PRIVACY POLICY
Loanvittus.com
Operated by: Vittus Fintech Private Limited
Last Updated: 16 April 2026
1. Introduction
This Privacy Policy (“Policy”) explains how Vittus Fintech Private Limited (“Company”, “we”, “us”, “our”) collects, uses, stores, shares, and protects personal data of users (“you”, “your”) when you access or use the website www.loanvittus.com, any related mobile application, or any service we provide (together, the “Platform”).
We operate the Platform as a Lending Service Provider (LSP) and Digital Lending App (DLA) under the Reserve Bank of India (Digital Lending) Directions, 2025 (“RBI DLD 2025”). For the purposes of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Company is the Data Fiduciary in respect of personal data collected through the Platform, and you are the Data Principal.
This Policy should be read together with our Terms & Conditions, Fair Practice Code, Disclaimer, and Grievance Redressal Policy.
2. Scope and Consent
By providing your personal data on the Platform, you give your free, specific, informed, unconditional, and unambiguous consent to the collection and processing described in this Policy, in the manner required by the DPDP Act. You may withdraw consent at any time by writing to our Grievance Officer; the consequences of withdrawal, including inability to continue with a loan application, are explained in Section 10.
Wherever specific processing requires a purpose-specific consent (for example, credit bureau checks, sharing with a specific lender, or marketing communications), we will obtain that consent separately through a distinct, clearly worded notice within the Platform.
3. Personal Data We Collect
We collect only data reasonably necessary for the purposes stated in Section 5.
3.1 Identity and Contact Data
Name, date of birth, gender, PAN, masked Aadhaar (via DigiLocker / Offline XML only), residential and business address, mobile number, email address, photograph (for video-KYC).
3.2 Financial Data
Monthly income, employment details, business turnover and vintage, GSTIN, bank account number and IFSC (for disbursal), ITR / financial statements (where applicable), existing credit obligations, and credit bureau reports.
3.3 Transaction and Usage Data
Loan products viewed, applications submitted, EMI / eligibility calculator inputs, DPR / CMA inputs, communications with us, and service history.
3.4 Device and Technical Data
IP address, device identifier, operating system, browser type, app version, approximate geolocation (derived from IP), cookies, and session logs – used for security, fraud prevention, and Platform analytics.
3.5 Device Permissions (Mobile Application, where applicable)
Our DLA will request only the minimum permissions necessary:
• Camera – for video-KYC and document upload
• One-time SMS (OTP auto-read) – for OTP verification, limited strictly to OTP messages
• Storage (scoped) – for uploading documents you choose
We do not access your contacts, phone gallery, call logs, media files, or background location. This is in line with the RBI DLD 2025.
3.6 Sensitive / Special Categories
We do not process information about your religion, caste, political opinion, or biometric data, except masked Aadhaar strictly for KYC.
3.7 Children’s Data
The Platform is not intended for persons under 18. We do not knowingly process the personal data of minors. If you believe a minor has submitted data, please contact the Grievance Officer for deletion.
4. How We Collect Data
(a) Directly from you – when you register, complete KYC, upload documents, fill loan or DPR/CMA forms, or contact support.
(b) Automatically – through cookies, analytics tools, and server logs when you use the Platform.
(c) From third parties – credit information companies (TransUnion CIBIL, Experian India, Equifax India, CRIF High Mark), partner REs, KYC / verification agencies, DigiLocker, Account Aggregators (only with your explicit consent), and government databases accessed through authorised APIs.
5. Purposes of Processing
| Purpose | Description |
| Loan facilitation | Enabling your loan enquiry, application, and communication with partner REs |
| KYC and identity verification | Compliance with PML Act, 2002 and RBI KYC Master Directions |
| Credit assessment | Sharing your data with credit bureaus and the relevant RE for eligibility and underwriting |
| Non-lending services | Generating Detailed Project Reports (DPR), CMA Data, Subsidy Assessment, and providing Business Consultation |
| Platform operation | Account creation, authentication, fraud prevention, security monitoring |
| Service communications | Transactional SMS / email / WhatsApp regarding your application, documents, or support requests |
| Legal and regulatory compliance | Record-keeping, reporting to RBI, responding to lawful requests from authorities |
| Analytics and improvement | Aggregated, de-identified analysis to improve the Platform |
5.1 No Cross-Marketing Without Separate Consent
We will not use personal data collected for loan facilitation to market other financial products or services without your separate, express, purpose-specific consent, captured independently of the loan application consent. You may withdraw marketing consent at any time without affecting any loan in progress.
6. Sharing of Personal Data
We share personal data only where necessary for the purposes above, and only with the categories of recipients listed below:
| Recipient | Purpose |
| Partner REs (banks, NBFCs – list at /partner-lenders) | Loan application processing, underwriting, disbursal, servicing |
| Credit information companies | Credit report generation and reporting |
| KYC and verification agencies | Identity, address, employment, income verification |
| Payment system providers / Account Aggregators | Disbursal, repayment routing (directly between RE and borrower), consented financial data sharing |
| Technology service providers | Cloud hosting, analytics, communication, customer support – under strict data processing agreements |
| Regulators, law-enforcement, and courts | Where required by law or valid legal process |
We do not sell your personal data to any third party.
6.1 Account Aggregator Framework
Where you choose to share financial data through the Reserve Bank of India’s Account Aggregator (AA) framework, consent is captured exclusively through the dedicated consent artefact of the RBI licensed AA you have selected. The consent artefact records the Financial Information User (FIU) – which will be the Company or the relevant partner Regulated Entity – along with the data categories, purpose, frequency, and duration of access.
You may revoke or pause your AA consent at any time through the AA application. Revocation stops all future data fetches under that consent; data already received under a valid consent will continue to be governed by this Policy and retained in accordance with Section 9 (Data Retention). AA-sourced financial information is used only for the purposes for which consent was given and is not shared further except as described above.
7. Direct Disbursal - No Funds Handling
In line with RBI DLD 2025, all loan disbursals flow directly from the partner RE to your verified bank account, and all repayments flow directly from you to the RE. The Company does not operate any pool, nodal, or escrow account through which borrower funds pass.
8. Data Storage, Localisation, and Security
8.1 Location: Personal data is stored on servers located within India, in accordance with RBI data localisation requirements.
8.2 Security measures: We use industry-standard technical and organisational safeguards, including TLS / SSL for data in transit, encryption at rest for sensitive fields, role-based access controls, network and application firewalls, logging and monitoring, periodic vulnerability assessments, and annual security audits by qualified assessors.
8.3 No system is perfectly secure: While we take reasonable steps to protect your data, no electronic transmission or storage is fully immune to risk. You are responsible for maintaining the confidentiality of your login credentials.
8.4 Breach notification: In the event of a personal data breach, we will notify affected Data Principals and the Data Protection Board of India in the manner and within the timelines required under the DPDP Act. In parallel, where the incident constitutes a reportable cyber-security incident, we will notify the Indian Computer Emergency Response Team (CERT-In) within the timelines specified under the CERT-In Directions dated 28 April 2022, including the six-hour reporting requirement for specified incident categories.
9. Data Retention
We retain your personal data only as long as necessary for the purposes for which it was collected and for the retention periods required by law:
| Data Category | Retention Period |
| KYC records | 10 years after loan closure or account closure, per Rule 10 of the PML (Maintenance of Records) Rules, 2005 |
| Loan application and servicing data | Credit evaluation |
| Transaction logs (IT-side) | Loan disbursement |
| Unsuccessful / withdrawn applications | Risk assessment |
| Marketing consent records | Until consent is withdrawn, plus 2 years for audit trail |
On expiry of the retention period, data will be securely deleted or irreversibly anonymised.
10. Your Rights as a Data Principal (DPDP Act, 2023)
You have the following rights in respect of your personal data:
| Right | What it means |
| Right to access | Obtain a summary of personal data we process about you and the processing activities |
| Right to correction and erasure | Correct inaccurate data, complete incomplete data, update outdated data, and erase data no longer required (subject to legal retention obligations) |
| Right to withdraw consent | Withdraw consent at any time. Withdrawal does not affect processing done before withdrawal |
| Right to grievance redressal | File a complaint with our Grievance Officer (Section 14) and escalate to the Data Protection Board if unresolved |
| Right to nominate | Nominate an individual to exercise your rights in the event of your death or incapacity |
To exercise any right, write to grievance@loanvittus.com with the subject line “DPDP Rights Request.” We will respond within the timelines prescribed under applicable law.
Consequences of withdrawal or deletion. If you withdraw consent or request deletion during an active loan process, we may be unable to continue processing your application; data required by law or by the partner RE’s record-keeping obligations will continue to be retained for the mandated period.
11. Aadhaar Handling
We collect Aadhaar data only through DigiLocker or Aadhaar Offline eKYC (XML / QR) and in masked form, in compliance with the Aadhaar Act, 2016 and UIDAI regulations. Aadhaar numbers are not stored in full, not used as a primary identifier, and not shared with any entity other than as permitted by the Aadhaar Act.
12. Cookies
The Platform uses cookies and similar technologies for session management, preferences, analytics, and fraud prevention. We classify cookies into the following categories:
Essential / Strictly necessary. Required for core Platform functionality – session management, authentication, security, CSRF protection, and load balancing. These cannot be disabled without breaking the Platform.
Analytics / Performance. Help us understand how users interact with the Platform so that we can improve it. You may disable these through the cookie consent banner or your browser settings.
Functional / Preferences. Remember your preferences such as language and display choices. Optional; you may disable these.
Marketing / Advertising. Used only where you have given separate, explicit marketing consent. Off by default. May be withdrawn at any time through the cookie banner or by writing to grievance@loanvittus.com.
A standalone Cookie Policy may be issued separately; where published, it will be linked here. Disabling non-essential cookies will not affect your ability to use the Platform for its primary purpose, but some features may not function as intended.
13. Third-Party Links
The Platform may link to partner RE websites, government portals (e.g., Udyam, PMEGP, UIDAI), and other third-party resources. We do not control, endorse, or take responsibility for their privacy practices. Please review their privacy policies separately.
14. Grievance Officer / DPDP Contact
For any question, concern, consent withdrawal, or exercise of rights under this Policy:
| Grievance Officer | Vittus Fintech Private Limited |
| Name | Jaiyash Bhutada |
| Designation | CA |
| Email | grievance@loanvittus.com |
| Phone | +91 7620469659 |
| Working hours | Monday to Saturday, 10:00 AM – 6:30 PM IST (Sunday closed) |
| Registered office | 377, Nakshatra, 2nd Floor, Block B, Gandhi Nagar, Nagpur – 440010 |
We acknowledge every request within 48 hours and resolve within 30 days. If your complaint is not resolved satisfactorily, you may escalate to:
- RBI Complaint Management System: https://cms.rbi.org.in
- Sachet Portal (RBI): https://sachet.rbi.org.in
- Data Protection Board of India (under the DPDP Act, 2023, once operational)
15. Business Transfer
In the event of a merger, acquisition, investment, reorganisation, or transfer of all or substantially all of our assets, your personal data may be transferred to the successor entity, subject to the same level of protection under this Policy.
16. Force Majeure
We will not be in breach of this Policy to the extent that performance is prevented or delayed by causes beyond our reasonable control, including acts of God, natural disasters, pandemics, state-sponsored cyber-attacks, failures of telecommunication or internet infrastructure, regulatory action, or civil unrest. This clause does not limit our statutory obligations, including breach-notification obligations under Section 8.4.
17. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified via the Platform and through the “Last updated” date at the top. Continued use of the Platform after an update constitutes acknowledgement of the revised Policy.
18. Governing Law and Jurisdiction
This Policy is governed by the laws of India. Subject to applicable consumer protection laws and the DPDP Act grievance mechanism, the courts at Nagpur, India shall have exclusive jurisdiction.
Vittus Fintech Private Limited
CIN: U66190MH2026PTC465595
Registered Office: 377, Nakshatra, 2nd Floor, Block B, Gandhi Nagar, Nagpur – 440010
Email: grievance@loanvittus.com | Phone: +91 7620469659