LendShield Technologies Private Limited is committed to protecting the privacy and security of all personal data entrusted to us. This Policy explains our practices in accordance with applicable Indian laws and regulations.
LendShield Technologies Private Limited ("LendShield", "we", "us", or "our") is a technology company incorporated as a private limited company under the Companies Act, 2013 (CIN: U62011GJ2026PTC180383), with its registered office in Ahmedabad, Gujarat, India. We develop and operate lending technology platforms for regulated financial institutions across India.
This Privacy Policy ("Policy") governs the collection, processing, storage, transfer, and deletion of Personal Data and Sensitive Personal Data or Information (SPDI) as defined under applicable Indian laws. It applies to:
LendShield primarily operates as a Data Processor on behalf of our institutional clients (who are the Data Fiduciaries / Controllers). End-borrower data processed through our platforms is governed by the respective client's privacy policy and their regulatory obligations. Our clients remain responsible for obtaining valid consent from their customers.
Our privacy practices are designed to comply with the following laws, regulations, guidelines, and directions issued by competent authorities in India:
India's primary data protection legislation governing the processing of digital personal data of individuals within India.
Governs cybersecurity, electronic records, digital signatures, and data protection obligations (Section 43A & Section 72A).
Mandates collection, processing and storage standards for Sensitive Personal Data or Information (SPDI).
Directions on data collection, storage, purpose limitation, and consent for Regulated Entities and Lending Service Providers.
Customer identification, due diligence, and record-keeping requirements applicable to financial institutions.
Requirement to store payment system data and related financial data exclusively within India.
Anti-money laundering obligations including reporting of STR and CTR to FIU-IND.
Corporate governance and record-keeping obligations for companies registered in India.
Provisions applicable to related parties, financial reporting, and audit trails where relevant.
Record-keeping and reporting obligations under Indian income tax laws applicable to our business.
Tax record retention and invoice management requirements under India's GST framework.
Consent architecture and data flow standards for financial information sharing through the AA ecosystem, where applicable.
The Digital Personal Data Protection Act, 2023 is being implemented in phases by the Government of India. LendShield is actively aligning its processes, systems, and documentation to be fully compliant as the DPDPA Rules are notified and come into force. Our practices already reflect the spirit of the Act.
We collect only the minimum data necessary for the purposes described in this Policy (data minimisation principle). The categories of data we process include:
| Category | Examples | Source | Classification |
|---|---|---|---|
| Contact & Identity | Name, email address, job title, institution name, phone (where voluntarily provided) | Website forms, emails, demos | Personal Data |
| Account & Access Data | Login credentials (hashed), session tokens, IP address, device identifiers | Platform login, API access | Personal Data |
| KYC / Business Verification | GST number, PAN of entity, authorised signatory details, certificate of incorporation | Onboarding process | Personal Data / SPDI |
| Financial Transaction Data (on behalf of clients) | Loan application data, credit bureau responses, repayment records | Client platform integration | SPDI / Confidential |
| Usage & Behavioural Data | Pages visited, features used, click patterns, session duration | Analytics tools, server logs | Technical Data |
| Communication Data | Emails, support tickets, demo requests, feedback | Direct communication | Personal Data |
| Contractual & Billing Data | Service agreements, invoices, payment records | Business operations | Confidential |
We do not directly collect Aadhaar numbers, biometric data, or financial account credentials from end-borrowers through our website. Such data, where processed through our platform on behalf of institutional clients, is governed by the client's consent framework and their obligations under applicable law.
Under the DPDPA 2023 and IT (SPDI) Rules 2011, we process personal data only for specified, explicit, and legitimate purposes. The table below sets out each lawful basis, the precise trigger for its application, and the activities it covers:
| Legal Basis | When It Applies | Data & Activities Covered |
|---|---|---|
| Consent | You voluntarily submit a web form on lendshield.in. Consent is obtained via an explicit opt-in checkbox on every contact, demo-request, and newsletter sign-up form — no data is submitted until the box is ticked. | Name, business email, company name, job title, and message text collected through website forms. Used to send the requested response (demo booking, callback), product update emails, regulatory digest newsletters, and event invitations. You may withdraw consent at any time by emailing office@lendshield.in with the subject "Withdraw Consent". Withdrawal does not affect the lawfulness of processing carried out before withdrawal. |
| Contractual Necessity | You or your institution enters into a Master Service Agreement (MSA) or Statement of Work with LendShield. | All processing required to onboard institutional clients; provision and support of LendShield Core, Pulse, and Guard; user account management; software updates and maintenance; service-level monitoring; invoice issuance and payment processing. |
| Legal Obligation | Processing is expressly required by Indian law, a regulatory direction, court order, or government directive. | AML/CFT transaction monitoring and mandatory filing of Suspicious Transaction Reports (STR) and Cash Transaction Reports (CTR) with FIU-IND under PMLA 2002; maintenance of KYC records per RBI KYC Master Directions 2016; income tax record retention under the Income Tax Act 1961; GST invoice and return maintenance under the GST Act 2017; responses to lawful regulatory inspections and judicial orders. |
| Legitimate Interests | Processing is necessary for LendShield's legitimate business interests, provided those interests are not overridden by the fundamental rights of data principals (a balancing test is applied). | Real-time security monitoring, intrusion detection, and fraud prevention; aggregated platform usage analytics to improve product features; system performance and reliability monitoring; internal audit trails; business continuity planning. Personal data used under this basis is pseudonymised or aggregated wherever feasible. |
| Vital Interests | A credible and serious threat to the life or physical safety of a person exists and no other lawful basis is available in time. | Disclosure of minimum necessary personal data to emergency services, law enforcement, or relevant authorities solely to avert or respond to the immediate threat. Such processing is logged, reviewed, and documented. |
We do not use personal data for any purpose beyond what is stated in this Policy without obtaining fresh, explicit consent or establishing a separate lawful basis. We do not sell, rent, or trade personal data to third parties for any commercial purpose.
We share personal data only in the following circumstances and only to the extent necessary:
| Recipient | Purpose | Safeguard |
|---|---|---|
| Cloud Infrastructure Providers (India-hosted) | Hosting, storage, and computing services for our platform | Data Processing Agreements; servers located in India |
| Credit Information Companies (CIBIL, Experian, CRIF, Equifax) | Bureau enquiries and data furnishing — on behalf of institutional clients | RBI-mandated data sharing framework; client-authorised |
| FIU-IND (Financial Intelligence Unit — India) | Mandatory reporting of STR/CTR under PMLA 2002 | Statutory legal obligation |
| RBI and other Regulators | Regulatory inspections, audit requests, statutory disclosures | Lawful order / statutory obligation |
| KYC Registration Agencies (KRA) | KYC verification for institutional onboarding | SEBI / RBI regulated entities |
| Payment Gateway / Banking Partners | Billing and invoicing for our services | PCI-DSS compliance; contractual safeguards |
| Legal & Professional Advisors | Legal counsel, statutory auditors, tax consultants | Professional confidentiality obligations |
| Law Enforcement / Courts | Response to lawful warrants, court orders, or government directives | Verified legal process only |
We do not transfer personal data outside India except where required by law or expressly consented to. All cross-border transfers (if any) comply with applicable RBI data localisation requirements and the DPDPA 2023 framework.
We retain personal data only for as long as necessary to fulfil the stated purposes, or as required by applicable law:
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Loan / credit-related records (client data) | 8 years from loan closure | RBI guidelines; PMLA 2002 |
| KYC records | 5 years after end of client relationship | RBI KYC Master Directions 2016 |
| AML / STR / CTR records | 5 years | PMLA 2002, Rule 7 |
| Financial / accounting records | 8 years | Income Tax Act 1961; Companies Act 2013 |
| GST invoices and records | 8 years | GST Act 2017 |
| Website enquiry / contact form data | 2 years or until consent withdrawn | Consent / Legitimate interest |
| Employee / contractor data | Duration of engagement + 5 years | Labour laws; contractual obligation |
| Server / access logs | 90 days (rolling) | Security monitoring |
Upon expiry of retention periods, data is securely deleted or anonymised in accordance with our data destruction procedures.
We implement reasonable security practices and procedures as required under Rule 8 of the IT (SPDI) Rules, 2011 and consistent with the DPDPA 2023. Our technical and organisational measures include:
In the event of a personal data breach affecting your data, we will notify the affected data principals and the Data Protection Board of India (once operational) within the timeframes prescribed under the DPDPA 2023.
Under the DPDPA 2023 and IT (SPDI) Rules 2011, individuals whose data we process directly have the following rights:
Request a summary of your personal data processed by us and the purposes of processing.
Request correction of inaccurate or incomplete personal data.
Request deletion of your personal data where it is no longer necessary (subject to legal retention obligations).
Withdraw consent for processing at any time. Withdrawal does not affect the lawfulness of prior processing.
File a complaint with our Grievance Officer and escalate to the Data Protection Board of India if unresolved.
Nominate another individual to exercise your rights on your behalf in the event of death or incapacity.
To exercise any of the above rights, write to office@lendshield.in with the subject line "Data Principal Rights Request". We will respond within 30 days of receipt of a valid request.
Where we process your data as a Data Processor on behalf of an institutional client, please direct your rights requests to that institution (the Data Fiduciary). We will support our clients in responding to such requests.
Our website (lendshield.in) uses the following types of cookies and tracking technologies:
We do not use advertising or behavioural tracking cookies. We do not share website visitor data with ad networks or data brokers. You can manage cookie preferences through your browser settings.
In accordance with the Information Technology Act, 2000 and the DPDPA 2023, LendShield has designated a Grievance Officer to address privacy-related concerns. Any grievance related to this Policy should be submitted in writing to:
CIN: U62011GJ2026PTC180383
Email: office@lendshield.in
Subject Line: "Privacy Grievance"
Response Time: Within 30 days of receipt
If your grievance is not resolved to your satisfaction within 30 days, you may escalate to the Data Protection Board of India (once constituted under DPDPA 2023) or seek recourse under applicable Indian law.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
Your continued use of our services after the effective date of the updated Policy constitutes acceptance of the revised terms.
For any questions, requests, or concerns related to this Privacy Policy, please contact us at:
Email: office@lendshield.in
Business Hours: Monday – Friday, 9:00 AM – 6:30 PM IST
Our team is happy to walk you through our privacy practices and data protection measures.
Get in Touch →