Sitapur Basic Shikshak Vetan Bhogi Sahkari Rin Samiti Ltd. ("we", "us", "our", "the Society") is committed to protecting the privacy and personal data of our members and website visitors. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have regarding your data.
1. Scope
This policy applies to all personal data processed by us through our website at https://apnisuno.com, our mobile-web application, and at our physical office. By using our services, you consent to the practices described below.
2. Information We Collect
2.1 Personal Identification Data
- Full name, father's/spouse's name, date of birth, gender
- Permanent and local addresses
- Mobile number, email address
- Aadhaar number (for KYC), PAN number
- Photograph
- EHRMS Code (verified via Manav Sampada portal)
2.2 Employment & Financial Data
- Designation, department, branch affiliation
- Joining date, retirement date
- Basic salary, DA, HRA, deductions, net salary
- Bank account details (for salary transfer and loan disbursement)
- Salary slips and bank statements
- Loan history and repayment records
2.3 Technical Data
- IP address, browser type, device type
- Login timestamps, session data, audit logs
- Biometric credentials (if enabled — stored as cryptographic keys, not fingerprint images)
3. How We Use Your Information
We use your personal data strictly for the following legitimate purposes:
- Membership processing: verifying eligibility, issuing Member ID
- Account management: maintaining savings, FD, RD, and loan accounts
- Loan evaluation: assessing repayment capacity and creditworthiness
- Compliance: meeting statutory obligations under the UP Co-operative Societies Act and Income Tax Act
- Communication: sending account statements, EMI reminders, notifications, and updates
- Security: preventing fraud, unauthorized access, and maintaining audit trails
- Service improvement: analyzing usage patterns (in aggregated form) to improve features
4. Legal Basis (DPDP Act Section 7)
We process your data based on:
- Your consent (given at the time of membership registration)
- Legitimate use for the purpose for which you have voluntarily provided data
- Compliance with law (e.g., maintaining records under the Co-operative Societies Act)
5. Who We Share Your Data With
We do not sell your personal data. We share it only with:
- Authorized administrators within our Society (Secretary, Managing Director, Treasurer) for operational purposes
- Government-approved auditors during our mandatory annual audit
- Regulatory authorities when legally required (UP Cooperative Societies Registrar, Income Tax, law enforcement under valid orders)
- Service providers under a confidentiality agreement:
  - Hosting provider (for storing data securely)
  - SMS/Email gateway (for sending OTPs and notifications)
  - Payment gateway (for processing member payments)
We never share data with advertisers, data brokers, or unrelated commercial entities.
6. Data Security
We implement industry-standard security measures:
- All passwords are hashed using bcrypt (never stored in plain text)
- All communications are over HTTPS (TLS 1.2+)
- Session cookies are set with the HttpOnly and SameSite=Lax attributes
- CSRF tokens protect all state-changing actions
- Database access is restricted by role-based permissions
- Every sensitive action is logged in an immutable audit trail
- Biometric data never leaves your device (only public-key cryptographic credentials are stored)
- OTPs expire within 5 minutes and are single-use
- Sensitive folders are protected from direct web access
7. Data Retention
We retain your personal data only as long as necessary:
- Active membership: as long as you are a member
- After membership ends: 7 years (statutory requirement for financial records)
- Audit logs: 10 years
- Session data: 2 hours after logout
- OTP records: auto-deleted after 5 minutes or use
8. Your Rights (DPDP Act Chapter III)
As a data principal, you have the following rights:
- Right to access: view all personal data we hold about you (available in your dashboard)
- Right to correction: update inaccurate or outdated information
- Right to erasure: request deletion of data no longer needed (subject to statutory retention)
- Right to grievance redressal: contact our Data Protection Officer (DPO)
- Right to nominate: authorize someone to exercise your rights in case of death or incapacity
- Right to withdraw consent: at any time, though this may affect service availability
To exercise any of these rights, email ecsbstp@gmail.com with subject line "Privacy Request". We respond within 30 days.
9. Cookies & Tracking
We use only essential cookies:
- Session cookies (required for login)
- CSRF protection cookies (security)
- Language preference cookies (remembers your English/Hindi choice)
- Theme preference (dark/light mode, stored in browser's local storage)
We do not use third-party tracking cookies, advertising pixels, or analytics that identify individual users.
10. Children's Data
Our services are exclusively for salary-drawing adult employees. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a minor, please contact us immediately.
11. Changes to This Policy
We may update this policy to reflect changes in law or our practices. Any material changes will be notified via email and prominently displayed on our website for 30 days before taking effect.
12. Grievance Officer
In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023:
Grievance Officer & Data Protection Officer:
The Secretary, Sitapur Basic Shikshak Vetan Bhogi Sahkari Rin Samiti Ltd.
Email: ecsbstp@gmail.com
Phone: +91-9648213061
Address: 39, Holinagar, Janpad Sitapur, UP - 261001
Complaints are acknowledged within 24 hours and resolved within 15 working days. Unresolved complaints can be escalated to the Data Protection Board of India.
13. Contact
For any questions about this policy, contact us at ecsbstp@gmail.com or visit our contact page.