Corra Club – Privacy Policy

Last Updated: 09 May 2026

Version: 2.0

This Privacy Policy explains how Corra Club (“Corra Club”, “we”, “our”, “us”), operated by Corra Technologies Private Limited, collects, processes, stores, uses, and shares your personal data when you use our mobile application (“App”), website, or any related services (collectively, “Platform”).

This Policy complies with the Digital Personal Data Protection Act, 2023 (India) (“DPDP Act”), the Information Technology Act, 2000 and the rules framed thereunder, and Google Play’s User Data policy, including Google Play’s SMS and Call Log Permissions policy.

By installing the App, accessing the Platform, or using any of our services, you consent to the data practices described in this Policy. If you do not agree, please uninstall the App and discontinue use of the Platform.

1. Data Fiduciary Details

Legal Entity Name: Corra Technologies Private Limited

Registered Address: D 406, Sispal Vihar, Sohna Road, Sector 49, 122018

Email (Grievance Officer): rohit.singh@clubcorra.com

Phone: +91 8768995553

Corra Club acts as a Data Fiduciary under the DPDP Act.

2. Categories of Personal Data We Collect

a) Identity & Contact Information

  • Mobile number (required for account creation and authentication)
  • Full name
  • Email address (optional)
  • City, date of birth, gender (optional)

b) Account & Transaction Data

  • Corra Coin balance and transaction history
  • Earn and redeem transaction records
  • Uploaded receipts and invoice images
  • Brand selections and coupon redemptions
  • Badge and tier status

c) Payment Information

  • UPI ID (for cashback payments)

d) Receipt Verification Data

  • Uploaded receipt images and PDF invoices
  • OCR-extracted information (brand name, bill amount, date, order ID)
  • Tamper-detection and duplicate-detection results

e) Financial SMS Data (Android App Only)

Important: This section applies only to users of the Corra Club Android mobile application who grant SMS read permission.

With your explicit consent, the App reads only financial and transactional SMS messages sent by 6-digit alphanumeric sender IDs (e.g., bank transaction alerts such as “VM-HDFCBK”, “AD-SBIINB”) from your device inbox. This includes:

  • Transaction amount, date, and merchant/payee name from bank debit/credit alerts
  • UPI transaction reference numbers
  • Payment confirmation details from financial institutions

We do NOT collect, read, or store:

  • Personal SMS messages (sent by 10-digit phone numbers or personal contacts)
  • OTP or one-time password messages
  • Promotional or marketing SMS
  • SMS content from messaging apps (WhatsApp, Telegram, etc.)

Financial SMS data is used solely to cross-verify uploaded purchase receipts against actual bank transaction records, enabling automated fraud detection and faster transaction approval. This data is not used for advertising, credit scoring, profiling, marketing, or any purpose unrelated to receipt verification.

f) Device & Technical Data

  • IP address
  • Device model, operating system, and browser information
  • Unique device identifiers
  • Authentication cookies and tokens
  • App usage analytics (via PostHog)

3. Collection of Financial SMS Information

3.1 Purpose & Core Functionality

Corra Club is a coalition loyalty program where users earn rewards (“Corra Coins”) by uploading purchase receipts from partner brands. To verify the authenticity of these receipts and prevent fraudulent submissions, the App reads financial SMS from your device to cross-match uploaded receipt data (amount, date, merchant) against your actual bank transaction records.

This SMS-based transaction verification is a core functionality of the App. Without it, the App would need to rely solely on manual receipt review, which is slower, less accurate, and more susceptible to fraud.

3.2 What We Read

  • Only SMS from 6-digit alphanumeric sender IDs (financial institutions such as banks, UPI providers, and payment platforms)
  • Transaction details: amount debited/credited, date, merchant/payee name, UPI reference number, and account identifier
  • This includes historical financial SMS already present on your device at the time of granting permission

3.3 What We Do NOT Read

  • Personal messages from contacts (10-digit numbers)
  • OTPs, one-time passwords, or verification codes
  • Promotional, marketing, or spam SMS
  • Messages from social media, messaging apps, or email

3.4 How Financial SMS Data Is Used

  • Receipt Verification: Cross-matching uploaded receipt details (brand, amount, date) against bank transaction SMS to confirm that a genuine purchase occurred
  • Fraud Detection: Identifying potentially fraudulent or tampered receipts by detecting mismatches between the receipt and the corresponding bank debit
  • Faster Approval: Enabling automated verification and faster Corra Coin crediting when receipt data matches bank SMS data

3.5 How Financial SMS Data Is NOT Used

Financial SMS data is never used for:

  • Advertising, ad targeting, or ad personalization
  • Credit scoring, credit assessment, or lending decisions
  • User profiling or behavioral targeting
  • Selling or renting to any third party
  • Any purpose unrelated to receipt and transaction verification within the Corra Club platform

3.6 User Consent & Control

  • SMS read permission is requested only after displaying a prominent in-app disclosure screen explaining exactly what data will be collected and why
  • You must provide explicit, affirmative consent (tap “I Agree”) before any SMS data is accessed
  • Declining SMS permission does not prevent you from using the App; receipt uploads will continue to work with manual verification (which may take longer)
  • You can revoke SMS permission at any time via your device’s Settings > Apps > Corra Club > Permissions
  • Upon revoking permission, the App will immediately stop reading SMS data. Previously collected financial SMS data will be deleted from our servers within 30 days of revocation, unless retention is required by law

4. Third-Party SDK for SMS Processing

The App integrates a third-party SDK provided by Digitap.ai (“Digitap”, operated by FinBox Technologies Private Limited) to process financial SMS data on our behalf. This SDK:

  • Reads only financial SMS from 6-digit alphanumeric senders on your device
  • Extracts structured transaction data (amount, date, merchant, reference number) from those SMS
  • Transmits the extracted financial transaction data to Digitap’s secure servers and to Corra Club’s servers for receipt verification

Digitap’s Data Handling

  • Digitap acts as a Data Processor under a written data processing agreement with Corra Technologies Private Limited
  • Digitap processes SMS data strictly for the purpose of transaction verification as instructed by us
  • Digitap employs separation of environments, segregation of duties, and strict role-based access control on a documented, authorized, need-to-use basis
  • Data stored by Digitap is protected with application-level encryption, with key management services limiting access
  • Digitap does not sell, rent, or share your SMS data with any other third party
  • Digitap does not use your SMS data for credit scoring, lending, advertising, or any purpose other than providing the transaction verification service to Corra Club

Digitap’s hosting provider employs industry-standard security measures including anti-virus, anti-malware, intrusion prevention systems, intrusion detection systems, file integrity monitoring, and application control solutions.

5. Gmail Integration & Google API Data Access

Corra Club may allow users to connect their Gmail account to automatically detect purchase receipts from partner brands.

If a user chooses to connect Gmail:

  • The platform reads only emails necessary to identify purchase receipts relevant to Corra Club reward submissions
  • The platform does not read unrelated personal emails
  • Only receipt-related metadata such as brand name, bill amount, and purchase date may be extracted
  • Email content is processed only for the purpose of identifying eligible receipts

Corra Club does NOT:

  • Sell Gmail user data
  • Use Gmail data for advertising
  • Use Gmail data to train AI models
  • Transfer Gmail data to third parties except for providing core platform functionality

Users may disconnect Gmail access at any time through their Google Account settings.

Corra Club’s use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. Purpose of Processing

Personal data is processed for the following lawful purposes:

  • Account creation and authentication: Verifying your identity via OTP sent to your mobile number
  • Reward calculation and transaction management: Computing Corra Coins earned and redeemed, maintaining transaction history
  • Receipt and transaction verification: Validating uploaded receipts via OCR, tamper detection, and cross-verification with financial SMS data
  • Fraud detection and prevention: Identifying and preventing fraudulent receipt submissions, tampered invoices, and misuse of the loyalty program
  • Cashback payments: Processing UPI-based cashback payouts
  • Communication: Sending transaction updates, reward notifications, and service announcements via WhatsApp and in-app notifications
  • Analytics and product improvement: Understanding usage patterns to improve the Platform
  • Compliance with legal obligations: Meeting requirements under applicable Indian law

7. Data Sharing

We may share personal data with the following categories of recipients, and only to the extent necessary for the stated purposes:

Service Providers

  • Cloud infrastructure: Amazon Web Services (AWS) for hosting and data storage
  • OTP and messaging: Chatzy (WhatsApp-based OTP and notifications)
  • OCR processing: Google Document AI and Veryfi for receipt text extraction
  • Analytics: PostHog for product analytics

Transaction Verification Partners

  • Digitap.ai (FinBox Technologies Private Limited): Receives financial SMS data from your device for the purpose of extracting structured transaction information used to verify receipt authenticity. Digitap does not receive personal SMS, does not use the data for credit scoring or advertising, and processes data solely as instructed by Corra Technologies Private Limited.

Payment Infrastructure

  • UPI and banking networks for processing cashback payments

Partner Brands

  • Aggregated, anonymized transaction data may be shared with partner brands for program analytics. No personally identifiable information is shared with brands without your separate consent.

Legal Authorities

Where required under applicable law, regulation, court order, or governmental request.

We do not sell, rent, or trade personal data, including SMS data, to any third party for advertising, marketing, or any commercial purpose unrelated to the Corra Club platform.

8. Data Retention

Personal data is retained only as long as necessary to fulfil the purposes for which it was collected:

  • Account data: Retained while your account remains active. Deleted within 90 days of account deletion request, subject to legal retention requirements.
  • Transaction records and receipts: Retained for a minimum of 3 years from the transaction date for audit and fraud-prevention purposes, or longer if required by law.
  • Financial SMS data: Extracted transaction data is retained only as long as needed for receipt verification (typically 90 days from the associated transaction). Raw SMS content is not stored on our servers; only structured data fields (amount, date, merchant, reference) are retained.
  • Analytics data: Retained in anonymized or aggregated form for product improvement.

9. Data Security

We implement reasonable physical, administrative, and technical safeguards to protect your data, including:

  • Encryption of all data in transit using TLS/SSL
  • Database storage with encryption at rest (AWS RDS)
  • Role-based access control for administrative systems
  • Secure authentication via OTP verification
  • Access logging and audit trails
  • Regular security reviews of information collection, storage, and processing practices
  • Access to personal data restricted to employees, contractors, and agents with a documented need to know, who are bound by contractual confidentiality obligations

Our third-party service providers, including Digitap, are contractually required to implement equivalent or higher security standards and are prohibited from using your data beyond the scope of the services they provide to us.

10. App Permissions

The Corra Club Android App requests the following device permissions. Each permission is used solely for the stated purpose:

SMS Read Permission (READ_SMS)

To read financial transaction SMS from 6-digit alphanumeric senders for cross-verifying uploaded purchase receipts against bank records and detecting fraud. Only financial SMS is accessed. Personal messages are never read. This permission is optional; the App functions without it.

Camera Permission

To photograph purchase receipts and invoices for reward submission.

Storage / Photo Library Permission

To select receipt images or PDF invoices from your device for upload.

Internet Access

Required for all network communication between the App and our servers.

Push Notifications

To send transaction updates, reward notifications, and service announcements.

11. User Rights

Under the DPDP Act and applicable laws, you have the right to:

  • Access: Request a summary of your personal data held by us and the processing activities performed on it
  • Correction: Request correction of inaccurate or incomplete personal data
  • Deletion: Request erasure of your personal data, subject to legal retention obligations
  • Withdraw Consent: Withdraw consent for data processing at any time. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
  • Grievance: Submit complaints regarding data handling to our Grievance Officer
  • Nomination: Nominate another individual to exercise your data rights on your behalf in the event of your incapacity or death, as provided under the DPDP Act

To exercise any of these rights, contact us at: rohit.singh@clubcorra.com. We will respond within 30 days.

12. Data Deletion

You may request deletion of your personal data by:

  • Emailing rohit.singh@clubcorra.com with the subject “Data Deletion Request”
  • Using the in-app account deletion option (Profile > Delete Account)

Upon receiving a verified deletion request, we will delete your personal data within 90 days, except where retention is required by law, for ongoing fraud investigations, or for legitimate financial audit purposes.

To specifically request deletion of financial SMS data collected from your device, you may revoke the SMS read permission in your device settings and email us to confirm deletion from our servers.

13. Revoking Gmail Access

Users who have connected Gmail may revoke access at any time via:

Google Account → Security → Third-party apps with account access

Revoking Gmail access will stop future email scanning. Previously extracted receipt data will be retained per our standard data retention policy.

14. Children’s Data

Corra Club is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete such data promptly.

15. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time. Changes will be posted on this page with a revised “Last Updated” date. For material changes (such as changes to how SMS data is collected or shared), we will provide notice via:

  • An in-app notification
  • An update to the “Last Updated” date at the top of this page
  • A WhatsApp notification, where applicable

Continued use of the Platform after changes are posted constitutes acceptance of the updated Privacy Policy.

16. Governing Law & Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising under or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in Gurugram, Haryana, India.

17. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, the details of the Grievance Officer are:

Name: Rohit Kumar Singh

Designation: Grievance Officer

Email: rohit.singh@clubcorra.com

Phone: +91 8768995553

Address: D 406, Sispal Vihar, Sohna Road, Sector 49, Gurugram, Haryana 122018

The Grievance Officer will acknowledge your complaint within 24 hours and resolve it within 15 days from the date of receipt.