Smart Agent — Privacy Policy

1 Scope & Acceptance

This Privacy Policy ("Policy") is published by Apna Infotech ("Company," "we," "us," or "our") and governs the collection, processing, storage, and protection of personal and operational data in connection with the Smart Agent application ("App"), website ("Web"), and all related services (collectively, the "Service").

By accessing, registering for, or using the Service in any manner, you ("User," "Agent," or "Subscriber") confirm that you have read, fully understood, and agreed to the practices described in this Policy. If you do not agree with any part of this Policy, you must immediately discontinue use of the Service.

2 Information We Collect

We collect the minimum information necessary to provide, maintain, and improve the Service. The categories of information we may collect are:

A. Account Information

• Full name, email address, and mobile phone number provided during registration
• Account login credentials (passwords are stored in encrypted/hashed form and never in plain text)
• Subscription plan details and billing history

B. User-Entered Business Data

• Client names, mobile numbers, addresses, and identification details that you enter into the CRM
• Insurance policy details including policy numbers, insurer names, premiums, and expiry dates
• Commission rates and financial records entered by you
• Client documents uploaded by you (policy copies, ID proofs, RC documents, etc.)

C. Vehicle & Public Data

• RC (Registration Certificate) details and challan records retrieved on your request from publicly available government databases such as Parivahan and e-Challan portals
• This is public government data that you request for business purposes — we do not collect or store it independently

D. Technical & Operational Data

• Basic server-side operational logs necessary for maintaining system security, diagnosing errors, and preventing abuse
• Device type and browser/app version for technical compatibility purposes
• IP address for session security and fraud prevention only

3 How We Use Your Information

All information collected through the Service is used exclusively for the following purposes:

• Service Delivery: To provide, operate, and maintain all features and functionalities of the Smart Agent platform
• Account Management: To create, manage, authenticate, and secure your account
• Renewal Reminders: To send policy renewal alerts to you via the platform as configured by you — we do not use your contact information for unsolicited marketing communications
• Customer Support: To respond to your support requests, troubleshoot technical issues, and resolve disputes
• Service Improvement: To anonymize and aggregate non-personally identifiable usage data for internal product development and feature improvement only
• Legal Compliance: To comply with applicable Indian laws, court orders, or valid government requests where mandatory
• Security & Fraud Prevention: To monitor for suspicious activity, prevent unauthorized access, and protect the integrity of the Service

4 Data Sharing — Our No-Share Promise

Your data — and your clients' data — belongs to you. We act as a custodian of that data on your behalf, using it solely to power the tools you use. The moment you stop using Smart Agent, your data is no longer active in our systems, and can be deleted upon request.

Below is a complete summary of all data sharing scenarios and our position on each:

5 Payment Processing

Subscription payments for the Smart Agent platform are processed securely by PhonePe Pvt Ltd, a licensed payment aggregator regulated by the Reserve Bank of India (RBI). Regarding payment data:

• When you make a payment, your payment details (UPI ID, card number, bank information) are transmitted directly and securely to PhonePe's encrypted payment gateway
• Apna Infotech does not receive, store, or have access to your full payment credentials at any point in the transaction
• We receive only a transaction confirmation (success/failure) and your subscription record update from PhonePe — no payment instrument details are retained by us
• All payment data is handled exclusively in accordance with PhonePe's own Privacy Policy, available at: www.phonepe.com/privacy-policy/
• Your name and registered email/mobile may be shared with PhonePe only as required to identify and authenticate the payment transaction

6 Cookies & Tracking Technologies

We may use minimal, strictly necessary session tokens to maintain your authenticated login state for the duration of your session. These session identifiers:

• Exist only for the duration of your active session and expire upon logout or inactivity
• Are never used for tracking, profiling, advertising, or analytics purposes
• Are not accessible to any third-party system or tool
• Do not collect any personally identifiable information beyond verifying your authenticated session

7 Usage Monitoring & Analytics

The only operational data we collect beyond what you actively enter are:

• Server-side error logs: Technical logs generated when the system encounters an error or exception, used exclusively for debugging and maintaining service stability
• Authentication logs: Records of login attempts (successful and failed) retained for a limited period for account security monitoring and fraud prevention
• System performance metrics: Aggregated, non-identifiable server performance data to ensure uptime and response quality

None of these operational logs are shared with third parties, used for profiling, or connected to your individual identity for any purpose other than service security and stability.

8 Data Storage & Security

We take the security of your data seriously and implement commercially reasonable, industry-standard technical and organizational measures to protect it from unauthorized access, disclosure, alteration, or destruction:

• Encrypted Storage: All sensitive data like password stored in our systems is encrypted
• Secure Transmission: All data transmitted between your device and our servers is protected by HTTPS/TLS encryption
• Password Hashing: Account passwords are stored using one-way cryptographic hashing and are never stored or accessible in plain text — not even to our team
• Access Controls: Access to production data is restricted to authorized personnel on a strict need-to-know basis, with role-based access controls enforced
• Secure Cloud Infrastructure: The Service is hosted on professionally managed, secure cloud infrastructure with regular security reviews and updates

9 Data Retention & Deletion

We retain your data only for as long as is necessary to provide the Service or as required by applicable Indian law:

• Active Account: All data associated with your account is retained for the duration of your active subscription and any subsequent grace period
• Account Deletion: Upon your request to delete your account, we will remove your actively accessible data from our production systems within a reasonable processing period, typically within 30 days of the confirmed deletion request
• Legal Retention Obligations: Certain transactional, billing, and identity data may be retained for longer periods where required by Indian tax laws, financial regulations, or other applicable legal obligations — even after account deletion
• Backup Systems: Deleted data may persist in encrypted backup archives for a limited technical recovery period before being permanently purged. Data in backup archives is not accessible or usable by the Company during this period
• Irrecoverability: Once data has been permanently deleted from both active systems and backup archives, it cannot be recovered. We recommend exporting any data you may need before requesting account deletion

10 External Government Data (RC & Challan)

The Service provides the ability to fetch publicly available vehicle registration (RC) details and challan (traffic violation) information from data provider(External API), on your request and for your business use. Regarding this external data:

• This information is sourced from publicly accessible systems. The Company does not independently create, modify, or certify this data
• The accuracy, completeness, currency, and availability of data is entirely outside the Company's control. Databases may have outdated records, processing delays, or data gaps
• Results of RC or Challan checks performed through Smart Agent must be independently verified through official government portals before being relied upon for any legal, insurance, regulatory, or professional decision
• The Company is not responsible for any consequence — including claim disputes, policy errors, regulatory actions, or financial loss — arising from reliance on data retrieved through the Service without independent verification

11 Your Rights & Controls

As a user of Smart Agent, you have the following rights with respect to your personal data, subject to applicable Indian law including the Digital Personal Data Protection (DPDP) Act 2023:

• Right of Access: You may request a summary of the personal data we hold about your account at any time by contacting us
• Right to Correction: You may update or correct most of your account information directly through the platform settings. For corrections requiring Company assistance, contact our support team
• Right to Deletion: You may request deletion of your account and associated data, subject to the retention obligations described in Section 9
• Right to Data Portability: You may request an export of your account data in a structured format before deleting your account
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time. Note that withdrawal of consent may affect your ability to use certain features of the Service
• Right to Grievance Redressal: You have the right to raise a privacy complaint with us and receive a response within a reasonable timeframe

12 User Responsibilities

While we are committed to protecting the data within our systems, you have your own privacy and data responsibilities as an operator of the Service:

• Client Consent: You must obtain, document, and maintain explicit consent from each of your clients before entering, storing, or processing their personal information in Smart Agent. The Company bears no liability for any privacy breach, regulatory action, or legal dispute arising from your failure to obtain adequate client consent
• Data Accuracy: You are solely responsible for the accuracy and legality of all data you enter into the Service. The Company does not verify client data you input
• Credential Security: Maintain strong, unique passwords for your Smart Agent account. Do not share your login credentials with unauthorized individuals. You are accountable for all activity that occurs under your account
• Data Verification: Independently verify all government-sourced data (RC, Challan) before using it for professional purposes
• DPDP Compliance: Ensure your use of the Service complies with the Digital Personal Data Protection Act 2023 and all applicable data protection regulations relevant to your professional activities
• Device Security: Secure the devices used to access Smart Agent with appropriate passwords, screen locks, and updated security software
• Data Backup: Maintain your own periodic backups of critical data. While we implement data protection measures, the Company is not responsible for data loss resulting from events outside our reasonable control

13 Children's Privacy

The Smart Agent Service is designed exclusively for adult insurance professionals and is not intended for use by individuals under the age of 18. We do not knowingly collect, solicit, or process personal data from children under the age of 18.

If we become aware that we have inadvertently collected personal information from a minor without appropriate parental or guardian consent, we will take immediate steps to delete that information from our systems. If you believe we may have collected information from or about a minor, please contact us immediately at info@apnainfotech.com.

14 Legal Compliance & Mandatory Disclosure

Notwithstanding our no-share commitment, Apna Infotech may be required to disclose certain information in the following strictly limited circumstances:

• Valid Legal Order: In response to a valid court order, warrant, subpoena, or binding directive from a competent Indian judicial authority
• Government Authority Request: In response to a lawful request from an authorized Indian government agency, regulatory body, or law enforcement authority with proper jurisdiction
• Legal Rights Protection: Where disclosure is necessary to protect and enforce the Company's legal rights, to prevent fraud, or to respond to a security threat that cannot otherwise be addressed

15 Force Majeure & Security Incidents

Despite implementing robust security measures, the Company is not liable for data loss, unauthorized access, or service interruption resulting from events beyond our reasonable control, including:

• Sophisticated cyberattacks, ransomware, distributed denial-of-service (DDoS) attacks, or zero-day exploits targeting our infrastructure
• Natural disasters, floods, earthquakes, fires, or other acts of God affecting data center operations
• Failures or outages of cloud infrastructure, internet service providers, or telecommunications networks operated by third parties
• Power outages, hardware failures, or other technical events outside the Company's operational control
• Government-ordered shutdowns, sanctions, or regulatory actions affecting platform availability
• Pandemics, epidemics, or public health emergencies impacting Company operations

In the event of a security incident that has materially affected your data, we will make commercially reasonable efforts to notify you through your registered contact details in a timely manner, consistent with our legal obligations.

16 Limitation of Liability

To the maximum extent permitted by applicable Indian law, the Company's liability in connection with any privacy or data-related matter shall be subject to the limitations set forth in our Terms and Conditions. Specifically, the Company shall not be liable for:

• Loss, corruption, or unauthorized access to data resulting from the User's failure to maintain adequate credential or device security
• Privacy breaches arising from your failure to obtain proper client consent before storing their data in the Service
• Consequences arising from reliance on inaccurate or outdated government data retrieved through the Service
• Data loss resulting from force majeure events as described in Section 15
• Any regulatory penalty, fine, or disciplinary action arising from your personal data handling practices in connection with the Service
• Indirect, consequential, incidental, or punitive damages of any kind arising from a data or privacy incident

In all cases, the Company's maximum aggregate liability for privacy-related claims shall not exceed the total subscription fees paid by you in the three (3) months preceding the relevant claim.

17 User Indemnification

You agree to defend, indemnify, and hold harmless Apna Infotech, its directors, officers, employees, and agents from and against any and all claims, liabilities, damages, penalties, fines, legal costs, and expenses arising out of or in connection with:

• Your failure to obtain, maintain, or document proper consent from your clients for digital storage and processing of their personal data
• Incorrect, fraudulent, or unauthorized data uploaded or entered by you into the Service
• Any privacy complaint, regulatory investigation, or legal action initiated by your clients or any third party against the Company in connection with your professional activities
• Your non-compliance with the Digital Personal Data Protection Act 2023 or any other applicable data protection regulation
• Your use of the Service in violation of this Policy, the Terms and Conditions, or any applicable law

18 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable laws, or the features of the Service. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this Policy
• Make the updated Policy accessible at this URL
• Where changes are material, make reasonable efforts to notify active users through their registered email address or through a notice within the platform

19 Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of India, including but not limited to the Information Technology Act 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and the Digital Personal Data Protection (DPDP) Act 2023.

Any dispute arising from or in connection with this Policy shall be subject to the dispute resolution process set forth in our Terms and Conditions, with proceedings conducted in Nokha, Bikaner, Rajasthan, India.

20 Contact Us

For any questions, concerns, data requests, or complaints relating to this Privacy Policy or your data within Smart Agent, please contact our designated Privacy Point of Contact: