You’re not alone — talk to someone now

Free, confidential, 24/7. If you are in immediate danger, call 112.

All support options — women’s, cybercrime & emergency
loantrap.org
Report
← All articlesहिंदी में पढ़ें →

Digital Loan Apps & How to Verify Them

Why a loan app demanding your contacts or gallery is a danger sign

A loan app asking for your full contacts list or photo gallery is a serious red flag under RBI's Digital Lending Directions and the DPDP Act. Here is why, and what you can do about it.

If a loan app has asked for permission to read your full contacts list or your entire photo gallery, and something about it felt off — trust that instinct. It is not a normal part of borrowing money, and noticing it does not make you difficult or suspicious. It makes you careful. This article explains, calmly and clearly, why these permissions are a danger sign, what Indian rules say about them, and what you can do whether you are about to borrow or already have.

A loan needs your ability to repay — not your address book

Think about what a lender genuinely needs to make a credit decision: your identity, your income or repayment capacity, and your bank details for disbursal and repayment. None of that requires the phone numbers of your relatives, your child's school group, or your colleagues. None of it requires the private photos in your gallery.

So when an app insists on "Allow access to Contacts" or "Allow access to Photos/Media" as a condition of getting your loan, ask the simple question: why would a lawful lender need this to lend me money? In the overwhelming majority of cases, the honest answer is that this data is not for assessing your loan at all. It is collected so that, if there is ever a dispute, the operator has a ready-made list of people to contact and material to apply pressure. That is not credit assessment. That is leverage.

What RBI's Digital Lending Directions actually say

RBI's Digital Lending Directions were introduced precisely because of this kind of overreach. In plain terms, the framework requires that:

  • Data collected by a digital lending app must be need-based — only what is genuinely required to provide the loan — and collected with your clear, explicit consent.
  • Apps should not access borrowers' phone resources like the contact list, call logs, or media/gallery for recovery or pressure purposes. A one-time access for a specific, disclosed, need-based purpose (for example, a single KYC step) is different from bulk, ongoing harvesting of your entire address book and photos.
  • You must be told who is collecting the data, why, and you must be able to withdraw consent and have your data dealt with appropriately.

So a demand for your whole contacts list or gallery is not a neutral technical setting. It runs against the spirit and, often, the letter of the Directions. It is one of the clearest, most reliable danger signs that an app intends to use social pressure rather than lawful recovery.

If you want a structured way to check the lender behind an app and spot these issues before you commit, the loantrap.org /check tool walks you through it step by step.

The DPDP Act 2023: your data is not free for the taking

Beyond RBI's rules, the Digital Personal Data Protection (DPDP) Act 2023 governs how anyone may handle your personal data in India. Two ideas from it are worth holding onto:

  1. Consent must be free, specific, informed and unambiguous — and limited to the stated purpose. Bundling "give us your entire contacts list" into a take-it-or-leave-it loan screen is the opposite of free, specific consent.
  2. Purpose limitation — data collected for one purpose cannot lawfully be repurposed. Even if an app somehow justified reading a contact for verification, using your contacts to call and shame you later is a different, unlawful purpose.

In short: your address book and your photographs are your personal data and your contacts' personal data. An app does not get a blank cheque over them simply because you needed a loan.

How the pressure usually unfolds — described generically

Understanding the pattern helps you recognise it early. These are general red-flag behaviours, not accusations against any specific company:

  • The app demands contacts and gallery access upfront, sometimes refusing to proceed without it.
  • After disbursal — and often the moment a payment is even slightly late — the borrower starts receiving threats that "we will message everyone in your phone."
  • Family, friends or colleagues report getting calls or messages claiming the borrower is a fraud or a defaulter.
  • In the worst cases, photos from the gallery are altered or morphed and circulated to intimidate.

If any of this is happening to you, please hear this clearly: you have not brought shame on yourself. The shame belongs to the conduct, not to you. Being late on a payment — or even unable to pay — is a financial situation, never a moral failing, and it never justifies threats or the misuse of your private data.

What the law gives you against this conduct

You are not without protection:

  • Harassment and threats — Contacting third parties to humiliate you, or threatening you, can amount to criminal intimidation and related offences under the Bharatiya Nyaya Sanhita (BNS). Threatening to circulate private or morphed images is a serious matter.
  • Data misuse — Scraping and weaponising your contacts and photos can breach the DPDP Act 2023 and the RBI Fair Practices Code, which requires fair, non-abusive dealings with borrowers.
  • Cyber-enabled extortion — If you are being threatened online or your images are being misused, you can report to the national cybercrime helpline 1930 or cybercrime.gov.in. If morphed images are involved, the National Commission for Women (NCW) is also a channel for women facing such abuse.
  • Regulated-lender escalation — Where a registered NBFC or bank sits behind the app, you can escalate through the RBI Ombudsman at cms.rbi.org.in and report on the RBI Sachet portal.

For a guided, calm walkthrough of what to do when harassment has already started, see the loantrap.org /help page.

Practical steps you can take right now

Before you borrow:

  1. Read the permissions screen carefully. If it asks for contacts, call logs, or full gallery access, treat that as a reason to stop.
  2. Check whether the app clearly names the RBI-registered NBFC or bank behind it, and verify that entity using /check.
  3. Prefer lenders whose app requests only need-based, disclosed permissions.

If you have already granted access:

  1. Revoke permissions in your phone settings (Settings → Apps → the app → Permissions) and switch off Contacts and Photos/Media access. On Android and iOS you can disable these without uninstalling.
  2. Uninstall the app if you can, after saving your loan documents.
  3. Withdraw consent in writing where the app provides a route, and ask for your data to be erased.
  4. Preserve evidence — screenshots of permission demands, threatening messages, call logs, and any messages sent to your contacts. The loantrap.org /locker page explains how to store this safely so it is ready if you need to complain or file a report.
  5. Warn your close contacts gently in advance: "You may get a strange call about me; please ignore it, it's a harassment tactic." This single step removes most of the power these tactics rely on.

If you cannot afford a lawyer

You do not have to handle this alone or pay for help you cannot afford. Free legal aid is a right in India. The National Legal Services Authority (NALSA) and your District Legal Services Authority (DLSA) provide qualified legal assistance at no cost to those who are eligible. They can help you respond to harassment, data misuse, and unlawful recovery. The loantrap.org /legal-aid page explains how to reach NALSA/DLSA and what documents to carry.

The bottom line

A genuine lender wants to know whether you can repay. It does not need your address book or your photographs to do that. When an app insists on those permissions, it is usually building a pressure machine, not assessing your credit. Recognising that early — and knowing your rights under RBI's Digital Lending Directions, the DPDP Act, and the BNS — turns a frightening situation into one you can manage with your dignity intact.

This is general information, not legal advice. Rules and procedures change; confirm against current RBI and DPDP guidance and seek qualified help (including free legal aid via NALSA/DLSA) for your specific situation.

Frequently asked questions

Is a loan app allowed to access my contacts and photos?
No legitimate digital lender needs your entire contacts list or photo gallery to assess or disburse a loan. RBI's Digital Lending Directions restrict data access to what is need-based and with explicit consent. Bulk harvesting of contacts and media is a recognised red flag and can also breach the DPDP Act 2023.
Can they legally call my contacts if I miss a payment?
Contacting your friends, family or colleagues to shame or pressure you is not lawful recovery. It can amount to harassment and criminal intimidation under the Bharatiya Nyaya Sanhita, and misusing data scraped from your phone can violate the DPDP Act and the RBI Fair Practices Code.
I already gave permission. What can I do now?
You can revoke app permissions in your phone settings, withdraw consent, uninstall the app, and preserve evidence. If your contacts or photos are being misused to threaten or shame you, report to cybercrime.gov.in or call 1930, and escalate via the RBI Ombudsman or Sachet portal where a regulated lender is involved.

Facing this right now?

Check a lenderDocument it privatelyTalk to someone
✓ Reviewed by qualified advocates · 15/6/2026Last updated 2026-06-13. General information, not legal advice.