A Project by Meridian Bridge Strategy
Compliance Guide

DPDP Compliance for Micro-Lending and BNPL Apps

Micro-lending and BNPL apps process credit scores, SMS logs, and repayment data. Manage DPDP requirements for digital lending and EMI services.

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

DPDP Action Sheet

Use this before your next workflow goes live. It keeps the useful parts visible and turns DPDP into checks your team can actually answer.

For DPDP Compliance for Micro-Lending and BNPL Apps, the DPDP question is how personal data enters the workflow, where it is stored, which tools touch it, what purpose was explained, and how deletion or withdrawal will work.

Check my data flow

1. Lead Forms

Check:

  • What data are you collecting?
  • Is the purpose clear at the point of collection?
  • Is marketing consent separate from service communication?
  • Can the user withdraw consent later?

Common mistake: one checkbox that silently covers newsletters, sales calls, partner sharing and remarketing.

2. Email and WhatsApp

Check:

  • Who is on the list?
  • Where did consent come from?
  • Is the list imported from a vendor, event, webinar, scrape or old CRM?
  • Can you prove the source of consent?

Common mistake: treating every lead as permanently marketable.

3. Ads and Retargeting

Check:

  • Are pixels or ad platforms receiving identifiable user behavior?
  • Are audiences built from customer lists?
  • Are lookalike or remarketing audiences using personal data?

Common mistake: assuming "the ad platform handles it" means your company has no DPDP responsibility.

4. Website Analytics

Check:

  • Which tools run on the site?
  • Are IP address, device identifiers, session IDs or form fields being captured?
  • Is analytics used only for measurement, or also for profiling and targeting?

Common mistake: installing tools first and asking privacy questions later.

5. Vendor List

Make a quick list:

  • CRM
  • Email platform
  • WhatsApp provider
  • Analytics
  • Ad pixels
  • Form tool
  • Landing page builder
  • Webinar tool

For each vendor, answer: what data goes there, why, who can access it and how deletion works.

6. This Week's Action

Map one campaign from first click to final follow-up. Mark every place personal data is collected, enriched, shared, uploaded or used for targeting.

If your team cannot answer where the data came from and where it goes next, start with a data flow map before rewriting policy copy.

Book a DPDP clarity call

Now think about your work. Where does personal data enter your workflows? Where does it sit? Who else touches it?

Frequently asked questions

Can we use contact lists for debt recovery under DPDP?

Using contact lists to reach out to friends or family for debt recovery is a high-risk activity. DPDP requires specific consent for every purpose, and using data for harassment or third-party pressure violates the principle of purpose limitation.

How does DPDP affect alternative credit scoring using SMS logs?

You must specify exactly what data from SMS logs you are reading and why it is necessary for credit underwriting. General access to all messages is difficult to justify if the goal is only to find utility bill or bank transaction alerts.

Do we need separate consent for the app and the lending NBFC?

Yes, the user must know who the Data Fiduciary is. If the app is a Lending Service Provider (LSP) and the funds come from a partner NBFC, the consent notice must clearly name the NBFC and define their role in processing the loan.

Real-World Examples Companies struggling with this issue

SaaS (Subscription Management & Billing)

Chargebee

58

Chargebee maintains a high global standard of privacy, largely due to its GDPR and CCPA maturity. However, for Indian operations, it suffers from a 'compliance lag' regarding the DPDP Act 2023. Specifically, it misses India-specific nuances such as the Right to Nominate, the requirement for multi-lingual notices, and the statutory link to the Data Protection Board of India. While the data processing is secure, the legal framework is not yet localized for the Indian regulatory environment.

⚠️ Lack of explicit reference to DPDP Act 2023 — policy remains anchored in GDPR/CCPA frameworks
⚠️ No provision for 'Notice' in 22 regional languages as required under Section 6(3)
+4 more gaps detected
Apr 2026 View Report
Travel & Hospitality

Cleartrip

58

Cleartrip’s privacy policy remains heavily anchored in the pre-DPDP regulatory era. While it provides transparency regarding 'what' is collected, it fails the 'how' and 'why' standards of the DPDP Act 2023. Specifically, the lack of granular consent for non-essential processing (marketing vs. fulfillment) and the omission of new statutory rights like nomination and DPBI escalation represent significant compliance gaps for a major travel intermediary handling sensitive passport and financial data.

⚠️ Still references IT Act 2000 and SPDI Rules rather than the DPDP Act 2023 framework
⚠️ Consent is largely bundled with the booking process and Terms of Use, lacking granular opt-ins
+4 more gaps detected
Apr 2026 View Report
Fintech / Wealthtech

Coin by Zerodha (Zerodha Broking Ltd.)

62

Zerodha maintains a robust privacy framework governed by SEBI regulations and the IT Act 2000. However, as of early 2026, the policy for its Coin platform remains in a 'transitional' state regarding the DPDP Act 2023. While security measures are top-tier, the policy fails to incorporate specific statutory rights like the Right to Nominate and fails the 'Notice' accessibility requirements regarding regional languages and granular consent management.

⚠️ Absence of Section 14 'Right to Nominate' — no framework for data principal succession
⚠️ Notice not provided in 22 languages as required under Section 5(3) of DPDP Act
+4 more gaps detected
Mar 2026 View Report
Book clarity call