Privacy Policy - Bankonia

Last updated: MAY 20, 2025.

Bankonia is a product of Laraware Private Limited (Narjoga Tower, D-262, Vibhutikhand, Gomtinagar, Lucknow, Uttar Pradesh – 226010) offering Bharat Bill Payment System (BBPS) and mobile recharge services. This Privacy Policy explains how we collect, use, disclose, and protect your personal and sensitive information when you use the Bankonia website and mobile app. It has been prepared to comply with Google Play Store requirements and applicable Indian laws and regulations (including the Information Technology Act, 2000 and its Rules, Aadhaar Act, RBI guidelines, NPCI BBPS standards, and the Digital Personal Data Protection Act, 2023). By using Bankonia’s services, you agree to this policy and to our collection and use of your information as described below.

Information We Collect:

During user onboarding and service use, Bankonia collects the following information in a step-by-step process:

Aadhaar Verification: We collect your 12-digit Aadhaar number and perform e-KYC (via UIDAI) using OTP or biometric authentication. We only transmit Aadhaar data to a licensed Authentication User Agency and do not store your Aadhaar number or biometric information beyond the verification process. All Aadhaar-related processing follows UIDAI and Aadhaar Act confidentiality and security requirements.
PAN Verification: We collect your Permanent Account Number (PAN) and related details (name, date of birth) to verify your identity with the Income Tax Department. The PAN is used for regulatory KYC compliance and fraud prevention. We may store a masked/encrypted copy of your PAN for record-keeping, as permitted by law.
Business Details: For agents or merchants, we collect business information such as entity name, type of business, address, GST number, and authorized representative details. This information is used for account creation, KYC, and regulatory reporting.
Bank Account Details: We collect your bank account information (account number, account holder name, bank name, IFSC) so that we can route payments, commissions, and refunds to your bank account. This sensitive financial information is stored securely and used only to facilitate transactions and verify bank details. (For example, our policies regard bank details as personal information that may include account holder, account number, and related data.)
Document Uploads: We require you to upload scans or photos of identity and address proofs (such as passport, driver’s license, voter ID, utility bill, etc.) as part of KYC. These documents are stored in encrypted form and used to verify your identity. You authorize us to verify any uploaded documents against government or third-party databases.
Video KYC: We perform a live video-based KYC session as per RBI guidelines. During this session, the app will record audio/video of you and your identity document. These recordings are transmitted to a secure KYC verifier and retained only as long as required for audit by regulators. Video KYC ensures face match with your documents. We do not use the video beyond identity verification.
Device and Usage Information: When you use the Bankonia app or website, we may collect technical information automatically, such as your device type, operating system version, IP address, browser or app usage logs, and geolocation (if enabled). For example, we collect data about how you use the app – pages/screens visited, timestamps, and location coordinates – to improve our services and detect fraud. Device identifiers and diagnostic information may also be collected for security and analytics.

All collected information falls under the definition of “personal data” or “personal/sensitive personal data” under Indian law, and we handle it with strict confidentiality and security.

Third-Party Services:

Bankonia uses trusted third-party service providers to process payments and other services. This includes:

Payment Gateways: We integrate with IDFC FIRST Bank and Razorpay to handle payments and settlements. When you make a bill payment or recharge, Bankonia shares only the necessary transaction details (such as your name, email, phone number, and payment amount) with these providers to process the payment. Razorpay and IDFC FIRST Bank have their own privacy and security practices. We rely on their PCI-DSS compliant systems for secure payment processing. (For example, Razorpay’s privacy policy confirms it uses reasonable security practices to protect your data.)
KYC/Verification Providers: For Aadhaar/PAN authentication and credit checks, we use government APIs and authorized KYC agencies. Your KYC data (Aadhaar, PAN, address proof) is shared only with regulators or licensed verification agencies under strict confidentiality.
Analytics and Hosting: We may use analytics services (e.g. Google Analytics/Firebase) to improve app performance and hosting services to store data. These providers may collect usage statistics as described in their policies.

We do not sell or rent your personal information to any third parties. Bankonia only shares user data with third parties as necessary to provide services, as described above, and only with parties that agree to keep the data secure and confidential.

Device Permissions

To enable app functionality, Bankonia may request the following device permissions (only with your consent):

Camera: Used for taking photos of documents or scanning QR codes, and for video KYC.
Microphone: Used during video KYC to record audio.
Contacts: Optional – to help select phone numbers for recharges or to share payment info. (The RBI prohibits broad access to contacts or call logs except for one-time KYC, and Bankonia uses contacts only if you grant permission to pick a number for recharge.)
Location (GPS): Optional – to show nearby billers or auto-fill address. This is used only if you enable location services.
SMS/Phone State: To optionally auto-read OTPs for authentication and to detect your mobile network. Bankonia will request SMS read permission only if necessary to streamline OTP entry (with your permission). Bankonia never stores your SMS messages or phone call logs. In line with RBI guidance, mobile resource access is limited and purpose-specific.
Storage: To save files (e.g. receipts, downloaded documents) on your device if requested.

These permissions are requested only to provide specific features and you can grant or deny them at runtime. For example, as one recharge service notes, apps may collect location, contacts, camera, photos, or device IDs to provide app features.

How We Use and Protect Your Data:

Use of Information: We use your personal data solely to operate and improve our services. Key uses include:
- Service Provision: To set up your account, perform KYC, and provide recharge and bill-payment services as requested.
- Transaction Processing: To execute recharges and bill payments, verify funds, and send transaction notifications. For instance, we use personal information to carry out your instructions for payments and to operate your account.
- Communications: To send you important updates (via email, SMS, or in-app notifications) about your transactions or changes in our services. We may also use your contact information to send transactional messages (e.g. payment receipts) and occasional promotional messages (only if you opt-in).
- Fraud Prevention & Security: To verify your identity, prevent unauthorized access, and monitor for suspicious activity. We use data analytics and security tools to detect fraud and maintain the integrity of our services.
- Legal Compliance: To comply with regulatory requirements (e.g., audit trails under RBI rules, maintaining KYC records as required) and to enforce our Terms of Service. For example, we use your data to comply with financial regulations and retention requirements.
Data Storage and Security: Bankonia stores user data on secure servers located in India, in compliance with RBI data localization requirements. We implement reasonable and industry-standard security measures (such as encryption, access controls, and secure audit trails) to protect your data against unauthorized access, disclosure, or alteration. Only authorized personnel have access to your personal data, and such access is logged and monitored. Despite our efforts, no internet transmission is completely secure; however, we strive to exceed industry-standard protections (for example, by following ISO 27001 guidelines and RBI’s IT security directives).
Data Sharing and Disclosure: Bankonia does not share your personal information for marketing. We only disclose personal data:
- To Law Enforcement or Regulators: If required by law or in response to a court order, government request, or regulatory requirement. Bankonia may share data with law enforcement or government agencies as mandated by statutes (e.g. FATF/CFT, income tax investigations).
- With Banking and Payment Partners: We share relevant information with IDFC FIRST Bank, Razorpay, and billers (via the BBPS network) as needed to process payments. These entities are authorized recipients under our service agreements and maintain confidentiality.
- With KYC/Verification Entities: We share your data with authorized KYC User Agencies and credit information bureaus for identity verification and fraud checks, as required by RBI’s KYC norms.
- In an Emergency: We may disclose information to protect your safety, property, or security, or to enforce our rights and prevent fraud.

In all cases, data sharing is limited to the minimum required and all third parties are contractually bound to protect your data. For example, our sharing practices mirror those of other providers who state they will disclose data only for legal processes or safety.

Your Rights and Controls:

Under Indian law (including the Digital Personal Data Protection Act, 2023) and our policies, you have the following rights regarding your personal data held by Bankonia:

Access & Rectification: You can request a copy of the personal data we hold about you and correct any inaccuracies.
Deletion/Erasure: Where permissible by law (e.g. after account closure and retention period), you can request deletion of your personal data.
Consent Withdrawal: You may withdraw consent for certain processing activities (subject to legal or contractual restrictions). For example, you can opt out of non-transactional marketing communications at any time.
Data Portability: You can request that your personal data be transferred to another service provider, if technically feasible.
Grievance: You have the right to lodge a complaint with Bankonia’s grievance officer (see below). Once notified, we will investigate and respond to your concern. Under the DPDP Act you also have the right to escalate unresolved privacy complaints to the Data Protection Board of India when it becomes operational.

To exercise any right, please contact us at info@bankonia.com with “Data Request” in the subject line. We will verify your identity and respond within the timeframes prescribed by law. We may require proof of identity to honor such requests.

Refund and Cancellation Policy (BBPS and Recharges):

Bankonia follows industry-standard cancellation and refund practices for bill payments and recharges:

Mobile Recharges: Once a recharge is successful, it cannot be canceled or reversed. In line with industry norms, if you recharge a wrong number or if the recharge fails due to a technical issue, you may request a refund. In such cases (incorrect number or technical failure), please contact our support immediately. We will investigate and, if the fault is on our platform, issue a refund to your original payment method promptly (usually within 1–2 business days).
Bill Payments (BBPS): Once a bill payment is completed through BBPS, it generally cannot be canceled or refunded. As NPCI’s procedural guidelines state, any refunds for bill payments must be handled by the biller outside the BBPS platform. If you encounter a situation where you paid the bill but the service provider did not update your account, we will liaise with the biller on your behalf. If the issue is confirmed to be on our end or a system error, we will ensure the biller processes a refund according to NPCI rules.

To request a refund or report a failed transaction, contact Bankonia support at info@bankonia.com with transaction details. We will acknowledge receipt of your request and respond as per our service standards. Please note that refunds will be processed only for verified legitimate cases and any refund will be credited via the original payment source.

Data Retention

Bankonia retains your personal data only as long as necessary to fulfill the purposes described above or as required by law. For example, financial transaction records and KYC documents are typically retained for a legally mandated period (generally at least 3–8 years as per RBI and IT Act requirements). After the retention period, personal data will be securely deleted or anonymized so it can no longer be associated with you. In line with the DPDP Act principles, we limit storage duration to what is strictly necessary for the purpose of collection. We follow the “reasonable security practices” mandated by the IT Act and SPDI Rules in India throughout this process.

Compliance with Laws and Standards:

Bankonia is committed to complying with all applicable Indian laws and industry standards governing privacy and data protection, including:

Information Technology Act, 2000: We adhere to the IT Act and the Rules thereunder (including the SPDI Rules 2011), which mandate reasonable security practices, breach reporting, and protection of sensitive personal data.
Aadhaar Act, 2016: Our Aadhaar usage complies with the Aadhaar Act and UIDAI regulations. We only use Aadhaar for authentication (e-KYC) and do not store the Aadhaar number or biometric data beyond what is permitted.
RBI Guidelines: We follow the Reserve Bank of India’s KYC and IT governance regulations. For instance, the RBI’s new IT Governance Master Direction (2023) and Digital Lending Directions require strong data security and customer protections. We also comply with RBI’s KYC norms for customer onboarding and retention of transaction records.
NPCI (BBPS) Standards: As a BBPS Operating Unit (BBPOU), we follow NPCI’s BBPS procedural guidelines. These rules enforce confidentiality of transactions and outline refund procedures. Bankonia has signed all required agreements (including NDAs) with NPCI and implements required controls.
Data Protection Act (DPDP Act, 2023): Although some provisions are not yet in force, we embrace the DPDP Act’s core principles: we collect and use personal data lawfully and transparently, limit collection to stated purposes, retain data only as long as necessary, ensure accuracy, and take safeguards against unauthorized processing.

By using Bankonia, you acknowledge that you have read and understood this policy and that Bankonia will handle your data as described herein. We regularly review and update our practices to remain in compliance with legal obligations.

Grievance Redressal:

If you have any questions, concerns, or complaints about Bankonia’s handling of your personal data, you may contact our Grievance Officer:

Email: nodal@bankonia.com
Phone: +91-8188949800

We will acknowledge and address your grievance promptly. If you are not satisfied with our response, you may escalate the matter to the appropriate regulatory authority (such as the CERT-In or the Data Protection Board of India, once constituted) as provided under applicable law.

Changes to this Policy:

Bankonia may update this Privacy Policy from time to time (for example, to reflect new legal requirements or changes in our services). We will post the revised policy on our website and app with a new “Last updated” date. We encourage you to review this page periodically. Your continued use of Bankonia after such updates constitutes your acceptance of the revised policy.

Contact Information: For any privacy-related questions or requests, please reach us at info@bankonia.com or call +91-8188949800. We strive to respond to all inquiries in a timely manner.