1. Data Controller
The data controller responsible for your personal data collected through the LendMitra platform is Karuppali Fin Mithra (OPC) Private Limited ("Company", "we", "us", or "LendMitra"), incorporated under the Companies Act, 2013, with its registered office at Kozhikode, Kerala — 673 001, India.
This Privacy Policy applies to all individuals who interact with the LendMitra platform, including DSA Partners, prospective loan applicants referred by our Partners, and visitors to our website. It describes what personal data we collect, why we collect it, how we use it, who we share it with, and how long we retain it.
2. Personal Data We Collect
We collect personal data in the following categories:
- Identity information: Full name, date of birth, photograph (if submitted for KYC). Your PAN number is stored in masked format (e.g., ABCDE****F) for display purposes, with the full value held in encrypted storage used solely for verification and agreement preparation.
- Contact information: Mobile number, email address (optional), residential address, and district of operation within Kerala.
- Financial identifiers: Aadhaar — only the last 4 digits are stored in our systems. Bank account number — only the last 4 digits are retained for display; the full account number is used exclusively for commission disbursement and agreement preparation and is encrypted at rest. IFSC code of your bank branch.
- Professional information: Occupation, referral types, estimated network size, and target income range — collected during the Partner onboarding form.
- Customer referral data: When you submit a loan referral through the platform, we collect the prospective borrower's name, mobile number, employment details, income range, loan amount requested, and any documents you upload on their behalf. You must obtain their explicit consent before submitting this data (see Section 7).
- Technical data: IP address, browser type, device identifiers, pages visited, and interaction timestamps — collected automatically via cookies and analytics.
- Communications: Records of WhatsApp messages, support tickets, and email correspondence with our team.
3. How We Use Your Data
We use your personal data for the following lawful purposes:
- Partner registration and verification: To verify your identity, assess eligibility, and prepare your DSA Partner agreement with lending institutions.
- Loan referral processing: To route loan applications submitted by you to the appropriate lending institution and track the application status.
- Commission management: To calculate, process, and disburse commissions owed to you upon successful loan disbursal by a lending partner.
- Communication: To send you application status updates, commission notifications, platform announcements, and support responses via WhatsApp, SMS, or email.
- Compliance: To fulfil obligations under the Prevention of Money Laundering Act, 2002 (PMLA), RBI Know Your Customer (KYC) norms, the Income Tax Act, 1961 (including TDS on commissions), and the Digital Personal Data Protection Act, 2023.
- Platform improvement: To analyse usage patterns, improve user experience, and detect fraud or unauthorised activity.
- Legal requirements: To respond to lawful requests from courts, regulators, or law enforcement agencies.
We process your data based on: (a) your consent where required; (b) the performance of the DSA partnership agreement; (c) compliance with legal obligations; and (d) our legitimate interests in operating and securing the platform.
4. Data Sharing & Disclosure
We share your personal data only in the following circumstances:
- Partner lending institutions: Your name, PAN, masked Aadhaar, bank account details, and contact information are shared with banks and NBFCs for the purpose of executing the DSA agreement and processing commissions.
- Credit bureaus: When you submit a loan referral, the prospective borrower's data may be shared with credit information companies (CIBIL, Experian, Equifax, CRIF High Mark) for the purpose of credit assessment — only with the borrower's explicit prior consent.
- Payment processors: Bank account details are shared with our banking partners for commission disbursement via NEFT/IMPS.
- Service providers: We use third-party services for hosting (e.g., AWS/Vercel), analytics, and communication (e.g., WhatsApp Business API, email providers). These providers are bound by data processing agreements and are prohibited from using your data for any other purpose.
- Legal and regulatory authorities: We may disclose data when required by law, regulation, court order, or regulatory direction from the RBI, SEBI, or other competent authorities.
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
5. Data Retention
We retain your personal data for the duration of your active DSA partnership and for a period of five (5) years following termination of the partnership. This extended retention period is required under the Prevention of Money Laundering Act, 2002 (PMLA) and RBI KYC directions, which mandate that records of all financial transactions and client identity verification documents be maintained for at least five years after the business relationship ends.
After the retention period, your data will be securely deleted or irreversibly anonymised. Customer referral data (loan applicant information) is retained for the same five-year period from the date of the last transaction or referral activity.
6. Your Rights Under DPDP Act 2023
Under the Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data:
- Right to access: You may request a summary of the personal data we hold about you and the purposes for which it is processed.
- Right to correction: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your data, subject to our legal obligations under PMLA and other applicable laws. Note that data required for regulatory compliance cannot be erased during the mandatory retention period.
- Right to withdraw consent: You may withdraw any consent previously given for data processing. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal.
- Right to nominate: You may nominate another individual to exercise your data rights in the event of your death or incapacity.
- Right to grievance redressal: You have the right to file a complaint with our Grievance Officer (see Section 11) and, if unsatisfied, with the Data Protection Board of India.
To exercise any of these rights, contact us at privacy@lendmitra.in. We will acknowledge your request within 48 hours and respond within 30 days.
7. Credit Bureau (CIBIL) Disclosure
This section is critical for both DSA Partners and loan applicants. For the full standalone notice (including how to check and improve your CIBIL score), see the CIBIL & Credit Bureau Disclosure Notice.
Hard enquiries and consent: When a loan application is submitted to a lending institution through LendMitra, the lending partner may initiate a credit bureau enquiry (commonly called a "hard pull" or "hard enquiry") with one or more credit information companies — including but not limited to TransUnion CIBIL, Experian, Equifax, and CRIF High Mark. A hard enquiry may temporarily impact the applicant's credit score.
Consent is mandatory. Under the Credit Information Companies (Regulation) Act, 2005, and RBI guidelines, no credit bureau enquiry may be initiated without the explicit, informed, and voluntary consent of the individual whose credit information is being accessed. As a DSA Partner, you are solely responsible for obtaining this consent from every prospective borrower before submitting their loan application through LendMitra.
You must ensure that each borrower understands:
- A credit enquiry will be made by the lending institution as part of the loan assessment process.
- The enquiry will be recorded on their credit report and may affect their credit score.
- Their credit information will be shared with the lending institution and the relevant credit bureau(s).
- They have the right to refuse consent for the credit enquiry.
LendMitra does not initiate credit bureau enquiries directly. We act solely as an intermediary forwarding the application to the lending institution. Any failure to obtain proper consent is the sole responsibility of the DSA Partner and may result in immediate termination of the partnership.
8. Cookies & Tracking
We use the following types of cookies and tracking technologies:
- Essential cookies: Required for the platform to function — session authentication, form state persistence, and security tokens. These cannot be disabled.
- Analytics cookies: We use privacy-respecting analytics to understand how visitors interact with the platform. These cookies collect anonymised or pseudonymised data and do not personally identify you.
- Functional cookies: Remember your preferences (e.g., language, district selection) to improve your experience.
We do not use advertising cookies or tracking pixels from third-party ad networks. You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.
9. Data Security
We implement industry-standard technical and organisational measures to protect your personal data:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2/1.3 (SSL/HTTPS).
- Encryption at rest: Sensitive data fields (PAN, full bank account numbers) are encrypted in our database using AES-256 encryption.
- Data masking: PAN numbers are displayed in masked format. Aadhaar is stored as last-4-digits only. Bank account numbers are masked in the UI and only the last 4 digits are displayed.
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, enforced through role-based access controls (RBAC) and audit logging.
- Infrastructure security: Our infrastructure is hosted on SOC 2-compliant cloud providers with regular security patching, network segmentation, and intrusion detection.
- Incident response: In the event of a data breach, we will notify affected individuals and the Data Protection Board of India within 72 hours, as required under the DPDP Act, 2023.
While we take all reasonable measures to protect your data, no system is completely secure. We encourage you to keep your login credentials confidential and report any suspected unauthorised access immediately.
10. Children's Data
The LendMitra platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data of a person under 18, we will take immediate steps to delete such data from our systems. If you believe a child's data has been collected, please contact us at privacy@lendmitra.in.
11. Grievance Officer
In compliance with the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer to address any concerns or complaints regarding the processing of your personal data.
Grievance Officer
Karuppali Fin Mithra (OPC) Private Limited
Kozhikode, Kerala — 673 001
Email: privacy@lendmitra.in
We will acknowledge receipt of your grievance within 48 hours and endeavour to resolve it within 30 days of receipt. If you are not satisfied with the resolution, you may escalate the matter to the Data Protection Board of India.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you via email or a prominent notice on the platform. We encourage you to review this page periodically.
Continued use of the LendMitra platform after any changes to this Privacy Policy constitutes your acceptance of the updated terms.