DPDP for Microfinance Institutions (MFIs)
Learn how MFIs and NBFC-MFIs should handle KYC, borrower consent, field data, credit partners and deletion under DPDP.
Think about your own microfinance company. Where does personal data enter? Where does it sit? Who else touches it?
Microfinance DPDP Self-Check
Start here to understand why DPDP is relevant to Microfinance. Before any other task, first understand how personal data moves through the business.
What is Microfinance?
In this context, Microfinance means the websites, apps, field operations, support teams, borrower records, employee systems, vendor tools and data workflows that collect or use personal data.
Children's data
- Do you collect age, date of birth, parent or guardian details, or any other information about minors?
- Can you separate child, parent and guardian data?
- Do you know which users are under 18?
Consent
- Can you prove where consent came from?
- Is consent collected before data is used for the stated purpose?
- Can consent be withdrawn without breaking the entire account flow?
Tracking and profiling
- Do you track usage, performance, attention, behavior or drop-offs?
- Is any of this used for ads, recommendations or nudges?
- Are analytics tools collecting user identifiers?
Vendors and SDKs
- Which CRMs, email tools, payment tools, analytics tools and support tools receive personal data?
- Do contracts say they process data only on your instructions?
- Can you delete or export data from each vendor?
Retention
- What happens when the service ends?
- What happens when a user leaves?
- What data is kept for KYC records, loan documents, invoices, disputes or regulatory records?
First action
- Map one borrower journey from onboarding to loan closure.
- Mark where data is collected, stored, shared, used for communication and deleted.
If this self-check exposed more than three unclear answers, the next useful step is a DPDP data journey map.
Microfinance Company Analyses
Groww
Groww's provided privacy policy text is incredibly sparse, acting more as a placeholder than a comprehensive statement. For a major fintech player handling sensitive financial data, this complete lack of detail regarding consent, data principal rights, security, and retention under the DPDP Act 2023 presents extreme regulatory and reputational risk.
PhonePe
PhonePe's privacy policy is extensive and handles vast financial data, but lacks explicit reference to the DPDP Act, 2023. Significant updates are needed, particularly concerning granular consent, clear data retention timelines, and proper escalation paths to the Data Protection Board, to ensure full compliance with the new privacy regime.
Fi Money
Fi Money offers a slick user experience, but its privacy framework remains stuck in the pre-DPDP era. While bank-grade security is a plus, the lack of specific consent controls and the current inaccessibility of policy pages create significant legal risks under the new Act.
Upstox
Upstox, handling investment data for 1Cr+ users, scores 50/100 on DPDP readiness. Like Zerodha and Groww, SEBI compliance provides a baseline, but DPDP adds consent granularity and data rights requirements beyond what securities regulation demands. API trading users create additional data governance challenges.
BharatPe
BharatPe's policy is built on the old 'I Agree' checkbox model which doesn't fly under India's new law. While they score well on keeping data in India, their consent process is too broad and lacks the control users are now legally entitled to.
Paytm
Paytm's privacy policy is extensive but rooted in IT Act 2000 compliance rather than DPDP Act 2023. With 350M+ users' financial data at stake, the absence of explicit DPDP alignment — particularly around consent granularity, data principal rights, and Data Protection Board mechanisms — creates significant regulatory exposure.
Jupiter
Jupiter has a clean, readable policy but it still feels like it was written for the old laws. While they are transparent about what they take, they lack the specific 'delete-on-request' and 'granular consent' rules that the new Indian law demands.
Razorpay
Razorpay's privacy policy covers standard bases but lacks specific DPDP Act 2023 alignment. Key gaps include vague data retention timelines and missing references to the Data Protection Board grievance mechanism.
Bajaj Finserv
Bajaj Finserv shows strong technical security but fails on the DPDP Act’s requirement for 'unbundled' consent. While their retention transparency is better than most, their control over your data remains heavily weighted in favor of the company rather than the individual.
CRED
CRED's privacy policy strongly emphasizes user consent and robust security, including RBI data localization for payment data. However, it requires clearer DPDP alignment regarding truly 'freely given' consent, specific data retention timelines, comprehensive Data Principal rights, and the Data Protection Board as a grievance escalation channel.
Angel One
Angel One is ahead of the curve by explicitly referencing the DPDP Act 2023, but still struggles with 'bundled consent' where using the app implies you agree to everything. While their security is bank-grade, they need to give users more granular control over marketing and nomination rights.
Frequently asked questions
Can we still use Aadhaar for KYC?
Yes, but your notice and consent request must state that Aadhaar is collected for identity verification (KYC) only. You cannot reuse that same Aadhaar data to pre-fill applications for third-party insurance products without a separate, itemized notice and consent for that purpose.
Do we need consent for credit bureau reporting?
Reporting to Credit Information Companies (CICs) is a statutory obligation. DPDP permits processing without consent where the processing is required by law, but you should still tell the borrower, in the notice, that this reporting will occur and on what basis.
How do we handle consent for illiterate borrowers?
You must provide the notice in a language the borrower understands; DPDP requires that the notice and the consent request be made available in English or any language listed in the Eighth Schedule to the Constitution. Since the notice must come before consent, field agents should read a localized script or play an audio recording before the borrower gives a thumbprint, and the system should record which notice version and language was used and what evidence of consent was captured.
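The consent questions in the self-check above (proving where consent came from, withdrawing it without breaking the account flow) and the three FAQ answers describe one data structure: a per-borrower, per-purpose consent record that also carries the notice version, language, channel and evidence, and that distinguishes purposes resting on consent from purposes resting on a legal obligation. The block below is an added illustration, not code from the page or from any of the companies it analyses. The purpose names (`kyc_identity`, `insurance_prefill`, `cic_reporting`, `marketing`), the borrower identifier, the thumbprint bytes and the mapping of `cic_reporting` to a legal basis are all constructed assumptions; which limb of the Act a given purpose falls under is a legal question the code does not answer.

```python
"""Purpose-scoped consent ledger (illustrative example, not the page's or any vendor's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional
import hashlib


class Basis(Enum):
    CONSENT = "consent"
    LEGAL_OBLIGATION = "legal_obligation"


class NoticeNotServed(Exception):
    """Raised when consent is recorded for a purpose the borrower was never notified about."""


@dataclass
class ConsentRecord:
    purpose: str
    notice_version: str
    notice_lang: str          # language the notice was given in, e.g. "hi"
    channel: str              # how consent was captured, e.g. "field_audio+thumbprint"
    evidence_sha256: str      # hash of the captured evidence (audio, thumbprint image, ...)
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    # Hypothetical: purposes the business processes under a legal obligation, not consent.
    # These never depend on a consent record, but the borrower must still be notified.
    LEGAL_BASIS = {"cic_reporting": Basis.LEGAL_OBLIGATION}

    def __init__(self) -> None:
        self._notices: dict = {}   # (borrower_id, purpose) -> (notice_version, lang)
        self._records: dict = {}   # borrower_id -> [ConsentRecord, ...]

    def serve_notice(self, borrower_id: str, purpose: str, version: str, lang: str) -> None:
        self._notices[(borrower_id, purpose)] = (version, lang)

    def record_consent(self, borrower_id: str, purpose: str, channel: str,
                       evidence: bytes, at: datetime) -> ConsentRecord:
        # Notice must precede consent: refuse to record consent for an un-notified purpose.
        key = (borrower_id, purpose)
        if key not in self._notices:
            raise NoticeNotServed(f"no notice on record for purpose {purpose!r}")
        version, lang = self._notices[key]
        rec = ConsentRecord(purpose, version, lang, channel,
                            hashlib.sha256(evidence).hexdigest(), at)
        self._records.setdefault(borrower_id, []).append(rec)
        return rec

    def withdraw(self, borrower_id: str, purpose: str, at: datetime) -> int:
        """Withdraw consent for one purpose only; other purposes are untouched."""
        n = 0
        for rec in self._records.get(borrower_id, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = at
                n += 1
        return n

    def may_process(self, borrower_id: str, purpose: str):
        """Return (allowed, reason). Consent for one purpose never covers another."""
        if purpose in self.LEGAL_BASIS:
            if (borrower_id, purpose) in self._notices:
                return True, "legal obligation; notice served"
            return False, "legal obligation but borrower not yet notified"
        for rec in self._records.get(borrower_id, []):
            if rec.purpose == purpose and rec.active:
                return True, f"consent {rec.notice_version}/{rec.notice_lang} via {rec.channel}"
        return False, "no active consent for this purpose"

    def evidence(self, borrower_id: str, purpose: str):
        """Everything an auditor would ask for: all consent records for a purpose."""
        return [r for r in self._records.get(borrower_id, []) if r.purpose == purpose]


def notice_required() -> bool:
    """Consent without a prior notice is rejected."""
    ledger = ConsentLedger()
    try:
        ledger.record_consent("BRW-0002", "kyc_identity", "app", b"x",
                              datetime(2025, 1, 1, tzinfo=timezone.utc))
    except NoticeNotServed:
        return True
    return False


def demo() -> dict:
    ledger = ConsentLedger()
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    b = "BRW-0001"                      # constructed borrower id
    thumb = b"constructed-thumbprint-image-bytes"
    # Field agent plays the Hindi audio notice (v3) for each purpose, then captures a thumbprint.
    for purpose in ("kyc_identity", "marketing", "cic_reporting"):
        ledger.serve_notice(b, purpose, version="v3", lang="hi")
    ledger.record_consent(b, "kyc_identity", "field_audio+thumbprint", thumb, t0)
    ledger.record_consent(b, "marketing", "field_audio+thumbprint", thumb, t0)
    out = {
        "kyc": ledger.may_process(b, "kyc_identity")[0],
        # Aadhaar taken for KYC cannot be reused to pre-fill an insurance application.
        "insurance_prefill": ledger.may_process(b, "insurance_prefill")[0],
        # CIC reporting proceeds on a legal basis once the borrower has been notified.
        "cic_reporting": ledger.may_process(b, "cic_reporting")[0],
    }
    # Borrower withdraws marketing consent; the loan account keeps working.
    ledger.withdraw(b, "marketing", datetime(2025, 2, 1, tzinfo=timezone.utc))
    out["marketing_after_withdrawal"] = ledger.may_process(b, "marketing")[0]
    out["kyc_after_withdrawal"] = ledger.may_process(b, "kyc_identity")[0]
    out["kyc_evidence_count"] = len(ledger.evidence(b, "kyc_identity"))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of keying everything by purpose is that withdrawal and purpose checks become local: pulling marketing consent never touches the KYC or CIC-reporting paths, and a new purpose such as insurance pre-fill is denied until its own notice and consent exist. In production the evidence hash would point at an immutable store and the ledger itself would be append-only, so the "prove where consent came from" question is answered by the record rather than by a checkbox flag.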