Privacy policy
1. Purpose
This policy outlines the principles and procedures for the retention and deletion of
customer and operational data in compliance with the Reserve Bank of India's Digital
Lending Directions, 2025, the Information Technology Act, 2000, and other applicable legal
and regulatory requirements.
2. Scope
This policy applies to all data collected, stored, processed, and deleted by AFI Dhanvridhi,
its Lending Service Providers (LSPs), Digital Lending Apps (DLAs), and associated partners
throughout the digital lending lifecycle.
3. Regulatory Reference
- RBI Circular: Reserve Bank of India (Digital Lending) Directions, 2025 (Ref:
RBI/2025-26/36 DOR.STR.REC.19/21.07.001/2025-26 dated May 8, 2025).
- Section 9.1: Data privacy and storage.
- Adherence to applicable provisions of the IT Act and RBI Master Directions.
4. Key Principles
- Consent-Based Data Collection: Data is collected only with the explicit consent of the
customer.
- Data Minimization: Only necessary data relevant to the lending process will be collected.
- Purpose Limitation: Data will be used only for the purposes explicitly stated at the time of collection.
- Storage Limitation: Data will not be retained beyond the period necessary for the purpose.
5. Data Retention Periods
6. Data Deletion Guidelines
- Automatic Deletion: Systems will trigger automatic deletion of expired records through scheduled jobs.
- Manual Deletion Requests: Customers may request deletion of non-mandatory data. Such requests will be honored within 30 days post-verification.
- Deletion Confirmation: Audit trail and confirmation of deletion will be recorded and archived.
7. Storage and Security
- All data will be stored within servers located in India, as mandated by RBI.
- Encryption at rest and in transit must be ensured.
- Access to data is restricted based on roles and responsibilities, on a strict need-to-know basis.
8. Responsibilities
- Chief Information Security Officer (CISO) - Kumar Saurabh
Responsible for overseeing compliance with this policy, ensuring that all information
security practices are in place and adhered to across the organization.
- Data Protection Officer (DPO) - Kumar Saurabh
Ensures timely deletion of customer data as per regulatory norms and addresses
customer grievances related to data protection and privacy.
- IT Team
Implements and monitors technical processes to maintain system security, data
integrity, and compliance with internal policies.
- Legal Team - Pankaj Walia
Responsible for overseeing compliance with this policy, ensuring that all information security practices are in place and adhered to across the organization.
9. Audit & Monitoring
- Annual data audits to ensure compliance with RBI norms.
- Third-party cybersecurity audit every financial year.
- Maintenance of deletion logs and retention registry for 10 years for audit purposes.
10. Policy Review and Updates
This policy will be reviewed annually or earlier if:
- RBI or Government regulations are amended.
- A significant change in the company’s data processing practices occurs.