Legal
Privacy Policy
Effective 24 June 2026
loanos is operated by a Reserve Bank of India registered Non-Banking Financial Company that provides digital personal loans. Protecting the personal and financial information you share with us during onboarding, KYC, decisioning, disbursal, and servicing is fundamental to how we build this product. This policy explains what we collect, why we collect it, the consent on which we rely, and the rights you hold under the Digital Personal Data Protection Act, 2023.
01 Data we collect
We collect personal data that you provide directly, data generated as you use loanos, and data we receive from authorised third parties such as KYC providers, account aggregators, and credit bureaus. We only collect what is necessary to assess, disburse, and service a loan in line with RBI directions and applicable law.
- Identity and KYC: PAN (stored and displayed only in masked form, e.g. ABCDE****F), Aadhaar-based eKYC verification result and Virtual ID (we do not store the full Aadhaar number in clear text), name, date of birth, gender, and address.
- Financial: bank account number (masked, e.g. XXXX XXXX 4321) and IFSC, income and employment details, UPI handle, and e-NACH mandate details for repayment.
- Biometric and liveness: selfie and liveness-check artefacts captured during video or photo KYC, used solely to confirm you are the applicant.
- Device and technical: device identifier, operating system, IP address, app version, and diagnostic logs.
- Location: approximate location at the time of application, where you grant the permission, to support fraud checks and regulatory geo-tagging.
- Contact and communications: mobile number, email address, and records of your interactions with our support and collections teams.
02 How and why we use your data
We process your data to deliver the lending service you have requested and to meet our legal and regulatory obligations as an NBFC. Each use is tied to a specific, lawful purpose, and we do not use your data for unrelated purposes without fresh consent.
- Verifying your identity and eligibility through KYC and document checks.
- Underwriting and credit decisioning, including affordability and debt-to-income assessment.
- Disbursing approved loans and collecting repayments via UPI and e-NACH.
- Detecting and preventing fraud, money laundering, and misuse of the platform.
- Meeting reporting, audit, and record-keeping obligations under RBI, PMLA, and tax law.
- Providing customer support and sending transactional and statutory communications.
03 Consent and the basis for processing
We rely primarily on your explicit, informed consent, captured at the point of collection through clear, unbundled notices. Where the law permits, we may also process data for certain legitimate uses, such as compliance with a legal obligation or to perform the loan agreement you have entered into with us.
Consent for KYC, credit-bureau enquiries, and e-NACH mandates is obtained separately so that you understand exactly what you are authorising. You may withdraw consent at any time, though doing so may mean we can no longer offer or continue a loan, and we will retain data we are legally required to keep.
04 Credit bureau enquiries and reporting
With your consent, we make enquiries to credit information companies such as CIBIL (TransUnion) and Experian to obtain your credit score and report as part of underwriting. As a registered lender we are also required to report your loan account, repayment behaviour, and outstanding balances to these bureaus on a periodic basis.
Credit-bureau reporting affects your credit history. On-time repayments help your score, while missed or delayed payments may be reported and can lower it. You can raise disputes about bureau data directly with the relevant credit information company or through our grievance officer.
05 Sharing with vendors and lending partners
We do not sell your personal data. We share it only with parties who help us deliver the service, under contracts that require them to protect your data and use it solely for the agreed purpose.
- KYC, liveness, and document-verification providers.
- Account aggregators and bank-statement analysis providers, where you consent.
- Credit information companies (CIBIL, Experian) for enquiries and reporting.
- Payment and mandate partners for UPI, e-NACH, and disbursal.
- eSign and digital-signature providers for the loan agreement.
- Co-lending or lending partners, where a loan is jointly funded, on a need-to-know basis.
- Regulators, law-enforcement, and courts, where required by law or valid legal process.
06 Data security
We apply technical and organisational safeguards designed to protect your data against unauthorised access, alteration, disclosure, or loss. Data is encrypted in transit and at rest using industry-standard 256-bit encryption, and access is restricted to authorised personnel on a least-privilege basis.
We monitor our systems, maintain audit trails, and mask sensitive identifiers such as PAN and bank account numbers wherever they are displayed or logged. No system can be guaranteed perfectly secure, but we work continuously to reduce risk and will notify you and the relevant authorities of a reportable data breach as required by law.
07 Data retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy and to meet our legal and regulatory obligations. RBI, PMLA, and tax requirements oblige us to keep certain loan, KYC, and transaction records for defined periods after your relationship with us ends.
When data is no longer required and we are not obliged to retain it, we delete it or irreversibly anonymise it.
08 Your rights under the DPDP Act 2023
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have rights over the personal data we hold about you. You can exercise these rights by contacting our Data Protection Officer using the details below.
- Access a summary of the personal data we process about you and how it is processed.
- Request correction, completion, or updating of inaccurate or incomplete data.
- Request erasure of data that is no longer necessary, subject to legal retention requirements.
- Withdraw consent previously given, as easily as it was given.
- Nominate another individual to exercise your rights in the event of death or incapacity.
- Raise a grievance with us, and escalate to the Data Protection Board of India if unresolved.
09 Cookies and children
Our web surfaces use cookies and similar technologies for essential functionality, security, and to understand how the product is used so we can improve it. You can manage non-essential cookies through your browser settings; disabling some may affect functionality.
loanos is intended for individuals who are at least 18 years of age. We do not knowingly offer loans to, or knowingly collect personal data from, children. If we learn that we have collected a child’s data without verifiable parental consent, we will delete it.
10 Changes to this policy
We may update this policy from time to time to reflect changes in our services, technology, or legal and regulatory requirements. When we make material changes, we will update the effective date above and notify you through the app or by other appropriate means before the changes take effect.
11 Contact the Data Protection Officer and Grievance Officer
For any questions, requests, or complaints about your personal data or this policy, please contact our Data Protection Officer and Grievance Officer.
- Data Protection Officer: dpo@loanos.example
- Grievance Officer: grievance@loanos.example
- Postal address: The Grievance Officer, loanos, Bengaluru, Karnataka, India.
- We aim to acknowledge requests within a reasonable period and to resolve grievances in line with RBI and DPDP Act timelines.
This document is an illustrative template for the loanos prototype and does not constitute legal advice or a binding agreement.