Understanding Personally Identifiable Information (PII)

Personally Identifiable Information refers to any data that can be used to identify a natural person, either on its own or in conjunction with other accessible information. This encompasses names, contact details, government-issued IDs, tax information, and any other information relating to customers, employees, consultants, or vendors. As an organization, we also recognize the sensitivities associated with data governed by international regulations like the GDPR and commit to processing such data with due care and compliance.

Collection and Use of Personal and Business Data

Finnoto collects only the data that is necessary for legitimate business operations. This typically occurs when users create an account, sign up for an event, or interact with our services. Data collected includes basic details like name, contact number, and address, as well as identity documents such as PAN or Aadhar. In the context of employment or engagement, we may also retain employment agreements, performance records, and other related documentation. Additionally, when using FSPL‘s digital assets, certain monitoring data may be captured to ensure security and compliance.

As part of our service delivery, we also collect and process client business data such as order information, payment records, invoice details, and settlement data. All such business-critical data is handled with the same degree of care and is subject to the same principles of privacy, integrity, and security outlined in this policy. This includes secure storage, role-based access, consent-driven sharing, and rigorous processing controls in accordance with our ISO 27001:2022 and SOC 2 Type II certified frameworks.

The personal and business information we collect is used solely to facilitate and enhance our services, maintain contractual obligations, fulfill payroll and administrative functions, ensure legal compliance (such as with health, safety, or immigration laws), and strengthen our IT and cybersecurity infrastructure. Every piece of data we handle serves an agreed business purpose, and any additional processing is undertaken only after receiving informed consent from the individual or client concerned.

Our internal systems incorporate validation mechanisms to ensure accuracy and completeness of data, supported by role-based access controls and audit logs. System-generated outputs, like invoices or reports, are reviewed and verified before dissemination. Access is restricted and closely monitored, ensuring that only authorized personnel can view or handle specific categories of information.

Data Storage and Protection Measures

Customer data is securely hosted on Amazon Web Services (AWS) in India, utilizing regions such as Mumbai and Hyderabad. Our infrastructure is designed for redundancy and disaster recovery, with all sensitive information encrypted both at rest and in transit. Encryption keys are managed through AWS Key Management Service (KMS), and data access is logically partitioned per customer.

To further protect this information, we implement rigorous access control protocols, disabling employee access to production systems by default and enabling it only through a tightly governed approval process. Customer data is not stored on any local devices or endpoints; instead, it remains securely housed within our cloud environment. Monitoring tools like AWS Sentry, CloudWatch, and Oh Dear allow real-time visibility and rapid incident response, with alerts directed to key personnel through multiple channels.

As a SOC 2 Type II certified organization, Finnoto follows comprehensive controls to ensure data confidentiality, privacy, and processing integrity. This includes continuous monitoring, periodic audits, and risk assessments to safeguard all sensitive data throughout its lifecycle.

Sharing and Disclosure of Information

Finnoto has a clear and strict policy: we do not sell or share personal information for profit. However, there are situations where disclosure may be required, such as compliance with legal mandates or regulatory inquiries. In such cases, disclosures are conducted transparently, and wherever feasible, individuals are informed about the nature and purpose of such disclosures.

Data may also be shared with affiliates, service providers, or business partners who are contractually bound to process data only on our behalf, under stringent privacy and security clauses. In scenarios where disclosures are based on customer consent, we ensure that such consent is explicit and purpose-specific. All disclosures are documented in our Personal Information Disclosure Log, and only designated roles within our organization's—such as the CEO, CTO, CISO, or Legal Counsel—are authorized to approve such disclosures.

Data Retention and Disposal

Finnoto retains data only for as long as it is necessary to fulfill the business purposes or to comply with legal, contractual, or operational requirements. Once data is no longer needed, we anonymize or securely dispose of it in accordance with legal standards. In the case of former employees or contractors, some data may be preserved for legitimate business purposes, such as references or benefit claims.

We also maintain archival records of transactions, ensuring long-term access while keeping them encrypted and under strict access controls. Our disposal practices are aligned with both data protection regulations and our internal record retention policies.

Security Practices and Employee Accountability

Our information security framework is aligned with ISO 27001:2022 and validated through our SOC 2 Type II certification. We implement strong technical safeguards, conduct regular vulnerability assessments, and maintain a culture of security awareness throughout the organization. Access to production systems is logged and audited, while intrusion detection and vulnerability scanning are regularly conducted. Employees undergo mandatory security training upon joining and receive regular refreshers thereafter.

Accountability is core to our culture. Employees are expected to follow best practices in handling sensitive data, such as adhering to a clean desk policy and reporting any suspicious activity or policy violations promptly. Despite our efforts, we acknowledge that the internet is not entirely secure, and we encourage users to maintain the confidentiality of their credentials and use secured systems.

Your Rights and Contact Information

Finnoto offers individuals the ability to access, rectify, delete, or request portability of their personal data. You may also opt out of receiving marketing communications at any time. Requests can be directed to security@finnoto.com and will be handled in a timely and transparent manner. In some cases, residual copies may be retained to comply with legal or backup requirements.

In the event of a data breach, we follow a well-defined notification protocol that includes informing affected individuals, regulators, and business partners, depending on the severity and applicable regulations. If you have any concerns about your personal data, please contact our Global Privacy Office or the Grievance Officer in India at +91-7506390511 or via grievance@finnoto.com.