How loan apps misuse your data — and your DPDP rights
A plain-language guide to how some digital lending apps collect and misuse borrower data, and the rights you have under the DPDP Act 2023 and RBI's Digital Lending Directions to stop it.
When you download a loan app and tap "Allow", you are often handing over far more than your name and PAN. Many borrowers in India discover, only after harassment begins, that an app has copied their entire contact list, photo gallery, location and device details. This article explains, in plain language, how data misuse typically happens, what the law actually says, and the concrete rights you can use to push back. You have done nothing wrong by borrowing money. Repaying a genuine debt and refusing to tolerate harassment are two separate things — and the law is firmly on your side regarding the second.
What loan apps actually collect — and why it matters
A legitimate digital lender needs only a limited set of information to assess and service a loan: your identity (KYC), your repayment capacity, and a way to contact you. Problems begin when an app asks for permissions that have nothing to do with lending.
Common over-collection includes:
- Full contact list — every name and number stored on your phone.
- Photo gallery and media — personal images, which can later be morphed or used to threaten you.
- Call logs and SMS — to map your relationships and other lenders.
- Real-time location — beyond what KYC requires.
- Device identifiers — to track you across apps.
The reason this matters is simple. Once your contacts and photos sit on a recovery agent's server, they become tools of pressure. Borrowers report agents calling their employer, relatives and neighbours, sometimes with edited images or false claims. This is not recovery; it is data being weaponised. RBI's framework was written precisely to stop this, and so was the Digital Personal Data Protection Act, 2023.
If you are unsure whether the app that lent to you is even a regulated entity, our /check tool can help you understand what to look for before you engage further.
What RBI's Digital Lending rules say about your data
The RBI Digital Lending Directions set clear limits on regulated lenders and the apps acting for them. A few principles stand out and are worth knowing in your own words:
- Data collection must be need-based. An app can collect only what is genuinely required to provide the loan, and only with your explicit, prior consent. A blanket grab of your contacts or gallery is not need-based.
- No access to phone resources like contacts, call logs and gallery. The Directions specifically restrict apps from accessing these, with narrow, one-time exceptions such as a camera for KYC, taken with consent.
- You must be able to deny or withdraw consent. Consent cannot be a hidden, all-or-nothing toggle buried in a permissions screen.
- No data stored on the app or its servers beyond what is permitted. Biometric data, in particular, must not be stored.
- Clear disclosure. The lender must tell you who is collecting data, for what purpose, and with whom it is shared, through a Key Fact Statement and privacy policy.
Under the Fair Practices Code that sits alongside these rules, recovery must remain civil. Calling third parties to shame you, contacting people at odd hours, or using your photos to threaten are all outside what any regulated lender is permitted to do.
Your DPDP Act 2023 rights as a "data principal"
The DPDP Act 2023 treats you as a data principal — the person the data is about — and treats the lender as a data fiduciary. This framing gives you specific, usable rights. You do not need to be a lawyer to invoke them; a clear written request is enough.
- Right to notice and informed consent. The lender must tell you, before or at the time of collection, what personal data it is taking and the purpose. Consent must be free, specific and unambiguous — not extracted by making the loan impossible to use otherwise.
- Right to access information. You can ask the lender for a summary of the personal data it holds about you and how it has been processed.
- Right to correction and erasure. You can ask the lender to correct wrong data and to erase personal data that is no longer needed for the purpose it was collected. Once a loan is closed and there is no legal retention reason, you can ask for your contacts and media to be deleted.
- Right to grievance redressal. Every data fiduciary must provide an accessible way to complain. The lender must respond within a reasonable, defined period.
- Right to nominate. You can nominate another person to exercise your rights in case you are unable to.
Importantly, the Act also requires that consent be capable of being withdrawn as easily as it was given. So if you agreed to contact-list access during onboarding, you can later withdraw that consent in writing, and the lender must stop the processing tied to it.
How to exercise your rights, step by step
You do not have to wait for harassment to escalate. Acting early and in writing creates a record. Here is a calm, practical sequence.
1. Preserve evidence first. Before changing anything, take screenshots of the app's permission requests, any threatening messages, calls to your contacts, and the loan's Key Fact Statement. A simple, dated folder is enough. If you want a safe place to keep this together, our /locker explains how to organise and store such records.
2. Revoke app permissions on your phone. Go into your phone settings and turn off the app's access to contacts, photos, SMS and location. This does not erase what was already taken, but it stops further collection.
3. Send a written data request to the grievance officer. Every regulated lender must name a grievance officer. Write to them stating clearly: you withdraw consent for accessing your contacts, media and other non-essential data; you request erasure of that data under the DPDP Act; and you ask for written confirmation. Keep it factual and unemotional.
4. Escalate to the regulator if ignored. If the lender does not respond reasonably, you can complain to the RBI Ombudsman at cms.rbi.org.in, and raise the conduct of the lender or app on the RBI Sachet portal (sachet.rbi.org.in), which is meant for reporting unauthorised entities and grievances.
5. Report criminal misuse. If your data is used to threaten you or your family, or to morph images, this crosses into criminal territory under the Bharatiya Nyaya Sanhita. Report it on the National Cyber Crime Reporting Portal (cybercrime.gov.in) or call 1930. If the harassment targets a woman, the National Commission for Women (NCW) also receives complaints.
If you are not sure which of these routes fits your situation, the guidance at /help walks through the options based on what is happening to you.
Consent screens: what to watch for next time
Prevention is part of protection. Before you accept any future loan app's permissions, slow down at the consent screen. Ask three questions: Does this app genuinely need this to give me a loan? Can I deny this permission and still proceed? Is there a clear privacy policy naming the lender and the grievance officer? If the app forces all-or-nothing access to your contacts and gallery before it will lend, that is a signal to step back. A genuine, regulated lender does not need your friends' phone numbers to assess your repayment capacity.
It also helps to note who the actual regulated lender is, as opposed to the app brand on your screen. Many apps are only the front end; the loan sits with an NBFC or bank. Knowing the regulated entity's name tells you where to send grievances and which Ombudsman scheme applies.
You are not powerless
Data misuse can feel deeply invasive, especially when people you love start receiving calls. It is natural to feel ashamed or frightened. But the misuse of your data is the lender's or agent's wrongdoing, not yours. The DPDP Act 2023 and RBI's Directions exist because regulators recognised exactly this pattern and chose to restrain it. Your contacts, your photos and your dignity are protected categories, and you have named, written rights to demand they be erased and left alone.
Take it one step at a time: preserve, revoke, request in writing, then escalate. Each step builds a record that strengthens your position. And if cost is a barrier to formal help, free legal assistance is available through NALSA and your District Legal Services Authority (DLSA) — our /legal-aid page explains how to reach them.
This is general information, not legal advice. Laws and regulator processes can change, and your specific situation may differ. For advice on your particular case, consider free legal aid through NALSA/DLSA or a qualified professional.