Privacy Policy

Toucan Payments India Private Limited, together with its affiliates and subsidiaries, (together referred to herein as “Toucan” or ‘we’/’us’/’our’) are committed to safeguarding your right to privacy and protecting your Personal Data in accordance with applicable laws. This Privacy Policy explains how we collect, use, process, store and share your Personal Data when you use our websites (“Websites”), software applications (“Apps”), payment processing platforms (“Platforms”), or other financial technology products or services offered by Toucan. It also describes the rights available to you in relation to your Personal Data.

If you are one of our customers, merchants, or suppliers, the contractual documents executed between you and Toucan may contain further information on how we use your data.

If you are a consumer, we recommend that you also read the privacy notice of the merchant with which you did business to understand how they process your Personal Data.

WHAT IS PERSONAL DATA AND WHAT TYPES OF PERSONAL DATA DO WE COLLECT ABOUT YOU?

“Personal Information” or “Personal Data” means any information relating to an identified or identifiable individual and has the meaning assigned to “personal data” under the Digital Personal Data Protection Act, 2023, and the rules made thereunder.

“Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, transfer, alignment, restriction, erasure or destruction.

“Data Principal” means the individual to whom the Personal Data relates, as understood under the Digital Personal Data Protection Act, 2023.

“Data Processor” means any person who processes Personal Data on behalf of a Data Fiduciary.

“Data Fiduciary” means any person who alone or in conjunction with another person determines the purpose and means of processing Personal Data.

Depending on who you are (for example, a merchant, customer, cardholder, consumer, supplier, vendor, employee, job applicant or business partner) and how you interact with us, we may collect, use, receive, store, analyse, combine, transfer, disclose or otherwise process different categories of Personal Data, including the following:

◆Information you provide to us: Personal Data submitted by you when you complete forms, applications on our Website, register for our services, communicate with us, enter into a contract with us, or otherwise interact with our products, services or Platforms. This may include your name, email address, date of birth, phone number, billing address, country, company name and contact details, bank details, and information relating to your education and work experience where you apply or are considered for a role at Toucan, as well as any other information you choose to provide in such interactions.
 ◆Identity, verification and due diligence information: Personal Data collected or received for verification, onboarding, risk assessment, fraud prevention, sanctions screening, anti-money laundering compliance, or other due diligence purposes, which may include nationality, tax identification details, utility bills, proof of address, professional status, employer details, beneficial ownership details, politically exposed person status, sanctions screening results, and other supporting documents or information required for compliance or onboarding purposes.
◆Authentication data: Personal Data used to authenticate or enable your access to our systems, products, services, or dashboards, including signatures, login credentials, usernames, passwords, security identifiers, access logs, and similar authentication-related information.
◆Payment and transaction information: Personal Data relating to payment or transaction processing, such as bank account or payment instrument details, transaction reference numbers, name on credit card, a merchant’s name and identifiers, the date and amount of the transaction and other information provided by you directly or by banks or merchants, where such information is required to process a payment for you on behalf of one of our merchants or in connection with your use of any of our products or services. Toucan may also receive limited Personal Data relating to merchant customers where necessary to process transactions or enable services.
◆Communications, surveys and marketing information: Personal Data contained in correspondence or other communications with us, including customer support interactions, records of surveys or feedback voluntarily provided by you, preferences and interaction history, and records relating to your subscription to or withdrawal from marketing or promotional communications from Toucan.
◆Website usage and third-party sourced information: Information relating to your use of our Websites, Apps or communications, including data collected through cookies and similar technologies, such as IP address, browser and device information, browser language, access time, traffic data, approximate location data, web logs, website activity and referring website addresses. We may also receive Personal Data from third-party sources or publicly available records, including merchants, payment partners, financial institutions, affiliate companies, business partners, search engines, government or regulatory agencies, corporate registries, sanctions or watchlist screening databases, anti-money laundering databases, and other lawfully accessible compliance or verification sources.
Where our Websites or Apps include links to third-party websites, plug-ins and applications (including cookies, tracking technologies and widgets operated by third party advertisers), it is important that you understand that by clicking on those links or enabling those connections, you may allow third parties to collect or share data about you. We encourage you to read such third parties privacy statements to learn more about how they process your Personal Data. Toucan does not have oversight of these third-party websites and accordingly is not responsible for, and does not control, how such third parties process your Personal Data. 

We may also collect, use and/or share aggregated, anonymized, or de-identified information, such as statistical or demographic data.

As a principle, we do not intentionally collect any special or prohibited categories of Personal Data about you (such as details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, information about your health and genetic and biometric information). However, where required to provide certain services or products to you, or to comply with applicable legal or regulatory obligations, we may process limited categories of such Personal Data, and in such cases, we will ensure that such processing is carried out strictly in compliance with applicable laws.

USES OF YOUR PERSONAL DATA

In this section, we set out the purposes for which we use Personal Data that we collect and hold and, where required, identify the lawful grounds on which we rely to process such information in accordance with applicable laws.

We use your Personal Data only where we have a legitimate basis to do so under applicable law. Depending on the circumstances, we may rely on your consent, the necessity of processing for the performance of a contract with you, compliance with legal or regulatory obligations, the protection of vital interests, or other grounds permitted under applicable data protection laws. We may also process your Personal Data where such processing is necessary for legitimate business purposes permitted under applicable law, taking into consideration your interests, rights, and reasonable expectations, and subject to applicable legal requirements. We may also process Personal Data for internal administrative, audit, service improvement, fraud prevention, risk management, business continuity, analytics, and operational support purposes, as further described below and to the extent permitted under applicable law.

◆To verify, authenticate and authorize your use of our products or services
We may process Personal Data to conduct ‘Know Your Customer’ (“KYC”), identity verification, onboarding and merchant acceptance procedures, and risk assessments in order to verify your identity and authenticate and authorise your access to or use of our products or services, depending on whether you are a merchant, consumer, customer or other user of our Platforms. This may include processing Personal Data to establish contractual relationships, provide the payment services requested, execute payment transactions, process merchant payment requests, act upon payment or service instructions, and otherwise perform and administer our contractual obligations. Such processing may involve Identity, Contact and Financial information and is necessary for Toucan to provide the services requested and fulfil contractual obligations.

◆To process payment transactions made through our Platforms
Toucan offers multiple international and local payment methods which are subject to product-specific service terms and applicable legal obligations. When Toucan provides payment processing services as a payment aggregator, we may process Personal Data received from merchants, such as transaction details and, where applicable, cardholder information (for example, the name on card), in order to complete the payment made by you to the merchant for the purchase of goods or services. In such circumstances, Toucan generally acts as a Data Processor processing Personal Data on behalf of the merchant, who acts as the Data Fiduciary in relation to such information. In certain cases, you may provide personal information directly to Toucan through our Platforms in order for us to process the payment transaction, in which case such information is processed solely for the purpose of enabling and completing the payment.

◆To protect our business and to ensure compliance with the law
We may disclose your Personal Data to authorised external third parties such as service providers, contractors, agents, advisors, group companies, affiliates, subsidiaries, banks, and regulated partners, as well as competent supervisory or regulatory authorities, where necessary to comply with our contractual duties, legal obligations or to protect our legitimate business interests or your interests including enforcing or defending our legal rights or claims, and for fraud prevention, anti-money laundering checks, sanctions screening, risk management, and other compliance or security purposes.

We may also use your Personal Data to comply with our regulatory requirements or to engage and cooperate with regulators, as applicable, which may include disclosing your Personal Data to courts, tribunals, regulators, or law enforcement authorities in connection with enquiries, proceedings, audits, or investigations by such parties, where required or permitted under applicable law. Where permitted and feasible, we will seek to direct any such request to you or notify you before responding, unless doing so would prejudice or impede the prevention, detection, or investigation of a crime, fraud, or other unlawful activity.

In addition, Personal Data may be processed for internal operational and administrative purposes, including statistics and analytics for service improvement, internal audit and risk management, ensuring physical and technical security and business continuity, product and service development, and maintaining internal records necessary for regulatory, operational or administrative purposes.

When we use your information for these purposes, we base such use on contractual necessity (which means we will not be able to fulfil our part of an agreement without using your data to do so), our legal obligations (which means we are legally required to comply with certain laws), or on other lawful grounds permitted under applicable law.

◆To manage our relationship with you
If you contact us or otherwise give us your Contact information (for example by registering, by completing an enquiry form on our Website/s, or by subscribing to receive support, and service status communications, security notifications or fraud monitoring alerts), we may process your personal information to inform you about your products or services with Us and any changes to these products or services and any associated legal documents; to notify you if there is any interruption of services or products or of any quality management change, product or service improvement, update or upgrade; to ask you to provide information on how we can improve or develop services or products and to otherwise effectively communicate with you including where you request information about our products or services. We may also process your personal information to provide you with service assistance and issue resolution and to handle inquires, complaints and similar issues, to contact or send you notifications related specifically to the services or products we offer you, to obtain reports of technical or online problems relating to our websites, platforms or payment services, and to use your personal information in transactional, risk, or fraud monitoring reports (or both) as necessary for the performance of our contractual obligations. You may have the option to unsubscribe from certain non-essential reports or communications in accordance with the terms of our contract. Please review your contractual terms carefully before choosing to unsubscribe.

◆To provide information about our products and services and to improve our communications
We may process Personal Data to provide you with information about our products, services or related offerings, including promotional communications, where permitted under applicable law or where you have provided your consent. We may also use such information to improve and customise the content of our communications, advertisements or promotions so that they are more relevant to you. Where required by law, you will have the option to opt out of such marketing communications.

WHOM WE SHARE YOUR DATA

We may disclose your Personal Data to the following categories of recipients where this is necessary to provide our services to you, comply with legal or regulatory obligations, or operate our business in accordance with this Privacy Policy, including our subsidiaries, corporate affiliates and other authorised recipients described below.

1. Service Providers or Vendors
We may share your Personal Data with authorised service providers or vendors engaged by Toucan under contractual obligations, who assist us with our business operations, including payment processing, technology support, data storage, customer support, compliance, and audit related services, and who process such Personal Data solely on our behalf and in accordance with our instructions and applicable contractual, confidentiality and security obligations.

2. Our Clients
When We perform services for our clients, we may disclose Personal Data to such entities. For example, We may collect information about a client’s customers from or on behalf of the client, such as when We process payment transactions, and We may provide Personal Data about those customers back to the client for the purposes of completing the relevant transaction or service. In such cases, We generally act as a Data Processor processing Personal Data on behalf of the client, while the client acts as the Data Fiduciary determining the purposes and means of such processing. We are not responsible for the privacy practices of our clients, and we encourage you to review their respective privacy policies.

3. Participants in the transaction processing chain
We disclose Personal Data on a need-to-know basis with companies in the transaction processing chain in connection with processing a payment transaction, such as banks or other card issuers, card associations, debit network operators and their members.

4. Merchants
In accordance with our service contracts, including contracts in relation to payment aggregation and related services, We may share limited Personal Data with merchants to the extent necessary to process a payment transaction. For example, to process a card payment, we may need to share relevant details with the merchant that the payment relates to. If you are buying goods or services through the Platforms, we may also provide the merchant with your card billing address or other verification details, where required, to help complete a payment transaction.

5. Authorized financial institutions and banking partners
With whom we partner to enable and support the creation and offering of products and services. Depending on the type of payment chosen by the customer, payer or buyer, Toucan will share the information with the financial institutions that validate and process each means of payment for corresponding approval, validation, and settlement. This means that your Personal Data may be collected for those purposes by such financial institutions regarding the means of payment, acquiring financial services, payment processing networks, franchises such as Visa and MasterCard, card networks, card issuing banks and institutions, acquiring banks and service providers supporting tokenization or e-mandate services, where applicable.

6. Professional Advisors
We may disclose your Personal Data to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us. We may also disclose Personal Data in connection with internal or external audits, card network audits, security assessments, compliance reviews, regulatory inspections, or other audit, advisory, investigative, accounting, or legal review processes.

7. Regulators, law enforcementauthorities and legal disclosures
We may disclose Personal Data to competent regulatory authorities, government bodies, courts, tribunals, law enforcement agencies, or other public authorities where such disclosure is required or permitted under applicable law, regulatory requirements, or lawful requests. Such disclosures may occur in connection with regulatory reporting obligations, investigations, audits, legal proceedings, or compliance with court orders or similar legal processes.

8. Corporate transactions
We may disclose or transfer Personal Data in connection with a merger, acquisition, restructuring, financing, sale of assets, or other corporate transaction involving Us or our affiliates. In such circumstances, Personal Data may be transferred as part of the relevant business assets, subject to applicable confidentiality obligations and legal requirements.

SECURITY: HOW WE PROTECT & STORE PERSONAL DATA

The security of your Personal Data is important to us. We implement appropriate physical, technical, managerial and operational safeguards designed to protect the integrity and security of the information we collect and maintain, in accordance with applicable laws in India.

We follow recognised payments industry standards for the protection of payment card information. We maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), which is adopted by payment card brands for organisations that process, store or transmit cardholder data. Our payment infrastructure may also be subject to periodic audits to maintain appropriate security certifications.

We also comply with applicable regulatory requirements relating to the storage of payment system data. To the extent required under regulations issued by the Reserve Bank of India or other competent authorities, payment data relating to transactions processed through our platforms is stored and maintained on systems located within India, except where limited processing or transfer is permitted under applicable regulatory frameworks.

We regularly review our policies and practices relating to the collection, storage, use and processing of Personal Data, including physical and logical security measures designed to prevent loss, misuse, unauthorised access, alteration or disclosure of Personal Data.

Access to Personal Data is restricted on a need-to-know basis to employees, service providers and representatives who require such access for legitimate business, operational, legal, security or compliance purposes and who are subject to appropriate confidentiality obligations.

We maintain documented procedures to respond to any actual or suspected information security or data breach and will notify affected individuals and relevant authorities where required under applicable law.

International Transfers of Personal Data

We primarily store and process Personal Data within India. However, in certain circumstances and only to extent permitted under RBI frameworks, we may transfer or allow access to Personal Data outside India, including to service providers, group entities, technology partners, or payment processing participants located in other jurisdictions. Any such transfer shall be carried out in accordance with applicable data protection laws and subject to appropriate contractual, technical, and organisational safeguards designed to ensure an adequate level of protection for Personal Data.

Where sector-specific regulatory requirements impose restrictions on cross-border transfer or storage of data, including requirements applicable to payment data or financial transaction information, we will comply with such requirements.

DATA RETENTION

Our obligations under applicable laws and regulations primarily determine how long we retain Personal Data. In many cases, we are required to retain certain data for a specific period of time and are not permitted to delete it before the expiry of such period.

In particular, we are required to retain transaction data (which may include Personal Data) during the course of the business relationship and for a minimum period of ten (10) years following termination of the business relationship, rejection of a customer or merchant application, or withdrawal of a request to establish such relationship, in accordance with applicable anti-money laundering laws and other regulatory requirements relevant to our business.

The retention period may be extended where necessary for other lawful purposes, such as handling complaints, legal proceedings, investigations, regulatory or tax requirements, or the prevention, detection, and investigation of fraud, financial crime, or other unlawful activities.

YOUR RIGHTS

We ensure that you may exercise your individual privacy rights under applicable privacy and data protection laws and as per our policies and this Toucan Privacy Policy. This means that Toucan enables individuals to submit requests regarding the processing of their Personal Data, including requests to access, correct, update, or withdraw consent in relation to such Personal Data, where applicable. Subject to the requirements of applicable laws in India and as per our policies, you can exercise the following rights.

◆Right to Grievance Redressal: You have the right to seek grievance redressal in respect of any act or omission by Toucan relating to the processing of your Personal Data. Toucan maintains a grievance redressal mechanism and has appointed a Grievance Officer whose contact details are provided in this Privacy Policy. Any grievance or complaint raised will be acknowledged and addressed within the timelines prescribed under applicable law.
◆Your other rights: When we process your personal data under this Privacy Policy, you have the right to require us to:
a) Review, correct or rectify Personal Data
b) provide you with further details on the use we make of your information;
c) provide you with a copy of your Personal Data that we hold;
d) delete or erase any Personal Data that we no longer have a lawful ground to use;
e) where processing is based on consent, withdraw your consent so that we stop that particular processing.
f) nominate any other individual who shall exercise your rights under applicable data protection laws in the event of the death or incapacity of the data principal, in accordance with applicable legal requirements.

If you wish to exercise any of the rights described above, you may contact Toucan through the Grievance Officer using the contact details provided in this Privacy Policy.

When submitting a request, you may be required to provide information necessary to verify your identity and confirm that you are entitled to make the request. Toucan may also request additional information or clarification where reasonably required in order to process and respond to your request efficiently and in accordance with applicable law.

CHANGES TO OUR PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES

We may update this Privacy Policy from time to time. The most recent version will always be published on our Websites, Apps and/or Platforms and will indicate the date it was last updated. Please revisit this page periodically to stay informed of any changes. Your continued use of our services after we publish changes to this Privacy Policy will be deemed to constitute your acceptance of the updated Privacy Policy. If you do not agree with the updated Privacy Policy, you must stop using our services and notify us.

It is very important that any Personal Data we hold about you is up to date and correct. Please inform us of any changes to your Personal Data at the earliest.

HOW TO CONTACT US

Toucan Payments India Private Limited has its registered office at Plot No.45, 4th Floor, Phase 1, Kavuri Hills, Hyderabad, Telangana, India – 500033. We are happy to address any of your queries, concerns or questions relating to processing of your Personal Data, which you can raise by writing to us at support@toucanus.com.

You may address any complaints or discrepancies in relation to the processing of your Personal Data to:

Grievance Officer email id –grievance@toucanus.com

Plot No.45, 4th Floor, Kavuri Hills, Phase-I, Madhapur, Telangana, India – 500033

Toucan Payments (India) Private Limited.

If you are not satisfied with the resolution provided through our grievance redressal process, you may have the right to escalate the complaint to the Data Protection Board of India or such other competent authority as may be prescribed under applicable data protection laws.