Privacy Policy

This Privacy Policy ("Policy") governs the processing of personal data by JMP NEXTGENPAY PRIVATE LIMITED (CIN: U62990GJ2025PTC000000), a company incorporated under the Companies Act, 2013 and having its registered office at 2nd Floor, 201, Devi Arcade, Ashwini Kumar Road, Modi Maholla, Surat, Gujarat – 395008 ("NextGenPay", "Company", "We", "Us"), through its website www.jmpnextgenpay.com, mobile applications and APIs (collectively, the "Platform").

By accessing or using the Platform, you (the "Data Principal") consent to the practices described in this Policy. If you do not agree, please do not use the Platform.

We collect only such personal data as is reasonably necessary to deliver the financial services that you, or the merchant you are transacting with, have requested.

• Identity data — full name, date of birth, gender, photograph, signature.
• Government IDs — Aadhaar number (only for OTP/biometric e-KYC under UIDAI regulations), PAN, Voter ID, Driving Licence, Passport.
• Contact data — postal address, mobile number, email address.
• Financial data — bank account number, IFSC, UPI VPA, card BIN, transaction history, wallet balances.
• Biometric data — fingerprint / iris template captured solely on STQC-certified devices for AePS authentication. Templates are never stored on our servers.
• Device & log data — IP address, device ID, OS version, app version, browser, geo-location at the time of transaction, error logs.
• KYC documents — proof of address, proof of business, GST certificate, shop & establishment licence (for agents).

Your data is processed only for the specific, lawful purposes notified to you at the time of collection, in accordance with Section 7 of the DPDP Act, 2023:

• Customer onboarding, KYC and re-KYC as required by RBI Master Direction on KYC, 2016 and PMLA, 2002.
• Processing payment, AePS, DMT, BBPS, recharge, travel & PAN service requests initiated by you.
• Detection and prevention of fraud, money-laundering and terror-financing.
• Compliance with statutory and regulatory obligations including responding to lawful requests from RBI, NPCI, UIDAI, FIU-IND, Income-Tax Department, GSTN and law-enforcement agencies.
• Customer support, grievance redressal and dispute resolution.
• Improving the Platform, security testing and product analytics (only on de-identified data).

We do not use your personal data for any purpose other than those listed above without your fresh, free, specific, informed and unambiguous consent.

We do not sell your personal data. We share it only with the parties listed below and strictly to the extent necessary:

• Sponsor banks, payment system providers, card networks (Visa, Mastercard, RuPay), NPCI, BBPCU, UIDAI and acquirer banks to execute your transactions.
• Statutory authorities — RBI, FIU-IND, Income-Tax Department, GSTN, courts, tribunals and law-enforcement agencies when legally compelled.
• Audit, KYC and risk-assessment vendors empanelled by RBI / SEBI / IRDAI, under written confidentiality and DPDP-aligned data processing agreements.
• Cloud infrastructure providers operating data centres located within the territory of India.

All payment system data is stored only in India in compliance with the RBI circular dated 06 April 2018 on Storage of Payment System Data. End-of-day backups are encrypted at rest using AES-256.

We retain personal data for the period mandated by applicable law — typically ten (10) years from the date of completion of the transaction (per Section 12, PMLA, 2002) — after which it is securely deleted or anonymised.

Under the DPDP Act, 2023 you have the right to:

• Access a summary of the personal data we process about you.
• Correct, complete or update inaccurate or misleading data.
• Erase personal data that is no longer required for the original purpose.
• Withdraw your consent at any time (without affecting the lawfulness of prior processing).
• Nominate another individual to exercise your rights in the event of your death or incapacity.
• Lodge a complaint with the Data Protection Board of India.

To exercise any of the above rights, please write to our Grievance Officer at grievance@jmpnextgenpay.com. We will respond within fifteen (15) working days.

We implement reasonable security practices as defined in Rule 8 of the SPDI Rules, 2011 and the RBI Master Direction on Digital Payment Security Controls, 2021, including: ISO/IEC 27001:2022 certified ISMS, PCI-DSS v4.0 Level-1 controls, mTLS-only APIs, HSM-backed key management, role-based access, 24×7 SOC monitoring and annual VAPT by a CERT-In empanelled auditor.

Any personal-data breach will be reported to the Data Protection Board of India and to affected Data Principals within seventy-two (72) hours of detection, as required by the DPDP Act, 2023, together with the nature, scope and mitigation measures taken. Cyber-security incidents are reported to CERT-In within six (6) hours as per the directions dated 28 April 2022.

The Platform is not intended for use by individuals below 18 years of age. We will not knowingly process personal data of a child without the verifiable consent of a parent or lawful guardian.

We may amend this Policy from time to time. Material changes will be notified through the Platform and / or by email at least seven (7) days before they take effect.

In accordance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the IT (Intermediary Guidelines & Digital Media Ethics Code) Rules, 2021, the contact details of our Grievance Officer are published on this website and on the Grievance Redressal page below.