1. Introduction

PowerNetPro Pvt. Ltd. (“PowerNetPro,” “we,” “our,” or “us”) is a Private Limited Company incorporated under the Companies Act, 2013, with its registered office in Pune, Maharashtra, India. We operate the website www.powernetpro.com and associated digital platforms (collectively, the “Platform”).

PowerNetPro operates a digital solar platform that enables urban residents and apartment dwellers to reserve virtual solar capacity within commercial-scale solar installations without physical rooftop requirements. Our Platform connects solar capacity hosts (commercial property owners with rooftop solar installations) with subscribers (end users who reserve virtual solar capacity and receive electricity bill credits).

This Privacy Policy explains how we collect, use, store, protect, share, and dispose of your personal data when you access or use our Platform, and the rights you have concerning your personal data. This Privacy Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules”), and the Digital Personal Data Protection Act, 2023 (“DPDP Act”), as applicable.

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Privacy Policy, you must discontinue use of the Platform immediately.

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them:

• “Data Fiduciary” means PowerNetPro Pvt. Ltd., which determines the purpose and means of processing personal data.
• “Data Principal” means the individual to whom the personal data relates, i.e., you, the user of the Platform.
• “Data Processor” means any person or entity that processes personal data on behalf of the Data Fiduciary, including third-party service providers engaged by PowerNetPro.
• “Personal Data” means any data about an individual who is identifiable by or in relation to such data.
• “Sensitive Personal Data or Information (SPDI)” means personal information consisting of passwords, financial information, health data, biometric data, sexual orientation, and any data received under lawful contract, as defined under the IT Rules.
• “Processing” means any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
• “Consent” means any freely given, specific, informed, and unambiguous indication of the Data Principal’s wishes, signifying agreement to the processing of their personal data.
• “Reservation” means the virtual allocation of solar capacity (measured in kW) selected by a subscriber through the Platform.
• “Credit” means the monetary value corresponding to the electricity generated from a subscriber’s reserved solar capacity, applied as a bill offset or converted to cash.

3. Personal Data We Collect

We collect and process personal data that is necessary for the provision of our services, legal compliance, and to improve your experience on the Platform. The categories of data we collect are as follows:

3.1 Information You Provide Directly

• (a) Registration and Account Information: Full name, date of birth, email address, mobile phone number, residential address, state, and preferred distribution company (DISCOM).
• (b) KYC (Know Your Customer) Verification Data: Aadhaar number (for e-KYC via DigiLocker API), PAN card number (validated against the Income Tax database), Aadhaar front and back images (for manual KYC upload), and optionally, facial liveness check data for manual KYC verification.
• (c) Electricity Connection Details: Consumer number, DISCOM name, billing address, and electricity bill data fetched through the Bharat Bill Payment System (BBPS) API.
• (d) Bank Account Information: Bank account number, IFSC code, and account holder name (verified through penny-drop verification) for cash conversion payouts under Option 2.
• (e) Payment Information: Transaction details processed through Razorpay payment gateway, including Razorpay order IDs, payment status, and payment confirmation details. PowerNetPro does not store credit card, debit card, or net banking credentials; all card data handling is delegated entirely to Razorpay in compliance with PCI-DSS standards.
• (f) Communication Data: Queries, complaints, feedback, and correspondence submitted through customer support channels, email, or the Platform’s contact forms.

3.2 Information Collected Automatically

• (a) Device and Technical Information: IP address, browser type and version, operating system, device type, screen resolution, language preferences, and unique device identifiers.
• (b) Usage Data: Pages visited, features used, time spent on pages, click patterns, navigation paths, referral URLs, and session duration.
• (c) Log Data: Server logs recording access timestamps, request types, response status codes, and error diagnostics.
• (d) Location Data: Approximate geographic location derived from your IP address (we do not collect precise GPS location data).

3.3 Information from Third Parties

• (a) DigiLocker: Aadhaar-based e-KYC verification data, as authorised by you during the verification process.
• (b) NSDL/CDSL: PAN verification results confirming the validity of your PAN card details.
• (c) BBPS (Bharat Bill Payment System): Electricity bill data including bill amount, due date, consumption details, and payment status for DISCOM accounts linked by you.
• (d) Razorpay: Payment confirmation data, transaction status, and refund processing information.

4. Purpose and Legal Basis for Data Processing

We process your personal data for the following purposes and on the following legal bases:

5. Data Sharing and Disclosure

PowerNetPro does not sell, rent, or trade your personal data to any third party for marketing or commercial purposes. We may share your personal data with the following categories of recipients, strictly for the purposes described in this Privacy Policy:

5.1 Third-Party Service Providers

• Razorpay: For processing payment transactions, managing escrow accounts, and handling refunds. Razorpay operates as an independent Data Processor and maintains its own privacy policy and PCI-DSS compliance.
• DigiLocker / UIDAI: For Aadhaar-based e-KYC verification, as authorised by you during the onboarding process.
• NSDL / CDSL: For PAN card validation against the Income Tax database.
• BBPS (NPCI): For fetching your electricity bill data and processing bill payments on your behalf.
• Banking Partners: For NEFT/IMPS disbursements related to cash conversion payouts.
• Twilio / AWS SNS: For delivering OTP messages, transactional SMS notifications, and account alerts.
• AWS SES / SendGrid: For sending email notifications, monthly credit statements, and marketing communications (with your consent).
• Cloud Infrastructure Providers: For hosting the Platform, storing data, and ensuring system availability and disaster recovery.

5.2 Regulatory and Legal Disclosures

We may disclose your personal data where required by law, regulation, legal process, or governmental request, including compliance with orders from courts, tribunals, the Reserve Bank of India (RBI), the Income Tax Department, the Goods and Services Tax Network (GSTN), State Electricity Regulatory Commissions (SERCs), or any other competent authority.

5.3 Business Transfers

In the event of a merger, acquisition, reorganisation, restructuring, or sale of all or a portion of our assets, your personal data may be transferred to the successor entity, subject to equivalent data protection safeguards.

5.4 With Your Consent

We may share your personal data with additional third parties where you have provided explicit consent for such sharing.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:

• Account and Profile Data: Retained for the duration of your active account and for a period of three (3) years after account closure or termination, to address any post-termination queries or disputes.
• KYC Documents (Aadhaar, PAN): Retained for the duration of the Reservation Agreement (up to fifteen years) and for an additional five (5) years thereafter, as required under anti-money laundering regulations and tax compliance obligations.
• Transaction and Payment Records: Retained for a minimum of eight (8) years from the date of the transaction, in compliance with the Income Tax Act, 1961, the GST Act, and other applicable financial regulations.
• Electricity Bill Data: Retained for the duration of the Reservation Agreement and for two (2) years thereafter.
• Credit Ledger and Allocation Records: Retained for the full fifteen-year reservation tenure and for five (5) years thereafter for audit and reconciliation purposes.
• Communication and Support Records: Retained for three (3) years from the date of the last communication.
• Usage and Log Data: Retained for a maximum of twenty-four (24) months, after which it is anonymised or deleted.
• Audit Logs: Retained for a minimum of five (5) years, as required for regulatory and compliance audits.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised using industry-standard data destruction methods.

7. Data Security Measures

PowerNetPro implements robust technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

7.1 Technical Safeguards

• Encryption of personal data in transit using TLS 1.2 or higher protocols.
• Encryption of sensitive personal data at rest using AES-256 encryption standards.
• Secure API connections for all data transmissions between the Platform and third-party integrations (DigiLocker, BBPS, Razorpay, banking partners).
• Multi-factor authentication for administrative access to backend systems.
• Regular security audits, vulnerability assessments, and penetration testing of the Platform infrastructure.
• Automated backup systems with encrypted storage and disaster recovery protocols.
• Intrusion detection and prevention systems (IDS/IPS) monitoring for anomalous activity.

7.2 Organisational Safeguards

• Role-based access controls (RBAC) limiting access to personal data to authorised personnel only, on a need-to-know basis.
• Mandatory data protection training for all employees and contractors handling personal data.
• Maker-checker approval protocols for all escrow fund movements and sensitive administrative operations.
• Comprehensive audit trails logging all access to and modifications of personal data, including actor identification, timestamp, and IP address.
• Incident response procedures for prompt detection, containment, and notification of data breaches.
• Confidentiality agreements and data processing agreements with all third-party service providers.

7.3 PCI-DSS Compliance

All payment card data handling is delegated entirely to Razorpay, which maintains PCI-DSS Level 1 compliance. No credit card, debit card, or net banking credentials are stored on or transmitted through PowerNetPro’s servers.

7.4 Third-Party Payment Processing

All payment transactions on PowerNetPro are processed through Razorpay Payments Private Limited, an RBI-authorised Payment Aggregator. Razorpay is PCI DSS Level 1 certified. We do not store your credit card, debit card, or UPI details on our servers. All payment data is handled securely by Razorpay in accordance with RBI guidelines. For Razorpay’s privacy practices, please refer to Razorpay’s Privacy Policy at https://razorpay.com/privacy/.

7.5 Data Protection Officer

In accordance with the Digital Personal Data Protection Act, 2023, we have appointed the following Data Protection Officer:

You may contact the Data Protection Officer for any queries regarding your personal data, data access requests, correction requests, or data deletion requests.

8. Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023, and other applicable Indian laws, you have the following rights concerning your personal data:

• Right to Access: You have the right to obtain confirmation as to whether your personal data is being processed and to access a summary of such data and the processing activities.
• Right to Correction: You have the right to request correction of inaccurate or misleading personal data and to have incomplete data completed.
• Right to Erasure: You have the right to request erasure of your personal data where it is no longer necessary for the purpose for which it was collected, subject to our legal retention obligations.
• Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal. Please note that withdrawal of consent for certain processing activities (such as KYC verification) may result in the inability to continue providing services to you.
• Right to Grievance Redressal: You have the right to lodge a complaint with our Grievance Officer or, if unresolved, with the Data Protection Board of India established under the DPDP Act.
• Right to Nominate: You have the right to nominate any individual who shall, in the event of your death or incapacity, exercise your rights as a Data Principal.

To exercise any of the above rights, please contact our Grievance Officer using the details provided in Section 12 of this Privacy Policy. We will respond to your request within thirty (30) days of receipt.

9. Children’s Privacy

The Platform is intended exclusively for individuals who are eighteen (18) years of age or older. We do not knowingly collect, process, or store personal data of individuals under the age of eighteen. If you are under eighteen years of age, you are not permitted to register on or use the Platform.

If we become aware that we have inadvertently collected personal data from an individual under the age of eighteen, we will take immediate steps to delete such data from our systems. If you believe that we have collected personal data from a minor, please contact our Grievance Officer immediately.

10. Cross-Border Data Transfers

PowerNetPro primarily stores and processes your personal data within India. However, certain third-party service providers engaged by us (such as cloud infrastructure providers, email service providers, and analytics platforms) may process data in servers located outside India.

Where personal data is transferred outside India, we ensure that such transfers comply with the provisions of the DPDP Act, 2023, and that adequate safeguards are in place, including contractual obligations requiring the receiving party to maintain data protection standards equivalent to those required under Indian law. We do not transfer personal data to any country or territory that has been restricted by the Central Government of India under the DPDP Act.

11. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or business operations. When we make material changes to this Privacy Policy, we will notify you through one or more of the following methods:

• A prominent notice displayed on the Platform homepage or within your account dashboard.
• An email notification sent to the email address associated with your account.
• An SMS notification to your registered mobile number.
• An in-app notification for users accessing the Platform through mobile applications.

The “Effective Date” at the top of this Privacy Policy indicates when the latest version took effect. Your continued use of the Platform after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

12. Grievance Officer

In accordance with the Information Technology Act, 2000, the IT Rules, 2011, and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer to address your concerns and complaints regarding the processing of your personal data.

If you are not satisfied with the resolution provided by our Grievance Officer, you have the right to escalate your complaint to the Data Protection Board of India, as established under the DPDP Act, 2023.

13. Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of India, including but not limited to the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023.

Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in Pune, Maharashtra, India.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at: