Privacy Policy
Last updated: January 2025 • Credoverify India Private Limited, Vasant Kunj, South Delhi – 110070
1. Introduction
Credoverify India Private Limited ("Credoverify", "we", "us", "our") is committed to protecting the privacy and security of personal data processed in connection with our field investigation and verification services. This Privacy Policy describes how we collect, use, store, share, and protect personal information relating to loan applicants whose data is submitted to us by our institutional clients (banks and NBFCs), as well as data relating to our clients, website visitors, and employees.
2. Legal Framework
This Privacy Policy is drafted in compliance with the Digital Personal Data Protection (DPDP) Act 2023, the Information Technology Act 2000 and the IT (Amendment) Act 2008, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, Reserve Bank of India guidelines on data security and outsourcing, and our ISO certification requirements. Credoverify acts as a Data Processor on behalf of institutional clients (who are Data Fiduciaries under the DPDP Act) in relation to loan applicant data.
3. Data We Collect
In the course of providing verification services, we may process the following categories of personal data: (a) Identity Data: name, photograph, date of birth, government-issued ID numbers (PAN, Aadhaar, Passport, Voter ID); (b) Contact Data: residential address, workplace address, phone number, email address; (c) Financial Data: income details, employment information, bank statements, CIBIL scores, ITR documents; (d) Background Data: employment history, criminal record checks, court records; (e) Field Observation Data: photographs, GPS coordinates, field executive observations during physical visits. We collect only the minimum data necessary for the specific verification commissioned by the client.
4. Lawful Basis for Processing
Credoverify processes personal data on the following lawful bases: (a) Contractual Necessity: processing necessary to perform our verification services pursuant to our agreements with institutional clients; (b) Legitimate Interests: fraud prevention, credit risk management, and regulatory compliance in the context of banking and NBFC operations; (c) Legal Obligation: compliance with RBI directives, court orders, or other applicable legal requirements; (d) Consent: where the loan applicant has provided valid consent to their bank or NBFC for third-party verification, which is passed down to us through the client's data processing agreement.
5. Use of Personal Data
Personal data submitted to Credoverify is used exclusively for the following purposes: (a) Conducting the specific field investigation or digital verification commissioned by the requesting institution; (b) Generating and delivering verification reports to the requesting institution; (c) Internal quality control, auditing, and compliance monitoring; (d) Complying with regulatory requirements, RBI directives, or court orders. Personal data is never used for marketing, profiling, or any purpose beyond the commissioned verification. Aggregated, anonymized statistical data may be used to improve our services.
6. Data Sharing and Disclosure
Credoverify does not sell, rent, or trade personal data. Data may be shared only in the following limited circumstances: (a) With the requesting institutional client, in the form of a structured verification report; (b) With sub-contracted field executives, strictly on a need-to-know basis, subject to confidentiality agreements; (c) With government authorities, law enforcement, or regulators when required by law; (d) With credit bureaus (such as CIBIL, Equifax, Experian) where data retrieval is part of the commissioned service. All third parties engaged by Credoverify are bound by data protection obligations equivalent to those in this Policy.
7. Data Retention
Verification reports and associated personal data are retained for a period of seven (7) years from the date of report delivery, in accordance with banking sector regulatory requirements and standard industry practice in India. After the retention period, data is securely deleted or anonymized. Clients may request deletion of specific data subject to applicable legal and regulatory requirements. Data required for active legal proceedings may be retained until resolution of such proceedings.
8. Data Security
Credoverify employs a comprehensive set of technical and organizational security measures including: end-to-end encryption of data in transit and at rest; role-based access controls limiting data access to authorized personnel only; regular security audits and vulnerability assessments; strict Data Loss Prevention (DLP) controls in accordance with the DLP Act; audit logs for all data access and processing activities; employee training on data security and DPDP Act compliance. Despite these measures, no data transmission over the internet or storage system can be guaranteed to be 100% secure.
9. Rights of Data Principals
Under the DPDP Act 2023, individuals (Data Principals) whose data is processed have certain rights including: (a) Right to Access: to know what personal data we hold about them; (b) Right to Correction: to correct inaccurate personal data; (c) Right to Erasure: to request deletion of data, subject to legal retention requirements; (d) Right to Grievance Redressal: to raise concerns with our designated Data Protection Officer. Since Credoverify acts as a Data Processor, requests from individuals should ideally be directed to the originating bank or NBFC (Data Fiduciary). We will co-operate with reasonable data subject requests forwarded through institutional clients.
10. Website and Cookie Policy
Our website (credoverify.com) may collect limited non-personal data through cookies and analytics tools for website performance and user experience purposes. This includes pages visited, browser type, and approximate geographic location. No sensitive personal financial data is collected through the website. You may configure your browser to reject cookies; this will not affect your ability to access our website. We do not use third-party advertising cookies.
11. Data Protection Officer
Credoverify India Private Limited has designated a Data Protection Officer (DPO) responsible for overseeing compliance with the DPDP Act 2023 and this Privacy Policy. The DPO can be contacted at: Email: contact@credoverify.com | Address: 7, Lower Ground Floor, L.S.C. B-1, Vasant Kunj, South Delhi – 110070, Delhi. Individuals or institutions with privacy concerns, data requests, or complaints should direct them to the DPO.
12. Policy Updates
Credoverify reserves the right to update this Privacy Policy to reflect changes in law, regulatory requirements, or our business practices. Material changes will be communicated to institutional clients via email or through our portal. The date of the most recent update is indicated at the top of this Policy. Continued use of our services after the effective date of an updated Policy constitutes acceptance of the changes.
Privacy questions or requests?
Contact our DPO at contact@credoverify.com or see our Terms & Conditions.