Legal & Compliance

Privacy Policy

LendShield Technologies Private Limited is committed to protecting the privacy and security of all personal data entrusted to us. This Policy explains our practices in accordance with applicable Indian laws and regulations.

📅 Effective: 28 May 2026🔄 Version 1.0📍 Governing Law: India🏢 LendShield Technologies Private Limited
📋This Privacy Policy is effective from 28 May 2026 and applies to all users, clients, and visitors interacting with LendShield Technologies Private Limited and its products — LendShield Core, LendShield Pulse, and LendShield Guard.
🏛️
Section 01

Overview & Applicability

LendShield Technologies Private Limited ("LendShield", "we", "us", or "our") is a technology company incorporated as a private limited company under the Companies Act, 2013 (CIN: U62011GJ2026PTC180383), with its registered office in Ahmedabad, Gujarat, India. We develop and operate lending technology platforms for regulated financial institutions across India.

This Privacy Policy ("Policy") governs the collection, processing, storage, transfer, and deletion of Personal Data and Sensitive Personal Data or Information (SPDI) as defined under applicable Indian laws. It applies to:

  • Visitors to our website at lendshield.in
  • Prospective and current institutional clients (NBFCs, Banks, HFCs, Fintechs)
  • Individuals whose data is processed through our platforms on behalf of our institutional clients
  • Employees, contractors, and consultants of LendShield
  • Any person who contacts us via email, form, or other communication channels
⚠️
B2B Data Processor Notice

LendShield primarily operates as a Data Processor on behalf of our institutional clients (who are the Data Fiduciaries / Controllers). End-borrower data processed through our platforms is governed by the respective client's privacy policy and their regulatory obligations. Our clients remain responsible for obtaining valid consent from their customers.

⚖️
Section 02

Regulatory Framework

Our privacy practices are designed to comply with the following laws, regulations, guidelines, and directions issued by competent authorities in India:

Data Protection

Digital Personal Data Protection Act, 2023 (DPDPA)

India's primary data protection legislation governing the processing of digital personal data of individuals within India.

IT Act

Information Technology Act, 2000 & IT (Amendment) Act, 2008

Governs cybersecurity, electronic records, digital signatures, and data protection obligations (Section 43A & Section 72A).

IT Rules

IT (Reasonable Security Practices and SPDI) Rules, 2011

Mandates collection, processing and storage standards for Sensitive Personal Data or Information (SPDI).

RBI

RBI Digital Lending Guidelines & Amendments

Directions on data collection, storage, purpose limitation, and consent for Regulated Entities and Lending Service Providers.

RBI

RBI Master Direction — KYC Directions, 2016 (updated)

Customer identification, due diligence, and record-keeping requirements applicable to financial institutions.

RBI

RBI Data Localisation Directions

Requirement to store payment system data and related financial data exclusively within India.

FIU-IND

Prevention of Money Laundering Act, 2002 (PMLA) & Rules

Anti-money laundering obligations including reporting of STR and CTR to FIU-IND.

MCA

Companies Act, 2013

Corporate governance and record-keeping obligations for companies registered in India.

MCA

Companies Act, 2013 (applicable provisions)

Provisions applicable to related parties, financial reporting, and audit trails where relevant.

Tax

Income Tax Act, 1961 & TDS Provisions

Record-keeping and reporting obligations under Indian income tax laws applicable to our business.

GST

GST Act, 2017 & Rules

Tax record retention and invoice management requirements under India's GST framework.

RBI

Account Aggregator Framework (RBI)

Consent architecture and data flow standards for financial information sharing through the AA ecosystem, where applicable.

ℹ️
DPDPA 2023 — Implementation Note

The Digital Personal Data Protection Act, 2023 is being implemented in phases by the Government of India. LendShield is actively aligning its processes, systems, and documentation to be fully compliant as the DPDPA Rules are notified and come into force. Our practices already reflect the spirit of the Act.

📦
Section 03

Data We Collect

We collect only the minimum data necessary for the purposes described in this Policy (data minimisation principle). The categories of data we process include:

CategoryExamplesSourceClassification
Contact & IdentityName, email address, job title, institution name, phone (where voluntarily provided)Website forms, emails, demosPersonal Data
Account & Access DataLogin credentials (hashed), session tokens, IP address, device identifiersPlatform login, API accessPersonal Data
KYC / Business VerificationGST number, PAN of entity, authorised signatory details, certificate of incorporationOnboarding processPersonal Data / SPDI
Financial Transaction Data (on behalf of clients)Loan application data, credit bureau responses, repayment recordsClient platform integrationSPDI / Confidential
Usage & Behavioural DataPages visited, features used, click patterns, session durationAnalytics tools, server logsTechnical Data
Communication DataEmails, support tickets, demo requests, feedbackDirect communicationPersonal Data
Contractual & Billing DataService agreements, invoices, payment recordsBusiness operationsConfidential

We do not directly collect Aadhaar numbers, biometric data, or financial account credentials from end-borrowers through our website. Such data, where processed through our platform on behalf of institutional clients, is governed by the client's consent framework and their obligations under applicable law.

🎯
Section 04

Purpose & Legal Basis for Processing

Under the DPDPA 2023 and IT (SPDI) Rules 2011, we process personal data only for specified, explicit, and legitimate purposes. The table below sets out each lawful basis, the precise trigger for its application, and the activities it covers:

Legal BasisWhen It AppliesData & Activities Covered
ConsentYou voluntarily submit a web form on lendshield.in. Consent is obtained via an explicit opt-in checkbox on every contact, demo-request, and newsletter sign-up form — no data is submitted until the box is ticked.Name, business email, company name, job title, and message text collected through website forms. Used to send the requested response (demo booking, callback), product update emails, regulatory digest newsletters, and event invitations. You may withdraw consent at any time by emailing office@lendshield.in with the subject "Withdraw Consent". Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Contractual NecessityYou or your institution enters into a Master Service Agreement (MSA) or Statement of Work with LendShield.All processing required to onboard institutional clients; provision and support of LendShield Core, Pulse, and Guard; user account management; software updates and maintenance; service-level monitoring; invoice issuance and payment processing.
Legal ObligationProcessing is expressly required by Indian law, a regulatory direction, court order, or government directive.AML/CFT transaction monitoring and mandatory filing of Suspicious Transaction Reports (STR) and Cash Transaction Reports (CTR) with FIU-IND under PMLA 2002; maintenance of KYC records per RBI KYC Master Directions 2016; income tax record retention under the Income Tax Act 1961; GST invoice and return maintenance under the GST Act 2017; responses to lawful regulatory inspections and judicial orders.
Legitimate InterestsProcessing is necessary for LendShield's legitimate business interests, provided those interests are not overridden by the fundamental rights of data principals (a balancing test is applied).Real-time security monitoring, intrusion detection, and fraud prevention; aggregated platform usage analytics to improve product features; system performance and reliability monitoring; internal audit trails; business continuity planning. Personal data used under this basis is pseudonymised or aggregated wherever feasible.
Vital InterestsA credible and serious threat to the life or physical safety of a person exists and no other lawful basis is available in time.Disclosure of minimum necessary personal data to emergency services, law enforcement, or relevant authorities solely to avert or respond to the immediate threat. Such processing is logged, reviewed, and documented.
🛡️
Purpose Limitation

We do not use personal data for any purpose beyond what is stated in this Policy without obtaining fresh, explicit consent or establishing a separate lawful basis. We do not sell, rent, or trade personal data to third parties for any commercial purpose.

🔗
Section 05

Data Sharing & Disclosure

We share personal data only in the following circumstances and only to the extent necessary:

RecipientPurposeSafeguard
Cloud Infrastructure Providers (India-hosted)Hosting, storage, and computing services for our platformData Processing Agreements; servers located in India
Credit Information Companies (CIBIL, Experian, CRIF, Equifax)Bureau enquiries and data furnishing — on behalf of institutional clientsRBI-mandated data sharing framework; client-authorised
FIU-IND (Financial Intelligence Unit — India)Mandatory reporting of STR/CTR under PMLA 2002Statutory legal obligation
RBI and other RegulatorsRegulatory inspections, audit requests, statutory disclosuresLawful order / statutory obligation
KYC Registration Agencies (KRA)KYC verification for institutional onboardingSEBI / RBI regulated entities
Payment Gateway / Banking PartnersBilling and invoicing for our servicesPCI-DSS compliance; contractual safeguards
Legal & Professional AdvisorsLegal counsel, statutory auditors, tax consultantsProfessional confidentiality obligations
Law Enforcement / CourtsResponse to lawful warrants, court orders, or government directivesVerified legal process only

We do not transfer personal data outside India except where required by law or expressly consented to. All cross-border transfers (if any) comply with applicable RBI data localisation requirements and the DPDPA 2023 framework.

🗃️
Section 06

Data Retention

We retain personal data only for as long as necessary to fulfil the stated purposes, or as required by applicable law:

Data TypeRetention PeriodLegal Basis
Loan / credit-related records (client data)8 years from loan closureRBI guidelines; PMLA 2002
KYC records5 years after end of client relationshipRBI KYC Master Directions 2016
AML / STR / CTR records5 yearsPMLA 2002, Rule 7
Financial / accounting records8 yearsIncome Tax Act 1961; Companies Act 2013
GST invoices and records8 yearsGST Act 2017
Website enquiry / contact form data2 years or until consent withdrawnConsent / Legitimate interest
Employee / contractor dataDuration of engagement + 5 yearsLabour laws; contractual obligation
Server / access logs90 days (rolling)Security monitoring

Upon expiry of retention periods, data is securely deleted or anonymised in accordance with our data destruction procedures.

🔒
Section 07

Security Safeguards

We implement reasonable security practices and procedures as required under Rule 8 of the IT (SPDI) Rules, 2011 and consistent with the DPDPA 2023. Our technical and organisational measures include:

  • Encryption at rest and in transit — All data stored and transmitted using AES-256 and TLS 1.2+ encryption standards.
  • Access controls — Role-based access control (RBAC) with principle of least privilege; multi-factor authentication (MFA) for all administrative access.
  • Data residency — All data is stored on servers located within India, in compliance with RBI data localisation requirements.
  • Audit trails — Immutable logs of all data access, modifications, and deletions maintained for regulatory inspection.
  • Incident response — Documented breach detection, containment, and notification procedures in place.
  • Employee training — Regular data protection and security awareness training for all staff with access to personal data.
  • Vendor assessments — Third-party service providers are assessed for security compliance before onboarding and contractually bound to equivalent standards.
  • Secure development — Security is embedded into our software development lifecycle (SDLC) including code reviews and dependency scanning.
⚠️
Personal Data Breach Notification

In the event of a personal data breach affecting your data, we will notify the affected data principals and the Data Protection Board of India (once operational) within the timeframes prescribed under the DPDPA 2023.

Section 08

Your Rights as a Data Principal

Under the DPDPA 2023 and IT (SPDI) Rules 2011, individuals whose data we process directly have the following rights:

👁️

Right to Access

Request a summary of your personal data processed by us and the purposes of processing.

✏️

Right to Correction

Request correction of inaccurate or incomplete personal data.

🗑️

Right to Erasure

Request deletion of your personal data where it is no longer necessary (subject to legal retention obligations).

🚫

Right to Withdraw Consent

Withdraw consent for processing at any time. Withdrawal does not affect the lawfulness of prior processing.

📋

Right to Grievance Redressal

File a complaint with our Grievance Officer and escalate to the Data Protection Board of India if unresolved.

🏛️

Right to Nominate

Nominate another individual to exercise your rights on your behalf in the event of death or incapacity.

To exercise any of the above rights, write to office@lendshield.in with the subject line "Data Principal Rights Request". We will respond within 30 days of receipt of a valid request.

Where we process your data as a Data Processor on behalf of an institutional client, please direct your rights requests to that institution (the Data Fiduciary). We will support our clients in responding to such requests.

🍪
Section 09

Cookies & Tracking Technologies

Our website (lendshield.in) uses the following types of cookies and tracking technologies:

  • Strictly Necessary Cookies — Essential for the website to function (session management, security). These cannot be disabled.
  • Analytics Cookies — Used to understand how visitors interact with our website (pages visited, session duration). We use privacy-respecting analytics tools with data stored in India where possible.
  • Preference Cookies — Remember your settings and preferences to improve your experience.

We do not use advertising or behavioural tracking cookies. We do not share website visitor data with ad networks or data brokers. You can manage cookie preferences through your browser settings.

📮
Section 10

Grievance Redressal

In accordance with the Information Technology Act, 2000 and the DPDPA 2023, LendShield has designated a Grievance Officer to address privacy-related concerns. Any grievance related to this Policy should be submitted in writing to:

🏢
Grievance Officer — LendShield Technologies Private Limited

CIN: U62011GJ2026PTC180383
Email: office@lendshield.in
Subject Line: "Privacy Grievance"
Response Time: Within 30 days of receipt

If your grievance is not resolved to your satisfaction within 30 days, you may escalate to the Data Protection Board of India (once constituted under DPDPA 2023) or seek recourse under applicable Indian law.

🔄
Section 11

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the "Effective Date" at the top of this Policy
  • Post a notice on our website for a minimum of 30 days
  • Send an email notification to registered users and active clients where the change materially affects them

Your continued use of our services after the effective date of the updated Policy constitutes acceptance of the revised terms.

✉️
Section 12

Contact Us

For any questions, requests, or concerns related to this Privacy Policy, please contact us at:

📬
LendShield Technologies Private Limited

Email: office@lendshield.in
Business Hours: Monday – Friday, 9:00 AM – 6:30 PM IST

Questions About Your Data?

Our team is happy to walk you through our privacy practices and data protection measures.

Get in Touch →