How We Keep Your Data Safe
At Finvastra, financial trust and data security are inseparable. When you share your name, mobile number, or financial details with us, you are trusting us with sensitive information. This page explains exactly how we protect it — and what you can do to stay safe when interacting with financial services online.
Encryption & Transmission Security
Our website operates exclusively over HTTPS. The HTTPS padlock visible in your browser confirms that:
- All data submitted through our forms is encrypted in transit using TLS 1.3 (or TLS 1.2 minimum for older browsers).
- Our SSL certificate is issued by a trusted Certificate Authority and renewed automatically before expiry.
- HTTP connections are automatically redirected to HTTPS — no unencrypted form submissions are possible.
- Strict Transport Security (HSTS) headers instruct your browser to always use HTTPS for our domain.
If you ever see a certificate error or “Not Secure” warning when visiting www.finvastra.com, do not submit any form. Report it immediately to security@finvastra.com.
What Data We Store — and How
Our website is hosted on GitHub Pages (Microsoft infrastructure). Our advisory operations use cloud-based CRM tools. Our data handling standards are as follows:
- Enquiry data (name, mobile, city, service) — stored in our CRM with role-based access controls. Retained for 3 years.
- CIBIL Check data (name, PAN, DOB) — transmitted directly to the TransUnion CIBIL API over encrypted channels. Not stored in our primary database beyond what is required for audit compliance.
- Analytics data — collected anonymously via Google Analytics (GTM). No personally identifiable information is sent to analytics systems without explicit consent.
- No passwords — our Platform does not have user accounts or login functionality. No passwords are ever stored.
- No payment data — we do not process or store any credit card, UPI, or banking credential information.
Regulatory Compliance
Our information security practices are aligned with the following Indian regulatory frameworks:
- Information Technology Act 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 — our security practices meet the “reasonable security practices” standard prescribed under Section 43A.
- Digital Personal Data Protection Act 2023 (DPDP Act) — data minimisation, purpose limitation, consent management, and data principal rights are implemented in accordance with the Act.
- CERT-In Guidelines — our incident response procedures are aligned with CERT-In cybersecurity directives, including reporting timelines for significant incidents.
- IRDAI Cybersecurity Guidelines — applicable to our insurance advisory operations.
- RBI Outsourcing Guidelines — our DSA loan facilitation operations comply with RBI guidelines on outsourcing and data handling by Direct Sales Agents.
Protecting Yourself Online
Always do
- Verify you are on www.finvastra.com (check the padlock)
- Contact us only through official numbers and emails listed on this site
- Report suspicious messages claiming to be from Finvastra
- Use our website to verify any call you receive from someone claiming to be a Finvastra advisor
- Accept cookies only if you understand and consent to our cookie policy
Never do
- Share OTPs with anyone claiming to be from Finvastra — we never ask for OTPs
- Transfer money to any “Finvastra” account without verifying the request via official channels
- Share your bank account password, net banking credentials, or full Aadhaar number
- Click links in unsolicited WhatsApp messages claiming loan approvals from Finvastra
- Submit forms on any domain other than www.finvastra.com
Our Team Security Practices
All Finvastra employees and advisors who handle customer data are subject to:
- Confidentiality agreements covering customer personal and financial information;
- Role-based access to CRM and customer data — advisors can only access the cases assigned to them;
- Prohibition on downloading, exporting, or sharing customer data outside of authorised advisory workflows;
- Immediate data access revocation upon termination of employment or advisory relationship;
- Annual security awareness training covering phishing, social engineering, and data handling best practices.
Third-Party Security
We carefully evaluate the security practices of third-party services integrated into our Platform:
- GitHub Pages — enterprise-grade infrastructure with SOC 2 Type II compliance.
- Google Analytics / GTM — data is anonymised; no personal identifiers are sent to Google Analytics without consent.
- TransUnion CIBIL API — industry-standard API with mutual TLS authentication; data transmitted only for CIBIL score retrieval with explicit user consent.
- WhatsApp Business API — end-to-end encrypted messaging; no sensitive financial data is shared over WhatsApp.
Data Breach Response
In the event of a data breach or security incident that may affect your personal data, we will:
- Identify and contain the breach within 6 hours of detection;
- Assess the nature and scope of the breach within 24 hours;
- Notify affected users as required by the DPDP Act 2023;
- Report significant incidents to CERT-In within the prescribed timeline;
- Take remediation steps and publish a summary of the incident and response on this page.
Vulnerability Disclosure
We welcome responsible security disclosures. If you discover a vulnerability in our Platform or services, please report it to us privately before disclosing it publicly. This allows us to investigate and remediate the issue to protect our users.
Responsible Disclosure Contact
Email: security@finvastra.com
Please include: a description of the vulnerability, reproduction steps, and any proof-of-concept (without exploiting it to access real user data).
We will acknowledge your report within 48 hours and provide a timeline for remediation. We ask for a minimum of 30 days to address the issue before public disclosure.
We do not offer a formal bug bounty programme at this time, but we genuinely appreciate responsible disclosures and will acknowledge your contribution if desired.
Contact for Security Concerns
For any security-related questions, concerns, or to report suspicious activity:
- Email: security@finvastra.com
- Phone: +91 92475 19004 (Mon–Sat, 9 AM–6 PM IST)
- Address: Unit 305, 3rd Floor, Imperial Towers, 7-1-617/A, Ameerpet, Hyderabad, Telangana 500038
Also see our Privacy Policy and Terms of Service for related information on data handling and user rights.