Privacy policy.

01Who we are

NxxtCard is a digital loan facilitation service operated by Heyx India Pvt. Ltd., a private limited company incorporated under the Companies Act, 2013, with its registered office at 1st Cross, Halasahalli Road, Varthur, Bengaluru — 560087, Karnataka, India. Throughout this document "NxxtCard", "we", "us" and "our" refer to Heyx India Pvt. Ltd.

We act as a marketing, technology and sourcing partner for Reserve Bank of India ("RBI") regulated banks, NBFCs and lending institutions. We do not ourselves lend money, hold deposits, or carry out credit underwriting. The final lender is always disclosed to you before you sign any loan document.

02Data we collect

To match you with the right lender and operate our platform we collect the following categories of information:

a. Information you give us directly

• Name, date of birth, gender, marital status and residential address
• Phone number, WhatsApp number, email address
• PAN, Aadhaar (last four digits only on this site; full Aadhaar handled via DigiLocker on the lender's side), GSTIN and other government identifiers required by lenders
• Employment, business or self-employment details — company name, designation, vintage, industry, monthly income / turnover
• Banking information — IFSC, account number, last six months of statements (you upload these; we transmit them to lenders)
• Loan amount requested, tenure, end-use and supporting documents

b. Information we collect automatically

• Device information — IP address, browser type and version, operating system, screen resolution
• Usage information — pages visited, links clicked, time spent, referring URL
• Cookies, local storage and similar technologies (see Section 5)

c. Information from third parties

• Credit information from Credit Information Companies ("CICs") such as CIBIL, Experian, Equifax and CRIF High Mark — pulled only with your explicit consent and only as a soft enquiry at the matching stage
• Bank statement analysis from RBI-licensed Account Aggregators where you have consented
• GSTN data via authorised gateways when you connect your GST account
• Information from referral partners (DSAs, CAs, channel partners) who introduced you to us

03How we use your data

We use the information described above only for the following purposes:

• Eligibility matching — to algorithmically determine which lenders are most likely to approve your application based on their declared appetite
• Application submission — to forward your file to lenders you have explicitly selected or consented to
• Service operations — to communicate status updates, request missing documents, schedule calls and provide customer support
• Fraud prevention & security — to detect, prevent and investigate fraud, money-laundering, identity theft and breaches
• Legal compliance — to meet our obligations under Indian law including the Information Technology Act 2000, RBI guidelines, and tax statutes
• Product improvement — to analyse aggregated, de-identified usage patterns and make our matching engine more accurate
• Marketing — to send product information you have opted in to receive; you can unsubscribe at any time

04Who we share data with

We share your information only with the following recipients, and only to the extent required:

• Lenders you select or consent to — banks, NBFCs and other RBI-regulated lending institutions that may sanction your loan. They become the data controller of any data you submit to them.
• Credit Information Companies — for soft and (after your written consent) hard credit enquiries
• Account Aggregators & KYC partners — licensed entities that fetch your bank statements, GST data and KYC documents at your request
• Service providers — cloud hosting (data resident in India), email/SMS gateways, analytics, customer support tools — all bound by written confidentiality and processing agreements
• Professional advisors — auditors, lawyers, chartered accountants under strict confidentiality
• Regulators & law enforcement — when required by law, court order or to enforce our Terms
• Successors — in the event of a merger, acquisition or sale of business, subject to the same protections described here

05Cookies & analytics

We use cookies and similar technologies to remember your preferences, keep you logged in, measure traffic, and improve your experience. You can disable cookies in your browser settings, but parts of the site (such as the application portal) may stop working as a result.

We use privacy-respecting analytics providers that do not build cross-site advertising profiles. We do not run third-party advertising tags on application pages.

06Data security

We follow industry-accepted security practices reasonable for the sensitivity of the data we handle:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption at rest for personally identifiable information and documents
• Role-based access control with mandatory two-factor authentication for staff accounts
• Quarterly vulnerability scans and annual third-party penetration tests
• Documented incident-response plan with mandatory regulator and user notification within statutory timelines

Despite these measures, no system on the internet is 100% secure. By using NxxtCard you acknowledge this inherent risk.

07Data retention

We retain your information only as long as is necessary for the purposes for which it was collected. Typical retention periods are:

• Active applications — until the loan is sanctioned, rejected or withdrawn, plus 90 days
• Sanctioned loans — for the tenure of the loan plus 8 years (statutory requirement for financial records)
• Marketing data — until you unsubscribe, then deleted within 30 days
• Analytics & logs — 24 months in identifiable form, after which they are aggregated

08Your rights

Subject to the Information Technology Act, 2000, the SPDI Rules 2011 and the Digital Personal Data Protection Act 2023, you have the right to:

• Access a copy of the personal information we hold about you
• Correct any information that is inaccurate or out of date
• Withdraw consent for any processing that was based on consent
• Request deletion of your information (subject to statutory retention requirements)
• Nominate another individual to exercise these rights on your behalf in the event of your death or incapacity
• Lodge a grievance with our Grievance Officer (details in Section 11) or with the Data Protection Board of India

To exercise these rights, write to hello@nxxtcard.com from the email address associated with your account. We respond within 30 days.

09Children

NxxtCard is intended for adults aged 18 or above engaged in business activities. We do not knowingly collect personal information from anyone under 18. If we learn we have inadvertently received such information, we will delete it immediately.

10Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to registered users via email or in-app banner at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version. Your continued use of NxxtCard after the effective date constitutes acceptance of the updated policy.

11Contact & grievance officer

For any question about this Privacy Policy, requests to exercise your rights, or to raise a grievance, please contact our Grievance Officer:

© 2026 Heyx India Pvt. Ltd. · All rights reserved.