Legal Document

Privacy Policy

📅 Last Updated: June 5, 2026
🏢 Entity: STU Software Private limited
⚖️ Jurisdiction: India (DPDP Act, 2023)

STU Software Private Limited. (hereinafter referred to as "Company", "we", "us", or "our") operates the payment portal and related software applications accessible via https://thestucompany.com/ (hereinafter referred to as the "Platform").

This Privacy Policy forms a comprehensive digital notice issued in compliance with the Digital Personal Data Protection (DPDP) Act, 2023, the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).

Under the DPDP Act, the Company acts as the "Data Fiduciary" determining the purpose and means of processing your personal data, and you are recognized as the "Data Principal".

Please read this policy carefully before interacting with or processing any payments through our Platform.

1
Categories of Personal Data We Collect

To process financial transactions securely and maintain our digital ecosystem, we collect several categories of personal data. We do not collect any personal data without your knowledge or active participation.

1.1

Identity and Contact Data

Includes your full name, email address, mobile phone number, billing address, and shipping address.

1.2

Financial and Transaction Data

Includes your bank account numbers, UPI IDs, transaction amounts, timestamps of payments, payment status (Success/Failure), and tokenized card identification data.

⚠️

Note on Card Security: In absolute compliance with Reserve Bank of India (RBI) mandates, the Company never directly records, saves, or stores raw credit/debit card numbers, CVV codes, or net banking passwords. All card details are processed and saved securely via encrypted tokens provided by our PCI-DSS certified payment gateway partners.

1.3

Technical and Log Data

Includes your Internet Protocol (IP) address, device operating system, browser type, device fingerprints, unique hardware identifiers, and real-time security event logs.

2
Legal Basis and Purposes of Data Processing

We process your digital personal data only based on legitimate, lawful grounds. The primary grounds for processing include your Explicit Consent and fulfillment of Legitimate Uses (such as executing a contract or complying with statutory laws).

We utilize your data strictly for the following operational workflows:

  • To Execute Transactions: To verify your identity, communicate with banking institutions, and route your payment requests securely to authorized payment aggregators.
  • Fraud Prevention and Risk Mitigation: To run automated security algorithms, monitor velocity patterns, and prevent cybercrimes, identity theft, or unauthorized money transfers.
  • Customer Support and Dispute Resolution: To handle chargebacks, reconcile failed transactions, address customer support queries, and execute valid refunds.
  • Statutory Compliance: To comply with anti-money laundering regulations under the Prevention of Money Laundering Act (PMLA), respond to judicial warrants, and report cyber security incidents to the Indian Computer Emergency Response Team (CERT-In).
3
Data Sharing and Disclosures to Third Parties

The Company does not sell, trade, or rent your personal data to any third-party marketing entities. Your data is shared with external parties (acting as "Data Processors") solely to fulfill your transaction requests:

3.1

Payment Aggregators and Banking Partners

We transfer encrypted transaction payloads to RBI-authorized Payment Aggregators, card networks, and participating issuing banks to process your payments.

💳 Razorpay 💳 Cashfree 💳 Stripe 🏦 Visa 🏦 Mastercard 🏦 RuPay
3.2

Technology Service Providers

We work with cloud-hosting partners who maintain secure data servers located strictly within the sovereign territory of India.

☁️ Hostinger
3.3

Law Enforcement and Government Authorities

We will share personal and technical details with regulatory bodies, tax offices, or law enforcement agencies if required by a formal order under Indian law.

4
Data Storage Location and Retention Policy
4.1

Localized Storage

In compliance with RBI directives on payment data storage, all core payment data, end-to-end transaction details, and log information are stored and processed on secure cloud instances located entirely within India.

4.2

Retention Duration

We retain financial and transaction data for a mandatory minimum period of five (5) to ten (10) years, as legally prescribed under the PMLA, the Companies Act, 2013, and Income Tax rules.

4.3

Mandatory Erasure

Once the legal retention window expires, or upon a valid request for erasure where processing is no longer required for any legitimate use or contractual obligation, the data will be permanently purged or irreversibly anonymized from our live servers.

5
Reasonable Security Practice Standards

The security of your financial data is our highest priority. The Company has put in place robust technical, physical, and managerial controls that comply with Section 43A of the IT Act, 2000 and Rule 8 of the SPDI Rules:

  • All data transmitted through the Platform is encrypted using Transport Layer Security (TLS 1.2 or higher).
  • We use firewalls, continuous security monitoring, end-to-end encryption protocols, and strict internal access control frameworks.
  • Any employee access to user information is confined to a strictly audited, "need-to-know" operational basis.
6
Your Rights as a Data Principal

Under the DPDP Act, 2023, you possess robust statutory rights regarding your personal data held by us. You can exercise these rights by sending a verified digital request to our Grievance Officer:

📋
6.1 — Access & Summary

Right to Access and Summary

You have the right to request a summary of the personal data we hold about you and a description of the identities of third parties with whom it was shared.

✏️
6.2 — Correction & Erasure

Right to Correction and Erasure

You can request the correction of any inaccurate, incomplete, or out-of-date personal data. You can also request erasure of data no longer strictly necessary for transactional or statutory purposes.

🔄
6.3 — Withdraw Consent

Right to Withdraw Consent

You can withdraw your consent to data processing at any time. However, if you withdraw consent, we will be unable to process any subsequent payment transactions for you on the Platform.

👤
6.4 — Nominate

Right to Nominate

You have the right to nominate an individual who, in the event of your death or incapacity, can exercise your rights on your behalf.

📬

Grievance Officer — STU Software Pvt. Ltd.

Submit a verified request via email: stucompany369@gmail.com

Address: NO. 19A-66A, 10th & 11th Main, S-02 Northsquare, Maruthi Layout, Dasarahalli, Hebbal, Karnataka, India — 560024

Acknowledgement within 48 hours of receipt