
Privacy Policy

Last updated: June 2, 2026 · Effective from app version: KredSetu Android v1.0.2


How KredSetu handles user data

KredSetu, a Lending Service Provider operated by Resilience Engineering Private Limited, is committed to protecting customer information and processing personal data only for legitimate lending facilitation, verification, fraud prevention, servicing, and compliance purposes.

1. Information we collect

We may collect the following categories of information when you use our website or app:

  1. Identity and KYC information: name, mobile number, email, PAN number, date of birth, and PAN card front or back images you submit. This information is used for KYC, identity verification, underwriting, and fraud prevention.
  2. Financial information: income details, bank statements, and employment information, as well as loan amount, tenure, total repayment, interest, and installment plan selected by you. This information is used for eligibility checks and lender underwriting.
  3. Technical and risk-control information: device model, IP address, browser data, app version, Advertising ID, installed apps list limited to apps with a launcher activity, and one-time approximate location if you grant permission. This information is used for security, anti-fraud controls, analytics, and troubleshooting.
  4. Communication records: support messages, OTP delivery status, and grievance submissions. This information is used for service operations and customer support.
  5. Emergency contact information: two emergency contacts consisting of relationship, name, and phone number, entered manually by you or selected through the system contacts picker. We do not request READ_CONTACTS and do not read your full contact list.
  6. Financial SMS data: with your consent, we collect financial-related SMS data from the recent assessment period, including sender name or number, received time, and SMS content after filtering for financial relevance. This is used for cash-flow assessment, credit-risk evaluation, transaction verification, and fraud prevention.

2. How we use information

  • To facilitate onboarding, eligibility checks, and loan application flows.
  • To complete PAN-based KYC, document verification, and related underwriting checks.
  • To assess cash flow, repayment ability, and fraud indicators using user-provided data and consented financial SMS signals.
  • To verify serviceability, device integrity, and risk signals through approximate location, Advertising ID, and installed app metadata.
  • To share required application data with the RBI-registered NBFC lending partner disclosed below, and with the specific processors named in section 4.
  • To comply with legal, regulatory, audit, and anti-fraud obligations.
  • To improve user experience, support performance monitoring, and resolve complaints.

3. Specific data types and purposes

  1. PAN card information: When you complete KYC, we collect your PAN number, name, date of birth, and PAN card images. This is used for customer due diligence, identity verification, and underwriting. It may be shared with Narainsons Investments Finance and Consultancy Pvt. Ltd. and authorized KYC partners strictly for verification and lending purposes.
  2. Emergency contacts: You provide two emergency contacts consisting of relationship, name, and phone number. These are used for loan servicing and fraud prevention. They may be shared with our NBFC partner for the same purpose.
  3. Approximate location: If you grant location permission when prompted, we collect your approximate latitude or longitude one time in the foreground after an in-app disclosure. This is used to confirm serviceability and detect fraud. You may decline this permission, and the app remains usable.
  4. Installed apps list: For fraud prevention, we collect the list of apps on your device that have a launcher activity. We do not read app contents or usage statistics.
  5. Advertising ID: We collect the Google Advertising ID for attribution analytics and anti-fraud device identification. You may reset or limit it in your device settings.
  6. Financial SMS data: With your consent, we access only financial-related SMS data required for lending assessment and fraud prevention. We include messages that contain financial keywords such as bill, borrow, balance, bank, money, debit, wallet, pay, EMI, loan, credit, account, and repayment, and we exclude messages from senders with 10 to 12 digit numeric-only personal mobile numbers. We use this data to analyse lending behaviour, transaction patterns, repayment ability, credit risk, and fraud indicators. KredSetu does not sell your SMS content or use it for unrelated marketing.

4. Information sharing — named third parties

We do not sell personal data. Data is shared only with the specific third parties listed below, each for a defined purpose. Any future additions to this list will be disclosed by an update to this policy before such sharing begins.

  1. Narainsons Investments Finance and Consultancy Pvt. Ltd. (CIN: U74899DL1995PTC067793): RBI-registered NBFC lending partner for credit assessment, underwriting, sanction, disbursal, servicing, and collections.
  2. TransUnion CIBIL Ltd. / Experian Credit Information Company of India Pvt. Ltd.: credit information companies used for credit report and score retrieval with user consent.
  3. RBI-empanelled KYC / eKYC service providers (KUA / AUA / DigiLocker partners): identity verification vendors used for Aadhaar OTP eKYC, PAN validation, and document verification.
  4. Licensed cloud infrastructure provider hosted in an India data region: cloud and hosting processor used for secure storage and transport of application data.
  5. DLT-registered SMS gateway and licensed email / transactional messaging provider: communication processor used for OTP delivery, transaction alerts, and service notifications.
  6. Adjust and similar attribution or analytics processors approved by us: attribution, install measurement, analytics, and anti-fraud device identification using Advertising ID and related technical signals.
  7. Government authorities, regulators, courts, and law-enforcement: statutory recipients where required for binding legal orders or regulatory reporting.

Specific vendor names within a category (e.g., the exact KYC vendor or SMS gateway) can be disclosed on request at grievance@kredsetu.in and are maintained under the data processing register held by Resilience Engineering Pvt. Ltd.

Installed apps data is used internally for fraud prevention. We do not share the raw apps list with unrelated third parties, although aggregated or hashed risk signals derived from it may be shared with approved risk-control processors where required for fraud detection.

5. Permissions summary

  • Internet: required to communicate with our servers and support app functionality.
  • Advertising ID: required for attribution analytics and anti-fraud device identification.
  • Camera: required during KYC to capture PAN images or live verification when you tap to start those steps.
  • Approximate location: optional, one-time, foreground-only, and used for fraud prevention and serviceability checks.
  • SMS: requested with your consent to access financial-related SMS data for lending assessment and fraud prevention.

6. Data we do not collect

  • We do not read your full contact list.
  • We do not read or transmit your call logs.
  • We do not access your photo gallery except images you explicitly select or capture for KYC.
  • We do not track your precise GPS location.
  • We do not perform background location tracking when the app is closed.

7. Data storage, retention, and protection

KredSetu uses commercially reasonable safeguards including access controls, encrypted transport, restricted operational access, and audit processes. Data is retained only for the period necessary to fulfil legal and business obligations. PAN data, KYC records, and related lending records may be retained for the duration of the lending relationship plus up to 8 years where required by RBI, PMLA, or other applicable law.

8. User choices and deletion requests

  • You may request correction of inaccurate data.
  • You may request deletion of eligible data, including PAN data, KYC photos, emergency contacts, location data, installed apps data, and SMS-derived assessment data, through in-app account cancellation, consent withdrawal, or the grievance channel.
  • Deletion or restriction requests are processed within a reasonable period, typically within 30 days, subject to legal and regulatory retention requirements.
  • You may deny optional permissions where the product flow allows it.

9. Contact

For privacy questions or data requests, contact the support or grievance team through the channels published on the KredSetu website.