Privacy Policy

ORIX India is committed to protecting the privacy, confidentiality and integrity of Personal Data (as defined below) that we collect, hold, process and transfer in connection with our operations in India. This Privacy Policy (“Policy”) sets out how we collect, use, store, transfer and dispose of Personal Data, and the rights available to individuals whose data we process (“Data Principals”).

This Policy sets forth how ORIX India and its subsidiaries and affiliates in India (collectively, “we,” “our,” “us,” or “ORIX India”) collect, process, store, share, transfer, and otherwise handle digital Personal Data of Data Principal(s) in accordance with the following applicable data privacy laws :

  • 1. Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”)
  • 2. Information Technology Act, 2000
  • 3. The Information Technology (reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011.

We urge you to read this Policy carefully. It is a supplement to means by which we may provide more specific notices (for example in our contracts, our website, mobile applications, service platforms) and does not replace any such specific notice.

By engaging with us (for example by providing your data, becoming a customer, applying for employment, using our website, or otherwise) you signify your acceptance of the terms of this Policy (to the extent relevant).

1. Definitions

In this Policy, the following terms have the meanings set out below (and other capitalised terms bear the meanings given elsewhere in the DPDP Act, DPDP Rules or this Policy):

    • “Digital Personal Data” means Personal Data in digital form, which has been or is being processed by ORIX India.
    • Personal Data means data about a natural person who is identifiable either by such data or in relation to such data, and which is in digital form.
    • Data Principal means the natural person to whom the Personal Data relates.
    • Data Fiduciary means any person who alone or in conjunction with others determines the purpose and means of processing Personal Data.
    • Data Processor means a person who processes Personal Data on behalf of a Data Fiduciary.
    • Consent means a free, specific, informed, clear and unambiguous indication of the Data Principal’s wish by which they, by a statement or clear affirmative action, signify agreement to the processing of their Personal Data for one or more Specified Purposes.
    • “Retention Period” means how long we hold Personal Data in accordance with our retention policy and legal obligations.
    • Other terms used in this Policy will have the meanings given to them in the DPDP Act / DPDP Rules, as applicable.
      • sources.

2. Scope and Applicability

  • 2.1. This Policy applies to all Digital Personal Data collected, received, stored, processed or transferred by ORIX India through its operations in India (including via websites, mobile applications, service portals, marketing campaigns, finance/lease operations, vendor onboarding, HR/employee management, customer service, etc.).
  • 2.2. This Policy applies to Data Principals who are in India or whose Personal Data is processed in connection with an offer of goods or services to them in India, employees, job-applicants, contractors, vendors, visitors to our website/mobile-app/platform, and other individuals whose Personal Data we handle.
  • 2.3. This Policy does not apply to Personal Data in non-digital form or publicly available Personal Data (where expressly excluded under the DPDP Act).
  • 2.4. ORIX India is committed to ensuring that all officers, employees, contractors and service providers comply with applicable data protection laws and internal policies. We periodically review and enhance our data protection framework, technical safeguards and organisational measures to ensure continuous improvement and alignment with evolving legal and regulatory requirements.

3. Purpose of Processing and Lawful Basis

In our processing of your Personal Data, we adhere to the following key principles (mirroring the DPDP Act / Rules)

    • Lawfulness, fairness & transparency – We process your data only where there is a lawful basis and in a fair and transparent manner.
    • Purpose limitation – We collect Personal Data for specified, explicit and legitimate purposes and will not further process it in a manner incompatible with those purposes. Where this Policy refers to “legitimate business interests” or similar lawful bases, such processing is undertaken strictly in accordance with the grounds permitted under the DPDP Act and applicable rules, and subject to safeguards to ensure that the rights of Data Principals are not overridden.
    • Storage limitation – We retain Personal Data only for as long as needed for the purposes stated, or as required under law or contractual obligations.
    • Security – We implement appropriate technical and organizational measures to safeguard Personal Data from unauthorised or unlawful processing, accidental loss, destruction or damage.

4. What Personal Data We Collect

We collect different types of Personal Data depending on your relationship with ORIX India and the Specified Purpose of processing. The broad categories include, but are not limited to:

4.1. Customer / Prospective Customer Data (including lease, lending, business transportation services, rent-a-car services, MyChoize car rental services, fleet management services):
    • Identity data: name, gender, photograph, national ID (PAN, Aadhaar or equivalent where required), passport, driver’s licence, etc.
    • Contact data: postal address, email address, telephone / mobile number, alternate contact details, emergency contact.
    • Financial data: bank account/credit card details, credit score information, employment details.
    • Vehicle / asset data: Geolocation (where applicable for vehicle tracking or service delivery); Vehicle usage logs and telematics data;
    • Correspondence data: records of communications with us (calls, chat logs, emails).
    • Marketing / preference data: your preferences, opt-in/opt-out status, survey responses.
    • Citizenship and nationality – (Only if the Data Principal is a resident/citizen of EU countries);
4.2. Vendor / Supplier Data:
    • Contact person data: name, designation, address, telephone/mobile, email, Identity documents.
    • Contract data: scope of services/goods, background checks, due diligence documentation.
    • Payment/transaction data: bank account, tax identification, invoicing, payment history.
    • Compliance data: certificates, permits, licenses, insurance, statutory registrations, safety/quality audit reports, health & safety data.
    • Correspondence and performance data: communications, scorecards, service KPI data.
4.3. Employee / Workforce / Contractor Data:
    • Identity and contact details: name, photograph, date of birth, address, email, mobile number, emergency contact, Identity documents.
    • Employment/contract data: job application, curriculum vitae, background verification, employment contract, salary, benefits, allowances, appraisal records.
    • Attendance/time-keeping, leave and absence records, travel records.
    • Bank account for salary credit, tax / PF/ESIC / insurance / statutory deduction data.
    • Health & medical data (where required for benefits, insurance, occupational health).
    • Performance and disciplinary data.
    • Training records, qualification/certification details, ID card access logs.
    • Contractor/temporary staff data in analogous fashion.
4.4. Website, Mobile App & Digital Interaction Data:
    • Technical data: device identifiers, browser type/version, operating system, IP address, geolocation (where permitted/used), cookies, usage logs.
    • Behavioural/analytics data: pages visited, duration, clicks, navigation path, form entries (where consented), marketing campaign interaction.
    • Communication data: emails sent to/from us, support chat logs, feedback.
    • Marketing preference data: newsletter sign-up, event attendance, survey responses.
4.5. Other categories:

As required for legal/regulatory or specific business purposes (e.g., fraud prevention, litigation, legal opinion/advisory, internal audit, group consolidation, mergers & acquisitions, reporting to authorities). In the event of a merger, acquisition, business transfer, restructuring or sale of assets, Personal Data may be transferred as part of such transaction, subject to applicable law and appropriate safeguards.

Each such Specified Purpose will be clearly notified to you via a notice or consent mechanism as required by the DPDP Act/Rules. You may choose to withdraw consent (where required) or opt-out of certain processing (see Section 7 below).

5. Specified Purpose for Processing

Where required under the DPDP Act / Rules, ORIX India relies on one or more lawful bases for processing, which may include:

    • Your explicit consent (in instances where processing cannot be justified otherwise).
    • Processing necessary for the performance of a contract/service which ORIX India has agreed to render to which you are a party.
    • Processing required to comply with a legal obligation.
    • Processing necessary for our legitimate business interests.
    • Other bases specifically set out in the DPDP Act/Rules as may be notified.

(Each of which shall individually or together, as the context may require, be referred to as the “Specified Purpose”)

Where consent is relied upon, you will at the time of collection be given clear notice and asked to provide affirmative action, and you may withdraw consent at any time. Data Principals may refuse to provide Personal Data to us but the decision not to provide certain Personal Data to us may result in ORIX India not being able to provide certain products and services to such Data Principals.

6. Sharing, Disclosure & Cross-Border Transfer

  • 6.1. We may share your Personal Data with our group companies, service providers, third party vendors (processors), contractors, agents, Data Processors and sub-processors, credit bureaus, government/regulatory authorities, auditors, business partners and other entities (where you have given your explicit consent or as required pursuant to applicable laws) for the Specified Purpose described above.
  • 6.2. Where we engage a Data Processor, we will do so only under a lawful contract requiring the processor to implement equivalent security safeguards and to act only on our documented instructions.
  • 6.3. Cross-border transfers: When Personal Data is transferred outside India, we will ensure that such transfers are consistent with the DPDP Act/Rules. We will rely on applicable safeguards (contractual, organisational, technical) and only transfer to jurisdictions permitted under law. We will provide you notice of cross-border transfers where required.

7. Rights of Data Principals

Under the DPDP Act and DPDP Rules you, as a Data Principal, have certain rights. These include:

    • Right to access your Personal Data processed by us and obtain summary information of the processing.
    • Right to correction: you may ask us to correct inaccurate or incomplete data.
    • Right to erasure: you may request deletion of your Personal Data which you earlier consented to, unless retention is required under law or justified otherwise.
    • Right to withdraw consent: you may withdraw consent given earlier, and we will cease processing on that basis unless there is another lawful basis.
    • Right to lodge grievance/complaint with us (see Section 10) and, in certain cases, with the Data Protection Board of India (“DPBI”).
    • Right to restrict or object to processing in certain circumstances (for example direct marketing).

    • We will enable you to exercise these rights through our designated contact (see Section 10). We will respond to requests in accordance with applicable law and within any specified timelines under DPDP Rules.

    8. Retention and Deletion

    • 8.1. We will retain your Personal Data only for as long as needed to fulfil the Specified Purposes for which it was collected, or as required by applicable law or contract, whichever is longer.
    • 8.2. On deletion/erasure, we will take reasonable steps to securely destroy or anonymise Personal Data so that it cannot be re-identifiable.
    • 8.3. Back-ups, archival copies and logs may be retained beyond the deletion date if strictly needed for legal/regulatory/compliance purposes.

    9. Security, Incident Response & Breach Notification

    • 9.1. ORIX India has implemented appropriate technical and organisational measures (including encryption, access controls, network security, physical safeguards, logging/monitoring, periodic reviews) to protect Personal Data from unauthorised or unlawful processing, accidental loss, destruction or damage.
    • 9.2. We conduct regular risk assessments, audits, staff training, vendor assessments and implement privacy-by-design across our processes and systems.
    • 9.3. In the event of a Personal Data breach (i.e., unauthorised or accidental access, acquisition, disclosure, destruction or loss of Personal Data), ORIX India will:
      • notify the affected Data Principals without undue delay (and in any event as required by the DPDP Rules) of the nature of the breach, likely consequences, steps taken or to be taken, and any mitigation that the Data Principal may take; and
      • notify the DPBI of the breach within the timeframe required under law (once specified).
      • We will maintain records of breaches and remedial actions including lessons learned, root cause analysis and preventive steps for future.
      • Where required by law, we may provide periodic reports of significant incidents to regulators or supervisory authorities.

    10. Data Protection Officer & Grievance Redressal

    • 10.1. ORIX India has appointed a Data Protection Officer or designated contact (“DPO/Contact”) who will be responsible for overseeing compliance with this Policy and the DPDP Act/Rules. You may reach the DPO/Contact at:
      Name: Mr Arif Mistry
      Email: dpo@orixindia.com
      Phone: +912260605336
      Address: Plot No 94, Marol Cooperative Industrial Estate,Andheri-kurla Road; Andheri East; Mumbai 400059
    • 10.2. You may contact the DPO/Contact to exercise your rights (access, correction, erasure, withdrawal of consent, objection, portability (if applicable)), or raise a grievance regarding our processing of your Personal Data.
    • 10.3. We aim to respond to all grievances within 15 working days (or such timeframe as stipulated under applicable law). If you are dissatisfied with our response, you may lodge a complaint with the Data Protection Board of India or other regulatory authority, as permitted under law.
    • 10.4. We will maintain a record of all grievances received and their resolution status.

    11. Cookies and Other Tracking Technologies

    • 11.1. We may use cookies, web beacons, pixel tags, SDKs, device identifiers and other tracking technologies to gather technical, usage and analytics data via our websites, mobile apps and digital services.
    • 11.2. Where required, we will obtain your consent before placing non-essential cookies or tracking technologies, and provide you options to refuse or withdraw such consent.
    • 11.3. We provide explanations of cookie usage and you may manage your cookie preferences via [link to cookie notice/settings].
    • 11.4. The information collected via tracking may be used for analytics, service improvement, marketing (if consented), fraud prevention and user experience; all such processing will adhere to the DPDP Act/Rules and the principles in this Policy.

    12. Changes to the Policy

    We may amend or update this Policy from time to time in order to reflect changes in our processing operations, business model, regulatory requirements, or technological developments. We will post the updated Policy on our website and indicate the revision date. For material changes (that affect your rights or how we use your Personal Data), we will provide you with notice and where required seek fresh consent.

    13. Effective Date and Review

    This Policy is effective from April 07, 2026, until superseded by a later version. We will review the Policy annually (or more frequently if needed) to ensure continuing compliance with law and best practice.

    14. Contact Us:

    If you have any questions, concerns or feedback about this Policy or our handling of your Personal Data, you may contact us at:
    Email: dpo@orixindia.com
    Phone: +912260605336
    Address: Plot No 94, Marol Cooperative Industrial Estate,Andheri-kurla Road; Andheri East; Mumbai 400059

    We will endeavor to respond to your query as soon as practicable.