns.
• Cookie and tracking information such as device identifiers, web beacons, pixels, tags, logs, and marketing identifiers.
• Information from third-party sources, where permitted under applicable laws, such as data aggregators or advertising partners.

We collect visitor data for purposes including:

• understanding how visitors interact with our website.
• improving website functionality, navigation, user experience, and content relevance.
• responding to requests such as demo requests, support queries, or call-back submissions.
• connecting you to relevant resources or product specialists.
• delivering marketing or promotional content (with appropriate consent).
• performing remarketing through third-party advertising platforms (Google/Meta), where allowed.
• analyzing engagement data to improve campaigns, optimize performance, and understand interest levels.
• maintaining security, identifying misuse, and preventing fraudulent activity

When an organization becomes a Customer, we may collect:

• the identity and contact details of authorized representatives
• official email addresses and phone numbers.
• organization name, address, authentication details, GST information (if applicable).
• billing and invoicing information.
• support ticket metadata.
• system log entries associated with administrative actions.
• audit trail data to ensure compliance with security standards.

When an organization becomes a Customer, we may collect:

We collect and process Customer-level data to:

• create, administer, and maintain Customer accounts.
• provide platform access to authorized personnel.
• support onboarding, configuration, training, and support delivery.
• manage subscriptions, billing, invoicing, and contractual obligations.
• ensure compliance with audit, security, and regulatory standards.
• provide essential notifications such as updates, outages, or changes in service.
• monitor for fraud, unauthorized access, or operational anomalies.

For Users who log into Collexo platforms on behalf of Customers, we may collect:

Identity & Contact Information:

• name, email address, official phone number, and organization details.

Authentication & System Data:

• login timestamps, logout timestamps.
• device names, browser versions, OS details.
• IP address and approximate geolocation.
• multi-factor authentication records.

Behavior & Usage Data:

• tasks performed on the platform.
• modules accessed.
• records viewed or actions taken.
• workflow triggers activated.
• performance metrics.

Optional Permissions (Only With Explicit Opt-In):

• SMS metadata and call logs metadata (sender/recipient, timestamps—NOT message/call content).

We never collect:

• call recordings.
• content of SMS messages.
• contact lists from devices.
• personal email content.
• photos, media, or files unless voluntarily uploaded.
• biometric data unless strictly mandated by a Controller (e.g., liveness for Pixi KYC).

We collect User data to:

• enable secure platform access;
• provide payment, and workflow capabilities;
• enhance User productivity through reminders, follow-ups, and automation;
• ensure auditability and compliance with institutional requirements;
• troubleshoot system issues and improve platform reliability;
• maintain logs for fraud detection, misuse prevention, and policy enforcement;
• adhere to Customer contractual obligations.

Optional features rely exclusively on consent and may be revoked anytime via app or device settings.:

Institutions may share student or user lists including but not limited to:

Identity & Contact Information:

• name.
• gender.
• phone number.
• email address.
• roll number/student ID.
• academic program.
• eligibility or entitlement information.
• institution-specific attributes.

Inside the Collexo app, Pixi card applicants may be required to submit:

This means:

• Collexo does not store Aadhaar XML, PAN images, CKYC, photographs, address proofs, or liveness videos.
• No copies are stored in logs, databases, backups, caches, or analytics systems.
• The Third-party service provider may retain, store, and process KYC data in accordance with its own privacy policy and terms of service, provided that such retention and processing is undertaken with
• The consent of the user and in compliance with applicable laws.

This zero-retention policy is maintained in accordance with:

• RBI PPI Master Directions.
• UIDAI/Aadhaar Storage Restrictions.
• DPDP Act–Data Minimisation Principle.
• GDPR Article 5(1)(e).
• NPCI guidelines.

• transaction amounts;
• merchant category codes;
• timestamps
• UPI token references;
• status codes;
• chargeback notifications.

Enabled only with explicit opt-in:

• Camera and/or microphone (for KYC video capture).
• photos/media (for identity uploads).
• notifications.
• contacts or SMS metadata (never content).

You may revoke permissions anytime through device settings or the app.