Kotak Mahindra Life Insurance Company Limited (KLI) is committed to protecting customer's privacy and
providing you with a secure experience on its website.
This Privacy Policy applies to KLI's website and the services offered on the website. By divulging any
information to KLI you agree to the terms and conditions of this Privacy Policy. The Privacy Policy
describes the method of collection, use and access of customer's Personal Information.
Personal Information and Sensitive Personal Data or Information
"Personal information" means any information that relates to a natural person, which, either directly or
indirectly, in combination with other information available or likely to be available with a body
corporate, is capable of identifying such person.
“Sensitive Personal Data or Information” of a person means such personal information which consists
of information relating to;— (i) password; (ii) financial information such as Bank account or credit
card or debit card or other payment instrument details ; (iii) physical, physiological and mental health
condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii)
any detail relating to the above clauses as provided to body corporate for providing service; and (viii)
any of the information received under above clauses by body corporate for processing, stored or
processed under lawful contract or otherwise: provided that, any information that is freely available or
accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for
the time being in force shall not be regarded as sensitive personal data or information for the purposes
of these rules.
Collection of Personal Information
KLI may collect customer's Personal Information, including your Sensitive Personal Data or Information
during the usage of KLI's website and while availing KLI's services on the website.
Use of Customer Information
KLI may use customer's Personal Information for the purpose of providing you services and related
activities, enhancing customer experience on its website, improve its website, promotion and marketing of
its products and services, other communications and statistical analysis. Also, KLI may use such
Personal Information for purposes permitted by law.
Disclosure of Personal Information
KLI may share customer's Personal Information for the purpose of provision of services and related
activities to the customer or for purposes permitted by law. Additionally, such personal Information may be
shared in accordance with customer's consent provided to KLI from time to time through various modes.
KLI may disclose customer's Personal Information to any of its associates and affiliates, without any
limitation.
KLI may disclose customer's Personal Information, to third parties, for the following purposes:
- To comply with legal requirements, legal process, legal or regulatory directive / instruction; or
- To enforce the terms and conditions of the products or services; or
- To protect or defend KLI's rights, interests and property or that of its associates and affiliates, or that of its or its affiliate's employees, consultants etc.; or
- For statistical analysis; or
- For fraud prevention purposes; or
- To outsource such activities which are not prohibited to be outsourced by law; or
- As permitted or required by law.
KLI shall not be held liable for disclosure of Personal Information or in accordance with this
Privacy Policy or in terms of any other agreement with the customer.
Aadhaar Specific Requirements
For the purpose of imparting various services to the customers, KLI collects identity information from
the Aadhaar number holder, such as Aadhaar number/Virtual ID and demographic/biometric
information, to conduct Aadhaar authentication with UIDAI.
Disclosure of information to Aadhaar number holder
- At the time of authentication, the following information shall be provided to the Aadhaar
number holder:
- KLI shall ensure that the above stated information is provided to the Aadhaar number holder
in local language as well.
Consent taken from Aadhaar number holder
- Once the information pertaining to Aadhaar authentication is communicated to the Aadhaar
number holder, KLI shall obtain consent from Aadhaar number holder in physical or
electronic form
- KLI shall maintain logs or records of the consent obtained in the manner and form as
specified by UIDAI for this purpose.
- Aadhaar number holder may, at any time, revoke consent given to KLI for storing his e-KYC
data or for sharing it with third parties, and upon such revocation, KLI shall delete the e-KYC
data and cease any further sharing.
Data Processing
- KLI shall use Aadhaar authentication facility only for the purpose that is informed and
allowed by UIDAI.
- The identity information shall not be used by KLI for any purpose other than that specified to
the Aadhaar number holder at the time of submitting identity information for authentication.
- The identity information shall not be disclosed further without the prior consent of the
Aadhaar number holder
Data Retention
- KLI shall maintain logs of authentication transactions for a period of two years, during which
period an Aadhaar number holder shall have the right to access such logs, in accordance with
the procedure laid down for the same.
- Subsequently, logs shall be archived for a period of five years or the number of years as
required by the laws or regulations governing KLI, whichever is later, and upon expiry of the
said period, the logs shall be deleted except those records required to be retained by a court or
required to be retained for any pending disputes.
Grievance Redressal
- KLI shall provide effective grievance handling mechanism via multiple channels such as
website, call-center, mobile application, SMS, physical center etc.
- KLI may share the authentication logs of an Aadhaar number holder with the concerned
Aadhaar number holder upon his request or for grievance redressal and resolution of disputes
or with the UIDAI for audit purposes.
Security Safeguards
- KLI have been classified as local AUA by UIDAI and do not store Aadhaar number of its
customers.
- KLI shall ensure that authentication devices used to capture biometrics of Aadhaar number
holder are STQC/UIDAI certified registered devices, which encrypt the biometric information
at device level.
- KLI shall ensure that the core biometric information collected from the Aadhaar number
holder is not stored, shared or published for any purpose whatsoever, and no copy of the core
biometric information is retained with it
- After collecting the Aadhaar number and necessary demographic and / or biometric
information and/ or OTP from the Aadhaar number holder, KLI’s client application shall
immediately package and encrypt these input parameters into PID block before any
transmission, as per the specifications laid down by the UIDAI, and shall send it to server of
the requesting entity using secure protocols
- KLI shall store, with consent of the Aadhaar number holder, e-KYC data of an Aadhaar
number holder, received upon e-KYC authentication, in encrypted form.
- KLI shall maintain logs of the authentication transactions processed by it, containing the
following transaction details:
i. In case of Local AUAs where Aadhaar number is not returned by UIDAI and storage is not permitted,
respective UID token shall be stored in place of Aadhaar number.
ii. specified parameters of authentication request submitted
iii. specified parameters received as authentication response
iv. the record of disclosure of information to the Aadhaar number holder at the time of authentication
v. record of consent of the Aadhaar number holder for authentication
- KLI shall store the keys used for digital signing of request XML and for decrypting e-KYC
response data received from UIDAI in HSM, in compliance with the circular released by
UIDAI in this matter.
- KLI shall ensure that the application used for Aadhaar authentication is audited by
information system auditor(s) certified by STQC/CERT-IN and compliance audit report is
submitted to UIDAI.
- KLI shall ensure that the operations and systems are audited by information systems auditor
certified by a recognized body on an annual basis, to ensure compliance with the UIDAI’s
standards and specifications.
- KLI shall conduct a background check and sign a confidentiality agreement/NDA with all
personnel/agency handling Aadhaar related information.
- Periodic information security trainings shall be conducted for all KLI personnel involved in
Aadhaar related authentication services. The training shall include all relevant security
guidelines per the UIDAI information security policy for Authentication, Aadhaar Act, 2016
and Aadhaar Regulations, 2016 and all circulars/notices published from time to time.
- KLI shall not publish any personal identifiable data including Aadhaar in public
domain/websites etc.
- KLI shall have its servers used for Aadhaar authentication operations to be located within
data centers located in India.
- KLI shall ensure compliance to Aadhaar Act 2016 and its regulations, Aadhaar and Other
Laws (Amendment) Act 2019 and various other circulars and notices released by UIDAI from
time to time.
Accuracy of Personal Information
Customers are required to keep their Personal Information accurate and up to date.
Security
KLI have taken reasonable measures to protect customer's Personal Information in accordance with this
Privacy Policy. The internet, however, cannot be guaranteed to be completely secure, and KLI cannot
ensure or warrant the security of any Personal Information provided by customer.
Amendments
KLI reserves the right to update/amend or replace this Privacy Policy from time to time.