Overview
Fi Money (Epifi Technologies) is a neo-banking platform that helps working professionals manage their savings and investments. Because they sit between you and a traditional bank, they handle extremely sensitive data: your income, your PAN card, your spending habits, and your KYC documents.
Under the DPDP Act (Digital Personal Data Protection Act, 2023), Fi is a Data Fiduciary — that’s just a fancy way of saying they are the ones responsible for deciding how your data is used and keeping it safe. You are the Data Principal, meaning you are the boss of your own data. If Fi gets this relationship wrong, they face fines that could reach ₹250 Crores.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
If you try to read Fi’s policy today, you might hit a “404 page not found” error. This is a huge problem. Under the law, a company must provide a Notice that is clear and accessible at all times.
What the policy says: “By signing up, you agree to our Terms and Privacy Policy.”
What the law requires: Consent must be specific and granular. You should be able to say “Yes” to banking services but “No” to marketing calls.
The problem: Fi uses bundled consent. It’s an all-or-nothing deal. The DPDP Act says consent must be “freely given,” and “take-it-or-leave-it” checkboxes for non-essential services are now a major legal risk.
Section 7 — Certain Legitimate Uses ⚠️
Fi may process some data without your direct “Yes” for specific reasons, like preventing fraud or complying with a court order.
What the policy says: Fi often cites “legitimate business interests” for things like improving their app or personalizing your experience.
What the law requires: The new law is much stricter. “Legitimate uses” (Section 7) are mostly limited to things like medical emergencies or state functions.
The problem: Fi cannot claim “legitimate use” to track your spending habits just to sell you a credit card. They must ask for your specific permission for that now.
Section 8 — Obligations of Data Fiduciary ✅
Fi shines here because they have to follow strict RBI rules. They act as a Data Fiduciary (the entity that calls the shots on your data).
What the policy says: They mention “bank-grade security,” “encryption,” and “secure servers.”
What the law requires: You must have “reasonable security safeguards” to prevent data breaches.
Strength: Since Fi works with Federal Bank, their technical security is likely top-notch. However, DPDP also requires them to notify you and the government if a breach happens—something their current policy doesn’t explicitly detail.
Section 9 — Data Retention 🔴
What the policy says: “We retain your info as long as your account is active or as needed to provide you services.”
What the law requires: Once the purpose of collecting the data is over (e.g., you close your account), the company must delete your data.
The problem: “As long as necessary” is too vague. Fi needs to say: “We keep KYC for 5 years because the law requires it, but we delete your app usage data 30 days after you close your account.” Without these timelines, they are in violation of Section 9.
Section 11 — Rights of Data Principal ⚠️
As a Data Principal (the owner of the data), you have new superpowers under the DPDP Act.
The problem: Fi’s current policy focuses on the right to “access and correct” data. But they miss two big ones:
- The Right to Erasure: You can ask them to delete everything they don’t legally have to keep.
- The Right to Nominate: You can name someone else to manage your data rights if you are no longer able to. Fi’s policy currently ignores this.
Section 12 — Right of Grievance Redressal ⚠️
What the policy says: They provide an email address for a Grievance Officer.
What the law requires: You must have an easy way to complain, and if you aren’t happy, you must be told how to escalate it to the Data Protection Board of India.
The problem: Fi’s policy doesn’t mention the Data Protection Board at all. It’s like a store having a complaint box but not telling you that the Consumer Court exists.
Section 16 — Cross-Border Data Transfer ✅
What the policy says: Data is generally stored in India, but may be shared with partners who use global cloud services.
What the law requires: Data can be sent abroad unless the Indian government “blacklists” certain countries.
The situation: Currently, Fi is safe here as long as they aren’t sending data to restricted jurisdictions, but they need to be more transparent about exactly where the data goes when it leaves India.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Validity | High | Bundled consent may be ruled invalid, stopping data processing. |
| Notice Compliance | Critical | Broken policy links are a direct violation of the duty to inform. |
| Data Deletion | High | Keeping data indefinitely after account closure leads to fines. |
| User Rights | Medium | Missing “Right to Nominate” is a technical non-compliance. |
Recommendations
- Fix the Link: Ensure the privacy policy is accessible 24/7. A 404 error is a regulatory magnet.
- Unbundle Consent: Add separate toggles for “Banking Services” (Required) and “Marketing/Analytics” (Optional).
- Add a Deletion Schedule: Tell users exactly how many years their data stays in the system after they leave.
- Update Grievance Language: Explicitly mention the Data Protection Board of India as the next step for unhappy users.
- Add Nomination Rights: Include a simple form in the app where a user can name a “Data Nominee.”
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.