Effective Date: 01 January 2026
Regulatory Alignment: Digital Personal Data Protection Act, 2023 (India)

SECTION 1 — GOVERNANCE PHILOSOPHY AND DATA PROTECTION MANDATE

Fab Capital operates a technology-driven debt marketplace platform designed to enable start-ups and growth-stage enterprises to access capital with transparency, execution discipline, and speed. Because capital facilitation inherently requires verification, risk evaluation, regulatory screening, and financial ecosystem coordination, the processing of personal data forms a necessary and controlled component of our platform architecture.

Protection of personal data is not treated merely as a compliance requirement but as a governance obligation embedded into our operational, technical, and contractual frameworks. This Privacy Policy establishes the comprehensive standards governing how personal data is collected, classified, processed, stored, disclosed, retained, secured, and disposed of within the Fab Capital service ecosystem.

This Policy is intended to provide full transparency regarding processing activities and to satisfy statutory disclosure expectations under applicable Indian data protection and technology laws.

SECTION 2 — APPLICABILITY, COVERED INTERACTIONS, AND DATA PRINCIPAL SCOPE

This Policy applies to all personal data processed in connection with:

• Website access and browsing activities
• Platform on boarding and registration workflows
• Capital facilitation and funding coordination
• Start-up and enterprise verification procedures
• Investor and lender coordination processes
• KYC and compliance verification flows
• Advisory and capital specialist engagement
• Customer support interactions
• Communications across digital, telephonic, and messaging channels
• Partner, vendor, and professional service engagement where personal data is involved

The term User or Data Principal includes:

• Individual founders
• Directors and authorized signatories
• Start-up representatives
• Business applicants
• Guarantors and promoters
• Platform registrants
• Communication correspondents
• Any individual whose personal data is submitted in connection with platform services

This Policy governs personal data only and excludes anonymised datasets that cannot reasonably identify an individual.

SECTION 3 — ROLE OF FAB CAPITAL AS DATA FIDUCIARY

For purposes of applicable data protection law, Fab Capital functions as a Data Fiduciary with respect to personal data processed for platform operation, capital facilitation, verification, and analytics, compliance, and security purposes.

Where third-party verification agencies, lenders, KYC providers, analytics vendors, or infrastructure partners process personal data on our behalf, they operate as Data Processors under contractual confidentiality, security, and lawful processing obligations.

Where independent lenders or financial institutions receive personal data as part of funding workflows, they may act as separate Data Fiduciaries under their own privacy frameworks.

SECTION 4 — LAWFUL BASES OF PROCESSING

Personal data processing is undertaken only on legally sustainable grounds, including:

• Explicit and informed consent
• Platform on boarding authorization
• Service performance necessity
• Funding workflow execution necessity
• Statutory KYC and regulatory verification requirements
• Fraud detection and financial risk mitigation
• Legal compliance obligations
• Contractual enforcement requirements
• Dispute defence and rights protection
• Legitimate platform security and system integrity purposes

Where processing is mandatory for regulatory or contractual reasons, refusal to provide required data may result in inability to on board, verify, or facilitate funding services.

Consent may be withdrawn subject to statutory retention duties and contractual funding obligations.

SECTION 5 — DATA MINIMIZATION AND PURPOSE LIMITATION PRINCIPLE

Fab Capital adheres to strict data minimization and purpose limitation principles. Only personal data reasonably necessary for defined operational, legal, regulatory, security, or service purposes is collected and processed.

Processing activities are purpose-bound and are not expanded beyond disclosed or legally permitted uses without additional lawful basis.

SECTION 6 — STRUCTURED DATA CATEGORIES PROCESSED

Personal data processed may include the following structured classes:

1. Identity and Legal Verification Data

• Full legal name
• Date of birth (where required)
• Government identification numbers
• PAN, Aadhaar, Passport, Voter ID, Driver’s License
• Director and promoter credentials
• Authorization documents
• Signature and verification artifacts

1. Regulatory and KYC Data

• KYC documentation
• AML screening records
• Compliance verification outputs
• Risk classification indicators
• Credit bureau coordination data

1. Professional and Organizational Data

• Business designation
• Role authorization
• Company affiliation
• Board or promoter status

1. Contact and Correspondence Data

• Email addresses
• Telephone numbers
• Messaging handles
• Service communications
• Support records
• Call recordings where permitted by law

1. Technical and System Data

• Device identifiers
• IP addresses
• Access timestamps
• Browser and OS configuration
• Session logs
• Network metadata

1. Usage and Behavioural Intelligence

• Platform navigation patterns
• Feature utilization data
• Workflow progression metrics
• Interaction logs

1. Communication and Marketing Preferences

• Notification settings
• Outreach preferences
• Consent flags
• Survey responses

SECTION 7 — PROCESSING OBJECTIVES AND OPERATIONAL USE CASES

Personal data may be processed for the following expanded operational purposes:

• Platform identity establishment
• Secure account creation
• Founder and entity verification
• Capital eligibility assessment
• Lender matching workflows
• Underwriting coordination
• Risk profiling and fraud screening
• Regulatory KYC/AML compliance
• Creditworthiness coordination with partners
• Capital structuring workflows
• Investor due diligence support
• Platform performance analytics
• Security and anomaly detection
• System abuse prevention
• Payment and obligation reminders
• Legal notice handling
• Contract enforcement
• Audit and reporting compliance
• Platform feature optimization
• Service quality monitoring
• Dispute investigation
• Regulatory reporting obligations

Aggregated and anonymised analytics datasets may be generated for internal intelligence and performance improvement.

SECTION 8 — DATA COLLECTION CHANNELS AND SOURCES

Personal data may be obtained through:

• Direct user submissions
• Application and on boarding forms
• KYC uploads
• Platform workflows
• Communication channels
• Customer support exchanges
• Telephonic interactions
• Automated cookies and tracking tools
• Device telemetry systems
• Third-party KYC and verification partners
• Credit and compliance agencies
• Lawfully authorized data sources

We do not control user-initiated public disclosures on third-party platforms.

SECTION 9 — DATA SHARING AND DISCLOSURE CONTROLS

Personal data may be disclosed under controlled safeguards to:

• Lending partners and capital providers
• Financial institutions
• Regulated NBFCs and banks
• KYC and verification vendors
• Technology infrastructure providers
• Cloud hosting partners
• Analytics and fraud detection services
• Legal and audit professionals
• Compliance consultants
• Rating and credit agencies
• Regulators and statutory authorities
• Courts and enforcement agencies
• Successor entities in mergers or restructuring

All sharing occurs under confidentiality, purpose limitation, and security controls.

SECTION 10 — DATA LOCALIZATION AND CROSS-BORDER RESTRICTIONS

Primary storage systems are located within India. Cross-border transfer, if ever required, will occur only with lawful safeguards, contractual protections, and regulatory permissibility.

SECTION 11 — RETENTION, ARCHIVAL, AND ERASURE FRAMEWORK

Retention periods are determined based on:

• Regulatory requirements
• Funding lifecycle duration
• Contractual obligations
• Audit requirements
• Risk defence needs
• Legal limitation periods

Deletion or anonymisation is performed once lawful retention necessity expires. Erasure requests are honoured unless restricted by law, ongoing funding obligations, or dispute requirements.

SECTION 12 — INFORMATION SECURITY ARCHITECTURE

Fab Capital maintains layered safeguards including:

• Encryption controls
• Role-based access
• Authentication mechanisms
• Secure hosting infrastructure
• Activity monitoring
• Intrusion detection
• Incident response protocols
• Vendor security audits
• Compliance security frameworks

Security measures are continuously upgraded based on threat intelligence and regulatory standards.

SECTION 13 — COOKIE, TRACKING, AND SESSION TECHNOLOGIES

We deploy cookies and tracking technologies for:

• Session continuity
• Fraud detection
• Platform stability
• User preference memory
• Performance analytics

Users may disable cookies, but functionality limitations may result.

SECTION 14 — THIRD-PARTY PLATFORMS AND EXTERNAL LINKS

External links are governed by independent privacy frameworks. Fab Capital assumes no responsibility for third-party data handling practices.

SECTION 15 — DATA PRINCIPAL RIGHTS

Subject to applicable law, users may exercise:

• Right of access
• Right of correction
• Right of erasure
• Right to withdraw consent
• Right to restrict processing
• Right to know sharing recipients
• Right to nominate representatives

Requests are processed after identity verification.

SECTION 16 — POLICY AMENDMENTS AND VERSION CONTROL

This Policy may be revised to reflect:

• Legal changes
• Regulatory updates
• Platform expansion
• Security enhancements
• Operational changes

Updated versions take effect upon publication.

SECTION 17 — GRIEVANCE AND DATA RIGHTS CONTACT CHANNEL

Privacy and data rights requests may be submitted to the designated Grievance Officer through official Fab Capital contact channels published on the platform.