Drip Capital, Inc. Privacy Policy

Drip provides lines of credit which can be used to pay for raw material, inventory or other short term needs and help small businesses fulfill customer orders. These lines of credit can help you grow your business and take on orders from larger buyers.

This Privacy Policy describes the information that Drip Capital Inc. and its affiliates (“Drip Capital”) collects about you, how we use and protect this information, and the choices you can make about how we use this information. This policy applies to information, including any information that can be used to identify an individual (“Personal Information”), collected about you by Drip Capital in different methods, including via the website. Your privacy matters to us, so please get to know our privacy practices and contact us with any questions.

Introduction

This policy has been developed to support Drip Capital’s (further referred to as ‘DC’ or organization) direction, and for establishing policy, procedures and controls for privacy, in order to establish a Privacy Information Management System (PIMS) in line with all applicable regulatory, operational and contractual requirements.

To provide adequate protection for its customers’ personal information, DC has built a strong PIMS in alignment with identified requirements from British Standard BS 10012:2018 and ISO 27701.

Responsibility

DC will implement necessary controls and practices at all levels to protect personal information stored and processed on its systems and ensure that such information is carefully protected.

DC requires all employees to ensure that they have read and understood Drip’s privacy policies and strictly adhere to them.

Policy Statement and Objectives

This privacy policy sets out how DC securely collects, stores, processes, transfers, shares and uses data that identifies or is associated with you (“Personal Information”) when you use DC’s website or services or generally interact with DC.

The privacy of individuals, including its customers and clients, is of utmost importance to DC. DC and its businesses in the US, India and Mexico adhere to several privacy management policies and practices as part of a global commitment to protecting personal information. In particular, this policy explains how DC, its employees, partners and vendors will collect, use, store, share, transmit, delete or otherwise process (collectively “process”) personal information in accordance with its Data Protection & Privacy Principles.

Scope and Applicability

This Policy covers personal information that DC collects directly from Customers / business associates of DC and all its subsidiaries.

This policy applies to information security across all internal and business Information Systems, services and related practices in all locations where DC conducts business.

Information covered within Policy

    In this Policy, the term “Personal Information” implies any personally identifiable information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.
    The term, “Data Subject” refers to the person whose data is being collected or processed by DC.
    In this Policy, the term “Sensitive Personal Information” means Personal Information that also comprises information relating to:

  • Passwords
  • Financial information
  • Physical, physiological and mental health conditions
  • Sexual orientation
  • Biometric information
  • Any detail relating to the above clauses as provided to the body corporate for providing service; and
  • Any of the information received under the above clauses by the body corporate for processing, stored or processed under lawful contract or otherwise

    Sensitive Personal Information does not include information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force.
    DC fully supports and adheres to the Principles of Data Protection and respects the rights of individuals as set out in the Standard and shall ensure that the personal information for which it is responsible will:

  • Be obtained and processed fairly and lawfully and shall not be processed unless the processing is necessary for the purposes defined under the standard
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
  • Be adequate, relevant and not excessive for those purposes
  • Be accurate and kept up to date
  • Be processed in accordance with the data subject’s rights (in accordance with California privacy law - CPRA)
  • Be kept secure from unauthorized access, accidental loss or destruction;
  • Only be transferred to a country where proper Laws & Regulations related to Privacy are adhered

Notice of Collection of Information

    As part of your agreement with DC, the company will collect, store and process your private information for fair, legal business and operational purposes.
    This Notice sets out the basis upon which DC may collect, use, disclose or otherwise process personal and financial data of its customers and business associates in accordance with the applicable acts and regulations.
    DC may collect personal information in the context of your agreement with DC, including, without limitation, your:

  • Company Name
  • Location
  • Contact details including mailing address, telephone numbers, email address
  • Registration details
  • Company identification number
  • Other relevant identification details
  • Details of financial health
  • Credit history
  • Financial information
  • Account number and other relevant details
  • Bank account details;
  • Tax-related information
  • Photographs and other relevant audio-visual information;
  • Records related to usage, access, surveillance etc within DC premises and systems;
  • Owner Identification Number (locally specific)
  • Contact information of persons associated with the company
  • Any additional information provided to us by you as our customer

    Consent of customers will be sought and received, for any collection and processing of all categories of data.
    The above information may be collected and processed by the company directly or by an authorized representative of the company:

  • As a part of the internal process in DC
  • At any later stage of your agreement with DC

Restricted Collection of Information

  • (a) DC will only collect personal and sensitive Information that is required and by lawful, fairly and non-intrusively. Collecting this Information enables us to offer you services that help you with your business needs. Depending on the business need you apply for, DC also collects information necessary to set up and maintain that business service.
  • (b) DC will only collect Information needed for lawful purposes related to the business service and only after your explicit consent in the course of your agreement with us.
  • (c) You can always deny or withdraw your consent at a later stage as per the process described in subsequent sections further, in accordance with regional applicable laws.
  • (d) Generally, DC collects Information directly from you. However, DC may also collect personal information about you from third parties including CICs and vendors.

If you would like to know the name and address of agencies, which are associated with DC to collect and retain your Information, you can contact privacy@dripcapital.com.

Access & Modification to Information

Customers can, at any time, request for their personal information being stored or processed by DC, in accordance with regional applicable laws. DC will respond to your request as per the established procedures. DC has reasonable procedures in place, to enable you to access the information being stored and/or processed by us.

To provide you access to information quickly and easily, the information requested will be provided in the prescribed format as per DC’s internal guidelines. Access will be restricted when the request is made without sufficient grounds.

Contact privacy@dripcapital.com to know more about how to access your personal information with DC.

You can also exercise your right to amend inaccurate or incomplete personal information, in accordance with regional applicable laws. The rationale for providing the Information Provider with the right of correction is to ensure that the data quality of their information is maintained and DC will take all reasonable steps to ensure this. In case DC refuses to amend your personal information, on request, DC will provide you reasons for the rejection.

Contact privacy@dripcapital.com to know more about how to request an amendment to your personal information stored with DC.

However, it should be noted that the privacy statement is only applicable to the personal information being shared by the data subject and does not apply to information interpreted for offering business services to you. DC also reserves the right not to share the information being collected from other sources, such as background check agencies, credit agencies, etc.

Option to Consent

The consent to personal information is always voluntary, informed and current. DC gives customers an option to withdraw consent, in accordance with regional applicable laws, for using your personal information being granted to us. In that case, you may approach privacy@dripcapital.com. However, in such cases, DC may not be able to continue to provide you with the business services for which the personal information was provided by you.

DC also gives customers the option of having their personal information included or removed from marketing lists and bulk mailers used for marketing. This includes product and service offers from us and those made in conjunction with our business partners.

Processing and Use of Information

    Generally, DC collects and processes personal information for the following purposes:

  • To establish and authenticate your identity
  • To communicate with you and to contact you with offers from time to time
  • To meet our legal and regulatory obligations
  • To provide the business services as requested by you
  • To carry out our regular business operations
  • To fulfill the terms of the agreement with you

    In addition to the above-listed purpose, DC may process your personal information to be compliant with existing or new legal or regulatory requirements without any explicit approval from you regarding the same.
    Your personal information that is collected will be processed /used by DC for the following purposes and DC may disclose your personal information to authorized and designated third parties where necessary as a part of the following purposes:

  • Performing obligations under or in connection with your contract of agreement with us as per the business service availed
  • Managing and terminating our agreement relationship with you,
  • Performing obligations under or in connection with the provision of our services to our clients;
  • Planning and managing the day-to-day work and operations.
  • For executing the processes and formalities related to the Termination of the contract, and
  • Facilitating our compliance with laws, customs and regulations which may be applicable to us from time to time.

The purposes listed in the above clauses may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with you).

Recipients of Personal Information

    DC may share your personal information with the following:

  • Credit Information companies (CICs): DC may share your personal information with CICs to fetch data required for the execution of our services to you.
  • Purpose - This information is required for CICs to supply DC with credit performance history which is used by Drip to run risk assessment.
  • Risk Services: DC works with external 3rd parties to evaluate the risk of transactions
  • Purpose - This information is required to gather information which is used by DC to validate & verify transactions
  • Insurance providers: DC may share your personal information with 3rd party insurance providers to assess the risk and protect the transactions.
  • Purpose - Insurance providers require this information to provide credit insurance coverage for debtors of a transaction
  • Law enforcement, regulators and other parties for legal reasons: DC may share your personal information with third parties as required by law or if DC reasonably believes that such action is necessary to (i) comply with the law and the reasonable requests of law enforcement; (ii) detect and investigate illegal activities and breaches of agreements; and/or (iii) exercise or protect the rights, property, or personal safety of DC, its users or others.
  • Purpose - This information is required to gather litigation history used to run risk assessments
  • Legal Firms: DC may share your personal information with our external legal partners, consultants and counsels in case of any legal action
  • Purpose - In a scenario where DC needs to collect outstanding amounts from concerned parties, DC may engage the services of legal agencies to facilitate collections.
  • Marketing and advertising: From time to time DC may contact you with information about our products and services, including sending you marketing messages and asking for your feedback on our products and services. Most marketing messages DC sends will be by email. For some marketing messages, DC may use personal information DC collects about you to help us determine the most relevant marketing information to share with you. Unsubscribing from marketing emails will not unsubscribe you from system notifications that DC needs to send as part of the services DC provides. From time to time, DC may need to contact you by email or via our support team.

Security & Confidentiality of Information

DC will keep your personal information confidential and limit access to those who specifically need it to conduct their business activities, except as otherwise permitted by applicable law. DC refers to industry standards and uses reasonable administrative, technical and physical security measures to protect your personal information from unauthorized access, destruction, use, modification or disclosure.

A robust information Security Management system (ISMS) is being established within DC that governs the systems and practices. This ISMS is being established and managed in alignment with global best practices and certified towards ISO/IEC 27001:2013 standard. The system is subject to strong controls including ongoing monitoring, periodic Security testing, internal/external audits and verifications. DC also ensures that any business associates/ subcontractors/ subsidiaries/ third party agencies DC engages to access/ process/ store your personal information also adhere to the reasonable security practices to protect your personal information to provide the same level of protection for data as required under the Principles and applicable laws and regulations.

Integrity & Retention of Information

DC uses appropriate technology and well-defined employee practices to process your data promptly and accurately. DC will not keep your personal information longer than is necessary, except as otherwise required by applicable law.

DC destroys all personal information that is no longer needed for the purposes for which DC collected it unless its retention is required to satisfy legal, regulatory or accounting requirements, to protect our interests or for auditory purposes. DC ensures to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.

Personal Information Handling

    Every DC employee/business associate/relevant individual, who deals with or comes into contact with personal information of a customer regardless of its origin, shall have a responsibility to comply with the applicable law concerning data privacy, this policy and specific privacy practices.
    The Relevant Individual should seek advice in the event of any ambiguity while dealing with personal information or in understanding this Policy.
    The processing of personal information is defined as encompassing everything that DC does with personal information including the sharing, transferring or disclosing of personal information to another organization or internally.
    DC ensures that its employees/relevant Individuals shall be diligent and extend caution while dealing with personal information of customers, in the course of performance of their duties and shall also, at all times, will:

  • a. Respect personal information that they have access to and treat it in the manner in which they would expect their personal details to be treated.
  • b. Prevent any unauthorized person from having access to any computer systems processing personal information, and especially:
  • i. Unauthorized reading, copying, alteration, deletion or removal of data;
  • ii. Unauthorized data input, disclosure, uploading, transmission/transfer of personal information;
  • iii. Abide by DC information security and privacy policies and procedures;
  • c. Ensure that authorized users of a data-processing system can access only the personal information to which their access right refers.
  • d. Keep a record of which personal information has been shared, when and to whom.
  • e. Not provide any personal information to any third party without an approval from the Information Security team,
  • f. Ensure that personal information processed on behalf of a third party (client) can be processed only in the manner prescribed by a such third party,
  • g. Ensure that, during the communication of personal information and transfer of storage media, the data cannot be read, copied or erased without authorization.
  • h. Immediately, on becoming aware, report and notify any vulnerabilities and privacy-related breach/security breaches (including potential risks) to the SecOps team.
  • DC takes non-compliance to this policy by DC’s employees very seriously and may take disciplinary actions including but not limited to Employee dismissal or Relevant Individual termination.

Sharing & Disclosure of Information

All the personal information within the context of DC will be disclosed to and be accessible by only limited, designated personnel within DC, as per DC’s organizational policies and applicable acts/regulations. These personnel could be part of any of the registered companies within the organization.

DC may share your personal information with third parties where it is necessary to provide you with products or services or as part of the nature of our relationship with you. DC will only share the personal information where DC has previously informed or been authorized by you, in connection with efforts to reduce fraud or criminal activity or as permitted by law.

DC will disclose personal information with third parties only when you have given us your prior permission or where it’s part of our contractual arrangements with you. In certain circumstances like but not limited to, requests from the Government Agencies mandated to receive such information or as an obligation under an order of Law, DC will not seek your permission to disclose your personal information.

DC has established procedures which will reasonably ensure that your personal information will not be disclosed by us or any agencies/ third party associated with us, any further than absolutely required.

Transfer of Information

    DC is committed to ensuring that personal information is stored in respective regions as much as possible, in alignment with the applicable laws and regulations.
    However, in certain scenarios, DC might need to transfer and store the data in the US or in India or in another region/country in alignment with the corporate information and technology architecture and practices. Whenever such a need for inter-country transfer arises, the company will ensure adequate compliance with the laws and regulations through measures such as ensuring:

  • The data transfer is in alignment with the applicable acts and regulations and/or
  • Restriction of transfer, storage, retention and processing is limited to only those as required for the fulfillment of the employment contract and related requirements and commitments.
  • Adequate controls and reasonable security practices are put in place to ensure effective data protection on par with the requirement of the acts and regulations.

Privacy Grievance Redressal

Any concerns, disputes, discrepancies or grievances with respect to the processing of personal information can be referred to the directed to privacy@dripcapital.com. The privacy team will redress the grievance within 45 days from the date of receipt of any such grievance. This channel is specific for Privacy related grievances. All anonymous or third-person grievances would not be registered / acted upon.

Changes to Privacy Policy

DC reserves the right to update this privacy policy at any time, as a part of our continual improvement and as part of our objective to align with applicable laws and regulations.

DC will notify you about any future changes in the privacy policy and provide you with access to the new/changed privacy policy as and when DC makes any substantial updates.

DC may also continue to notify you from time to time about any new/changed aspects in the processing of your personal information.

Further questions

If you have any questions or need further information regarding this policy, you may contact us via the means provided in this document.

These terms and conditions shall be governed by and construed in accordance with the laws of India and any dispute shall be referred to privacy@dripcapital.com.

Enforcement and Compliance

    This privacy policy is enforced effectively in the organization through practices and measures such as:

  • Ensuring effective and adequate awareness through:
  • Onboarding process of new employees and customers
  • Periodic and ongoing information Security awareness initiatives
  • Periodic and need-based communication on Policy and updates from CISO/ ISMS team

  • Ensuring effective compliance with the Policy through:
  • Internal checks and reviews
  • Internal and External Audits

  • Breach of this Policy will invoke appropriate corrections and corrective actions as per DC’s internal Processes. Serious and persistent breaches may constitute gross misconduct & result in invoking Disciplinary actions from DC management.

Exception

Currently, there are no exceptions established within DC for this Policy.

Any exception to this policy should be authorized by the DC Management or Privacy Officer or any person specifically designated and authorized by the Management.

Targeted Advertising

DC may collect information about how you use or connect to our Website, or the types of other websites, social media services, content and ads that you view to customize the ads on our Website, that are visible to you when you visit our Website or use our products or services.

Customer’s rights on their Personal Information - California-US residents only

    In accordance with applicable privacy law, you have the following rights in respect of your personal information that DC holds:

  • a. Right to Delete:
    • A customer has the right to request for deletion of personal information all in full or partial. DC has the right to store, maintain and process all or any information which is not personal.
  • b. Right to Correct:
    • A customer has the right to request for modification or updation of personal information collected by DC if seen as inaccurate or incorrect by the customer.
  • c. Right to Access/Know:
    • A customer has the right to request to disclose the following about the personal information collected about the customer:
  • i. The categories of personal information collected
  • ii. The categories of sources from which the personal information was collected
  • iii. The categories of third parties to which/whom the personal information was disclosed
  • iv. The purpose of collecting and sharing of personal information
  • v. The actual personal information collected in full
  • d. Right to know what personal information is sold and to whom:
  • i. A customer has the right to request to disclose what or if the personal information is sold to a third party.
  • e. Right to opt-out of Sale or Sharing of personal information:
  • i. A customer has the right, at any time, to direct DC to stop sharing personal information with third parties.
  • f. Right to limit usage of personal information:
  • i. A customer has the right, at any time, to direct DC to limit the usage of the personal information to that use which is necessary for DC to perform its services.
  • g. Right to no Retaliation following opt-out or Exercise of other rights:
  • i. DC shall not discriminate against a customer who has exercised one or more of the rights above.


Californian customers can exercise said rights by reaching out to privacy@dripcapital.com.

However, it should be noted that the privacy statement is only applicable to the Personal Information being shared by the data subject and not relating to information interpreted for offering the business services. DC reserves the right not to share the information being collected from other sources, such as background check agencies, credit agencies, etc.

DC may not be able to continue to provide you with the business services for which the personal information was provided by you if execution of all/any of the above rights leads to the disruption of DC’s business.

Cookies

DC may automatically collect information relating to such matters as the total number of visits to this website, the number of visitors to each page of this website, the Internet Protocol (IP) addresses of our visitors, and the time spent on this Website. DC may use this information, which is collected in and remains in aggregate form, to understand how our visitors use this Website so that DC can improve it. DC may also use your IP address to help diagnose problems with our servers and for purposes of system administration. From time to time, DC may share aggregated, non-personal information with our agents, business partners, consultants, or other third parties. Some non-personal information may be collected through cookies. Cookies are used by most major websites. A cookie is a text file stored on a user’s computer hard drive containing information about the user. Cookies can enable us to track the interests of our users to enhance their experience on this Website and to deliver content specific to a user’s interests. DC may place a cookie in the browser file of your computer when you visit this Website. These cookies are generally not linked to personal information. If you request that the Website store your username and/or password, the cookie will be linked to your username and/or password, and hence will track your navigation path around the Website. You may delete or decline the cookie using the tools in your web browser. Although you may still use this website without the cookie, some parts of the website may not work properly for you.

Third-Party Websites

As a convenience to you, DC may provide links to other websites maintained by independent third parties. DC is not responsible for the privacy practices of independent third parties. DC encourages you to be aware when you leave this Website and to read the privacy policies of any other websites that you may visit. Our Website includes social media features, such as the Facebook log-in or interactive mini-programs that run on our Website. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. These social media features and widgets are either hosted by a third party or hosted directly on our Website. Your interactions with these features are governed by the privacy policy of the company providing them.

Disclaimer* : This policy applies to entities based in both the United States and India.
Effective Date: March 1, 2015