GDPR Compliance

Last Updated: January 07, 2026 | Effective Date: January 07, 2026

1. Executive Summary

1.1 Document Purpose

This GDPR Compliance Document outlines CredFill's commitment to full compliance with the General Data Protection Regulation (GDPR) 2016/679 and explains how we protect the personal data of users in the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK).

Scope: This document applies to all CredFill users located in or accessing from EU/EEA/UK territories, regardless of their nationality or residence.

1.2 CredFill's GDPR Commitment

CredFill acknowledges that:

  1. GDPR grants data subjects comprehensive rights and protections
  2. Data processing must be lawful, fair, and transparent
  3. Users have rights to access, correct, delete, and port their data
  4. Automated decision-making must be subject to human review
  5. Data processors must be held accountable for security
  6. Data protection is a fundamental right

CredFill Pledge: We commit to treating all users with GDPR-standard protections, even where data is processed outside the EU/EEA.


2. CredFill's GDPR Role and Status

2.1 Data Controller Status

Definition: A data controller determines the purposes and means of data processing.

CredFill's Controller Responsibilities:

  • Determine what data to collect for service delivery
  • Decide how data is processed (storage, analysis, sharing)
  • Establish retention periods
  • Define security measures
  • Respond to data subject requests
  • Maintain compliance documentation

2.2 Data Processors and Processor Relationships

Processors Engaged by CredFill:

Processor | Purpose | Category | Data Transfer
AWS India | Cloud hosting and data storage | Infrastructure | Intra-country (India)
Microsoft Azure India | Backup and disaster recovery | Infrastructure | Intra-country (India)
Razorpay | Payment processing | Financial | Limited data (non-sensitive)
Twilio | SMS and WhatsApp API | Communications | Transactional only
CIBIL/Experian | Credit score retrieval | Credit reporting | Limited to credit data

Data Processing Agreements (DPA):

  • All processors bound by written Data Processing Agreements
  • DPA includes GDPR-required terms: purpose, data categories, security measures, breach notification
  • Processors may not engage sub-processors without CredFill's written authorization
  • Users can request a list of current sub-processors

3. Legal Basis for GDPR Processing

3.1 GDPR Article 6 Lawfulness Basis

CredFill processes personal data only when a legal basis exists under GDPR Article 6:

1. Consent (Article 6(1)(a))

When Consent Applies:

  • Marketing and promotional communications
  • Analytics and usage tracking beyond what's necessary for service
  • Automated decision-making that significantly affects you
  • Cross-service data sharing (ecosystem integration)
  • Third-party data sharing beyond service requirements

2. Contract (Article 6(1)(b))

When Contract Applies:

  • Delivering ITR filing service
  • Delivering compliance service
  • Delivering CBDO service
  • Delivering lending service

3. Legal Obligation (Article 6(1)(c))

When Legal Obligation Applies:

  • Indian Income Tax Act requirements
  • Indian GST Act requirements
  • Indian Companies Act requirements
  • AML/KYC requirements (RBI guidelines, PMLA)

4. Legitimate Interest (Article 6(1)(f))

When Legitimate Interest Applies:

  • Fraud prevention and security
  • Platform improvement and user experience optimization
  • Business analytics and performance monitoring
  • Defending against legal claims

4. International Data Transfers

4.1 Transfer Challenge

Regulatory Challenge: India is not on the EU adequacy list (EU Commission Decision). Therefore, transferring personal data from EU to India requires specific legal mechanisms.

CredFill's Situation:

  • Data controller: CredFill (India-based)
  • Data storage: India-based servers (AWS, Azure India)
  • Service delivery: Primarily for the Indian market (but accessible to EU users)
  • Result: EU/EEA user data must be transferred outside the EU/EEA

4.2 Legal Mechanisms for Data Transfer

1. Standard Contractual Clauses (SCC) - Article 46(2)(c)

CredFill uses EU-approved Standard Contractual Clauses that:

  • Establish legal framework for data transfer
  • Bind both exporting and importing entities to GDPR-equivalent protection
  • Include data processor confidentiality commitments
  • Provide comprehensive technical and organizational security measures
  • Ensure data subject rights (access, correction, deletion, portability)

2. Your Explicit Consent (Article 49(1)(a))

  • During registration, EU/EEA users provide explicit consent to data transfer to India
  • Consent is informed (includes notice of transfer, implications, and risks)
  • Can be withdrawn anytime (with effect going forward)

4.3 Supplementary Safeguards

  • Enhanced Encryption: Sensitive data encrypted before transmission with AES-256
  • Restricted Access: EU data flagged and tracked separately with access limited to employees with documented need
  • Regular Risk Assessment: Quarterly review of data protection laws in India vs. GDPR

5. Data Subject Rights (GDPR Chapter III)

5.1 Comprehensive Rights Overview

GDPR grants data subjects eight fundamental rights. CredFill commits to full compliance:

Right 1: Right to be Informed (Articles 13-14)

  • Clear, transparent privacy information
  • Explanation of data collection, purposes, and processing
  • Disclosure of rights and remedies available

Right 2: Right of Access (Article 15)

What You Can Request:

  • Copy of all personal data CredFill holds about you
  • Categories of data and sources
  • Purposes of processing and legal basis
  • Recipients of your data
  • Retention period for your data

How to Exercise: Email vikash@credfill.com with subject: "Data Access Request"

Right 3: Right to Rectification (Article 16)

You can correct inaccurate or incomplete personal data. Submit request to vikash@credfill.com.

Right 4: Right to Erasure (Article 17) - "Right to be Forgotten"

Grounds for Erasure:

  • Data is no longer necessary for the purpose collected
  • You withdraw consent and no other legal basis exists
  • You object to processing and no overriding legitimate interest
  • Data was processed unlawfully

Exceptions: Data required for legal obligations (Income Tax Act 7-year retention, GST Act 6-7 year retention, RBI guidelines 7-year retention)

Right 5: Right to Restrict Processing (Article 18)

You can restrict processing when you dispute accuracy, processing is unlawful, or while your objection is pending.

Right 6: Right to Data Portability (Article 20)

You can receive your data in structured, machine-readable format (CSV, JSON, PDF, XML) and transmit to another provider.

Right 7: Right to Object (Article 21)

You can object to processing based on legitimate interest, direct marketing, and profiling.

Right 8: Rights Related to Automated Decision-Making (Article 22)

For automated decisions with significant effect (like loan matching), you have:

  • Right to information about automated decision logic
  • Right to human intervention
  • Right to challenge the decision
  • Right to opt-out

5.2 Exercising Your Rights

Standard Process:

  1. Submit written request to vikash@credfill.com
  2. Include Account ID and proof of identity
  3. CredFill acknowledges within 5 business days
  4. Action taken within 30 days

Fees: First request per calendar year: Free. Subsequent requests: Administrative fee (Rs. 0-500)


6. Data Breach Notification

6.1 Breach Definition

A personal data breach is the unauthorized or accidental access to, disclosure of, loss of, destruction of, or alteration of personal data.

6.2 Notification Obligations (Article 33)

Within 72 hours of discovering a breach, CredFill must notify the relevant supervisory authority (DPA).

6.3 Notification to You (Article 34)

When a breach presents high risk to your rights and freedoms:

  • Email or SMS notification within 72 hours
  • Description of the breach and data affected
  • Likely consequences
  • Measures being taken
  • Contact for further information

7. Supervisory Authorities and Complaints

7.1 Your Right to Complain

GDPR guarantees your right to lodge a complaint with your national data protection authority (DPA).

7.2 National DPAs (Examples)

Jurisdiction | Authority | Website
Germany | BfDI (Federal) or State DPA | bfdi.bund.de
France | CNIL | cnil.fr
Ireland | Data Protection Commission | dataprotection.ie
UK | Information Commissioner's Office (ICO) | ico.org.uk

7.3 Right to Compensation (Article 82)

If you suffer damage from a GDPR violation, you can claim compensation from CredFill for:

  • Material damage (financial loss)
  • Non-material damage (distress, embarrassment, reputation harm)
  • Legal costs and attorney fees

8. Data Protection Officer (DPO)

8.1 CredFill's DPO

Role: Independent oversight of data protection compliance

Responsibilities:

  • Monitor GDPR compliance
  • Provide advice on data protection obligations
  • Handle data subject requests
  • Investigate complaints and breaches
  • Serve as contact point for supervisory authorities

Contact:


9. Contact Information for GDPR Matters

9.1 CredFill GDPR Contacts

Data Protection Officer (DPO):

GDPR Compliance Manager:

Customer Support (GDPR Requests):


10. GDPR Compliance Checklist

CredFill commits to the following GDPR compliance measures:

  • Privacy by Design: Data protection integrated into all services and products
  • Legal Basis Assessment: Every processing activity has clear legal basis
  • Data Minimization: Collect and process only necessary data
  • Transparency: Clear privacy notices, accessible privacy policy, understandable language
  • Data Subject Rights: Full implementation of all GDPR rights
  • Consent Management: Explicit, informed, granular consent with easy withdrawal
  • International Transfers: Use of Standard Contractual Clauses (SCC)
  • Data Protection Officer: Appointed DPO with independent oversight
  • Breach Notification: 72-hour reporting to DPA; notification to affected users
  • Security Measures: Technical and organizational safeguards (encryption, access controls)
  • Documentation: Maintain records of processing activities and compliance measures

11. Updates to GDPR Compliance

This GDPR Compliance Document may be updated:

  • When GDPR interpretation changes (EU DPA guidelines)
  • When CredFill's processing changes
  • When new certifications are obtained
  • Annually for transparency

Update Process:

  • Updated version posted with new "Last Updated" date
  • Material changes notified to EU/EEA users
  • Previous versions maintained (version history)

Document Version: 1.0

Last Updated: January 07, 2026

Effective Date: January 07, 2026

Classification: Confidential - For EU/EEA Users and Regulatory Authorities

Authority: CredFill GDPR Compliance Team and Data Protection Officer

This GDPR Compliance Document is a comprehensive guide to CredFill's data protection practices for EU/EEA users. For questions, contact vikash@credfill.com.