Agrim Fincap Private Limited ("the Company"), recognising the critical role of digital platforms, Loan Service Providers (LSPs), Digital Lending Applications (DLAs), and technology infrastructure in contemporary financial intermediation, adopts this Credit Policy covering digital lending requirements in alignment with the Reserve Bank of India (Non-Banking Financial Companies – Credit Facilities) Directions, 2025, RBI/DOR/2025-26/347DOR.CRE.REC.266/07-01-008/2025-26 dated November 28, 2025 or any successions thereof. The Company acknowledges that digital lending must be conducted responsibly, transparently, securely and with full respect for the rights, dignity and privacy of customers.

This Policy sets out the governance structure, operating framework, technological safeguards, data governance system, cyber-hygiene standards, consent architecture and compliance responsibilities applicable to all digital lending activities undertaken directly by the Company or through LSPs or DLAs acting on its behalf.

The purpose of this Policy is to govern the entire digital lending lifecycle of the Company, covering every digital interface, platform, technology, workflow, outsourced service, data flow and process that facilitates or supports lending activities. The Policy applies to digital onboarding of customers, KYC verification, loan application processing, credit assessment, disbursement, servicing, collections, grievance redressal, and closure.

It covers all relationships with LSPs and DLAs, whether customer-facing or backend-focused, and extends to all digital systems owned, rented or accessed by the Company. Every employee, officer, authorised representative, outsourced agent, service provider, or partner utilising digital systems in connection with the Company's lending operations shall adhere strictly to this Policy.

The Company adopts a governance structure ensuring that digital lending operations remain fully compliant with RBI's aforesaid Master Direction. All digital processes shall remain under the control, supervision and monitoring of the Company, and no digital activity shall dilute or transfer the Company's regulatory obligations.

The Risk Management function shall conduct periodic reviews of digital processes, security systems, partner integrations, and data-handling practices to ensure continuous compliance.

The Board shall receive periodic reports describing the performance of digital lending channels, technology risks, customer grievances, digital fraud patterns, and compliance indicators.

The Company shall ensure that digitally signed documents (on the letter head of the NBFC) viz., KFS, summary of loan product, sanction letter, terms and conditions, account statements, privacy policies of the NBFC / LSP with respect to storage and usage of borrowers' data, etc. shall automatically flow to the borrower on the registered and verified email / SMS upon execution of the loan contract / transactions.

In case of a loan default, when a recovery agent is assigned for recovery or there is a change in the recovery agent already assigned, the particulars of such recovery agent authorised to approach the borrower for recovery shall be communicated to the borrower through email / SMS before the recovery agent contacts the borrower for recovery.

Disbursement of loan shall always be made into the bank account of the borrower except for disbursals covered exclusively under statutory or regulatory mandate (of the Reserve Bank or of any other regulator), flow of money between lenders for co-lending transactions and disbursals for specific end use, provided the loan is disbursed directly into the bank account of the end-beneficiary. The Company shall ensure that in no case, disbursal is made to a third-party account, including the accounts of LSP, except as provided for in this Chapter on 'Digital Lending'.

The Company shall ensure that all loan servicing, repayment, etc. is executed by the borrower directly in the Company's bank account without any pass-through account/ pool account of any third party, including the accounts of LSP.

The flow of funds between the bank accounts of the borrower and the Company shall not be controlled either directly or indirectly by a third-party, including the LSP. The Company will ensure that fees, charges, reimbursements, etc. payable to LSP are paid directly by the Company and are not charged to or collected from the borrowers separately by LSP.

In case of delinquent loans, the Company may deploy physical interface to recover loans in cash, wherever necessary. However, any recovery by cash shall be duly reflected in full in the borrower's account on the same day and the Company shall ensure that any fees, charges, etc., payable to LSPs for such recovery are paid directly by the Company and are not charged by LSP to the borrower either directly or indirectly from the recovery proceeds.

The borrower shall be given an explicit option to exit a digital loan by paying the principal and the proportionate APR without any penalty during an initial "cooling-off period". The cooling off period shall be 3 days. For borrower continuing with the loan even after cooling-off period, pre-payment shall continue to be allowed as per Reserve Bank of India (Non-Banking Financial Companies - Responsible Business Conduct) Directions, 2025.

The Company may retain a reasonable one-time processing fee, if the customer exits the loan during the cooling-off period. This, if applicable, shall be disclosed to the customer upfront in KFS.

All matters relating to the collection, use, processing, security, and storage of data shall be governed by the Company's Privacy Policy, as amended from time to time. The Company shall implement appropriate technical and organizational measures to safeguard data against unauthorized access, disclosure, alteration, or loss. Such data handling practices shall at all times be carried out in compliance with applicable laws, regulations, and regulatory directions in force, and in accordance with the provisions and standards prescribed under the Company's Privacy Policy.

The Company shall enter into comprehensive service-level agreements with every LSP, DLA or outsourced partner. The agreements shall contain detailed provisions on confidentiality, data use, cybersecurity controls, liability, audit rights, customer conduct, and termination rights.

The Company shall periodically audit the functioning of LSPs and DLAs, review data access logs, inspect cybersecurity safeguards, and examine their adherence to customer-protection obligations.

The Company shall periodically audit the functioning of LSPs for the loan portfolios originated with the support of them.

No DLA or LSP shall use the Company's name, branding or license without written authorisation.

If any complaint lodged by the borrower against the Company or the LSP engaged by the Company is rejected wholly or partly by the Company, or the borrower is not satisfied with the reply; or the borrower has not received any reply within 30 days of receipt of complaint by the Company, the said borrower can send a physical complaint to "Centralised Receipt and Processing Centre, 4th Floor, Reserve Bank of India, Sector -17, Central Vista, Chandigarh - 160017" as per the grievance redressal mechanism prescribed by the Reserve Bank.

This Policy shall be reviewed annually or sooner in response to changes in RBI provisions, cybersecurity notifications, technology evolution or operational updates. Any revision shall require approval of the Board of Directors and shall thereafter be communicated across all operational and digital channels.