Fintech / Digital Lending

KreditBee

Ready Score 48/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 30 Mar 2026

KreditBee's policy is built for RBI compliance but falls short of the DPDP Act 2023's strict consent standards. While they are transparent about *what* they take, they don't give users enough control over *how* that data is used beyond the loan application.

⚠️ Compliance Gaps

  • Consent is bundled — you can't opt out of marketing without losing the service
  • Vague data retention periods using 'as long as required' language
  • Missing mention of Section 14 'Right to Nominate' for users
  • Notice does not provide a clear summary of data shared with third parties
  • No pathway for escalating complaints to the Data Protection Board
  • Broad interpretation of 'legitimate use' for internal business purposes

✅ Strengths

  • Highly detailed list of specific data points collected (SMS, Location, Device)
  • Clear explanation of why each permission is needed for credit underwriting
  • Nodal Grievance Officer contact details are prominently displayed
  • Specific adherence to RBI’s Digital Lending Guidelines mentioned

Overview

KreditBee is a popular digital lending platform that provides quick personal loans. Because they are lending money to people without collateral, they collect massive amounts of personal data — including your SMS logs, GPS location, and contact lists — to figure out if you’re a “safe” borrower.

Under the DPDP Act, KreditBee is a Data Fiduciary (the company that decides how and why your data is processed). Since they handle such sensitive financial and behavioral info, the stakes are incredibly high for them to get privacy right.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent 🔴

KreditBee uses bundled consent. When you sign up, you agree to everything at once: credit scoring, marketing, and sharing data with partners.

What the policy says: “By clicking on the ‘Proceed’ button… you expressly consent to our use and disclosure of your Personal Information.”

The problem: The DPDP Act says consent must be specific and informed. You should be able to say “Yes to the loan” but “No to marketing calls.” Right now, KreditBee makes it an all-or-nothing deal, which is a major red flag under Section 6.

What the law requires: A Notice must be given before or at the time of consent, explaining exactly what data is collected and for what specific purpose, in clear and plain language.

Section 7 — Certain Legitimate Uses 🔴

KreditBee claims they can process data for “internal business purposes” and “improving the App.”

The problem: Under the new law, “Legitimate Use” is very narrow. It’s for things like medical emergencies or government functions. Most of KreditBee’s “internal purposes” actually require explicit consent from the Data Principal (that’s you — the person the data belongs to). They can’t just bypass your permission by calling it a business necessity.

Section 8 — Obligations of Data Fiduciary ✅

KreditBee scores well here because they already follow strict RBI (Reserve Bank of India) rules.

What the policy says: They mention using 128-bit SSL encryption and storing data on servers in India.

What the law requires: A Data Fiduciary must have “reasonable security safeguards” to prevent a Data Breach (where your info gets stolen or leaked). KreditBee’s alignment with financial security standards gives them a strong foundation here.

Section 9 — Data Retention 🔴

This is a big gap for most fintechs.

What the policy says: “We will retain your information for as long as it is necessary for the purposes for which it was collected… or as required by law.”

The problem: This is too vague. DPDP Section 9 says once the purpose is over (e.g., you’ve paid off your loan and closed your account), the company must delete the data unless a specific law (like tax law) says they must keep it. KreditBee doesn’t give a clear “expiry date” for your personal info.

Section 11 — Rights of Data Principal ⚠️

As a Data Principal, you have the right to see, correct, and erase your data.

What the policy says: They allow you to “review and correct” info. However, they make the “Right to Erasure” (deleting your data) very difficult if you have an active relationship with them.

The problem: They haven’t updated their policy to include the Right to Nominate (Section 14). This is the right to pick someone else to manage your data rights if you pass away or become unable to do so.

Section 12 — Right of Grievance Redressal ⚠️

What the policy says: They list a Nodal Officer and a Grievance Redressal Officer with an email address.

The problem: Under DPDP, if the company doesn’t solve your problem, you have a legal right to complain to the Data Protection Board of India. KreditBee’s policy doesn’t mention this escalation path yet, leaving users in the dark about their full legal options.

Section 16 — Cross-Border Data Transfer ✅

KreditBee states that they store data on cloud servers located in India.

Why it matters: The DPDP Act allows the government to restrict data from being sent to certain “blacklisted” countries. By keeping data in India, KreditBee avoids most of the risks associated with Section 16.

Risk Assessment

Category | Risk Level | Potential Impact
--- | --- | ---
Consent Legality | High | “All-or-nothing” consent could be ruled invalid, stopping operations.
Data Minimization | High | Collecting SMS/Contacts is now heavily restricted by RBI and DPDP.
Retention Risk | Medium | Holding data indefinitely could lead to massive fines if a leak occurs.
User Rights | Medium | Lack of “Right to Nominate” is a technical non-compliance.

Recommendations

  1. Unbundle your consent: Give users checkboxes. Let them opt out of “Partner Marketing” while still getting their loan.
  2. Add a “Data Deletion” button: Make it easy for people who have closed their accounts to request a full wipe of their behavioral data (like SMS logs).
  3. Update the Grievance section: Explicitly mention that users can approach the Data Protection Board if they aren’t satisfied with the internal fix.
  4. Define “As long as required”: Tell the user: “We keep KYC for 10 years for RBI, but we delete your GPS history 30 days after the loan is closed.”
  5. Add a “Nominee” field: Let users add a nominee to their profile to stay compliant with Section 14.
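Recommendations 1 and 4 are the two that an engineering team actually has to encode: a consent store that tracks each purpose separately, and a retention schedule where every data category has a dated expiry. The sketch below is an added illustration written for this review, not code from KreditBee or from DPDP Consulting. The purpose names, the `sms_logs` rule, the `DataRecord` shape and the use of 365-day years are assumptions; the KYC (10 years) and GPS history (30 days after closure) figures are the ones the recommendation above proposes.

```python
"""Policy-as-code sketch: unbundled consent plus a dated retention schedule (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# ---- 1. Unbundled consent: each purpose is recorded and checked on its own ----

# Purposes a user can tick individually (names assumed for illustration).
# True = needed to deliver the loan; refusing an optional purpose must not block service.
PURPOSES = {
    "credit_underwriting": True,
    "loan_servicing": True,
    "partner_marketing": False,
}


@dataclass(frozen=True)
class ConsentRecord:
    principal_id: str
    granted: frozenset      # purposes the Data Principal actually ticked
    given_on: date


def service_eligible(consent: ConsentRecord) -> bool:
    """True when every *required* purpose is granted; optional purposes never matter."""
    return all(p in consent.granted for p, required in PURPOSES.items() if required)


def may_process(consent: ConsentRecord, purpose: str) -> bool:
    """Check one specific purpose; an unknown purpose is refused (fail closed)."""
    return purpose in PURPOSES and purpose in consent.granted


def withdraw(consent: ConsentRecord, purpose: str) -> ConsentRecord:
    """Withdrawing one purpose leaves the others untouched."""
    return ConsentRecord(consent.principal_id, consent.granted - {purpose}, consent.given_on)


# ---- 2. Retention schedule: every category carries an explicit expiry ----

@dataclass(frozen=True)
class RetentionRule:
    days: int        # keep this long after the anchor event
    anchor: str      # "loan_closed" or "collected"
    statutory: bool  # True when a law (here, RBI KYC norms) sets the period


# KYC and GPS figures follow the recommendation above; the SMS rule is assumed.
RETENTION_SCHEDULE = {
    "kyc": RetentionRule(days=10 * 365, anchor="loan_closed", statutory=True),
    "gps_history": RetentionRule(days=30, anchor="loan_closed", statutory=False),
    "sms_logs": RetentionRule(days=0, anchor="loan_closed", statutory=False),
}


@dataclass(frozen=True)
class DataRecord:
    principal_id: str
    category: str
    collected_on: date
    loan_closed_on: Optional[date] = None  # None while the loan is still open


def expiry_date(rec: DataRecord) -> Optional[date]:
    """Date after which the record must be gone, or None while its purpose is still active."""
    # A category with no rule raises KeyError on purpose: the schedule, not the data, is wrong.
    rule = RETENTION_SCHEDULE[rec.category]
    anchor = rec.loan_closed_on if rule.anchor == "loan_closed" else rec.collected_on
    if anchor is None:
        return None  # purpose not yet over, so the retention clock has not started
    return anchor + timedelta(days=rule.days)


def due_for_deletion(records: Iterable[DataRecord], today: date) -> List[DataRecord]:
    """Records whose expiry has passed and which the deletion job must now erase."""
    due = []
    for rec in records:
        exp = expiry_date(rec)
        if exp is not None and today > exp:
            due.append(rec)
    return due


def retention_notice() -> List[str]:
    """Plain-language lines for the privacy notice, one per category."""
    lines = []
    for category, rule in sorted(RETENTION_SCHEDULE.items()):
        basis = "required by law" if rule.statutory else "our own limit"
        event = "loan closure" if rule.anchor == "loan_closed" else "collection"
        lines.append(f"{category}: deleted {rule.days} days after {event} ({basis})")
    return lines


if __name__ == "__main__":
    # Constructed sample: one closed loan with KYC and GPS data, one open loan.
    c = ConsentRecord("p1", frozenset(PURPOSES), date(2026, 3, 1))
    c = withdraw(c, "partner_marketing")
    print("still eligible after opting out of marketing:", service_eligible(c))
    closed = date(2026, 2, 1)
    recs = [
        DataRecord("p1", "gps_history", date(2026, 1, 10), closed),
        DataRecord("p1", "kyc", date(2026, 1, 10), closed),
        DataRecord("p2", "gps_history", date(2026, 3, 1)),
    ]
    for r in due_for_deletion(recs, date(2026, 3, 30)):
        print("delete:", r.principal_id, r.category)
    print("\n".join(retention_notice()))
```

The two properties worth checking in a review are that withdrawing an optional purpose never flips `service_eligible`, and that a record with no closure date never becomes deletable by accident: the clock only starts when the purpose ends.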

How Does Your Policy Compare?

Not sure if your company’s privacy policy has similar gaps? Run a free instant check:

Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
