1. Introduction
SOZO ADVISORY PRIVATE LIMITED and its affiliated entities (collectively referred to as “SOZO,” “the Company,” “We,” “Us,” or “Our”) place paramount importance on protecting your personal information (“Personal Data”) and maintaining your trust.
This Privacy Policy (“Policy”) explains how SOZO collects, processes, uses, stores and discloses Personal Data when you access or use our products, mobile applications, websites, or related services (collectively, “Services”).
By using our products, services and website, you hereby acknowledge that you have read, understood, and agree to the processing of your Personal Data in accordance with the terms of this Privacy Policy and our Terms of Use. This Policy does not apply to our commercial partners, financial institutions or service providers, each of whom may maintain their own privacy policy. We recommend reviewing the respective privacy policies of those entities when you interact with them.
2. Scope of Services
SOZO provides a range of financial, analytical, and AI-assisted services through its platform (“Services”). Depending on the features you choose to use and the products you access through the Platform, the Services may include the following:
Credit card facilitation and issuance: SOZO facilitates the discovery, application and (where applicable) issuance of credit cards offered by partner banks and other regulated financial institutions, including support services such as eligibility checks, onboarding, verification, and status tracking.
Reward optimisation and user guidance: SOZO provides personalised insights, analytics, reminders and guidance intended to help you track and maximise rewards, cashback and benefits associated with your cards and transactions. This may include recommendations on reward redemption and optimal usage patterns, based on the information available to us and your usage of the Platform.
AI-driven insights and recommendations: SOZO may use AI and Machine Learning models to analyse spending behaviour, transaction patterns and reward utilisation (to the extent such information is available and permitted) and to recommend suitable products, offers and actions. SOZO aims to deploy such models with privacy safeguards and responsible data practices.
UPI payments: Where enabled, SOZO facilitates UPI-based payments and related features in accordance with applicable platform rules and partner/network requirements.
Bill payments through BBPS: SOZO may enable bill payments through the Bharat Bill Payment System (BBPS), including (illustratively) credit card bill payments, rent payments, electricity, gas, water, telecom and other biller categories supported on the Platform.
Vouchers, gift cards, and store purchases: SOZO may enable users to browse, purchase and redeem vouchers, gift cards and other products or services offered through SOZO Store or partner channels, including fulfilment, delivery and support-related features.
Credit score and credit health services: With your consent, SOZO may facilitate credit score fetching (for example, CIBIL score) and provide credit health indicators, monitoring, and related insights using information received from authorised credit bureaus or partners.
Loan and credit product facilitation. SOZO may facilitate access to loans and other credit products offered by regulated lenders and NBFCs, including enabling application flows, verification, servicing support and related communications, subject to applicable laws and partner terms.
3. Information We Collect
Pursuant to this Policy, SOZO ADVISORY PRIVATE LIMITED (including the Keyy website) collects and processes the following categories of information.
A. User provided information
For you to use the Keyy application and related Services, it is a prerequisite that you share certain information during registration and while using specific features on the Platform. Typically, for registration and basic account access, we may collect personal details such as your name, mobile number, email address, date of birth, and PAN.
For enabling certain Services (for example, credit card issuance, UPI/BBPS payments, credit score services, vouchers/store purchases, or credit product facilitation), we may require supplementary information including (as applicable) your residential address, financial details, credit/debit card particulars, income/eligibility information, reward identifiers and other officially valid documents required for verification and compliance.
Not sharing the requisite information may result in certain features being restricted, unavailable or unusable. For example, if you do not provide address/verification information when required, services dependent on verification or delivery/fulfilment may not be completed; similarly, not providing KYC information may restrict access to regulated services.
Device permissions: Where you choose to provide device permissions (such as contacts, photos, camera, location, microphone, SMS, storage, phone calls, NFC and similar permissions depending on your device/OS), SOZO may retrieve, retain and use the data made available through such permissions only to the extent necessary for the relevant feature (e.g., KYC/verification, fraud prevention, payment enablement, support). You retain the right to revoke access by amending permissions within your device settings; however, revoking key permissions may impact the availability or functioning of certain features.
Email linking / Gmail access (only if you enable it). If you explicitly choose to link your email account (e.g., Gmail) to Keyy, we may access and process limited financial communications that help us provide and improve the Services. This may include bank account statements and alerts, credit card statements and billing emails, transaction confirmations, receipts, payment notifications, hotel & flight loyalty emails, credit card [points deduction emails and financial-service communications from regulated entities. We do not access or read personal emails that are unrelated to financial transactions and are not required for providing the Service. This access is based on your explicit consent and you may revoke access through your email/provider settings or within the app flows, subject to service impact.
B. Information Generated through Use of Keyy application/website
Through your use of our application/website, we may generate and collect information relating to:
(i) your interactions with the Platform and (ii) the technical environment in which you use it. This includes details of the Services you avail, your interactions with features, rewards claimed, and transactional details relating to your use of SOZO services or services offered through our partners. This also includes information you generate during general interaction with SOZO, including during customer support communications.
When you access our application or websites, we may log technical data such as your IP address, browser type, mobile operating system, manufacturer and model of your device, preferred language, access time and duration of use, and (where required) approximate or precise location signals depending on device permissions and legal/regulatory needs. This information helps us maintain service continuity, diagnose issues, prevent fraud, and improve performance.
C. Information from Third Parties
Upon receiving your explicit consent (or where otherwise permitted under applicable law for service delivery/compliance), we may request or receive information about you from third parties to furnish specific services and authenticate your information. This may include:
Credit bureaus: With your explicit consent, we may request and receive your credit information from credit bureaus (such as CIBIL, Experian or other licensed credit information companies) for purposes including fetching your credit score, providing credit health insights, monitoring changes in your score, and enabling you to make informed decisions about credit products available through our Platform.
Banks and financial partners: With your explicit consent (and where required for providing the Service), we may receive data from our partner banks, NBFCs and other regulated financial institutions to process or facilitate credit card issuance, undertake eligibility checks and verification, enable account linking, validate transactions, and support payment-related or card-related features (including confirmations, reversals, chargebacks/refunds, and dispute handling where applicable).
KYC registries and verification agencies: With your explicit consent, we may obtain verification-related information from KYC registries, identity verification service providers, and authorized repositories, to verify your identity, carry out customer due diligence, and meet applicable legal/regulatory requirements. This may include validating details contained in your KYC documents and ensuring that the information you provide matches official records.
Reward partners, billers, merchants and insurers: With your explicit consent (or where necessary to fulfil a request initiated by you), we may receive information from reward partners, billers, merchants, and insurers to process redemptions, fulfil vouchers/benefits, complete bill payments, deliver offers, and provide or administer insurance-related services (where applicable). This information may include confirmation of fulfilment, status updates, and service-related data required to complete your request on the Platform.
4. Use of Artificial Intelligence and Data Analytics
SOZO uses Artificial Intelligence (“AI”), Machine Learning (“ML”) and data analytics to power and continuously improve the Services. These systems help us understand patterns in how users interact with the Platform and enable us to deliver insights and features that are more relevant, accurate, and secure. AI/ML may operate on data you provide, data generated through your use of the Services and data received from authorised third parties (where consented), strictly for the purposes described in this Policy. The use of AI, ML is done for following:
Behaviour, spending and rewards pattern analysis: Our AI/ML systems may analyse user behaviour on the Platform (for example, feature usage, interaction flows, and engagement), and where applicable, analyse card/UPI spending signals and reward-utilisation patterns that are made available to us through your transactions or account-linked services. This allows us to generate insights such as spending categorisation, recurring payment indicators, due-date reminders, reward tracking, and other value-added analytics designed to improve your financial decision-making.
Personalised guidance for optimization: We may use AI/ML to provide customised guidance such as suggesting the most suitable card for a given transaction, advising on reward redemption opportunities, and helping you optimise spending to maximise rewards, cashback, or other benefits. Such guidance is generated based on observed patterns and eligibility signals and is intended to be informational; it does not constitute personalised financial advice unless explicitly stated. You remain responsible for your final decisions and actions.
Recommendations for offers and financial products: Our systems may recommend offers, credit cards, loans, or other financial products that appear suitable for your profile based on eligibility indicators, usage patterns, and partner-provided product parameters. These recommendations are meant to improve discovery and convenience. Where such recommendations involve sharing information with a regulated partner (e.g., a bank/NBFC for eligibility/issuance), we do so only as required for your request and in accordance with your consent and applicable law.
Fraud detection and risk controls: AI/ML may also be used to enhance platform security, prevent fraud, and protect user accounts. This may include identifying unusual login patterns, high-risk device signals, suspicious transaction behavior, abnormal usage activity, or potential account takeover attempts. Risk scoring and security checks may be automated to help us block, delay, or flag certain activities for verification to safeguard users and the Platform.
Ethical use and privacy-by-design: We design and deploy AI/ML features with privacy and security safeguards, and we take reasonable measures to ensure such systems operate in line with applicable laws and responsible data practices. This includes limiting access to authorised personnel, applying technical safeguards, monitoring systems for misuse, and maintaining internal controls for how models are developed and used.
Anonymisation / pseudonymisation for training (where feasible): Wherever feasible, we anonymise or pseudonymise Personal Data before using it for model training, testing, and analytics, so that data is less likely to be linked back to an identifiable individual. Where anonymisation is not feasible for a particular use-case (for example, real-time fraud prevention or delivering account-specific insights), we process only what is necessary for that purpose and apply appropriate safeguards and retention controls.
5. Purpose of Processing and Use of Data
The Personal Data and other information collected by SOZO may be collected, stored, used and processed to (i) deliver, operate, personalise, measure and improve our Services; and (ii) create and maintain a safe, secure, and trusted environment on the Platform, including for compliance with our legal and regulatory obligations and internal policies.
In doing so, we may process your Personal Data to perform our contract with you (i.e., to provide the Services you request), to comply with applicable laws, for legitimate business interests (such as security and service improvement), and based on your consent where such consent is required (for example, certain permissions, credit bureau access, or marketing communications).
A. Deliver, operate, measure and enhance Services
We use your Personal Data to create and manage your account, verify your identity and enable you to access the Platform and use the Services. This includes onboarding, authentication, user support and maintaining your profile and preferences as required for service delivery.
Your Personal Data is also used to process applications and service requests you initiate through the Platform—such as facilitation of credit card issuance, loan/credit product journeys, enabling UPI/BBPS or similar payment flows (as applicable) and helping you access rewards or offers. Where relevant, we may process transaction-related information to complete payments, confirmations, refunds/chargebacks, dispute resolution and other operational needs connected with the Services.
We also use Personal Data for essential internal purposes such as troubleshooting, fixing software bugs, resolving operational issues, conducting internal audits, testing, research, analytics, monitoring usage/activity trends and improving product performance and reliability. These activities help us understand what is working well, what needs improvement, and how we can make the user experience smoother and safer.
Where feasible, we may aggregate, anonymise or pseudonymise data to reduce privacy risk while using it for analytics and improvements. However, certain purposes (such as real-time transaction processing, account-specific insights and fraud prevention) may require processing identifiable data.
Marketing and promotions (optional): If we send you promotional communications, we will do so in line with applicable law and your preferences. Where your consent is required, we will take it before sending marketing messages. You can opt out at any time by using unsubscribe links (where provided), changing your in-app preferences (if available) or contacting us through our support channels. Opting out of marketing will not affect important service-related communications (such as security alerts, regulatory messages or transaction confirmations).
B. Personalization and user insights
We may use your Personal Data and usage data to personalise your experience on the Platform. This may include recommending credit cards, offers, rewards, or financial products that may be relevant based on your usage patterns, eligibility indicators, and preferences.
We may also use your data to provide insights such as spending summaries, reward tracking, reminders, and credit health indicators (where such services are enabled and consented). These insights are intended to help you better understand your financial activity and make more informed choices.
To improve our Services at scale, we may run aggregated analytics and performance measurement, so we can evaluate feature effectiveness, user journeys, and outcomes—without unnecessary exposure of identifiable information.
C. Security, fraud prevention, and regulatory compliance
We use your Personal Data to protect you, other users, and SOZO from fraud, unauthorised access, misuse, suspicious transactions and other harmful activities. This may include monitoring logins, device signals, transaction patterns, and abnormal behaviour to detect and prevent account takeover, payment fraud, abuse, or policy violations.
We also process Personal Data to comply with applicable legal and regulatory obligations, including requirements that may arise under RBI/NPCI frameworks (where relevant to payments), credit information regulations (for bureau-related services), KYC/AML and related compliance requirements, and other applicable laws.
We may maintain certain records (including KYC and transaction records) for statutory retention periods or for legitimate purposes such as audits, dispute resolution, fraud prevention, and enforcement of legal rights.
6. Data Sharing and Disclosure
We may share your Personal Data only on a need-to-know basis and only to the extent necessary to provide the Services, comply with law, protect users, or operate our business. We do not share your Personal Data with third parties for their independent marketing purposes unless you have expressly consented or such sharing is otherwise permitted by law.
A. Sharing with partner banks and NBFCs
Where you apply for or use credit cards, loans, or other credit products through the Platform, we may share relevant information with partner banks, NBFCs, and regulated financial institutions for purposes such as eligibility checks, underwriting support (as applicable), verification, issuance/servicing, transaction enablement, customer support, and dispute resolution. Such sharing is limited to what is necessary for the specific product/service you request.
B. Sharing with technology partners and infrastructure providers
We may share information with technology partners and service providers who support our infrastructure and operations—such as hosting providers, analytics providers, customer support tools, messaging providers, payment infrastructure partners (UPI/BBPS/wallet rails, if applicable), and security/fraud tools—so that we can operate the Platform reliably and securely.
Where RBI data localisation or similar requirements apply to a service, we will take reasonable steps to ensure processing and storage arrangements are structured accordingly.
C. Sharing with reward partners, merchants, billers, and insurers
If you choose to redeem offers, vouchers, rewards, or access services provided through partners (including billers or insurers where applicable), we may share required information with reward partners, merchants, billers, and insurers to enable fulfilment, confirm redemption status, provide service delivery updates, and resolve issues related to fulfilment or claims.
D. Sharing with credit bureaus
With your consent (where required), we may share or obtain relevant information with/from credit bureaus to fetch your credit score, provide credit monitoring/insights, or update records as part of an authorised credit-related service flow.
E. Disclosure to regulators and authorities
We may disclose your Personal Data to regulators, government authorities, and law enforcement agencies (such as RBI, NPCI, UIDAI, FIU or other competent authorities) where such disclosure is required under applicable law, lawful process, regulatory directions, or to protect our rights, users, or the public.
F. Sharing with group entities
We may share limited Personal Data with group entities/affiliates for purposes such as internal analytics, product improvement, security, fraud prevention, risk management, and compliance subject to appropriate safeguards and access controls.
G. Safeguards when sharing data
Before sharing Personal Data with service providers or partners, SOZO may undertake appropriate diligence and require them to follow reasonable security practices, confidentiality obligations, and data protection commitments. Where third parties process your Personal Data on our behalf, they are expected to use it only for the purposes for which it is shared and in accordance with applicable contractual and legal requirements.
Please note that if a third party is providing a product/service to you (for example, a bank/NBFC/insurer/merchant), their handling of your data may also be governed by their own policies and terms. We encourage you to review their privacy policies to understand their practices.
H. No sale or rent of Personal Data
SOZO does not sell, rent, or lease your Personal Data to third parties.
7. Cookies and Tracking
Cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's device. They help us recognize your device, remember your preferences, and support smooth functioning of the Platform during your session.
We use cookies and similar tracking tools to maintain session integrity, which means they help keep you logged in securely and reduce the need for repeated logins or entering your password multiple times during a single session. In certain cases, some features of the Platform may work only when cookies are enabled.
Cookies also help us understand user engagement and personalise your experience. For example, they allow us to remember your settings and preferences, and help us show content or features in a way that is more relevant to your usage and interests.
In addition, we use cookies to analyse traffic, monitor performance trends, and improve the Platform. This includes understanding which pages/features are being used, diagnosing errors, and measuring the effectiveness of promotions or communications, so we can enhance the Services and improve reliability.
You may choose to disable cookies through your browser or device settings (where permitted). However, if you do so, some parts of the Platform may not function properly, certain features may become unavailable, and you may be required to log in again or re-enter your password more frequently.
8. Data Storage, Retention and Localization
A. Data Storage and Localisation
SOZO stores and processes financial and payment-related data in a manner that is consistent with applicable regulatory requirements. In particular, all financial and payment data is stored within India, in line with the Reserve Bank of India’s data localisation requirements and other applicable directions. Where we engage infrastructure or technology service providers to host or process such data on our behalf, we take reasonable measures to ensure that data storage arrangements are structured to meet localisation obligations and to maintain appropriate security safeguards.
B. Data Retention
SOZO retains Personal Data only for as long as it is necessary to provide the Services requested by you, to maintain and improve the Platform, to prevent fraud and misuse and to comply with our legal, regulatory, audit and contractual obligations. The period for which we retain information may vary depending on the nature of the data, the purpose for which it was collected and the applicable legal or regulatory retention requirements (including requirements relating to KYC, transactions, grievance handling, dispute resolution, record-keeping and enforcement of legal rights). We also retain limited information where required to investigate or prevent suspected fraud, misuse or security incidents.
C. Account Deletion, Erasure and Exceptions
If you choose to delete your account, SOZO will take steps to securely erase or de-identify (anonymise/pseudonymise, where applicable) your associated Personal Data and transactional information that is no longer required for the purposes stated in this Policy. However, please note that SOZO may continue to retain certain information where retention is mandated or permitted under applicable law or regulatory requirements, or where it is reasonably necessary for legitimate purposes such as completing pending transactions, resolving disputes, responding to lawful requests, maintaining audit trails, preventing fraud, and enforcing our legal rights. Once such retention is no longer required, we will dispose of such information in a secure manner consistent with reasonable data protection practices.
9. Security Practices
SOZO implements multi-layered security controls designed to protect your Personal Data and reduce the risk of unauthorised access, loss, misuse, alteration, or disclosure. These measures are applied across our systems, processes, and infrastructure, and are periodically reviewed and strengthened based on risk, technological developments, and applicable regulatory expectations.
Encryption of sensitive information: We use encryption and other protective techniques to safeguard sensitive information (including payment-related data and other confidential identifiers) while it is stored and, where applicable, while it is being processed. Where feasible, we apply strong encryption standards to reduce the risk of exposure of sensitive data.
Secure transmission: We transmit data using secure communication protocols such as HTTPS and TLS, which help protect information exchanged between your device and our servers from interception or tampering.
Security testing and audits: We conduct periodic security reviews and monitoring, which may include audits, vulnerability assessments, and penetration testing, to identify potential weaknesses and address them in a timely manner. We may also use automated monitoring and alerting to detect abnormal activity and respond quickly.
Access controls and confidentiality: Access to Personal Data is restricted to authorised personnel only, and is provided strictly on a need-to-know basis for legitimate business purposes such as service delivery, customer support, compliance, and security. We maintain access controls and internal safeguards to ensure that Personal Data is handled responsibly and in line with this Policy.
10. Account Termination / Deactivation
SOZO provides all users the option to delete (terminate) or deactivate their account,and where applicable, to reactivate an account at a later stage. You may submit a request to delete your SOZO/Keyy account at any time through the in-app support/help section (where available) or by writing to care@thekeyy.com Upon receiving and verifying such request, we will proceed to delete information associated with your account, which may include (as applicable) your profile details, linked accounts, device identifiers, transaction history, preferences, reward-related information, and any active sessions or authorisations connected with your account.
There may be circumstances in which we may not be able to immediately execute deletion, such as where: (i) there is an ongoing complaint or dispute; (ii) there are pending or incomplete transactions; (iii) there are unresolved chargeback/refund or claim-related matters; (iv) there is suspected fraud, misuse, or security investigation connected to the account; (v) we are required to retain specific records for regulatory, audit, legal, or compliance purposes (including KYC/transaction record-keeping obligations, where applicable). In such cases, we will retain only such information as is reasonably necessary for the relevant purpose and for the duration required. Once the reason preventing deletion is resolved and retention is no longer required, the relevant information is securely deleted in accordance with our retention practices.
In addition to deletion, you may also request deactivation/archival of your account. Deactivation temporarily restricts access to the Platform until you submit a reactivation request (subject to identity verification and any applicable checks). This option may be useful if you wish to pause usage without permanently deleting your account.
11. Access, Rectification and Updation of Information
We support and encourage users to contact us for any questions, concerns or requests relating to their Personal Data and this Privacy Policy.
Depending on the feature and the information category, you may be able to view, correct, or update certain Personal Data directly within the application. If any information is not available for self-service updates, or if you believe any Personal Data we hold is inaccurate, incomplete, or outdated, you may request access, rectification, or updating by contacting our support team at care@thekeyy.com. For security reasons, before acting on a request, we may ask you to verify your identity and provide additional details necessary to process your request safely. We will respond to your request within a reasonable time and in line with applicable legal requirements.
12. Retention
SOZO retains Personal Data only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required under applicable law, regulatory requirements, audit obligations, dispute resolution, fraud prevention, or enforcement of legal rights. Once Personal Data is no longer required for the above purposes, we take reasonable steps to securely delete, destroy, or irreversibly anonymise such data in accordance with our internal policies and reasonable security practices.
13. Security Breach Handling
SOZO maintains a comprehensive breach response framework to be activated in the event of any data security incident and take steps to ensure that the Company’s response procedures align with applicable legal and regulatory requirements including those relevant to digital lending and payments (where applicable).
In the unlikely event of a security incident that may impact user data, SOZO will take immediate measures to contain and investigate the incident, assess its scope and potential impact and implement appropriate corrective and remedial actions to address the cause and reduce the risk of recurrence.
Where required under applicable law, regulatory directions, or contractual obligations with its regulated partners, SOZO will also notify relevant regulators/authorities, partner banks/NBFCs/lenders, other affected partners and impacted users, within the timelines and in the manner prescribed.
14. Compliance
SOZO follows industry-standard security and privacy practices and implements controls aligned with applicable certifications and regulatory expectations.
SOZO also complies with the RBI data localisation requirements applicable to payments and ensures that payment and financial transaction data is stored on servers located within India, in accordance with applicable directives and norms.
Where SOZO accesses or processes data via Google APIs (for example, where you choose to link your Google account), our use of such information is in accordance with the Google API Services User Data Policy, including the Limited Use requirements.
15. Eligibility and use by Minors
Our Services are intended solely for individuals who are 18 (eighteen) years of age or older. By accessing or using the Services, you represent that you are at least 18 years old and are legally competent to enter into a binding contract under applicable law.
SOZO does not knowingly collect, use or process Personal Data of any person below the age of 18. If we learn that we have inadvertently collected Personal Data from a minor, we will take reasonable steps to delete such information from our records as soon as practicable unless retention is required by applicable law.
If you believe that a minor has provided Personal Data to us, or if you are a parent/guardian and wish to raise a request in this regard, please contact us at wecare@thekeyy.com and we will take appropriate action.
16. Modifications to Privacy Policy
SOZO reserves the right to alter, modify and amend this policy at any point of time, taking effect immediately after updating. SOZO reserves the right to modify this policy at its discretion from time to time. Any amendments shall take effect immediately upon posting the revised Privacy Policy. We advise you to periodically review this page for the most recent information on our privacy practices. Your usage of the SOZO application shall be deemed to be consent to the Privacy Policy as modified from time to time.
17. Grievance Redressal Officer
In the event of any grievance pertaining to our privacy policy or practices involving the usage of data, the Grievance Redressal Officer may be contacted.
For any concerns regarding your experience with SOZO, reach out to us via our support channels i.e. email. If your issue remains unresolved, you can escalate it to our Grievance Redressal Officer : Himanshu Shah; Email id: himanshu@thekeyy.com ; Registered office Address: 487, Godhuli, near Lendra Park, Ramdaspeth, Nagpur – 440010.
18. Contact Us
If you have any questions, concerns or requests relating to this Privacy Policy or the handling of your Personal Data, please feel free to contact us at:
Email Id: info@sozo.inWebsite: www.thekeyy.com
Issued in Member Interest by SOZO ADVISORY PRIVATE LIMITED