Global Privacy Policy

Effective Date: March 14, 2026
Last Updated: June 29, 2026

1. Introduction, Scope, and Applicability

Welcome to KENILGLOBAL TECH (OPC) PRIVATE LIMITED ("KenilGlobal," "we," "our," or "us"). We are an advanced technology enterprise operating at the crucial intersection of fintech infrastructure, digital forensics, cybersecurity, and real-time intelligence systems. We inherently recognize that in the modern digital economy, data privacy is not merely a legal obligation but a fundamental human right and a core pillar of institutional trust.

This comprehensive Privacy Policy is designed to provide complete transparency regarding how we collect, use, process, transmit, store, and ultimately destroy your personal information when you interact with our website, our API infrastructure, our console dashboards, and any related digital platforms operated by KenilGlobal. It applies to all visitors, registered enterprise clients, business partners, and the end-users (Data Principals) whose data is programmatically processed through our secured verification pipelines.

By accessing our systems, implementing our APIs, or utilizing our forensic tools, you acknowledge that you have read, comprehensively understood, and agreed to be bound by the terms detailed within this document. This policy is stringently aligned with the Information Technology Act, 2000 (and its associated rules), the Digital Personal Data Protection (DPDP) Act, 2023, and global cybersecurity best practices.

2. Definitions of Key Legal Terms

To ensure absolute clarity and prevent legal ambiguity, the following terms used throughout this document carry specific statutory meanings:

  • "Personal Data" refers to any information that relates to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such natural person, whether online or offline, or any combination of such features.
  • "Data Principal" refers to the natural person to whom the personal data relates. In the context of children or persons with disabilities, it includes their parents or lawful guardians.
  • "Data Fiduciary" refers to any person or entity who, alone or in conjunction with others, determines the explicit purpose and means of the processing of personal data.
  • "Data Processor" refers to any person or entity who processes personal data purely on behalf of a Data Fiduciary.
  • "Processing" means any operation or set of operations performed on digital personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment, combination, restriction, erasure, or destruction.

3. Granular Classification of Data Collected

As a highly specialized provider of KYC verification, AML (Anti-Money Laundering) checks, and digital forensic intelligence tools, the nature of our data collection is inherently technical and detailed. We categorize the collected information into the following exact classifications:

  • Corporate Account & Identity Data: When an enterprise registers for our console, we collect the first and last names of directors/officers, official corporate email addresses, mobile telephone numbers, business registration numbers (such as CIN, GSTIN, PAN), registered office addresses, and billing credentials.
  • Technical and Network Telemetry Data: Every interaction with our servers generates technical footprints. This includes internet protocol (IP) addresses, MAC addresses, browser types and versions, time zone settings, geographic location data, browser plug-in types, operating systems, platform environments, and internet service provider (ISP) details.
  • API Payload and Verification Data (End-User Data): When our enterprise clients (acting as Data Fiduciaries) push queries through our API endpoints for KYC or forensic purposes, they transmit specific identifiers. This may include government-issued ID numbers (Aadhaar, PAN, Voter ID, Driving Licenses), vehicle registration numbers, financial routing numbers, and associated metadata. KenilGlobal handles this data strictly as a Data Processor in a secure, ephemeral state.
  • Transactional and Financial Data: For the purposes of billing and wallet top-ups within our console, we collect transaction histories, payment routing information, wallet balance snapshots, and partial payment card details (managed securely via PCI-DSS compliant third-party payment gateways).
  • System Interaction and Behavioral Data: We track how users navigate our console, including Uniform Resource Locators (URLs) clickstreams to, through, and from our platform, page response times, download errors, lengths of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

4. Mechanisms and Methods of Data Collection

Our architecture ingests data through three primary vectors to ensure system integrity and service delivery:

  • Direct Provisioning: Data actively and voluntarily provided by you. This occurs when you fill out registration forms on our website, apply for API credentials, undergo KYB (Know Your Business) vetting, top up your financial wallet, or correspond with our technical support and compliance teams via email or telephone.
  • Automated Systemic Collection: As you navigate and interact with our technical infrastructure, our servers automatically collect Technical and Telemetry data. This is achieved utilizing server logs, secure session cookies, web beacons, cryptographic handshakes, and proprietary telemetry tracking embedded within our API response headers.
  • Third-Party and Government Nodal Agencies: In the course of executing verification APIs or forensic inquiries on behalf of our clients, our backend systems securely interface with external, authorized databases. This includes querying state-sponsored repositories, corporate registries, credit bureaus, and telecom operator databases to fetch and validate the requested data packets.

5. Lawful Basis and Precise Purposes for Processing

KenilGlobal processes digital personal data only when there is a documented, statutory lawful basis to do so. In alignment with Section 4 of the DPDP Act, 2023, we rely on the grounds of "Explicit Consent" (secured by our Data Fiduciary clients) and "Certain Legitimate Uses" (such as legal compliance, state functions, or security enforcement). We process data for the following specific purposes:

  • Service Delivery and API Fulfillment: To authenticate programmatic requests, execute high-speed data validation, return accurate forensic payloads to the requesting client, and manage the technical uptime of our server environments.
  • Account Governance and Administration: To manage client onboarding, execute KYB compliance, generate billing invoices, process wallet deductions, and provide specialized customer support.
  • Cybersecurity and Fraud Prevention: To monitor our network infrastructure for brute-force attacks, unauthorized credential stuffing, DDoS anomalies, and API abuse. Processing telemetry data is crucial to maintaining the physical and digital security of our platform.
  • System Enhancement and Algorithmic Training: To analyze statistical load distributions, optimize database query speeds, troubleshoot software bugs, and improve the overall efficiency of our technological offerings using anonymized and aggregated data matrices.
  • Regulatory and Legal Compliance: To comply with binding directives from Indian Law Enforcement Agencies (LEAs), respond to court orders, adhere to financial compliance audits, and maintain mandatory logs as prescribed by the Indian Computer Emergency Response Team (CERT-In).

6. Role Distinction: Data Fiduciary vs. Data Processor

Understanding the legal liability framework is critical for our enterprise partners. KenilGlobal operates in a dual capacity depending on the specific data flow:

As a Data Fiduciary: When an enterprise client registers for the KenilGlobal console, provides their corporate details, and tops up their wallet, KenilGlobal dictates the purpose of that data collection (to maintain the business relationship). In this specific context, we are the Data Fiduciary and bear the primary statutory responsibilities toward the client's corporate users.

As a Data Processor: When our enterprise clients (e.g., Banks, Fintechs) use our API to verify the identity of *their* customers, the enterprise client is the Data Fiduciary. They have secured the end-user's consent and determined the purpose of the verification. In this flow, KenilGlobal acts strictly as a Data Processor. We execute the algorithmic check, return the result, and discard the localized payload according to our ephemeral data policies. We do not claim ownership over this end-user data, nor do we repurpose it for internal marketing or resale.

7. Information Sharing, Disclosures, and Third Parties

Trust requires strict boundaries regarding data dissemination. KenilGlobal absolutely does not sell, rent, lease, or monetize your personal data to unauthorized third-party marketers or data brokers. However, executing complex fintech operations requires controlled data sharing under strict Non-Disclosure Agreements (NDAs). We may disclose data in the following scenarios:

  • Infrastructure and Cloud Providers: We host our services on Tier-1, enterprise-grade cloud environments (such as AWS, Google Cloud, or equivalent localized Indian data centers). These infrastructure providers act as our sub-processors and are bound by strict data processing addendums.
  • Authorized API Integration Partners: To fulfill verification requests, data must be routed to the respective nodal agencies, government repositories, or trusted financial bureaus holding the master records.
  • Law Enforcement and Statutory Bodies: As a cybersecurity and forensic intelligence company, we maintain a zero-tolerance policy towards digital crime. If served with a valid, legally binding warrant, subpoena, or directive from cyber cells, CERT-In, or judicial courts, we will disclose the requested data to fulfill our statutory obligations under the IT Act, 2000 and the DPDP Act, 2023.
  • Corporate Restructuring: In the event of a merger, acquisition, bankruptcy, or asset sale involving KENILGLOBAL TECH (OPC) PRIVATE LIMITED, customer data and operational logs may be transferred to the acquiring entity, subject to the continuation of the privacy protections outlined in this document.

8. Data Localization and Cross-Border Transfers

KenilGlobal is deeply committed to India's data sovereignty requirements. As a baseline policy, all core infrastructure, primary databases, and backup arrays containing sensitive Indian citizen data and financial logs are physically housed within server farms located within the territorial borders of the Republic of India. Should the technical necessity arise to route specific non-sensitive telemetry or analytics data through international servers, we ensure that such transfers strictly comply with the cross-border transfer mechanisms and geographical whitelists notified by the Central Government of India under the DPDP Act.

9. Data Security, Cryptography, and Infrastructure Safeguards

Information security is the bedrock of KenilGlobal’s operations. We have engineered a multi-layered, defense-in-depth architecture to neutralize unauthorized access, digital exfiltration, and malicious tampering. Our technical and organizational safeguards include, but are not limited to:

  • Cryptographic Standards: All data transmitted between our clients and our API endpoints is encrypted in transit using Transport Layer Security (TLS 1.3). All sensitive personal data and configuration credentials at rest within our databases are encrypted using Advanced Encryption Standard (AES-256) algorithms.
  • Access Control and Authentication: We utilize a Zero Trust Network Architecture (ZTNA). Internal access to production databases is heavily restricted, logged, and requires multi-factor authentication (MFA) and cryptographic VPN tunneling. API access for clients is secured via rotating Bearer Tokens and strictly enforced IP whitelisting.
  • Vulnerability Management: Our software development lifecycle integrates continuous security testing. We conduct regular Vulnerability Assessment and Penetration Testing (VAPT) via independent, CERT-In empaneled security auditors to identify and patch zero-day vulnerabilities.
  • Intrusion Detection: We deploy state-of-the-art Web Application Firewalls (WAF) and real-time Intrusion Detection/Prevention Systems (IDS/IPS) to automatically identify and block malicious payloads, SQL injections, and unusual traffic spikes indicative of DDoS attacks.

10. Data Retention, Archival, and Destruction Protocols

We strictly adhere to the principle of data minimization and storage limitation. We retain personal data only for the exact duration necessary to fulfill the operational, financial, or legal purposes for which it was originally collected.

  • Ephemeral API Processing: For endpoints where KenilGlobal acts merely as a pass-through Data Processor (e.g., identity verification checks), the end-user payload is processed in volatile memory, the validation result is logged, and the core identifying data is cryptographically purged almost immediately following the transaction completion.
  • Corporate Console Data: Client account details, billing histories, and API key configurations are retained for the active lifecycle of the account, plus an additional regulatory period (typically 5 to 8 years) to comply with Indian corporate and taxation laws.
  • Security Logs: Network logs, IP access histories, and security telemetry are retained on rolling 180-day cycles as mandated by CERT-In directives, after which they are either anonymized for statistical analysis or securely overwritten.
  • Data Destruction: When data reaches the end of its retention lifecycle, we employ secure digital wiping standards (such as DoD 5220.22-M algorithms) to ensure that the information is rendered permanently unrecoverable from our physical and virtual storage arrays.

11. Cookies, Web Beacons, and Telemetry Data

The KenilGlobal website and web console utilize cookies (small encrypted text files stored on your device) and similar tracking technologies to ensure seamless session management and operational security.

  • Strictly Necessary Cookies: Essential for authenticating your session, preventing Cross-Site Request Forgery (CSRF) attacks, and maintaining the state of your login across page reloads. The platform cannot function securely without these.
  • Performance and Analytics Cookies: Used to understand how users interact with our console, identifying UI bottlenecks, and measuring page load times. This data is highly aggregated and does not personally identify individuals.

You may configure your web browser to refuse all non-essential cookies or alert you when cookies are being sent. However, disabling session or security cookies will immediately break the functionality of the KenilGlobal authenticated console.

12. Statutory Rights of the Data Principal

The DPDP Act, 2023 grants significant, non-negotiable rights to Indian citizens regarding their digital personal data. KenilGlobal fully supports and provides infrastructural mechanisms to respect these rights:

  • Right to Access Information: You hold the right to request confirmation of whether we are processing your personal data, a comprehensive summary of that data, and the identities of all third-party Data Fiduciaries with whom it has been shared.
  • Right to Correction and Erasure (Right to be Forgotten): You may request that we correct inaccurate, out-of-date, or incomplete data records. Furthermore, you may request the complete erasure of your personal data from our systems once the specific operational purpose has been met, or if you withdraw your consent, provided there is no overriding legal mandate requiring us to retain it.
  • Right to Nominate: In the event of your death or physical/mental incapacitation, you have the right to nominate another individual to exercise your privacy rights under the Act on your behalf.
  • Right to Grievance Redressal: You possess the absolute right to lodge formal complaints regarding our data processing activities. Our Grievance Officer is legally bound to resolve your concerns within the statutory timeframes before the matter can be escalated to the Data Protection Board of India.

13. Data Breach and Incident Response Management

Despite deploying military-grade security architectures, no system connected to the internet can claim absolute invulnerability. In the highly unlikely event of a digital data breach, unauthorized access, or catastrophic hardware compromise that materially impacts the confidentiality of personal data, KenilGlobal has established a strict, immediate-action Incident Response Protocol. We will notify the Data Protection Board of India (DPBI) and the Indian Computer Emergency Response Team (CERT-In) within the strict statutory deadlines (currently mandated at 6 hours for critical cyber incidents). Concurrently, we will immediately notify all affected Data Principals and enterprise clients, providing transparent details regarding the nature of the breach, the specific data categories exposed, and the active mitigations being deployed to secure the network.

14. Automated Decision Making and Profiling

KenilGlobal’s core infrastructure is designed to return factual, verified data points requested by our API consumers. We do not engage in unauthorized algorithmic profiling, nor do we independently use personal data to make automated decisions that produce significant legal or financial effects on the Data Principal. The ultimate decision to onboard a user, grant a loan, or reject an application based on our API responses lies entirely within the sole discretion and legal responsibility of our enterprise client (the Data Fiduciary).

15. Policy Modifications and Amendments

The technology landscape and the legal frameworks governing it are in a constant state of rapid evolution. Consequently, KenilGlobal reserves the unilateral right to update, modify, add, or remove portions of this Privacy Policy at any time. Significant changes that materially alter how we process your personal data will be communicated to registered enterprise clients via direct email notifications and prominent banners within the API console. The "Last Updated" date at the top of this document signifies the effective date of the current policy version. Continued use of our platforms following such modifications constitutes your formal acknowledgement and acceptance of the revised terms.

16. Grievance Redressal and Contact Details

We take our obligations under the DPDP Act and the IT Rules remarkably seriously. If you have any deep technical concerns regarding data privacy, wish to exercise your statutory rights as a Data Principal, or need to report a suspected security vulnerability, please direct your communications to our formally appointed Data Protection & Grievance Officer.

Compliance & Data Protection Officer | KenilGlobal Tech

sunil@kenilglobal.com

+91 76270 83968

Corporate Entity: KENILGLOBAL TECH (OPC) PRIVATE LIMITED
Registered under the Companies Act, 2013, India.

This document is an electronic record generated by a computer system and does not require any physical or digital signatures.