loantrap.org


Toofan Loan and Subhlakshmi Finance: When a Recovery Email Exposed Hundreds of Borrowers

Toofan Loan (Satisfaction Commercial Pvt Ltd) sent one recovery email to ~269 borrowers, and Subhlakshmi Finance one to ~190, with all addresses exposed in To/Cc. Both are RBI-registered. Your DPDP and RBI rights, and how to report data exposure via Sachet, the CRPC and cybercrime.gov.in.

Two recovery emails, hundreds of borrowers exposed to each other

A single recovery-demand email from Toofan Loan — an app operated by Satisfaction Commercial Pvt Ltd — was sent to roughly 269 borrowers at once, with every recipient's email address placed in the visible To and Cc fields instead of the hidden Bcc field. In one click, hundreds of borrowers could see each other's identities, and learn that everyone on that list was being chased over a loan.

It was not an isolated lapse. In a separate documented case, a recovery email from Subhlakshmi Finance — an RBI-registered NBFC — was sent to roughly 190 borrowers with all of their addresses exposed in the Cc field. Two mass emails, two lenders, the same failure: the people on the list were turned into a published directory of who is in debt.

Both Toofan Loan's operator and Subhlakshmi Finance are RBI-registered entities. That matters. This is not a story about some shadowy offshore app you can simply uninstall. These are entities inside the regulated system, and the way borrower data was handled in these emails is exactly the kind of personal-data exposure that India's new privacy law was written to prevent.

Why an exposed email list is so dangerous

To an outsider, putting addresses in Cc instead of Bcc looks like a clerical slip. For a borrower, the consequences are serious and lasting.

First, it broadcasts the one fact most people want kept private: that they owe money and are behind on it. A recovery email is, by its nature, a statement of debt. When 269 — or 190 — such addresses sit in the open, every recipient now knows that every other person on that list is a defaulting borrower. Many email addresses contain a real name. Some are work addresses. A borrower who told no one about a loan can suddenly find that hundreds of strangers, possibly including someone they know, have seen their name on a debt list.

Second, an exposed list is a ready-made target. Email addresses scraped from a leak like this can be sold, harvested for phishing, or used to seed further harassment. People already under financial pressure are precisely the people fraudsters look for: a scammer who knows you are a stressed borrower can pose as a "settlement agent" or a "loan officer" and sound convincing. One careless Cc field can feed a chain of follow-on scams that has nothing to do with the original lender.

Third, the damage cannot be undone. Once an email is sent, it sits in hundreds of inboxes the sender no longer controls. There is no recall. This is why the law treats the protection of personal data as the lender's job, not something the borrower has to chase after the fact.

What the DPDP Act, 2023 expects

The Digital Personal Data Protection Act, 2023 (DPDP) is India's dedicated personal-data law, and an email address tied to a person is personal data under it. The framework rests on a simple, common-sense idea: an organisation that collects your personal data to do business with you must protect it, use it only for the purpose you gave it for, and guard it with reasonable security safeguards. Exposing a borrower's identity to a few hundred other borrowers is the opposite of that.

The DPDP framework treats the entity handling your data as a Data Fiduciary — a custodian with a duty of care — not an owner free to do as it likes. A custodian who lets a list of borrowers' identities spill into the open has, on the face of it, failed the basic safeguarding duty the Act is built around. You do not need to prove malice. The point of a data-protection regime is that careless exposure counts too, because the harm to you is the same whether the leak was deliberate or sloppy.

Read alongside the RBI's rules for regulated lenders, the obligation is doubly clear: a Regulated Entity is responsible for how borrower data is collected, stored and communicated, and it stays responsible even when the work is done through an app or a recovery team.

Know your rights under the RBI Fair Practices Code

Data exposure rarely travels alone. It usually sits beside other recovery conduct, so it helps to know the full set of protections the RBI's Fair Practices Code gives every borrower of a regulated lender.

  • Calling hours are limited. Recovery agents may not contact you before 8 a.m. or after 7 p.m. Calls outside that window are a breach of the Code.
  • Your circle is off-limits. The lender and its agents must not call your employer, family, friends, neighbours or references about your debt, and must not disclose your borrowing to them. A mass email that reveals your debt to other borrowers runs against the same privacy principle.
  • No abuse, threats or public shaming. Recovery must be civil. Intimidation, abusive language, and any attempt to humiliate you in front of others are not permitted.
  • The cost must be disclosed in writing. The Annual Percentage Rate (APR) and the full cost of the loan must be set out in the Key Facts Statement (KFS) — the one-page summary every regulated lender must give you before you borrow. If the true cost was never disclosed there, that itself is a serious gap.
  • Recovery only by lawful means. Agents may pursue a genuine dues claim, but only through lawful, dignified methods.
  • The Regulated Entity is accountable for its agents. You do not have to untangle which app, call centre or third party did what. The RBI holds the registered lender answerable for the conduct of everyone recovering on its behalf.

One more right deserves to be stated plainly, because frightened borrowers are so often misled about it. Being unable to repay a loan is, by itself, a civil matter. You cannot be jailed simply because you cannot pay. If anyone threatens you with "arrest" over a defaulted loan as a way to make you pay, that threat is itself a form of unlawful pressure. (This is a general statement about inability to pay — separate questions such as cheque dishonour or genuine fraud are governed by their own laws and are not what is described here.)

How to report a data exposure

If a lender has exposed your email or identity in a mass message, or is harassing you, you have clear official channels. Keep evidence first — save the email with its full header showing every address, take screenshots, and note dates and times. Then use these routes.

  1. Raise it with the lender's grievance officer. Every regulated lender must have a named grievance redressal officer. Send a written complaint describing the exposure and asking for it to be fixed and confirmed. This is the required first step, and it starts the clock.

  2. RBI Sachet — sachet.rbi.org.in. Use the RBI's Sachet portal to report conduct by a lender or app, including misuse or careless handling of borrower data.

  3. RBI Ombudsman via the CRPC. If the lender does not resolve your complaint within 30 days, or rejects it, you can escalate to the RBI Ombudsman. Complaints are received through the RBI's Centralised Receipt and Processing Centre (CRPC). Approaching the lender first and giving it 30 days is a precondition for the Ombudsman route.

  4. National Cyber Crime Reporting Portal — cybercrime.gov.in, helpline 1930. If your data was exposed, scraped or misused, or if exposure has led to blackmail, extortion or criminal harassment, report it on the national cybercrime portal or call 1930. Act quickly — the sooner data misuse is reported, the more can be done.

  5. Consumer commission. A lender's failure to protect your data and the harm it causes can also be a deficiency in service. You have the right to file a complaint before the appropriate consumer commission (district, state or national, depending on the amount involved).

Throughout, hold on to your evidence. The exposed email itself, with full headers, is the single most useful document you have.
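To document an exposure of this kind without re-circulating the list, the saved message can be parsed from its raw form and summarised as a count plus a file hash. The script below is an added example, not from the article or either lender; it uses Python's standard library, and the sample message and its addresses are constructed for illustration.

```python
import email
import hashlib
from email import policy

# Constructed sample of a mass recovery email whose recipients sit in To/Cc
# (hypothetical addresses; not from the article).
SAMPLE_EML = b"""From: recovery@example-lender.invalid
To: a.borrower@example.com, b.borrower@example.org
Cc: c.borrower@example.net, "D Borrower" <d.borrower@example.com>
Subject: Loan overdue - final reminder
Date: Mon, 01 Jan 2024 10:00:00 +0530

Your EMI is overdue. Pay immediately.
"""


def exposed_recipients(raw: bytes) -> list:
    """Return the distinct addresses visible to every recipient.

    Only To and Cc are delivered in the headers; a Bcc list never reaches
    the other recipients, so it is by definition not exposed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = set()
    for name in ("To", "Cc"):
        for hdr in msg.get_all(name, []):
            for a in hdr.addresses:  # parsed Address objects, display names ignored
                addrs.add(a.addr_spec.lower())
    return sorted(addrs)


def evidence_summary(raw: bytes) -> dict:
    """Summarise the exposure for a complaint without listing the addresses.

    The SHA-256 of the raw .eml lets you show later that the saved file is
    the same one you are describing; the count is what the complaint needs.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = exposed_recipients(raw)
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "from": str(msg["From"]),
        "date": str(msg["Date"]),
        "exposed_count": len(addrs),
        "distinct_domains": len({a.rsplit("@", 1)[1] for a in addrs}),
    }


if __name__ == "__main__":
    # Replace SAMPLE_EML with open("saved_message.eml", "rb").read() for a real file.
    print(evidence_summary(SAMPLE_EML))
```

Save the message from your mail client as raw source (.eml) so the headers are intact; a forwarded copy loses the original To/Cc lines.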

Where this fits in the bigger picture

These two emails are part of the wider investigation into how loan apps in India treat borrower data and dignity. Data exposure is one face of a broader pattern that also includes an employer-contact harassment case — where the borrower's workplace was dragged into the recovery. Different lenders, different tactics, the same lesson: your data and your dignity are protected by law, and the channels above exist precisely so that you do not have to absorb the harm in silence.

Any company named in this article may submit a factual correction or response through our right-of-reply channel.

Frequently asked questions

Is a loan from Toofan Loan or Subhlakshmi Finance legal in India?
Both Toofan Loan's operator, Satisfaction Commercial Pvt Ltd, and Subhlakshmi Finance are RBI-registered entities. Being registered does not put a lender above the rules: it must still follow the RBI Fair Practices Code and protect your personal data under the DPDP Act, 2023. The documented mass emails — Toofan's to roughly 269 borrowers and Subhlakshmi's to roughly 190 — exposed borrowers' addresses to each other, which is exactly the kind of personal-data exposure those rules exist to prevent. If your data was exposed, raise it with the lender's grievance officer and report it on RBI Sachet.
Can a loan app expose my email or identity to other borrowers?
No. An email address tied to a person is personal data under the DPDP Act, 2023, and a lender is a custodian with a duty to protect it. Sending a recovery email with every borrower's address in the To or Cc field — instead of the hidden Bcc field — reveals each person's identity and debt to hundreds of strangers. That runs against both the DPDP safeguarding duty and the RBI privacy principle that your borrowing must not be disclosed to others. Save the email with full headers as evidence and report it.
Can a loan app call my office or family about my debt?
No. Under the RBI Fair Practices Code, the lender and its recovery agents must not contact your employer, family, friends, neighbours or references about your loan, and must not disclose your debt to them. They also cannot call before 8 a.m. or after 7 p.m., and cannot threaten, abuse or publicly shame you. The Regulated Entity remains accountable for whatever its agents or app do on its behalf.
How do I report a loan-app data breach or exposure to the authorities?
First save evidence — the email with full headers showing every exposed address, plus screenshots and dates. Then raise a written complaint with the lender's grievance officer, and report the conduct on RBI Sachet at sachet.rbi.org.in. If the lender does not resolve it within 30 days, escalate to the RBI Ombudsman through the Centralised Receipt and Processing Centre (CRPC). If your data has been scraped, misused, or used for blackmail or extortion, report it at cybercrime.gov.in or call 1930. You can also file before a consumer commission.
What does the DPDP Act, 2023 say about loan-app data?
The Digital Personal Data Protection Act, 2023 treats your personal data — including an email address tied to you — as something the collecting organisation must protect, use only for the purpose you gave it for, and guard with reasonable security safeguards. The entity handling your data is a custodian (Data Fiduciary) with a duty of care, not an owner free to do as it pleases. Carelessly exposing a borrower's identity to other borrowers is the kind of harm the Act is designed to prevent.
Can I be jailed for not repaying a loan in India?
Being unable to repay a loan is, by itself, a civil matter — you cannot be jailed simply for being unable to pay. If a recovery agent threatens you with arrest over a defaulted loan to pressure you into paying, that threat is itself a form of unlawful pressure. Separate questions, such as cheque dishonour or genuine fraud, are governed by their own laws and are different from mere inability to pay. Keep a record of any such threats and report them through the official channels.
Reviewed by qualified advocates · 30/6/2026. Last updated 2026-06-30. General information, not legal advice.