1. Introduction
OneNDF is committed to protecting the privacy and security of personal information shared by users, borrowers, co-applicants, guarantors, and other individuals who interact with the OneNDF website, platform, and digital lending interfaces.
This Privacy Policy explains:
- what personal data OneNDF collects,
- how such data is used,
- with whom it may be shared,
- how long it may be retained,
- how consent may be managed or withdrawn,
- how deletion requests are handled, and
- how users may contact OneNDF for privacy or grievance-related concerns.
2. Data collected by OneNDF
OneNDF may collect and process the following categories of personal information, depending on the services requested and the stage of the customer journey:
2.1 Identity and contact information
- name
- mobile number
- email address
- residential or business address
- date of birth
- PAN and other KYC-related details, where applicable
2.2 Loan and application information
- type of loan sought
- requested loan amount
- proposed tenure
- purpose of loan
- property details
- employment / business profile
- income and turnover-related information
- documents uploaded in connection with the application
2.3 Financial and eligibility information
- credit bureau-related inputs and outputs
- banking-related information and derived analysis
- GST-related information and derived analysis
- lender matching and eligibility outputs
- application progression and lender response status
2.4 Technical and usage information
- device information
- browser type
- IP address
- session and login details
- system logs
- cookie or analytics data, where applicable
2.5 Consent and communication records
- consent granted by the user
- date/time of consent
- consent withdrawal logs
- customer support records
- call notes
- complaint and grievance records
3. Purposes of processing
OneNDF processes personal information only for lawful, disclosed, and relevant purposes, including:
- borrower onboarding
- identity verification
- eligibility assessment
- lender matching
- sharing information with matched lenders, where consented or otherwise legally permitted
- servicing support
- fraud prevention and risk checks
- audit and compliance
- communications relating to an active application or service request
- grievance handling
- analytics and platform improvement, where applicable and permitted
4. Third parties allowed to collect or receive personal information through the DLA
OneNDF may permit certain third parties to collect, receive, validate, process, or transmit personal information through the OneNDF digital lending application, website, or related interfaces, strictly for the disclosed purposes connected to the digital lending journey. RBI requires that such details be disclosed in the privacy policy.
Such third parties may include, where applicable:
4.1 Credit and financial assessment partners
- credit bureau / credit information providers
- banking statement analysis providers
- GST / financial verification providers
4.2 Identity and document verification partners
- KYC verification providers
- OCR / document validation partners
- video verification or onboarding support providers, where applicable
4.3 Communication and service partners
- OTP providers
- SMS, email, and WhatsApp communication providers
- customer support / ticketing providers
4.4 Infrastructure and technology partners
- secure cloud hosting providers
- storage, monitoring, security, and analytics providers
- API and integration partners used for platform functionality
4.5 Matched lenders / regulated entities
- banks, NBFCs, HFCs, or other regulated entities to whom the borrower's information is shared for loan processing, where consented or otherwise legally permitted
OneNDF may disclose the identity or category of such third parties, the purpose of such collection or receipt, and the type of data involved in the relevant privacy notice, consent flow, or partner disclosures.
5. Consent
Where consent is the basis of processing, OneNDF shall seek consent in clear and plain language. Under the DPDP Act, consent must be free, specific, informed, unconditional, unambiguous, and given by clear affirmative action. The Act also requires that withdrawal be as easy as giving consent.
OneNDF may seek separate consent for:
- loan matching and processing
- bureau / financial data access
- sharing with matched lenders
- marketing and promotional communication
- analytics or non-essential cookies, where applicable
OneNDF shall not share personal information with third parties for purposes requiring consent unless such consent has been obtained, except where sharing is required under applicable law, regulation, court order, or regulatory direction. RBI's framework expressly requires explicit consent before sharing personal information with third parties, except as required by law.
6. Revocation of consent
A user may withdraw consent at any time through the OneNDF website, digital lending interface, or by contacting OneNDF through the published grievance/privacy channels. The DPDP Act gives data principals the right to withdraw consent at any time, and requires the data fiduciary to cease and cause its processors to cease processing within a reasonable time unless retention/processing is required by law.
Upon withdrawal of consent:
- OneNDF shall stop further processing for the withdrawn purpose, to the extent operationally and legally possible
- OneNDF shall stop future sharing with new lenders, where applicable
- marketing communication shall be stopped where marketing consent is withdrawn
- processing already undertaken before withdrawal shall remain valid
- OneNDF may continue to retain or process limited data where required for legal, regulatory, audit, fraud prevention, grievance handling, servicing, contractual, or dispute-resolution purposes
Withdrawal of consent may result in the inability to continue some or all services requested by the user.
7. Data retention
OneNDF retains personal information only for as long as necessary for the disclosed purpose, or for such longer period as may be required for legal, regulatory, audit, fraud prevention, grievance, contractual, or dispute-resolution purposes. RBI requires clear disclosure of storage and retention policy, and the DPDP Act permits continued retention where required for compliance with law.
Indicative retention periods may include:
- lead / enquiry data: up to 12 months from last activity
- incomplete applications: up to 12 months from last activity
- rejected / withdrawn applications: up to 24 months from closure
- KYC, application, underwriting, consent, audit, grievance, and key transaction records: up to 8 years, or such longer period as may be required by applicable law, contractual requirement, or legal hold
- communications not linked to active disputes: up to 3 years
- marketing suppression records: up to 5 years, to ensure the user is not contacted again contrary to their preference
OneNDF may anonymise data instead of deleting it where lawful and appropriate.
8. Deletion and forgetting requests
A user may request deletion or erasure of eligible personal data. Under the DPDP Act, a data principal may request erasure, and the data fiduciary must erase the data unless retention is necessary for the specified purpose or for compliance with law.
Upon receiving such a request, OneNDF shall review:
- whether the data is still required for the stated purpose,
- whether the data must be retained under law,
- whether the data is subject to audit, complaint, fraud, contractual, or litigation hold,
- whether deletion can be carried out immediately or only after expiry of the applicable retention period.
Where deletion is allowed, OneNDF shall take reasonable steps to delete or anonymise the relevant data from active systems and, as applicable, from backup and archival systems in line with internal deletion schedules.
9. Restrictions on use of data
OneNDF shall not:
- sell personal data,
- use personal data for undisclosed purposes,
- access mobile phone resources beyond what is necessary and lawfully permitted,
- continue marketing communication after withdrawal of marketing consent,
- retain data indefinitely without lawful purpose.
RBI's 2022 digital lending framework also restricts storage of certain categories such as biometric data by DLA/LSP systems unless permitted by law, and requires need-based collection.
10. Security and breach handling
OneNDF implements reasonable technical and organisational measures to protect personal information, including access controls, logging, secure transmission, encryption where appropriate, and internal incident-response processes.
In the event of an actual or suspected data security incident, OneNDF may:
- isolate affected systems,
- investigate the nature and extent of the incident,
- take remedial and containment measures,
- notify affected parties, partners, or authorities where legally required or contractually necessary,
- maintain records of the incident and corrective action taken.
11. Grievance redressal and privacy contact
RBI requires LSPs with a borrower interface to appoint a nodal grievance redressal officer.
For privacy concerns, consent withdrawal, deletion requests, or grievance-related issues, users may contact:
Name: Shipra Kochhar
Organization: Devick Biz Solutions Pvt Ltd
Address: 310, Third Floor, Gagandeep Building, Rajendra Place, New Delhi – 110008
Phone: +91 9971022410, +91 8130021297
Email: finance@dbspl.co.in
If a complaint is not satisfactorily resolved within the applicable timeline, the user may also use the grievance escalation channels made available by the concerned lender / regulated entity and, where applicable, RBI's Complaint Management System.
12. Updates to this Privacy Policy
OneNDF may update this Privacy Policy from time to time to reflect regulatory changes, platform changes, lender integration changes, operational requirements, or security updates. The latest version shall be made available prominently on the OneNDF website and relevant digital lending interfaces.