You needed a loan. Maybe it was for a home. Maybe a medical emergency, a wedding, a business. You did what anyone does - you went online, searched for the best rate, and filled out an eligibility form.
‍

Name, Mobile number, Monthly income - How much you need & clicked on submit.
‍

Within the hour, your phone started ringing.

First it was the lender you expected,
Then another lender you did not contact,
Then a broker,
Then someone offering insurance you never asked about.

A week later, a call about a credit card.
A month later, someone who already knows your approximate salary and the fact that you were looking for a loan, but cannot tell you where they got that information.
‍

You registered on DND. The calls slowed for a day or two. Then they came back.

Sound familiar?

This is not bad luck. This is not your phone being hacked.

This is the loan lead-generation system in India working exactly as it was built to and it is a system that DPDPA is now starting to hold accountable.

6.4 crore loan applications in six months. Each one a data record.

India's digital lending market has grown at a pace that is hard to picture.

In just the first half of FY 2025-26, digital lenders sanctioned 6.4 crore personal loans worth Rs 97,381 crore and that is 80% of all personal loan volumes in the country by number, according to FACE's Digital Personal Loans Market Report based on CRIF High Mark data.
‍

As of September 2025, 5.99 crore digital personal loan accounts were active, with a total outstanding value of Rs 1.28 lakh crore.

Between FY23 and FY24 alone, active personal loans grew from 95.18 million to 127.78 million and a 34.3% jump in one year, per CRIF High Mark's How India Lends FY24 report.

Every single one of those loan journeys started the same way: someone filled out a form. Typed in their name, mobile number, income, and what they needed. That moment, that form submission is where the calls begin.

What actually happens after you hit submit

Here is the part most borrowers do not know.

When you fill out a loan eligibility form on a comparison website, a fintech app, or a bank's website and your data does not go to just that one place and stop.

In most cases, it enters a distribution chain. And the first stop in that chain is often a DSA platform.

DSA stands for Direct Selling Agent. A DSA is not a lender. They are an intermediary, an agent or a company that sources loan applicants and passes them to lenders in exchange for a commission when a loan is disbursed. Think of them as the middlemen between you and the banks.

Here is the critical part: a single DSA platform can be registered with 150 or more banks and NBFCs simultaneously through one agreement. So when you submit your enquiry through a comparison portal or an app that is running on a DSA's backend, your data does not go to one lender. It potentially becomes accessible to every lender in that network.

That is how three different banks can call you within thirty minutes of each other. You did not contact three banks. You contacted one form.

Beyond DSAs, there is an active market for loan lead data. Vendors on IndiaMART openly advertise verified loan seeker databases - PAN India, segmented by loan type, income bracket, employment category, CIBIL score range, and city which are sold to banks, NBFCs, fintech companies, DSA networks, and telecalling teams. Data is delivered by email, WhatsApp, or Google Drive within 24 to 48 hours of purchase.

This is not a grey market. It is a visible, commercially active, publicly listed ecosystem. Your enquiry with your name, mobile number, income, how much you wanted to borrow, and your approximate CIBIL range is a product in that market.

The chain looks like this:

You fill out a form → DSA platform shares with 150+ lenders → lenders pass to sub-agents and brokers → brokers sell to affiliated vendors → insurance sellers, credit card teams, and telecallers start calling

Each person in that chain has their own copy of your record. Each has their own CRM. Each has their own idea of what they are allowed to do with your data. None of them have a way to tell you exactly how they got it.

‍

Why the calls do not stop — even after you say 'NO'

You told one lender to stop calling.
But you did not tell the other twelve parties who already have your number.

You registered on TRAI DND by sending "START 0" to 1909. DND works by blocking calls from registered telemarketers. But here is the loophole: once you have submitted a loan enquiry, many of the subsequent calls can be classified as a follow-up on your existing request not an unsolicited commercial call. That classification removes them from the DND filter entirely.

And even for the calls that are clearly unsolicited, DND only stops the caller you report. It does not reach back through the chain and suppress your record everywhere else it has already been shared.

Think of it this way: DND is like asking one vendor at a market to stop shouting at you. It does not remove your name from the list that was already distributed to fifty other vendors.

The numbers show how badly this is failing:
‍

• Indians received 4,168 crore spam calls in 2025 (Truecaller India Insights Report 2025)
• India ranked 5th most spam-affected country globally and 66% of unknown calls were identified as spam or fraud
• Financial services calls - loan offers, credit cards, investment pitches made up 18% of all spam calls in India (Truecaller Global Spam Report 2025)
• TRAI received 3.11 million complaints about unsolicited commercial communication in 2025, issued 7.31 lakh notices to violators, and disconnected over 21 lakh telecom resources cumulatively since August 2024
• The TRAI DND app saw 84.43% growth in installations in 2025 which tells you exactly how many people are desperately trying to make it stop
  ‍

The problem is not that the regulation does not exist.
The problem is that opting out of one caller does not cascade through a chain that was never designed to receive opt-outs.

‍

What the law now says about this

Under India's Digital Personal Data Protection Act, data collected for a specific purpose can only be used for that purpose.

When you filled out that loan eligibility form, the stated purpose was: assess your eligibility for a loan. That is it.

Using your data to sell insurance is not incidental to evaluating your loan eligibility. Passing your record to a third-party telecalling team three months later is not incidental to evaluating your loan eligibility. Selling your CIBIL range, income, and mobile number to a credit card company is not incidental to evaluating your loan eligibility.

The RBI has been saying a version of this for years. Its 2022 Digital Lending Guidelines required regulated entities to ensure that data collection is need-based, with prior and explicit consent, and with an audit trail. Its updated Digital Lending Directions of May 2025 reinforced this with data collection must be purpose-specific, consent-based, and minimal.

And yet the calls continue.
‍

The gap is not in what the law says. The gap is in what companies can prove. Most lenders and DSAs cannot tell you:
‍

• Where each lead record originally came from
• What the borrower was told when the data was collected
• Which parties have received that record since
• Whether the borrower has opted out anywhere in the chain

That is the provenance gap. And under DPDPA, that gap carries real consequences.

‍

What lending companies need to audit

Many lending teams currently treat lead procurement as a commercial decision. Cost per lead. Freshness of the list. Geographic coverage. Conversion rate.

Those are useful questions. But they are no longer enough.

Before DPDPA enforcement tightens, every lead procurement decision needs a second layer of questions:

• What form or platform did this borrower interact with and what did that form say about how their data would be used?
• Does the consent obtained at collection cover cross-selling, resale, or affiliated outreach?
• Can the vendor actually show you the consent record not just tell you it is compliant?
• If this borrower tells you to stop calling them, can you suppress them across every party you have shared their data with?
• If a regulator asks you to show how you obtained this record, what can you produce?

"The lead vendor said it is compliant" is not an audit trail.

"The borrower filled out a form" does not establish what that form permitted.

"We bought it from a marketplace" does not transfer the consent obligation to the seller.

Under DPDPA, the data fiduciary typically the lender or the platform bears primary responsibility. The fact that a DSA or a lead vendor collected the data does not make that their problem alone. It remains your obligation.

‍

What you can do as a borrower

You cannot fully control this system. But you can make it harder for the chain to follow you.
‍

• Before you submit any loan enquiry, scroll to the privacy notice and check what it says about sharing your data with third parties
• Consider using a secondary mobile number specifically for financial enquiries and one that is not linked to your primary WhatsApp or social accounts
• Register on DND (SMS "START 0" to 1909), it will not stop everything, but it reduces volume
• When an unsolicited caller says they are following up on your loan enquiry, ask them directly: which platform or form did you get my number from? A legitimate caller should be able to answer. Most cannot
• If they cannot name the source, report the number via the TRAI DND app
• Keep a note of opt-out requests and whether calls actually stopped

This creates evidence. And evidence matters more than you might think, as DPDPA enforcement develops.

‍

What we are not claiming

• We are not claiming every lender, DSA, aggregator, or broker handles loan enquiry data improperly.
• We are not claiming every post-enquiry call is a DPDPA violation.
• We are not claiming that loan lead marketplaces are inherently illegal.
• We are not naming any specific company as misusing data unless separately verified.
• We are not giving legal advice.

‍

We are saying something specific: when your loan enquiry data is used for outreach beyond the original stated purpose, or passed to parties you were not told about, the companies doing so are carrying a data liability that is becoming harder to ignore.

‍

Audit your loan lead data with Neostra

The lending sector is one of the highest-risk areas for data provenance gaps in India. Lead data flows through aggregators, DSAs, sub-DSAs, affiliated brokers, and resellers at each handoff, consent and purpose records rarely travel with it.

If your company sources, buys, receives, or acts on loan lead data, one question matters:

Can you prove what the borrower was told, what they consented to, and what authorises every use your team makes of that data?

Start your DPDPA readiness audit - DPDPA Readiness Program (Free Access)

‍

Sources
‍

1. FACE / CRIF High Mark - Digital Personal Loans Market Report, H1 FY25-26, December 2025 - https://www.businesstoday.in/personal-finance/news/story/digital-lending-rises-rs-97381-cr-sanctioned-in-digital-loans-as-online-lending-captures-80-market-share-504840-2025-12-03
2. Business Standard - Digital NBFCs record nearly half of all outstanding personal loans, December 2025 - https://www.business-standard.com/industry/news/digital-nbfcs-record-nearly-half-of-all-outstanding-personal-loans-125120301159_1.html
3. CRIF High Mark - How India Lends FY24 - https://www.marketsandata.com/industry-reports/india-personal-loan-market
4. Truecaller - India Insights Report 2025 - https://www.indiatvnews.com/technology/news/truecaller-india-reported-over-4100-crore-spam-calls-in-2025-2026-02-12-1030019
5. Truecaller - Global Spam Report 2025 - https://www.voicendata.com/telecom/india-fifth-most-spam-hit-market-globally-66-calls-flagged-11802470
6. TRAI - Annual UCC Enforcement Update 2025 - https://ddnews.gov.in/en/trai-cracks-down-on-spam-telemarketers-issues-over-7-lakh-notices-in-2025/
7. TRAI - DND ecosystem update 2025 - https://www.businessvibesofindia.com/grip-on-spam-calls-tightened-by-trai/
8. RBI - Guidelines on Digital Lending, September 2022 - https://rbidocs.rbi.org.in/rdocs/notification/PDFs/GUIDELINESDIGITALLENDINGD5C35A71D8124A0E92AEB940A7D25BB3.PDF
9. RBI - Digital Lending Directions, May 2025 - https://www.lexology.com/library/detail.aspx?g=b5bc9efb-1199-41ee-bc2d-4a149573793b
10. Mondaq - DPDPA Compliance for NBFCs, January 2026 - https://www.mondaq.com/india/privacy-protection/1733676/dpdp-act-compliance-for-physical-and-digital-lending-nbfcs
11. MeitY - DPDPA Gazette notification, November 2025 - https://www.meity.gov.in/static/uploads/2025/11/c56ceae6c383460ca69577428d36828b.pdf