
Earlier today, a nine-member constitution bench of the Supreme Court declared that right to privacy is a fundamental right of Indian citizens. At the same time, a government appointed committee under the chairmanship of a former Supreme Court judge is formulating a data protection law for the country.
Similar to its emerging market counterparts, India is currently undergoing an accelerated pace of adoption of smartphones. As of August 2016, we had more than 70 brands selling smartphones for less than $100. Combined with the data affordability, an outcome of ongoing data price wars in India, millions of people are coming online for the first time. All available indicators point that the trend will continue.
It’s the consequential digital footprint that creates this millennial conundrum. The data generated from the things we buy, the services we consume, and the content we engage with starts to create digital clones of ourselves. Even the most innocuous internet jaunt tracks our behaviour and interests and uses it to feed us new content.
Considering India was a data-starved country up till a few of years ago, this digital footprint is a vastly valuable resource that can unlock a range of new services, products and opportunities for Indians while creating economic value for providers.
Another, if obvious, thing to note about the digital footprint is that it can be extremely personal. The interface between individual and internet today allows for deep-seated attributes of choices and preferences to be accessed, recorded and fossilised in real time in a way that was not possible with the traditional data.
It is no surprise then, that the issue of an individual’s privacy and data protection is gaining steam among the Indian lawmakers at the same time that millions of Indians are coming online at a rapid pace.
Outside of Supreme Court, advanced stage discourse is happening within the industry think tanks to design technical and legal infrastructures for the data heavy India of the not so distant future, geared towards empowering the individual to share their data for unlocking new & better services, while protecting their privacy and security.
What is NIRA’s take?
NIRA is in the business of offering a digital credit product to its customers. We combine traditional with new forms of data to assess creditworthiness of individuals who were previously ‘unscored’, and based on our model, extend them credit. Our customers’ interaction with NIRA will involve sharing their personal data.
We take utmost care about our customers’ privacy and their data security. The customer is the owner of their data which they share with NIRA to get access to NIRA’s products. The shared data with NIRA is used only for the purpose of providing and refining the product that the customer wants.
Here, we summarise NIRA’s privacy policy in three key messages.
1. We take customer data only when they consent to it
NIRA asks its customers for some specific kinds of data including IDs, employment and financial transactions. Some of these are required to meet the regulatory requirements from RBI, and others to help NIRA reliably assess the risk of its customers to make sound credit decisions, an imperative for any lending business. We use the data to make decisions efficiently while providing for a better customer experience.
All of this data is collected from customers is strictly based on consent.
The consent will be revocable at a later time. Should a customer choose to revoke their consent, all except the data required by a regulator or auditor will be permanently deleted. It might be accompanied with partial or complete removal of access to NIRA’s product(s), but it will be the customer’s decision.
2. We will never rent or sell our customers’ data
Without customer knowledge, we will not rent or sell their personal information to 3rd parties. In future, we may introduce new and potentially customised products for users. The level of customization will depend on the data shared.
3. Customer data is secure
When it comes to systems, our app and website encrypts data end-to-end from the origin right to the storage, using the same encryption standards that’s used by banks and during online purchases on card. Customer data will be stored in data centres within India, which are certified for many international and Indian banking security standards. It’s a testament to the security of the servers we use that it’s trusted by the CIA to run their cloud operations. The access to database would be secured through multiple layers of authentication. Only authorised mobile or website users will have access to their own data through APIs. They won’t have direct access to the database.
It is worth highlighting that the security systems and protocols themselves are evolving in time with new threats showing up swiftly followed by new solutions. When operating at scale, NIRA’s security policy will include audits on an ongoing basis to identify and close potential new sources of vulnerabilities, either related to systems or internal processs.
The privacy debate itself is going to evolve in time as digital lives become richer and the merits of use of digital data are tested against its threats. It is going to be a journey. We think this is a start of an ongoing conversation between NIRA and its customers.

