Privacy Policy
How Zantras collects, processes, retains, and protects personal data — including biometric data and identity documents — under the Digital Personal Data Protection Act, 2023, and applicable Indian law.
1.Introduction#
This Privacy Policy ("Policy") describes how SIMAYU SOLUTIONS PRIVATE LIMITED, an Indian private limited company having its registered office in India and operating under the brand name "Zantras" ("Zantras", "we", "us", "our"), collects, processes, retains, discloses, and protects personal data through the websites zantras.com, api.zantras.com, app.zantras.com, enterprise.zantras.com, and hub.zantras.com and the application-programming interfaces, software development kits, and hosted user-flows made available thereunder (collectively, the "Platform").
Zantras provides business-to-business identity-verification services to enterprise customers — including banks, non-banking financial companies, insurers, payment service providers, and telecommunications operators (each, a "Merchant"). The Merchant's end-customers ("Data Principals") interact with Zantras only through hosted flows invoked by the Merchant.
This Policy is published in accordance with the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules 2021").
2.Our Role: Processor or Fiduciary?#
Our obligations under the DPDPA depend on the context in which we handle your personal data:
- Data Processor — When we process personal data of a Merchant's end-customer (a Data Principal) on behalf of and under the documented instructions of that Merchant, the Merchant is the Data Fiduciary and Zantras is the Data Processor. The Merchant is responsible for the lawful basis (notice and consent) on which that data is collected. Our processing terms are governed by the Data Processing Agreement.
- Data Fiduciary — When we process personal data of Merchant employees, prospective Merchants, website visitors, job applicants, or other individuals interacting directly with us, Zantras is the Data Fiduciary and this Policy describes the lawful basis, purposes, and retention applicable to that processing.
3.Personal Data We Collect#
The categories of personal data we collect depend on how you interact with the Platform.
3.1From Data Principals (via Merchants)#
- Facial biometric data — video frames captured by AWS Rekognition Face Liveness (challenge-response) and reference photographs uploaded by the Merchant for 1:1 face comparison.
- Identity-document images and extracted fields — Aadhaar (front/back), PAN card, and driving licence images uploaded by the Merchant for optical character recognition (OCR), and the fields extracted therefrom: name, Aadhaar number (masked by default as
XXXX XXXX 1234), PAN number, date of birth, gender, address, pincode, father's name (PAN), and licence number. - Session metadata — session identifier, Merchant identifier, device fingerprint, IP address, timestamps, liveness score, face-match score, and pass/fail outcome.
3.2From Merchant Users and Website Visitors#
- Account data — name, business email, designation, company name, GST and CIN, billing address, payment instrument metadata (we do not store full card numbers).
- Usage data — API calls, request/response metadata (excluding identity-document payloads, which are not logged), dashboard activity, support tickets.
- Website data — IP, user-agent, referrer, page-view events, cookie identifiers (see Cookie Policy).
4.Aadhaar — Important Boundary#
By default, all Aadhaar numbers returned by the OCR endpoint are masked as XXXX XXXX 1234. Unmasked Aadhaar numbers may be returned only to Merchants that have a documented lawful basis under the Aadhaar Act and have explicitly opted in under their service agreement.
5.Purposes of Processing#
We process personal data only for the following purposes:
- Identity verification & liveness detection — performing the verification requested by the Merchant.
- KYC document OCR — extracting fields from identity documents uploaded by the Merchant.
- Fraud prevention — detecting replay attacks, deep-fakes, and stolen-credential reuse.
- API metering & billing — calculating Merchant usage and issuing invoices.
- Security monitoring & audit — investigating incidents and maintaining audit trails required by law.
- Service operation — running and improving the Platform, including capacity planning and reliability engineering.
- Legal compliance — responding to lawful requests from regulators, courts, or law-enforcement agencies.
We do not sell personal data, do not use identity data for advertising, and do not share identity data with any third party other than the sub-processors listed in Section 9.
6.Lawful Basis#
Our lawful basis for processing depends on the data category:
- For Data Principal identity data — processing on behalf of the Merchant under Section 7(b) of the DPDPA, on the consent obtained by the Merchant under Section 6.
- For Merchant account & billing data — contract performance with the Merchant and legal obligation (tax, accounting).
- For website analytics & non-essential cookies — consent obtained via our cookie banner.
- For security logs — legitimate uses under Section 7(f) of the DPDPA.
7.Where Your Data Is Processed#
Zantras processes and stores personal data entirely within India:
- All compute (AWS Lambda) runs in the
ap-south-1(Mumbai) region. - All object storage (Amazon S3) buckets used for identity documents are pinned to
ap-south-1; cross-region replication is disabled. - Session metadata (Amazon DynamoDB) is stored in
ap-south-1. - Access logs (Amazon CloudWatch) are retained in
ap-south-1.
8.How Long We Keep Your Data#
We retain personal data only for as long as necessary for the purpose for which it was collected, then we delete or anonymise it. The table below sets out the standard retention schedule.
| Data category | Retention period | Basis |
|---|---|---|
| Liveness video frames | 90 days from session completion | Operational minimum |
| Face-match reference photos | 90 days from comparison | Operational minimum |
| Aadhaar / PAN / DL document images | 180 days, then automatic deletion | Merchant audit period |
| Extracted OCR fields | 180 days, then automatic deletion | Merchant audit period |
| Session metadata (no biometrics) | 2 years | Fraud-risk audit |
| API access logs (no PII payloads) | 180 days hot, 1 year cold archive | CERT-In Directions, April 2022 |
| Billing & invoicing records | 8 years | Income Tax Act §44AA, GST Act §36 |
| Merchant contracts | 7 years after termination | Limitation Act, 1963 |
9.Sub-processors#
We engage the sub-processors listed below to deliver the Platform. The current authoritative list is published at zantras.com/legal/sub-processors.
| Sub-processor | Purpose | Region | Data category |
|---|---|---|---|
| Amazon Web Services India Pvt Ltd | Lambda, S3, DynamoDB, CloudWatch, SQS, KMS | ap-south-1 (Mumbai) | All categories |
| AWS Rekognition | Face Liveness, CompareFaces | ap-south-1 | Facial biometric data |
| AWS Textract | Aadhaar / PAN / DL OCR | ap-south-1 | Identity-document images |
| AWS SES | Transactional email delivery | ap-south-1 | Email address only |
We notify Merchants of any addition or replacement of a sub-processor at least 30 days in advance. Merchants may object to a change as set out in the Data Processing Agreement.
10.Your Rights as a Data Principal#
Under Sections 11 to 14 of the DPDPA, every Data Principal has the rights set out below. Where Zantras processes your data on behalf of a Merchant, please address your request to that Merchant first; we will assist them in responding.
| Right | How to exercise | Response time |
|---|---|---|
| Access — confirmation and summary of your personal data | Email grievance@zantras.com from the address on record, with proof of identity | Within 30 days |
| Correction — correct inaccurate or incomplete data | Same as Access | Within 30 days |
| Erasure — delete personal data no longer needed | Same as Access | Within 30 days (subject to legal retention) |
| Grievance redressal — readily-available means to register a grievance | See Grievance Redressal Policy | Acknowledged in 24h; resolved in 15 days |
| Nominate — nominate another individual to exercise rights on your behalf | Email grievance@zantras.com | Effective on acceptance |
11.Automated Decisions#
The liveness score and face-match score returned by the Platform are produced by AWS Rekognition machine-learning models. Zantras does not make the final business decision to accept or reject any end-customer; the Merchant alone decides how to act on the score, in line with the Merchant's own underwriting or compliance policy.
12.Children's Data#
Zantras does not knowingly direct the Platform at individuals under the age of 18. Where a Merchant submits a minor's identity document or facial image, the Merchant warrants that it has obtained Verifiable Parental Consent under Section 9 of the DPDPA. We do not perform behavioural tracking, targeted advertising, or profiling on data relating to children.
13.Security#
We protect personal data using a defence-in-depth program aligned with SPDI Rule 8 and ISO/IEC 27001 control objectives:
- TLS 1.2 or higher for data in transit; AES-256 (S3 SSE-KMS) for data at rest.
- AWS IAM least-privilege roles, MFA enforced on all administrative access, quarterly access review.
- Annual third-party penetration test (VAPT); continuous vulnerability scanning.
- NTP synchronisation to NIC / NPL India time sources (CERT-In Directions, Section III).
- 180-day retention of ICT system logs within India (CERT-In Directions, Section IV).
- Incident-response plan with 6-hour CERT-In reporting and 24-hour Merchant notification.
14.Contact#
For any privacy question or to exercise any right described in Section 10, please contact our Grievance Officer:
- Email: grievance@zantras.com
- Postal address: SIMAYU SOLUTIONS PRIVATE LIMITED, India (full address published at zantras.com/legal/grievance-redressal)
For data-protection matters that require escalation beyond our Grievance Officer, you may contact our Data Protection Officer at dpo@zantras.com or file a complaint directly with the Data Protection Board of India.
15.Changes to this Policy#
We may update this Policy from time to time. Material changes — changes that affect your rights or the scope of processing — will be notified by email to registered Merchants and by an in-product banner at least 30 days before they take effect. Editorial changes (typography, links) are recorded in the changelog below without prior notice.
16.Changelog#
- v1.0 — 5 June 2026. Initial publication.