Celestium Financial Ltd. Bangalore | Chennai

Privacy policy

Privacy Policy

Last Updated: June 2026

1. Introduction

Celestium Financial Limited ("Celestium", "we", "us", "our") is an NBFC registered with the Reserve Bank of India, with its registered office at No.160/200, First Floor, Ramakrishna Mutt Road, Mandaveli, Chennai 600028, and its operational office and books of account maintained at No. 28, 1st Floor, Bhadrappa Layout, Outer Ring Road, Maruthi Nagar, Nagashetty Halli, Bangalore 560094. We provide business and personal loans to individuals, professionals, SMEs, MSMEs, sole proprietors, and corporate entities across India.

For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDPA"), Celestium Financial Limited is the Data Fiduciary — the entity that determines the purpose and means of processing your personal data.

This Privacy Policy ("Policy") describes how we collect, use, store, share, and protect your personal information. It constitutes an electronic record under the Information Technology Act, 2000, the DPDPA, and the DPDP Rules, 2025, and is issued in compliance with:

  • RBI Master Direction on KYC, 2025
  • RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices, 2024
  • RBI Master Circular on AML/CFT Standards
  • Prevention of Money Laundering Act, 2002 (PMLA)
  • SARFAESI Act, 2002
  • Reserve Bank of India Act, 1934 and applicable NBFC Master Directions

By engaging with our services or providing your personal information, you accept and agree to the practices described in this Policy.

2. Scope

This Policy applies to all personal data collected by Celestium in connection with our loan products and financial services, covering:

  • Prospective customers making loan enquiries
  • Existing customers availing business or personal loans
  • Guarantors and co-applicants on a loan application
  • Agents and intermediaries acting on behalf of customers

3. Grievance Officer

We have appointed a Grievance Officer in accordance with the IT Act, 2000 and DPDPA. For any query, grievance, or concern regarding your personal data:

  • Customer Complaints: Mahesh, Operations Team — 080 – 23515156
  • Escalations: Babu, Operations Head — 044 – 45094446
  • Email: info@celestium.in
  • Address: No. 28, 1st Floor, Bhadrappa Layout, Maruthinagar, Outer Ring Road, Nagashettyhalli, Bangalore – 560094

Grievances will be acknowledged within 5 business days and resolved within 7 to 10 working days of receipt.

4. Data We Collect

4.1 Personal Information

For identity verification, KYC, and loan processing:

  • Full name, date of birth, gender
  • Residential and business address
  • Mobile number and email address
  • PAN, Aadhaar (with consent), photographs, and signatures

4.2 Financial Information

For credit assessment and loan processing:

  • Bank account details (account number, IFSC, account type) and NACH mandate details
  • Bank statements (preceding 12 months) and income tax returns (preceding 3 years)
  • Annual income, employment type, employer/business details, and additional income sources

4.3 KYC and Identity Documents

As required under RBI regulations:

  • Proof of identity (PAN, Aadhaar, passport, voter ID, or driving licence)
  • Proof of address (utility bills, rent agreement, or other accepted documents)
  • Proof of business ownership or incorporation (for business loans)

We may retrieve KYC records from the Central KYC Records Registry (CKYCR) and KYC Registration Agencies (KRA) where applicable.

4.4 Interaction Records

When you contact us by phone, email, or in person, we may collect and retain records of telephone conversations (which may be recorded for quality and compliance purposes), email correspondence, notes from meetings or branch visits, and documents submitted to us.

4.5 Website and Cookie Data

When you visit www.celestium.in, we may collect limited non-personal technical information through cookies or analytics tools, including device type, browser, pages visited, and time spent on the site. This data is used only in aggregated, anonymised form for website performance and improvement. It does not identify you individually. You may disable cookies through your browser settings; this will not affect your ability to interact with us through other channels.

5. How We Collect Your Information

We collect personal information through:

  • In-person visits to our offices in Bangalore and Chennai
  • Telephone calls and email correspondence
  • Loan application forms (physical or digital)
  • Authorised third-party agents and brokers
  • Credit bureaus (e.g., CIBIL, Experian), CKYCR, and KRAs
  • Our website www.celestium.in (see Section 4.5)
  • Government and regulatory databases as permitted under applicable law

6. How We Use Your Information

We use your personal information to:

  • Verify your identity and complete KYC and due diligence
  • Assess creditworthiness and process your loan application — which may involve automated analysis tools such as bank statement analysers (see Section 6.1 below)
  • Disburse approved loans and set up NACH mandates
  • Communicate regarding your loan account and repayment schedule
  • Comply with legal and regulatory obligations under RBI guidelines and Indian law
  • Detect, prevent, and investigate fraud, defaults, or illegal conduct
  • Resolve disputes and enforce loan agreements
  • Contact you about other loan products or services (subject to your consent or opt-out)
  • Conduct internal analytics, risk modelling, and credit analysis
  • Any other purpose for which your explicit consent is obtained at the time of collection

6.1 Automated Decision-Making

In assessing your loan application, we may use technology-assisted or automated tools — including bank statement analysers — to evaluate cash flows, income patterns, and repayment capacity. While these tools inform the credit assessment process, final decisions on loan sanction or rejection are made by Celestium's credit team and are not solely based on automated processing.

7. Disclosure and Sharing of Your Information

We treat your personal information with strict confidentiality and do not sell it. We share your information only as follows:

7.1 Credit Bureaus

We share personal and financial information with licensed credit bureaus (CIBIL, Experian, CRIF High Mark, Equifax) as required under RBI guidelines for credit assessment and reporting.

7.2 Legal and Regulatory Obligations

We may disclose your information without prior notice if required by a court order, government directive, statutory authority, or applicable law, including for fraud prevention, law enforcement cooperation, or credit risk reduction.

7.3 Business Transfers

In the event of a merger, acquisition, restructuring, amalgamation, or asset sale, your information may be transferred to the successor entity as part of that transaction.

7.4 Professional Advisors

We may share your information with legal advisors, auditors, and compliance consultants on a strictly need-to-know and confidential basis.

7.5 Your Consent

For any disclosure not described above, we will seek your explicit written consent. By engaging with our services, you provide consent to sharing as described in this Policy.

8. Data Storage and Security

8.1 Storage and Data Localisation

All personal and financial information is stored on servers located within India, in compliance with the DPDPA and applicable data localisation requirements. Celestium does not transfer your personal data outside India.

8.2 Security Measures

We implement reasonable physical, administrative, and technical safeguards, including:

  • Encryption of sensitive data during transmission
  • Restricted access on a need-to-know basis
  • Contractual confidentiality obligations for staff and agents handling your data
  • Periodic review of information collection, storage, and processing practices
  • Physical security measures at our offices

No electronic storage method is completely secure. While we strive to protect your information, absolute security cannot be guaranteed.

8.3 Consent Records

We maintain verifiable records of all consents obtained from you in accordance with DPDPA requirements. These records are retained for the applicable periods set out in Section 9.

8.4 Data Breach Notification

In the event of a personal data breach, our obligations include:

  • CERT-In: Report cyber security incidents within 6 hours of becoming aware, as mandated under RBI's IT Governance Master Direction, 2024
  • RBI: Notify our RBI supervisory team per prescribed timelines and procedures
  • Data Protection Board of India (DPBI): Notify without undue delay as required under the DPDPA
  • Affected Customers: Notify of the nature of the breach, data impacted, and mitigation steps without undue delay

No personal information subject to an active breach investigation will be destroyed until the investigation is fully resolved.

9. Data Retention

We retain your personal information as long as necessary to fulfil the purposes in this Policy, comply with legal and regulatory obligations, and resolve disputes. The retention periods below are minimum periods mandated under applicable RBI regulations and law. Where multiple regulations prescribe different minimums for the same data category, the longer period applies. Retention may be extended for ongoing litigation, regulatory proceedings, audits, or investigations.

We may retain information in anonymised, non-attributable form for analytical purposes beyond the above periods, provided such retention cannot identify you.

9.1 Data Deletion

Upon expiry of the applicable retention period:

  • Electronic records will be permanently deleted from all company systems
  • Physical documents will be destroyed by authorised shredding services
  • No personal information subject to ongoing legal proceedings, regulatory inquiries, audits, or investigations will be destroyed until that matter is fully resolved

10. Your Rights

As a data principal under the DPDPA and as a customer of an RBI-regulated entity, you have the following rights:

  • Right to Access: Request a summary of your personal information being processed, the purposes, and third parties with whom it has been shared. We will respond within 30 days.
  • Right to Correction: Request correction of inaccurate or incomplete information by writing to info@celestium.in with supporting documentation.
  • Right to Erasure: Request deletion of your personal information where there is no compelling reason to continue processing. Note: mandatory retention obligations under RBI, PMLA, SARFAESI, and KYC Master Direction (Section 9) override erasure requests.
  • Right to Withdraw Consent: Withdraw consent at any time by writing to info@celestium.in. This may affect our ability to continue providing services. Withdrawal does not affect the lawfulness of prior processing.
  • Right to Nominate: Nominate an individual to exercise your data protection rights in the event of your death or incapacity, as prescribed under the DPDPA.
  • Right to Opt-Out of Marketing: Opt out of marketing communications by contacting info@celestium.in. This does not affect mandatory service communications.
  • Right to Human Review of Automated Decisions: Request a human review of any automated credit assessment that materially affects your loan application (see Section 6.1).
  • Right to Grievance Redressal: File a grievance with our Grievance Officer (Section 3). Unresolved grievances may be escalated to the Data Protection Board of India once constituted under the DPDPA.
  • Consent Manager: You may provide, manage, review, or withdraw consent through a registered consent manager as recognised under the DPDPA and DPDP Rules, 2025.

11. KYC Compliance and Periodic Updation

As an RBI-regulated NBFC, we conduct and periodically update KYC for all customers per the RBI Master Direction on KYC, 2025. KYC updation frequency depends on risk classification:

  • Low-risk customers: every 10 years
  • Medium-risk customers: every 8 years
  • High-risk customers: every 2 years

We will contact you when KYC renewal is due. Failure to complete periodic KYC updation may result in restrictions on your account or loan facilities. KYC records are uploaded to the CKYCR within 10 working days of onboarding, as mandated by the RBI.

12. Anti-Money Laundering (AML) and CFT Obligations

Celestium Financial Limited is a reporting entity under the PMLA, 2002. In compliance with AML and CFT obligations, we:

  • Verify your identity and source of funds before disbursing any loan
  • Screen details against applicable sanctions lists and Politically Exposed Persons (PEP) databases
  • Monitor transactions for suspicious activity
  • Report suspicious transactions to the Financial Intelligence Unit – India (FIU-IND) without prior notice to you, as required under the PMLA
  • Retain all AML-related records for a minimum of 10 years

We are legally prohibited from disclosing whether a suspicious transaction report has been filed in relation to your account.

13. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time. Material changes will be communicated to existing customers via email or other written communication. Your continued engagement with our services following notification of changes constitutes your acceptance of the revised Policy.

14. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in Bangalore, Karnataka.

15. Contact Us

Celestium Financial Limited
No. 28, 1st Floor, Bhadrappa Layout, Maruthinagar, Outer Ring Road, Nagashettyhalli, Bangalore – 560094
Phone (Bangalore): 080 – 23515156
Phone (Chennai): 044 – 45094446
Email: info@celestium.in

This Privacy Policy is effective as of the date of last update stated above and supersedes all prior versions.