UPI Gateway.dev ("we", "us") respects your privacy. This Policy describes the data we collect, how we use it, and your rights. It applies to merchants who sign up for the Service and to end customers who make UPI payments through our infrastructure.
1. Data we collect
From merchants
- Identity & KYC: name, business name, email, mobile, PAN, Aadhaar (last 4 digits), location.
- UPI/banking details required to route collections to your account.
- Account activity: orders, settlements, API/webhook logs, login events.
From end customers
- UPI VPA, UTR (transaction reference), payer name (as provided by the UPI app).
- Device/IP for fraud and abuse prevention.
2. How we use data
- To operate the Service: route UPI collections, reconcile UTRs, deliver webhooks, generate receipts.
- For risk, fraud, and AML monitoring as required by partner banks and NPCI.
- For customer support, billing and legal compliance.
- We do not sell personal data. We do not share data with advertising networks.
3. Legal basis
We process data under the contract you have with us (these terms), to comply with legal obligations (RBI, NPCI, IT Act, DPDP Act 2023), and where you have consented.
4. Sharing
- Partner banks and UPI providers (HDFC, PhonePe, Paytm and others enabled in your account) for payment processing.
- Cloud infrastructure and managed-service vendors under data-protection agreements.
- Law enforcement or regulators when required by law.
5. Security
We use TLS in transit, encryption at rest, signed webhooks (HMAC SHA-256), per-merchant API keys, and row-level security in our database. Access to production data is restricted and audited. No system is 100% secure — please report any security concern via the contact page.
6. Retention
Transaction and KYC records are retained for the period required by RBI and NPCI (typically up to 8 years from the transaction date). Webhook logs are kept for 90 days. You may request export or deletion of personal data subject to legal retention requirements.
7. Your rights (DPDP Act)
- Access a summary of personal data we hold.
- Correct inaccurate data via your profile or by contacting us.
- Request erasure (subject to legal retention).
- Withdraw consent — note this may require us to suspend the Service.
- Nominate a person to exercise your rights in the event of incapacity.
8. Cookies
We use a small number of strictly necessary cookies for authentication and session state. We do not use advertising or cross-site tracking cookies.
9. Children
The Service is not directed to anyone under 18 and we do not knowingly collect their data.
10. Grievance Officer
Per the IT Rules 2011 and DPDP Act, our Grievance Officer can be reached via the contact page. We will acknowledge complaints within 24 hours and resolve them within 15 days.
11. Changes
We will post any material changes on this page and notify merchants by email.
