Privacy Policy

Kotak Mahindra Life Insurance Company Limited (KLI) is committed to protecting customer's privacy and providing you with a secure experience on its website.

This Privacy Policy applies to KLI's website and the services offered on the website. By divulging any information to KLI you agree to the terms and conditions of this Privacy Policy. The Privacy Policy describes the method of collection, use and access of customer's Personal Information.

Personal Information and Sensitive Personal Data or Information

"Personal information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

“Sensitive Personal Data or Information” of a person means such personal information which consists of information relating to;— (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details ; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

Collection of Personal Information

KLI may collect customer's Personal Information, including your Sensitive Personal Data or Information during the usage of KLI's website and while availing KLI's services on the website.

Use of Customer Information

KLI may use customer's Personal Information for the purpose of providing you services and related activities, enhancing customer experience on its website, improve its website, promotion and marketing of its products and services, other communications and statistical analysis. Also, KLI may use such Personal Information for purposes permitted by law.

Disclosure of Personal Information

KLI may share customer's Personal Information for the purpose of provision of services and related activities to the customer or for purposes permitted by law. Additionally, such personal Information may be shared in accordance with customer's consent provided to KLI from time to time through various modes.

KLI may disclose customer's Personal Information to any of its associates and affiliates, without any limitation.

KLI may disclose customer's Personal Information, to third parties, for the following purposes:

• To comply with legal requirements, legal process, legal or regulatory directive / instruction; or
• To enforce the terms and conditions of the products or services; or
• To protect or defend KLI's rights, interests and property or that of its associates and affiliates, or that of its or its affiliate's employees, consultants etc.; or
• For statistical analysis; or
• For fraud prevention purposes; or
• To outsource such activities which are not prohibited to be outsourced by law; or
• As permitted or required by law.

KLI shall not be held liable for disclosure of Personal Information or in accordance with this Privacy Policy or in terms of any other agreement with the customer.

Aadhaar Specific Requirements

For the purpose of imparting various services to the customers, KLI collects identity information from the Aadhaar number holder, such as Aadhaar number/Virtual ID and demographic/biometric information, to conduct Aadhaar authentication with UIDAI.

• Disclosure of information to Aadhaar number holder

  • At the time of authentication, the following information shall be provided to the Aadhaar number holder:
  • KLI shall ensure that the above stated information is provided to the Aadhaar number holder in local language as well.

• Consent taken from Aadhaar number holder

  • Once the information pertaining to Aadhaar authentication is communicated to the Aadhaar number holder, KLI shall obtain consent from Aadhaar number holder in physical or electronic form
  • KLI shall maintain logs or records of the consent obtained in the manner and form as specified by UIDAI for this purpose.
  • Aadhaar number holder may, at any time, revoke consent given to KLI for storing his e-KYC data or for sharing it with third parties, and upon such revocation, KLI shall delete the e-KYC data and cease any further sharing.

• Data Processing

  • KLI shall use Aadhaar authentication facility only for the purpose that is informed and allowed by UIDAI.
  • The identity information shall not be used by KLI for any purpose other than that specified to the Aadhaar number holder at the time of submitting identity information for authentication.
  • The identity information shall not be disclosed further without the prior consent of the Aadhaar number holder

• Data Retention

  • KLI shall maintain logs of authentication transactions for a period of two years, during which period an Aadhaar number holder shall have the right to access such logs, in accordance with the procedure laid down for the same.
  • Subsequently, logs shall be archived for a period of five years or the number of years as required by the laws or regulations governing KLI, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.

• Grievance Redressal

  • KLI shall provide effective grievance handling mechanism via multiple channels such as website, call-center, mobile application, SMS, physical center etc.
  • KLI may share the authentication logs of an Aadhaar number holder with the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the UIDAI for audit purposes.

• Security Safeguards

  • KLI have been classified as local AUA by UIDAI and do not store Aadhaar number of its customers.
  • KLI shall ensure that authentication devices used to capture biometrics of Aadhaar number holder are STQC/UIDAI certified registered devices, which encrypt the biometric information at device level.
  • KLI shall ensure that the core biometric information collected from the Aadhaar number holder is not stored, shared or published for any purpose whatsoever, and no copy of the core biometric information is retained with it
  • After collecting the Aadhaar number and necessary demographic and / or biometric information and/ or OTP from the Aadhaar number holder, KLI’s client application shall immediately package and encrypt these input parameters into PID block before any transmission, as per the specifications laid down by the UIDAI, and shall send it to server of the requesting entity using secure protocols
  • KLI shall store, with consent of the Aadhaar number holder, e-KYC data of an Aadhaar number holder, received upon e-KYC authentication, in encrypted form.
  • KLI shall maintain logs of the authentication transactions processed by it, containing the following transaction details:
    i. In case of Local AUAs where Aadhaar number is not returned by UIDAI and storage is not permitted, respective UID token shall be stored in place of Aadhaar number.
    ii. specified parameters of authentication request submitted
    iii. specified parameters received as authentication response
    iv. the record of disclosure of information to the Aadhaar number holder at the time of authentication
    v. record of consent of the Aadhaar number holder for authentication
    
  • KLI shall store the keys used for digital signing of request XML and for decrypting e-KYC response data received from UIDAI in HSM, in compliance with the circular released by UIDAI in this matter.
  • KLI shall ensure that the application used for Aadhaar authentication is audited by information system auditor(s) certified by STQC/CERT-IN and compliance audit report is submitted to UIDAI.
  • KLI shall ensure that the operations and systems are audited by information systems auditor certified by a recognized body on an annual basis, to ensure compliance with the UIDAI’s standards and specifications.
  • KLI shall conduct a background check and sign a confidentiality agreement/NDA with all personnel/agency handling Aadhaar related information.
  • Periodic information security trainings shall be conducted for all KLI personnel involved in Aadhaar related authentication services. The training shall include all relevant security guidelines per the UIDAI information security policy for Authentication, Aadhaar Act, 2016 and Aadhaar Regulations, 2016 and all circulars/notices published from time to time.
  • KLI shall not publish any personal identifiable data including Aadhaar in public domain/websites etc.
  • KLI shall have its servers used for Aadhaar authentication operations to be located within data centers located in India.
  • KLI shall ensure compliance to Aadhaar Act 2016 and its regulations, Aadhaar and Other Laws (Amendment) Act 2019 and various other circulars and notices released by UIDAI from time to time.

Accuracy of Personal Information

Customers are required to keep their Personal Information accurate and up to date.

Security

KLI have taken reasonable measures to protect customer's Personal Information in accordance with this Privacy Policy. The internet, however, cannot be guaranteed to be completely secure, and KLI cannot ensure or warrant the security of any Personal Information provided by customer.

Amendments

KLI reserves the right to update/amend or replace this Privacy Policy from time to time.