Last updated: 1 Oct 2025
Meghdoot Mercantile Private Limited is an NBFC-BL registered with the Reserve Bank of India, holding a valid Certificate of Registration.
CIN: U51909WB1996PTC076952
Registered Office: 3C, 11th Floor, 10 Industry House, Camac Street, Park Circus, Kolkata-700017 (W.B)
We, at Meghdoot Mercantile Private Limited, an RBI-approved NBFC (“Meghdoot” or “We”), understand privacy and its value. Therefore, it is important for us to make You (“You” or “Customer” or “User”), who access our loan products through our approved Digital Lending Apps (DLAs) and Lending Service Providers (LSPs)—including Fatafat Loans (DLA) and CreditSea (LSP)—(collectively, the “Platform”), understand the reason behind collection of your information and its usage and the manner in which we collect, use, store and share information about you (this “Privacy Policy”).
This Privacy Policy has been prepared in compliance with:- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- Digital Lending Directions 2025 issued by the Reserve Bank of India (RBI)
- Digital Personal Data Protection Act, 2023
- Other applicable acts, regulations and rules which require the publishing of a privacy policy for handling of or dealing in personal information including sensitive personal data or information and all applicable laws, regulations, guidelines provided by applicable regulatory authorities including but not limited to the RBI
CONSENT
1. General Consent- You hereby provide your explicit, informed, and freely given consent for the collection, processing, storage, sharing, and usage of your data by MEGHDOOT MERCANTILE PRIVATE LIMITED (“Meghdoot”), and, where applicable, by our authorized DLAs/LSPs (e.g., Fatafat Loans, CreditSea) acting on our behalf, solely for the purposes described in this Privacy Policy, and in compliance with applicable Indian laws and regulations.
- Your consent is obtained through clear and auditable means, including (but not limited to) SMS-based consent, OTP-based confirmation, electronic forms, and in-app notifications, depending on the nature of the data being collected.
- We will never collect or use any personal data, financial data, or device-level data without your specific consent for that category of data.
2. SMS- We may, with your explicit consent, read the headers of SMS to determine the type of sender.
- We only read indicative content from recognised 6-digit alphanumeric financial senders for verification purposes.
- Pertinent information (e.g., sender name, indicative content, timestamp) may be collected solely for providing financial and allied services and shared only with our regulated entity and contracted service providers for these purposes.
- We do not read or analyse personal messages or OTPs, except OTPs sent by us for authentication while the app is installed.
- This data may be used to verify financial statistics (income/spend patterns), assist in credit evaluation, enable higher limits/faster approval and detect/prevent fraud.
3. Installed Apps- Our partner apps operating on our behalf may collect the list of installed and system applications on your device and securely share it with our trusted processor, Credeau (www.credeau.com), which provides device-intelligence services to Meghdoot (data controller).
- This data is used to detect potential fraud (e.g., VPNs, gaming or other high-risk apps) and to assess risk more accurately, enabling faster approvals and suitable credit limits.
- The data is collected only after your explicit consent, stored in India, and is not sold.
4. Location & Device Permissions (accessed via Partner Apps)- Location (with consent): collected one-time or as permitted to support:
- serviceability of loan applications
- risk reduction in loan application processing
- providing pre-approved/customised loan offers
- address verification, better credit risk decisions, and KYC purposes
- Device information (limited): device model, OS version, available RAM/storage, network status.
- We do not collect permanently identifiable device numbers (e.g., IMEI, serial numbers).
5. Phone StateWe may request Phone State permission strictly to verify the devices active SIM and network status at the time of onboarding and disbursement, helping us ensure that the transaction corresponds to the rightful customer and is not spoofed.
Your consent specifically includes:- Collection of information required for credit assessment and underwriting of loan products and value-added services.
- Access to your mobile device’s location, camera, and microphone only for e-KYC or video KYC verification purposes.
- Access to your credit bureau data, bank statements, GST returns, and related information (only after express consent for each instance).
- Secure sharing of personal data with regulated entities and service providers for service delivery.
You may withdraw consent anytime by contacting our Grievance Officer or through Platform settings. Withdrawal will not affect prior lawful processing but may impact your ability to access certain services.
We ensure disclosure of the identity of Regulated Entities (RE), Lending Service Providers (LSP), and Digital Lending Apps (DLA) at every stage (platform interface, sanction letter, KFS, loan agreement).
COLLECTION OF INFORMATION
The collection of information is solely for delivering regulated digital lending and non-lending services, in line with:
- RBI Digital Lending Directions, 2025
- Digital Personal Data Protection (DPDP) Act
- IT Act and Rules
Part A: Lending Services – Information for loan facilitation, underwriting, sanction, and disbursal.
Part B: Non-Lending Services – Information for user registration and value-added services.
Categories of Information Collected
User Personal Information – full name, email ID, PAN, address, mobile number, postal code, banking details
Social Account Information – if you register using a Google account, we collect your email ID and public profile details (name, email)
Device Information & Installed Apps Data – unique identifiers, log information (IP, crashes, search queries, date/time), performance data, diagnostic data (used for app functionality, troubleshooting, updates, and a customized experience)
Location, Camera, Microphone Access – location for address verification/KYC; camera for document scanning/e-KYC
Third-Party Information – credit bureau data; KYC/payments providers (e.g., Cashfree, HyperVerge); bank account/UPI details for repayments
User-Provided Information – form submissions, registration details, correspondence, loan applications, KYC documents, etc.
Data Storage & Non-Personal Data – storage only in India (basic personal info retained); aggregated analytics (demographics, usage, behaviour); cookies for identification and user experience improvement
Note: A detailed list of third-party API providers is available in our vendor register and may be provided upon request; integrations are governed by contracts and compliance reviews.
PURPOSE OF COLLECTION & USE OF INFORMATION
We use collected information to:
- Verify identity and complete KYC (as per RBI rules)
- Assess creditworthiness and loan eligibility
- Process loan applications, documentation, disbursement (performed only by Meghdoot), and repayment
- Provide loan servicing, repayment reminders, and financial literacy support
- Detect/prevent fraud, money laundering, terrorism financing, and unlawful activities
- Troubleshoot, resolve disputes, and improve safety
- Deliver personalized experiences, offers, and targeted communications
DISCLOSURE AND SHARING OF INFORMATION
We may share your information with third parties, strictly on a need-to-know basis, and only for lawful purposes:
With RBI-Registered Financial Institutions: We may share your KYC data, credit-related information, repayment behaviour, and other required personal details with RBI-registered NBFCs, banks, or other regulated financial entities to provide you with loan products and related financial services.
With DLAs/LSPs (e.g., Fatafat Loans, CreditSea): Where they act as our facilitators/service providers, they process data on our behalf under confidentiality and data-protection obligations. DLAs/LSPs are not permitted to store borrower data beyond what is necessary for immediate processing.
With Service Providers: We may employ third-party service providers (technology infrastructure, KYC providers, payment gateways, customer support, credit bureau interfaces, fraud-prevention tools, and analytics).
With Credit Bureaus: With your explicit consent, we may share your loan performance details with licensed credit bureaus, which may impact your credit score/profile.
For Legal Compliance: We may disclose personal information if required by law or in good faith to respond to court orders, subpoenas, notices, or other legal processes.
For Corporate Transactions: In the event of a merger, acquisition, sale of assets, restructuring, amalgamation, or financing, your data may be transferred to the successor entity, subject to confidentiality obligations and applicable law.
We will not sell or rent your personal information to any third party without your explicit consent.
DATA RETENTION POLICY
All personal and financial data collected from you is retained only as long as necessary to fulfil the purposes outlined in this Privacy Policy or as required by applicable law, whichever is longer.
As mandated under the RBI’s Digital Lending Guidelines, no personal information, financial information, or device data collected through DLAs/LSPs (e.g., Fatafat Loans or CreditSea) shall be stored by such DLAs/LSPs beyond immediate processing. All such data is stored only with the Regulated Entity, i.e., Meghdoot Mercantile Private Limited, in servers located in India.
Retention timelines:- KYC and credit underwriting records: minimum 10 years (as per PMLA requirements)
- Loan documentation and repayment records: minimum 8 years after closure
- Customer grievances and correspondence: minimum 5 years
- Non-personal aggregated data: retained indefinitely for research/analysis
Data may be retained for longer periods if required for legal, regulatory, or audit purposes.
THIRD-PARTY LINKS, SDKs, AND TECHNOLOGY PARTNERS
The Platform may include links to third-party websites or SDKs for delivering services such as:
- e-KYC verification
- OTP-based authentication
- digital signatures
- payment gateways
- credit bureau integrations
- analytics and performance monitoring
While we ensure that third-party SDKs/partners are compliant with applicable Indian laws and RBI guidelines, we do not control their privacy practices. We encourage you to review their respective privacy policies when you interact with them through our Platform.
Meghdoot exercises due diligence in onboarding and monitoring partners, including confidentiality agreements, data-protection clauses, and audit rights.
COOKIES AND TRACKING TECHNOLOGIES
We use cookies, pixel tags, and similar technologies to enhance your browsing experience, analyse user traffic, and provide customized content.
You may disable cookies from your browser settings, but certain features of the Platform may not function properly if cookies are disabled.
We do not permit third-party advertising cookies or behavioural trackers on our lending apps/websites, in compliance with RBI Digital Lending Guidelines.
SECURITY PRACTICES AND PROCEDURES
We maintain strict physical, electronic, and procedural safeguards to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
- Encryption in transit and at rest, using industry-standard protocols
- Data storage limited to secure servers physically located in India
- Payment information is not stored by us; card/bank/UPI data is processed directly by authorized PCI-DSS-compliant payment gateways
- Role-based, monitored, and logged access to sensitive data
- Regular internal audits, vulnerability assessments, and penetration tests
- Employees/service providers bound by confidentiality agreements
Despite best efforts, no transmission over the Internet or storage system can be guaranteed as 100% secure. By using the Platform, you acknowledge this inherent risk.
USER RIGHTS
As a User of the Platform, you are entitled to the following rights under the Digital Personal Data Protection Act, 2023 and RBI’s Digital Lending Guidelines: Right to Access, Rectification, Withdraw Consent, Erasure (subject to statutory retention), Restrict Processing, Data Portability, and Grievance Redressal.
We will process such requests in accordance with applicable Indian laws. To exercise your rights, please contact our Grievance Officer (details below).
GRIEVANCE OFFICER
In accordance with the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, and the RBI’s Digital Lending Guidelines, the name and contact details of the Grievance Officer are provided below:
The Grievance Officer shall acknowledge your complaint within 24 hours of receipt and endeavour to resolve the same within 30 days, as per applicable regulatory framework.
DISPUTE RESOLUTION AND JURISDICTION
Disputes will be resolved through a two-step Alternate Dispute Resolution (ADR) mechanism that shall survive termination/expiry of this Policy.
Mediation: Parties shall attempt amicable resolution within 30 days.
Arbitration: Failing which, disputes shall be referred to arbitration under the Arbitration and Conciliation Act, 1996, conducted by a sole arbitrator appointed by Meghdoot Mercantile Private Limited. Proceedings in English; seat at New Delhi, India. Award final and binding. Courts at New Delhi, India shall have exclusive jurisdiction for residual matters.
GOVERNING LAW
This Privacy Policy shall be governed by, interpreted, and construed in accordance with the laws of India, without regard to conflict of law principles.
UPDATES TO THIS PRIVACY POLICY
Meghdoot reserves the right to amend, modify, or update this Privacy Policy at any time. The revised Privacy Policy will be posted on the Platform with an updated “Last Modified” date.
Continued use signifies your acceptance of the modified Privacy Policy.
ACKNOWLEDGEMENT
By accessing the Platform and availing services of Meghdoot Mercantile Private Limited through our approved DLAs/LSPs (e.g., Fatafat Loans, CreditSea), you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy.