1. Purpose

This policy outlines the principles and procedures for the retention and deletion of customer and operational data in compliance with the Reserve Bank of India's Digital Lending Directions, 2025, the Information Technology Act, 2000, and other applicable legal and regulatory requirements.

2. Scope

This policy applies to all data collected, stored, processed, and deleted by AFI Dhanvridhi, its Lending Service Providers (LSPs), Digital Lending Apps (DLAs), and associated partners throughout the digital lending lifecycle.

3. Regulatory Reference
  • RBI Circular: Reserve Bank of India (Digital Lending) Directions, 2025 (Ref: RBI/2025-26/36 DOR.STR.REC.19/21.07.001/2025-26 dated May 8, 2025).
  • Section 9.1: Data privacy and storage.
  • Adherence to applicable provisions of the IT Act and RBI Master Directions.
4. Key Principles
  • Consent-Based Data Collection: Data is collected only with explicit consent of the customer.
  • Data Minimization: Only necessary data relevant to the lending process will be collected.
  • Purpose Limitation: Data will be used only for the purposes explicitly stated at the time of collection.
  • Storage Limitation: Data will not be retained beyond the period necessary for the purpose.
5. Data Retention Periods
  [Table image: Data_retention]
6. Data Deletion Guidelines
  • Automatic Deletion: Systems will trigger automatic deletion of expired records through scheduled jobs.
  • Manual Deletion Requests: Customers may request deletion of non-mandatory data. Such requests will be honored within 30 days post-verification.
  • Deletion Confirmation: An audit trail and confirmation of each deletion will be recorded and archived.
7. Storage and Security
  • All data will be stored within servers located in India, as mandated by RBI.
  • Encryption at rest and in transit must be ensured.
  • Access to data is restricted based on roles and responsibilities under a strict need-to-know basis.
8. Responsibilities
  • Chief Information Security Officer (CISO) - Kumar Saurabh
    Responsible for overseeing compliance with this policy, ensuring that all information security practices are in place and adhered to across the organization.
  • Data Protection Officer (DPO) - Kumar Saurabh
    Ensures timely deletion of customer data as per regulatory norms and addresses customer grievances related to data protection and privacy.
  • IT Team
    Implements and monitors technical processes to maintain system security, data integrity, and compliance with internal policies.
  • Legal Team - Pankaj Walia
    Responsible for overseeing compliance with this policy, ensuring that all information security practices are in place and adhered to across the organization.
9. Audit & Monitoring
  • Annual data audits to ensure compliance with RBI norms.
  • Third-party cybersecurity audit every financial year.
  • Maintenance of deletion logs and retention registry for 10 years for audit purposes.
10. Policy Review and Updates

This policy will be reviewed annually or earlier if:

  • RBI or Government regulations are amended.
  • A significant change in the company's data processing practices occurs.