Privacy Policy & Data Protection

This Privacy Policy describes how ARIFAC (Alliance of Reporting Entities in India for AML/CFT), operated by the Internet and Mobile Association of India (IAMAI) under the guidance of the Financial Intelligence Unit – India (FIU-IND), collects, uses, processes, stores, and protects personal data of individuals ("Data Principals") who access or use ARIFAC platforms, including its website, Learning Management Program (LMP), membership services, and certification programs.

By accessing or using ARIFAC services, you consent to the collection and processing of your personal data in accordance with this Policy and applicable laws, including the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 and any amendments thereto.

PLEASE READ THIS PRIVACY POLICY BEFORE USING ARIFAC'S SERVICES. BY USING ARIFAC'S SERVICES OR SUBMITTING THE INFORMATION, YOU AGREE THAT YOU ARE OF THE AGE OF 18 YEARS OR ABOVE AND EXPRESSLY CONSENT TO THE PROCESSING AND USE OF THE INFORMATION ACCORDING TO THE PRIVACY POLICY.

This Policy applies to all users of ARIFAC services, including: (i) Website visitors, (ii) Registered users, (iii) Learners and certification candidates, and (iv) Member organization representatives.

This Policy covers personal data collected through digital platforms, forms, communications, and program participation. By registering on our platform for ARIFAC services, you specifically consent to the use and transmission/transfer/sharing of your personal data and information to provide the services to you.

This Privacy Policy does not apply to companies or entities that ARIFAC does not own or control, or has no contractual relationship with. If you choose not to provide the personal information/personal data that we seek from you, then you may not be able to avail the ARIFAC services and we may also not be able to respond to any queries that you may have.

ARIFAC (and its licensors, if applicable) owns exclusively and absolutely all rights, title and interest, including all related intellectual property rights, in the platform and the ARIFAC services, and any suggestions, ideas, improvements, enhancement requests, feedback, recommendations and other information provided by you relating to the platform and its services.

ARIFAC may collect and process the following categories of personal data: Identity Information (name, date of birth, photograph, Aadhaar/PAN/passport or other identification details), Contact Information (email address, phone number, address), Professional Information (employer details, designation, industry affiliation, work history), Educational and Certification Data (course enrollment, progress, assessment results, certification status), Technical Data (IP address, device details, browser information, login activity), Audio-Visual Data (video, audio, and screen recordings during remote proctored examinations), Transactional Data (payment details processed through authorised payment gateways).

ARIFAC shall collect only such data as is necessary for lawful purposes.

Personal data shall be processed for lawful purposes including: User registration, onboarding, and account management; Delivery of LMP training programs and certification services; Conduct of examinations and identity verification; Issuance, validation, and publication of certifications; Communication of program updates, notifications, and support; Compliance with legal, regulatory, and audit requirements; Prevention of fraud, misuse, or unauthorised access.

Personal data shall not be processed for purposes incompatible with the above.

Processing of personal data shall be based on: Consent provided by the Data Principal at the time of registration or use of services; Legitimate uses permitted under applicable law; Compliance with legal obligations, including regulatory or law enforcement requirements.

Users may withdraw consent where applicable, subject to consequences such as suspension of access to services.

ARIFAC may share personal data only under the following circumstances: With regulatory authorities or law enforcement agencies where required under applicable law; With service providers (e.g., LMS platforms, proctoring providers, payment gateways) under strict confidentiality obligations; With member organisations, where users are nominated participants (limited to program participation data); For certification verification, including publication of certified user lists (name, organisation, certification status); For business transfers: ARIFAC may sell, transfer or otherwise share some or all of its assets, including any personal information, in connection with a merger, acquisition, reorganisation or sale of assets or in the event of bankruptcy.

ARIFAC shall not sell personal data to third parties.

Personal data shall be retained only for as long as necessary to fulfil the purposes outlined in this Policy, including: Certification and audit records; Legal and regulatory compliance; Dispute resolution.

Upon expiry of retention requirements, data shall be securely deleted or anonymised.

ARIFAC shall implement reasonable security safeguards, including: Access controls and authentication mechanisms; Encryption and secure data storage; Monitoring and audit of system access; Secure handling of proctoring data.

However, no system is completely secure, and ARIFAC does not guarantee absolute security.

Under the DPDP Act, users (Data Principals) have the right to: Access information about their personal data; Request correction or updating of inaccurate data; Request erasure of personal data (subject to legal limitations); Withdraw consent (where applicable); Grievance redressal.

Requests may be submitted through the contact details provided in the Grievance Redressal section below.

Users shall ensure that: All personal data provided is accurate and up to date; They do not impersonate or provide false information; They comply with applicable laws and ARIFAC policies.

Personal data may be stored or processed in India or in jurisdictions permitted under applicable laws. ARIFAC shall ensure that such transfers comply with the DPDP Act and applicable safeguards.

The ARIFAC website may use cookies and similar technologies to enhance user experience, analyse usage patterns, and improve services. Users may control cookie preferences through browser settings. If the User does not accept cookies, it may not be able to use all portions and functionality of the Platform.

Third-party websites which are accessible from our platform via links, click-through or banner advertising may use cookies. However, it is important for us to inform you that we have no access or control over such cookies and do not accept responsibility with regards to them.

Our platform may contain links to other third-party websites/platforms. The User's use of websites/platforms to which the platform links is subject to the terms of use and privacy policies located on such third-party websites/platforms.

ARIFAC absolutely disclaims any liability or responsibility for any disclosure by you or anyone on your behalf of any of your personal information/data, which may be posted on any parts of the platform.

ARIFAC may also collect information that your browser sends whenever you visit our platform or when you access the platform by or through a mobile device ("Usage Data").

This Usage Data may include information such as your computer's internet protocol address (e.g. IP address), browser type, browser version, the pages of our Platform that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When you access the platform by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.

We may use and store information about your location if you give us permission to do so ("Location Data"). We use this data to provide features of our platform, to improve and customise our platform.

You can enable or disable location services when you use our platform at any time, through your device settings.

For any queries, requests, or grievances relating to personal data, users may contact the ARIFAC Data Protection / Grievance Officer at: help.arifac@iamai.in

ARIFAC shall address grievances within a reasonable timeframe in accordance with applicable law.

ARIFAC shall not be liable for any unauthorised access, loss, or misuse of personal data or information arising from circumstances beyond its reasonable control, including user-side vulnerabilities or force majeure events.

ARIFAC reserves the right to update or modify this Privacy Policy from time to time. Updated versions shall be published on the ARIFAC website. Users are advised to review the Policy periodically.

Continued use of services shall constitute acceptance of such updates.

This Privacy Policy shall be governed by the laws of India. Any disputes arising shall be subject to the exclusive jurisdiction of the courts in New Delhi, India.