WHEREAS AGRIM FINCAP PRIVATE LIMITED (hereinafter referred to as the "Company", "Data Fiduciary", "Lender", or
"Us") is a Systemically Important / Base Layer Non-Banking Financial Company registered with the Reserve Bank of India
("RBI") and listed on the Bombay Stock Exchange ("BSE");

AND WHEREAS the Company is engaged in the business of extending credit facilities, term loans, and other financial products
to its customers (hereinafter referred to as the "Data Principal", "Borrower", or "You"), utilizing digital lending platforms
owned by the Company or its authorized Lending Service Providers ("LSPs");

NOW THEREFORE, this Privacy Policy (the "Policy") is promulgated to articulate the Company’s protocol regarding the
collection, retention, processing, and disclosure of Sensitive Personal Data or Information ("SPDI"). This Policy is drafted
pursuant to and in compliance with:

1. The Digital Personal Data Protection Act, 2023 ("DPDP Act"); 2. RBI Guidelines on Digital Lending, 2022
and Master Directions (NBFC) Directions, 2016; 3. Information Technology Act, 2000 (and associated SPDI
Rules, 2011);
4. Prevention of Money Laundering Act, 2002 ("PMLA").

By executing the Loan Agreement or accessing the Company’s digital platforms, You unequivocally acknowledge, covenant,
and consent to the terms herein.

For the purposes of this Policy, the following terms shall hold the meanings ascribed below:

• "Cookies" shall denote small text files placed on Your device to store data that can be recalled by a web server in the
domain that placed the cookie.

• "Data Fiduciary" shall mean AGRIM FINCAP PRIVATE LIMITED, which determines the purpose and means of
processing personal data.

• "Lending Service Provider (LSP)" shall mean an agent or entity appointed by the Company to carry out borrower
acquisition, pricing support, servicing, monitoring, or recovery of loans.

• "Digital Lending App (DLA)" shall mean the mobile application/web platform owned by the Company or its LSPs.

• "Legitimate Use" shall have the meaning assigned under Section 7 of the DPDP Act, 2023.

The Company adheres to the principle of "Data Minimization" and collects only such data as is statutorily required or strictly
necessary for credit assessment ("Need-to-Know" basis).

3.1. Identity and Know Your Customer (KYC) Data

Pursuant to the Master Direction – KYC Direction, 2016, we collect:

Biographic Data: Full Name, Date of Birth, Gender, Marital Status, Father’s/Spouse’s Name.

• Proof of Identity & Address (OVDs): Aadhaar (via Offline XML/Secure QR/DigiLocker), PAN Card, Voter ID,
Passport, or Driving License.

• Facial Biometrics: A live photograph (Selfie) captured for the sole purpose of "Liveness Check" and matching against
OVDs.

3.2. Financial and Credit Profile

To evaluate creditworthiness and repayment capacity:

• Banking Data: Bank Account Number, IFSC, MICR, and Account Type (for e-NACH/Auto-Debit registration).

• Income Parameters: Salary Slips, Income Tax Returns (ITR), GST Filings, and Bank Statements.

• Credit History: Credit Information Reports (CIR) procured from Credit Information Companies (CICs) such as
TransUnion CIBIL, Experian, Equifax, and CRIF.

3.3. Technical and Telemetry Data (Fraud Prevention)

To ensure the security of the transaction and prevent fraud:

• Device Identifiers: IP Address, International Mobile Equipment Identity (IMEI), Advertising ID (AD-ID), Operating
System information.

• Geo-Location: One-time capture of GPS coordinates strictly during the customer onboarding/KYC process to satisfy
the "Video Customer Identification Process (V-CIP)" or physical verification norms.

NOTWITHSTANDING anything contained herein, the Company (and its LSPs/DLAs) explicitly disclaims the collection of the
following data categories. We do not request, access, or store:

1. Phone Book / Contacts: We strictly refrain from accessing Your contact list.

2. Media and Gallery: We do not access Your photos, videos, or internal storage.

3. Call Logs / Telephony Data: We do not track Your call history.

4. Biometrics: Fingerprints or Iris Scans are processed solely by the UIDAI/Authentication agencies and are not stored
by the Company.

Your Personal Data shall be processed solely for the following Legitimate Purposes:

1. Credit Underwriting & Risk Assessment: To determine eligibility, credit limits, and applicable interest rates based on
proprietary algorithms.

2. Loan Lifecycle Management: Disbursement of funds, generation of Repayment Schedules, collection of EMIs, and
issuance of "No Objection Certificates" (NOC).

3. Statutory Reporting: o Submission of credit data to Credit Information Companies (CICs) on a monthly
basis. o Reporting to the Central Registry of Securitisation Asset Reconstruction and Security Interest
(CERSAI).

o Filing of default reports with National E-Governance Services Ltd (NeSL).

4. Regulatory Compliance: Compliance with PMLA (Anti-Money Laundering), FATCA, and SEBI (Listing Obligations
and Disclosure Requirements).

5. Legal Recourse: Utilization of data for recovery proceedings under the Negotiable Instruments Act, 1881 or the
Payment and Settlement Systems Act, 2007 in the event of default.

The Company maintains strict confidentiality of Your data. Disclosure is made strictly on a "Need-to-Know" basis to the following
categories of recipients:

• Lending Service Providers (LSPs): Limited data (Application Status, Sanction Terms) is shared with the LSP
through whom You applied, strictly to facilitate the interface.

Co-Lenders: In the event of a Co-Lending Arrangement (CLM) with another Bank/NBFC, data shall be shared with
the partner institution.

• Statutory Bodies: RBI, SEBI, FIU-IND, Income Tax Authorities, and Law Enforcement Agencies (LEAs) upon receipt
of a valid legal mandate.

• Third-Party Service Providers: Entities engaged for specific operational functions, including: o KYC
Verification Agencies: (e.g., NSDL, UIDAI authorized ASAs). o Payment Aggregators: (e.g., Razorpay, Cashfree)
for fund routing. o Document Execution: (e.g., Leegality, NeSL) for e-Stamping and e-Signing.

Cross-Border Transfer: The Company stores all data exclusively on servers located within the territorial jurisdiction of India.
No credit information is transferred offshore.

The Company shall retain Your personal data in accordance with the following schedule:

1. Active Accounts: For the entire tenure of the credit facility.

2. Closed Accounts: For a period of Eight (8) Years from the date of loan closure or account termination, as mandated

by the Prevention of Money Laundering Act, 2002 and the Income Tax Act, 1961.

3. Destruction: Upon expiry of the statutory retention period, data shall be permanently expunged or anonymized using
industry-standard secure deletion protocols (e.g., NIST 800-88).

8.1. The Usage of Cookies

The Company utilizes "Cookies" and similar technologies (pixels, tags, SDKs) to enhance user experience, ensure
platform security, and analyze traffic. By accessing Our Platform, You consent to the placement of Cookies on Your device.


8.2. Categories of Cookies We Use
Category Description Necessity


Strictly Nec Cookies - Essential for the Platform to function (e.g.,CSRF protection, and load balancing) - Mandatory

Performance Analytics Cookies - These collect aggregated, anonymous dataAnalytics, Firebase). They help Us detect performace - Optional

Functionality - These remember Your preferences (e.g., la personalized experience. - Optional

Fraud PreveCookies - "Device Fingerprinting" cookies that analyz prevent identity theft or account takeovers. - Mandatory

8.3. Web Beacons and Pixel Tags

We may use "Pixel Tags" (tiny graphics with a unique identifier) in our emails to determine if You have opened an email or clicked on a link. This helps Us gauge the effectiveness of our communications (e.g., Loan Sanction Letters or Due Date Reminders).

8.4. Management of Cookies (Opt-Out Mechanism)

Most web browsers automatically accept cookies. You can modify Your browser settings to decline cookies if You prefer.

• Chrome: Settings > Privacy and Security > Cookies and other site data.

• Safari: Preferences > Privacy > Block all cookies.

• Impact of Disabling: Please note that if You choose to decline Strictly Necessary Cookies, You may be unable to access the Loan Application Dashboard or sign into Your account securely.

The Company implements reasonable security practices and procedures as per ISO/IEC 27001 standards:

Encryption: Data at rest is encrypted using AES-256 bit encryption. Data in transit is secured via TLS 1.2/1.3 protocols.

• Access Control: Strict Role-Based Access Control (RBAC) ensures only authorized personnel access sensitive data.

• Vulnerability Management: Regular VAPT (Vulnerability Assessment and Penetration Testing) is conducted on our digital infrastructure.

Under the DPDP Act, 2023, You are vested with the following rights:

1. Right to Access: You may request a summary of personal data processed and the identities of all Data Processors.

2. Right to Correction: You may request rectification of inaccurate or incomplete personal data.

3. Right to Grievance Redressal: You have the right to a readily available means of grievance redressal.

4. Right to Nominate: You may nominate an individual to exercise Your rights in the event of death or incapacity.

In compliance with the RBI Integrated Ombudsman Scheme, 2021, the Company has established a robust grievance redressal framework.

Level 1: Grievance Redressal Officer (GRO)

For any discrepancies, data privacy concerns, or service-related complaints:

• Name: Bal Kishan Bhardwaj

• Designation: Grievance Redressal Officer

• Address: AGRIMFINCAP PRIVATE LIMITED, 276 , First Floor, Gagan Vihar, Shahdara, Delhi – 110051 India
• Email: [care@agrimfincap.com]

• Contact No: 9355570545


Level 2: Reserve Bank of India (RBI)

If the complaint remains unresolved for a period of 30 (Thirty) days, or if You are dissatisfied with the resolution, You may approach the RBI Ombudsman via the CMS Portal:

• Web Portal: https://cms.rbi.org.in

• Email: crpc@rbi.org.in

While the Company employs best-in-class security measures, it shall not be held liable for any loss, damage, or misuse of data resulting from Force Majeure events, including but not limited to cyber-attacks, acts of God, strikes, lockouts, or failure of telecommunication networks, provided the Company has demonstrated due diligence.

This Policy shall be governed by and construed in accordance with the laws of the Republic of India.

ANY DISPUTE arising out of or in connection with this Policy, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts located in New Delhi, India, to the exclusion of all other courts.

The Company reserves the right to amend, modify, or supplement this Policy at any time to align with changes in applicable laws (RBI/SEBI Regulations). The "Last Updated" date at the inception of this document shall indicate the effective date of the current version

By clicking "I Accept" or proceeding with the Loan Application, You certify that You have read, understood, and agreed to the terms of this Privacy Policy.

Agrim Fincap Private Limited ("the Company"), being an NBFC-COR ND-NSI regulated under the Master Direction – NBFC – Scale Based Regulation (SBR), 2023, recognises that responsible, compliant and well-governed outsourcing of financial and non-financial activities is critical for maintaining operational integrity, ensuring customer protection, and upholding regulatory expectations.

The Company acknowledges that the act of outsourcing does not diminish its obligations to customers or dilute the standards of conduct demanded by the Reserve Bank of India ("RBI"). The Company remains entirely responsible, at all times, for outsourced operations and for the conduct, competence and integrity of all service providers acting on its behalf.

This Policy establishes the principles, governance systems, internal controls, oversight mechanisms, and risk management framework governing every outsourcing arrangement undertaken by the Company. It reflects the Company's adherence to the RBI Master Direction on Outsourcing of Financial Services, the RBI Digital Lending Guidelines (2022 onwards), the Consumer Protection Framework for Regulated Entities, and all related circulars, notifications, and supervisory expectations.

The primary objective of this Outsourcing Policy is to ensure that any outsourced activity is conducted in a manner that fully preserves the Company's regulatory compliance, operational standards, customer rights, data confidentiality obligations, and the supervisory authority of the RBI.

This Policy governs all outsourcing relationships, including but not limited to Loan Service Providers (LSPs), Digital Lending Applications (DLAs), technology vendors, tele-calling partners, collection agencies, data processing entities, KYC partners, field verification agencies, and any other service provider engaged in activities that may affect customers, compliance, risk, operations, or governance.

The Policy applies uniformly to all functions outsourced by the Company, irrespective of whether the outsourcing is domestic or digital, internal or external, front-end or back-end, customer-facing or support-oriented.

The Company recognises that outsourcing is an operational arrangement and not a transfer of responsibility. All regulatory, supervisory and fiduciary obligations remain solely with Agrim Fincap Private Limited, irrespective of the extent, nature, or manner of outsourced activity.

Every outsourced service shall be subject to direction, oversight, audit and control by the Company, and the Company shall always retain the right to intervene, inspect, modify or terminate the arrangement in the interest of regulatory compliance or customer protection.

At all times, the Company shall ensure that outsourcing does not impair its ability to meet obligations to customers; compromise its financial soundness; hinder the RBI's ability to supervise its operations; or expose the Company to unmanaged operational, legal, reputational, strategic or cybersecurity risks.

The Company may outsource operational, administrative, technological or customer-facing functions, provided such outsourcing does not contravene any statutory or regulatory restriction.

Core decision-making functions involving credit sanction, risk acceptance, pricing decisions, regulatory reporting, or strategic management shall always remain with the Company and shall never be outsourced, directly or indirectly.

Any activity which may create a conflict of interest, compromise internal controls, distort risk oversight, or impede the Company's ability to comply with law shall not be outsourced.

All outsourcing proposals shall be evaluated through a structured review process assessing their impact on operational resilience, data security, regulatory compliance and risk exposure. The Board of Directors shall approve the Policy and shall receive periodic reports on significant outsourcing arrangements.

The senior management of the Company shall be responsible for ensuring that outsourcing contracts are aligned with regulatory expectations, that due diligence is conducted prior to engagement of service providers, and that adequate oversight is maintained throughout the duration of the arrangement.

The Risk Management Committee, constituted under Regulation 21 of SEBI (LODR) Regulations, 2015, shall periodically review outsourced arrangements as part of the Company's enterprise risk framework.

The Risk Management Committee and Compliance Department shall continuously supervise outsourced functions to ensure conformity with RBI's prudential and conduct norms.

Any arrangement involving Default Loss Guarantee (DLG/FLDG), if undertaken, shall strictly comply with RBI's DLG Guidelines including 5% cap, fixed DLG set, and mandatory Board approval.

Before entering into any outsourcing agreement, the Company shall undertake detailed due diligence of the service provider's competence, experience, financial soundness, governance practices, data handling protocols, cybersecurity framework, compliance history, human resource standards, and operational resilience.

The due diligence shall include verification of legal standing, reputation, regulatory track record, and the service provider's ability to meet business continuity expectations under adverse conditions. In cases involving LSPs, DLAs, tele-calling agencies or recovery partners, additional due diligence relating to behavioural conduct, customer interaction protocols, and adherence to RBI's Digital Lending Guidelines shall be undertaken.

Service providers lacking appropriate risk controls, data protection standards, or ethical safeguards shall not be engaged.

Every outsourcing arrangement shall be governed by a written, legally enforceable agreement clearly defining responsibilities, service standards, data protection obligations, confidentiality requirements, audit rights, termination rights, contingency provisions, indemnities, and compliance obligations.

Contracts shall firmly establish that the service provider acts under the direction and control of the Company, and that no element of the arrangement creates a principal–agent shift of regulatory obligations. All agreements shall explicitly restrict the service provider from subcontracting critical activities without the prior written consent of the Company.

The Company shall retain unrestricted right to audit the operations, systems, personnel and records of the service provider at any time.

Outsourced activities shall be continuously supervised to ensure performance in accordance with regulatory and contractual standards. The Company shall maintain oversight through MIS reporting, compliance reviews, surprise checks, call audits, data security validations, and risk-based monitoring.

For LSPs and DLAs, the Company shall ensure adherence to RBI's Digital Lending norms, including limitations on data collection, prohibition on direct customer charges, and restrictions on access to customer devices or contact lists.

The Company shall periodically evaluate the performance, conduct and compliance status of each service provider and shall take corrective action, including termination, if deviations are observed.

Where an outsourced service is customer-facing, the Company shall ensure that the service provider maintains the same high standards of fairness, courtesy, transparency and professionalism as are expected of the Company's own employees.

The Company shall ensure that outsourcing does not compromise grievance mechanisms, turnaround times, quality of communication, data confidentiality, or behavioural norms expected under the regulatory framework.

LSPs, recovery agents, tele-calling agencies and digital platforms acting on behalf of the Company shall be expressly bound to follow the Company's Fair Practices Code, Collection Policy, Digital Guidelines Policy and Privacy Policy. Under no circumstances shall any LSP, DLA or outsourced entity charge any fee, commission or amount to the customer. All charges to the customer shall only be levied directly by the Company.

Issuance of the Key Fact Statement (KFS), loan documents, and sanction letters shall remain the exclusive responsibility of the Company and shall not be delegated to any LSP or service provider.

No service provider, including any LSP, DLA, payment partner, technology vendor or outsourced agency, shall initiate or facilitate any automatic debit, e-mandate, UPI collect request, NACH mandate, or any other form of electronic payment instruction on behalf of the Company without the borrower's prior, explicit and verifiable consent, in full compliance with applicable RBI regulations.

All payment instructions must originate strictly through customer-authorised channels, and any deviation or attempt to initiate an unauthorised debit shall constitute a material breach of the outsourcing arrangement and may result in immediate termination, disciplinary action, and regulatory reporting where required.

All service providers handling sensitive information shall be bound by stringent confidentiality commitments aligned with the Information Technology Act, SPDI Rules, and RBI Digital Lending data governance framework.

Customer data shall not be misused, stored in unapproved locations, shared with unauthorised entities, or accessed for any purpose other than the execution of the outsourced task. The Company shall adopt continuous monitoring to ensure data integrity, cybersecurity readiness, and protection from breaches.

DLAs and LSPs shall not access customer mobile resources such as contact lists, media files, call logs or telecommunication details, except as permitted expressly by RBI for KYC with one-time explicit consent.

In the event of any data compromise, incident or breach, the service provider shall immediately notify the Company, and the Company shall take necessary remedial, reporting and containment actions.

The Company shall ensure that each service provider maintains an appropriate Business Continuity Plan (BCP) and Disaster Recovery (DR) capability. Outsourcing arrangements shall be structured to preserve continuity of critical services even in situations of operational disruption.

The Company shall maintain alternative arrangements or fallback options for critical outsourced activities to ensure that operations are not impaired and that customers do not suffer prejudice.

All outsourced activities shall remain fully accessible to the RBI for inspection, audit, supervision or enquiry. Service providers shall be contractually obligated to cooperate fully with the RBI and to make available all records, systems, and documents required by the regulator.

The Company shall disclose outsourcing arrangements in any regulatory return, compliance submission or supervisory process when mandated.

Customers shall not experience any dilution of rights or delays in grievance handling as a consequence of outsourcing. All customer grievances arising from outsourced functions shall be treated as grievances of the Company itself and processed in accordance with the Company's Grievance Redressal Mechanism. The Company shall ensure that outsourcing never becomes a barrier between the customer and the Company's obligation to redress complaints, provide transparency, or maintain service quality.

Internal Audit shall independently assess the risk, strength and adequacy of outsourced arrangements and shall report deviations or vulnerabilities to senior management and the Board.

The Company shall maintain complete documentation and audit trails for each outsourced activity, including due diligence records, agreements, compliance reports and monitoring outcomes.

This Policy shall be reviewed at least annually, or earlier if required by regulatory updates, supervisory observations, operational developments or changes in risk profile. Amendments shall take effect only upon approval by the Board of Directors.

The most recent version of this Policy shall be made available at the Company's Corporate Office at Noida and provided to relevant stakeholders and regulators upon request.