Every year, over 1.8 lakh companies are registered in India through the Ministry of Corporate Affairs. Shortly after incorporation, founders consistently report receiving unsolicited calls and emails from banks, vendors, and brokers despite never sharing their contact details with these parties. This article traces the likely MCA data path, identifies the provenance gap in India's B2B data supply chain, and explains what the Digital Personal Data Protection Act requires companies to prove before the enforcement deadline.
‍

For Neostra, this is not just a founder annoyance. It is a data provenance problem.

If a business buys, imports, enriches, or reuses personal data for outreach, it should be able to prove where the record came from, what purpose allows its use, who handled it, how long it is retained, and whether opt-outs can be honoured across the chain.
‍

The practical question is no longer just: "Can we reach this person?" It is: "Can we prove why we are allowed to use this personal data?"

What founders have observed and what an RTI confirmed

Founders have publicly reported unsolicited outreach shortly after incorporation. BestMediaInfo reported in July 2025 that entrepreneurs were seeing promotional emails and calls from banks, insurance sellers, courier services, IT vendors, and others soon after company registration. Taxscan later reported on an RTI request to MCA about access to directors' personal contact information, including mobile numbers, email IDs, and addresses.
‍

According to Taxscan's report, MCA said it does not share personal contact information of directors with private entities except for purposes connected to ease of doing business during incorporation and with the consent of concerned directors.
‍

That answer makes the downstream question sharper: if a company receives a contact record and uses it for outreach, can it show the source and permission trail?

Public corporate record is not a marketing permission, why DPDPA treats them differently

Corporate registries serve a legitimate purpose. Investors, creditors, regulators, journalists, vendors, and citizens need ways to verify companies and statutory filings.
‍

But public corporate transparency and personal-data reuse are not the same thing.

A company name, incorporation date, registered address, or director name may be available through public or statutory records.

That does not automatically explain:

• Why a personal mobile number is used for promotional calls
• How an email address entered a marketing campaign
• Why a record is retained indefinitely
• Why the person cannot find out where the outreach came from

This is the gap companies need to audit.

‍

The likely MCA data path: how incorporation records become sales leads

We are not claiming one single path explains every call or email. But the common risk pattern looks like this:

MCA / public company record → data aggregator or scraper → enriched director profile → lead list / API / CRM import → bank / vendor / broker outreach

The risk often sits in the fields around the public company record:

• Personal mobile number
• Personal email address
• Residential address
• WhatsApp availability
• Inferred role
• Enrichment source
• Consent or provenance status
• Suppression or opt-out history

If a sales or growth team cannot explain those fields, it cannot explain the outreach.

‍

The DPDPA evidence deadline: what companies must prove

Several core provisions of India's Digital Personal Data Protection Act are scheduled to come into force eighteen months from the November 13, 2025 Gazette notification. For companies planning privacy operations, that points to a readiness window that is already closing.

These three answers will not constitute an audit trail under DPDPA:

• "The vendor said it is compliant."
• "It is public data."
• "Everyone in the industry uses this."

‍

Data provenance audit checklist for Indian companies

Many teams treat lead sourcing as a procurement decision asking whether a list is fresh, relevant, and includes phone numbers. Those are commercial questions. They are not enough.
‍

Before enforcement, companies should add provenance questions to every sourcing decision:

• Where did each record come from?
• Was it collected directly, purchased, scraped, enriched, inferred, or received from a partner?
• What notice was given to the individual at the time of collection?
• What consent, purpose, or other legal basis is being relied on?
• Were phone numbers or emails added from a different source?
• Which vendors, affiliates, agencies, or tools touched the record?
• Has the person opted out anywhere in the chain?
• Can opt-outs flow back to vendors, or only stop inside your CRM?
• Can you produce this evidence if asked?

‍

What responsible companies should do: high-risk datasets

Start with your highest-risk datasets:

1. Newly incorporated company lists
2. Founder or director contact lists
3. Purchased or enriched B2B databases
4. Loan, insurance, real-estate, education, healthcare, or recruitment leads
5. Old CRM imports with unclear source
6. WhatsApp and call-centre lists
7. Partner and affiliate leads

For each dataset, maintain a provenance record with: dataset name, owner, source, vendor, collection method, original purpose, current purpose, consent or provenance evidence, retention rule, opt-out handling, risk level, and action required.

Most companies will find the issue quickly: the data is being used every day, but the evidence is missing.

‍

What founders can do after incorporation to reduce personal data exposure

Founders cannot fully control how public corporate records are accessed and reused. But they can reduce exposure:

• Use business contact details in filings wherever possible
• Keep a separate incorporation or admin email address not used elsewhere
• Track early outreach: sender, channel, timing, claimed source, and opt-out response
• Ask callers directly where they obtained your contact information
• Avoid vendors that cannot explain their data source
• Keep unsubscribe and suppression records from day one

This will not solve the system-level problem, but it creates evidence.

‍

What we are not claiming

• We are not claiming every bank, vendor, broker, consultant, or service provider obtains incorporation-linked data through the same route.
• We are not claiming MCA data access is inherently illegal.
• We are not claiming every post-incorporation outreach event is a DPDPA violation.
• We are not naming any specific company as misusing data unless separately verified.
• We are not giving legal advice.

‍

We are saying something narrower and more practical: when personal data connected to incorporation records becomes sales or marketing fuel, downstream companies need to be able to prove source, purpose, consent or provenance, vendor trail, retention, and suppression. Without that proof, the company is carrying a data provenance risk.

‍

Audit your data provenance with Neostra

DPDPA readiness is not just a privacy policy rewrite. It is not just a consent banner.

For many Indian companies, the real readiness gap is inside sales, marketing, vendors, support, and data tools.
If your team buys, enriches, imports, or reuses customer or prospect data, start with one question:

Can you prove where each record came from and what allows you to use it?

Start your DPDPA readiness audit - DPDPA Readiness Program (Free Access)

‍

Sources

• MeitY Gazette notification, November 13, 2025 - https://www.meity.gov.in/static/uploads/2025/11/c56ceae6c383460ca69577428d36828b.pdf
• MeitY Digital Personal Data Protection Rules, 2025 - https://www.meity.gov.in/documents/act-and-policies/digital-personal-data-protection-rules-2025-gDOxUjMtQWa
• MCA privacy policy - https://www.mca.gov.in/MCA21/dca/common/MCAprivacypolicy.pdf
• MCA CDM Portal (registry figures) - https://www.mcacdm.nic.in
• BestMediaInfo, July 28, 2025 - https://bestmediainfo.com/mediainfo/mediainfo-digital/heres-how-the-ministry-of-corporate-affairs-open-database-is-fueling-a-spam-bazaar-9585974
• Taxscan, October 22, 2025 - https://www.taxscan.in/top-stories/rti-reveals-mca-discloses-who-has-access-to-company-directors-personal-data-1435440

‍