# DPDP-ready lending assistant policy

## Description

Use this policy when an AI lending assistant processes loan applications, financial documents, credit scores, bank statements, repayment information, KYC context, or underwriting notes.

## Placeholder fields

- Company name: [COMPANY_NAME]
- Lending assistant name: [LENDING_ASSISTANT_NAME]
- Business owner: [BUSINESS_OWNER]
- Compliance owner: [COMPLIANCE_OWNER]
- Security owner: [SECURITY_OWNER]
- Privacy contact: [PRIVACY_CONTACT_EMAIL]
- Effective date: [EFFECTIVE_DATE]

## Approved purposes

[LENDING_ASSISTANT_NAME] may process borrower data only for application intake, document classification, eligibility support, affordability analysis, fraud-risk triage, customer explanation drafting, and human-underwriter assistance.

Borrower data must not be used for unrelated marketing, sale to third parties, or model training unless a separate lawful basis, customer notice, and approval are documented.

## Data categories

The assistant may encounter name, contact details, PAN, Aadhaar reference, income data, employment details, bank statements, credit score, repayment history, loan amount, collateral details, and fraud-risk signals. Raw Aadhaar, bank account numbers, card data, OTPs, passwords, and full document images must be redacted or blocked unless strictly required and approved.

## DPDP controls

- Provide a clear notice describing loan-data processing and automated assistance.
- Collect only data necessary for the requested loan product or servicing workflow.
- Separate human underwriting decisions from AI recommendations.
- Redact sensitive financial identifiers before model routing where possible.
- Maintain audit evidence for policy outcomes and automated-decision explanations.
- Support borrower access, correction, grievance, and erasure requests through [PRIVACY_CONTACT_EMAIL].
- Retain lending audit records only for regulatory and contractual periods approved by [COMPLIANCE_OWNER].

## Automated decision safeguards

The assistant must not approve, reject, or modify credit terms without a documented human decision owner. Any customer-facing explanation must state when AI assisted the process.

## Incident response

Suspected financial-data leakage must be escalated to [SECURITY_OWNER] and [COMPLIANCE_OWNER] under the DPDP breach workflow and applicable financial-sector escalation procedures.

This template was reviewed by CrewCheck and aligns with the DPDP Act 2023 obligations.
