Regulatory Section

Introduction

Shivalik Small Finance Bank Limited (“The Bank”) recognizes the expectations of its customers with regard to privacy, confidentiality and security of their personal information that resides with the Bank. Keeping personal information of customers secure and using it solely for activities related to the Bank and preventing any misuse thereof is the top priority of the Bank. The Bank has adopted the privacy policy (“the Policy”). aimed at protecting the personal information entrusted and disclosed by the customers. The Policy governs the way by which the Bank collects, uses, discloses, stores, secures, and dispose of personal information and sensitive personal data or information.

Definitions

“Personal Information” means any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with the Bank, is capable of identifying such person. “Sensitive personal date or information” means such personal information which consists of information relating to:

• Password
• Financial information such as Bank account or credit card/debit card or other payment instrument details
• Biometric information
• Medical records and history
• Sexual Orientation
• Any detail relating to the above clauses as provided to body corporate for providing services
• Any other information received under above clauses by body corporate for processing, stored, or processed under lawful contact or otherwise. Provided, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purpose of this policy.

Applicability

Information can be broadly categorized as publicly available information and nonpublic (both personal and financial) information. Non-public information is covered under this privacy policy. Publicly available information is any information which Bank reasonably believes is lawfully publicly available. The nature ofthe information, not the source of the information, determines whether it is publicly available informationfor purposes of the privacy policy.

This policy is applicable to personal and sensitive information collected by the Bank or its affiliates directly from the customer or through the Bank’s online portals, mobile apps, and electronic communications, alsoany information collected by the Bank’s server from the customer browser.

Use of Customer Information

Bank will only use Customer’s Information as permitted under applicable law or pursuant to contractual obligations. Most commonly, Customer Information is used to perform the Services or to comply with a legal/contractual obligation. Customer Information is used without limitation, for the following purposes:

• To verify Customer identity to register, create and operate Customer account(s) with us
• To provide the Services to Customer
• To comply with legal obligations
• To administer and protect our business and the Services, including for troubleshooting, dataanalysis, system testing, and performing internal operations
• For risk control, fraud detection, and prevention
• To perform our obligations that arise out of the arrangement bank is about to enter or have entered with the customer
• To respond to court orders, establish or exercise our legal rights, or defend ourselves against legal claims
• To improve customer service to effectively respond to service requests and support needs
• To improve the functionality of our Services based on the information and feedback bank receives from Customer
• To send notifications to manage our relationship with customer including notification of changes to our Services, send customer information and updates pertaining to the Services they have availed, and to receive occasional company news and updates related to us or the Services
• To monitor trends and personalise customer experience
• To market and advertise the Services to customer
• To improve our business; and
• To conduct training and AI-based skill training

Bank collect customers personal information when customers open an account or apply for a loan, useMobile Banking, or enroll in a service or use one of bank’s other financial products or services. Personal information includes, customer’s name, PAN no or ADHAAR no., Home Address and other personalinformation, financial history and transactions, account balances and payment history; consumer report information (CIBIL report), assets and investment experience. Bank also may receive information about customers from information services and consumer reporting agencies.

Prior to the collection of information including sensitive personal data or information, the bank will provide an option to the provider of the information to provide or not to provide the data or information sought to be collected. The provider of information will, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the bank.

The Bank will not publish the sensitive personal data or information.

The information collected will be used for the purpose for which it has been collected.

The Bank will not retain the information for permeant than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

Our social media Pages

When customer engage with bank on bank’s social media pages, they can make certain information available to bank as well as other participants, from their social media profile, postings, and other interactions. Customers may be able to control what data they share, and with whom, through privacy settings on these social media sites.

Any information customer share or interactions customers may have while participating on those platforms is subjected to the privacy policies and terms of use of those social media platforms. Bank may but is not obligated to monitor and archive conversations with Bank’s social media accounts and on Bank’s social media pages. Bank monitors and may archive the conversations customers have with our representatives.

When customers visit Bank’s social media sites where customer information is shared with bank, the use of that information is subject to these Privacy Practices, as well as to bank Terms of Use.

Disclosure of Customer information

The personal information shall not be disclosed by the Bank to any other organization except:

• Where the disclosure has been agreed in written contract or otherwise between the Bank and the customer
• The information is shared with any third party by an order under the law and the Bank is required to disclose the personal information to a third party on a need- to -know basis, provided that in such case the Bank shall inform such third party of the confidential nature of the personal information and shall keep the same standards of information/data security as that of the Bank
• To help complete a transaction initiated by the customer
• To perform support services through an outsourced entity provided it conforms to the Privacy Policy of the Bank
• To provide customer with better services and a range of offers and services available
• The disclosure is necessary for compliance of a legal obligation
• The information is shared with Government agencies mandated under law
• To protect the interests of Shivalik Bank, its affiliates, group companies, members, constituents, or of other persons

The Bank may monitor, record, store and use any telephone, email, or other electronic communications with customer for training purposes, so that bank can check any instructions given to us and to improve the quality of our customer service. Bank will monitor network traffic (used to access bank hosted applications) from time to time for problem solving.

Other Online Information the bank Collect and Use

Bank may collect and use other information, such as:

Cookies: Cookies are pieces of data stored directly on the device/browser customer are using when theyvisit our website. Bank may read cookies to collect information such as browser type, date and time spent on our website, and pages visited. Information collected through cookies may be used for security purposes, to facilitate navigation, to display information more effectively, to personalize and enrich customer experience, to recognize device, gather statistical information about the usage of the website, to monitor responses to our advertisements and to assist us with resolving website questions.

The cookies in customer computer cannot read hard drive, obtain any information from browser, or command computer to perform any action. They are designed so that they cannot be sent to another site or be retrieved by any non-Bank of India web server.

Cookies can be "persistent" or "session" cookies. Persistent cookies remain on customer personal computeror mobile device when they go offline, while session cookies are deleted as soon as the web browser is closed.

Customer can disable use of cookies through their browser settings. In this case our services may not be optimally effective.

IP Address: Customer IP Address is a number that is automatically and dynamically assigned to the device that the customer is using by their Internet Service Provider (ISP) or it is statically obtained by customer. AnIP Address is identified and logged automatically in our server log files whenever a user visits the website, along with the time of the visit and the page(s) that were visited. Bank uses IP Addresses for keeping activitylogs and having forensic capabilities if required for investigation purposes.

Details of device used for online banking: For secure online banking the bank provide the facility of multifactor authentication. One of the factors can be the endpoint devices used by the customer to do the banking. For security reasons, Bank obtain the endpoint details to bind it to customer account so that this endpoint device acts as a second factor.

Private Security Keys: For security reasons Bank may use PKI based authentication / digital certificate technologies. Bank may place a private key on their PC or mobile device to help us identify customer or their devices.

Biometrics: Bank may use some customer biometric information with the use of customer fingerprint, facial, or eye biometric information or behavioral biometric like how customer use keyboard, mouse, or movetheir finger on the screen etc.

Bank never ask for the information like passwords, PIN (Personal identification No.), OTP (One-time passwords), card numbers, CVV / CVC and expiry date from anyone. The bank advises all not to share this with anyone including Bank officials nor keep it in any readable form.

Customer’s Rights and Obligations

If the customer wishes to review Information provided on online applications, he can contact us to request a copy of the personal account information the customer provided through our customer service numbers. The Bank may charge a fee for certain Information that is requested. It may also be possible for Customers to review and change contact information such as address, phone, and e-mail information by signing on and updating their personal profile. To protect customer privacy, proof of identity or other authentication is required any time the customer can contact us.

Bank shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient will be corrected or amended as feasible. Further, if providers of information wish to access or correct or delete any of the personal data held by the Bank, or if the he/she has any questions concerning the Privacy Statement, he may contact the Bank via regular mail to info@shivalikbank.com

In providing the telephone, facsimile number, postal and e-mail address or similar details, the customer agrees that the Bank may contact him by these methods to keep him informed about the Bank’s products and services or for any other reason. If the customer prefers not to be kept informed of the Bank ‘s products and services, he should intimate the Bank at the mail info@shivalikbank.com

The customers shall not disclose, in any manner whatsoever, any information relating to Shivalik Small Finance Bank, or its affiliates of a confidential nature obtained while availing the services through the website. Failure to comply with this obligation shall be deemed a serious breach of the terms herein and shall entitle Shivalik Bank or its affiliates to terminate the services without prejudice to any damages, to which the customer may be entitled otherwise.

Third-party Services

Shivalik Bank shares personal information with third-parties only as permitted and required by law, as per Bank’s approved guidelines and customer consent in connection with the administration, processing, and servicing of account and account-related transactions, in order to perform services for customer and on their behalf, for example, credit reporting agencies, bill payment processors, credit, debit and ATM card processing networks, data processing companies, insurers, marketing and other companies in order to offer and/or provide financial products and services to customer, and in response to legal or regulatory requirement, court order and/or other legal process or investigation. For all third-party outsourcing of services, the information is shared and used as per the service level agreement and non-disclosure agreement.

The disclosure of sensitive personal data or information by body corporate to any third party will require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporateand provider of information, or where the disclosure is necessary for compliance of a legal obligation.

Any third party receiving sensitive personal data or information from the bank will not disclose it further.

The Bank may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under the SPDI Rules.

Security of Customer Information

The security of Customer information is a priority and shall be ensured by maintaining physical, electronic, and procedural safeguards that meet applicable laws to protect customer information against loss, misuse, damage and unauthorized access, modifications, or disclosures. Shivalik Bank uses appropriately secure encryption for the transmission of Customer Information. Employees shall be trained in the proper handlingof Customer information. When other companies are used to provide services on behalf of the Bank, it shall ensure that such companies protect the confidentiality of Customer information they receive in the same manner the Bank protects. The Bank shall continuously review and enhance its security policies and security measures to consistently maintain a high level of security.

The Customer is required to cooperate with the Bank to ensure the security of the Customer Information, and it is recommended that the Customer necessarily chooses their passwords carefully such that no unauthorised access is made by a third party. To make the password complex and difficult for others to guess, the Customer should use a combination of alphabets, numbers, and special characters (like! @, #, $,etc.). The Customer should not disclose their password to anyone or keep any written or other record of the password such that a third party could access it.

Amendments

The Bank shall reserve the right to change or update this Policy or practice, at any time with reasonable notice to customers on Bank’s website so that customers are always aware of the information, which is collected, for what purpose Bank uses it, and under what circumstances, if any, Bank may disclose it. By virtue of this privacy policy, the customer assents to collection, use, transfer, disclosure, retention, and other processing of her/his personal information, including sensitive personal information, as described inthis Policy.

Disclaimer

Customer might have provided the same non-public information to other entities without the knowledge or permission of Shivalik Bank. Shivalik Bank will not be held liable for disclosure or sharing of such information from these sources.

Contact Us

The Bank shall encourage customer enquiries, feedback and complaints which shall help to identify and improve the services provided to the customers. For any questions about this Privacy policy, or process of handling Customer Information, or may otherwise, you may reach out to us with your queries, grievances, feedback, and comments at info@shivalikbank.com or contact our Data Protection officer, whose details are provided below:

Name: Mr. Mohit Gautam

Designation: Data Protection Officer

Email: DPO@shivalikbank.com

Shivalik Bank value your relationship and will always strive to ensure your privacy.