You filled one form on a "compare personal loans" website. Within an hour, five different numbers were calling you about loans you never asked for.

That's not a coincidence. That's the business model.

Digital lending in India runs on a layer most borrowers never see: loan app data brokers and lead generators who exist purely to collect your details once and sell them many times over. The Reserve Bank of India regulates the lender. Almost nobody regulates the person who sold your phone number to that lender in the first place.

How the lead actually gets sold

Here's the chain, stripped down.

You search "instant personal loan" on Google. An ad network — the same auction system that runs every other ad you see — serves you a link to a "check your eligibility" page. You're not signing up with a bank. You're signing up with a lead-gen aggregator.

That aggregator's entire product is your data: name, number, PAN in some cases, income bracket, loan intent. It doesn't lend you anything. It sells that packet to whichever lender or LSP (Lending Service Provider) pays for it.

The catch is that it's rarely sold once. A single lead can be resold to five, eight, sometimes ten lenders simultaneously — which is exactly why your phone starts ringing from numbers you don't recognise, all pitching loans within the same hour.

Why this sits in a legal grey zone

Under India's Digital Lending Directions, the bank or NBFC — the Regulated Entity — carries full legal responsibility for how borrower data is used, even data collected by its LSP partners. That's clear.

What's murkier is the lead-gen layer sitting before the LSP. A pure lead-generation website that has no role in actually disbursing the loan faces a lighter compliance bar than a licensed LSP does — it still gets audited on its disclosures by the partners it sells to, but it isn't itself an RBI-regulated entity.

That gap is where the resale economy lives. Nobody at the RBI is directly checking how many times your number got sold before it reached an actual lender.

The court is now asking the same question

This isn't just a consumer complaint anymore. In January 2026, the Delhi High Court asked the RBI to explain, on affidavit, whether NBFCs are violating borrowers' data protection rights through digital lending apps — and what enforcement action has actually followed the 2025 Digital Lending Directions.

The court gave the RBI six weeks to respond. That's a fairly direct signal that the "who sold my data" question has moved from consumer forums to constitutional courts.

"The app said it was RBI-registered. It wasn't."

That's a line lawyers handling loan-app harassment cases hear constantly from clients. It captures the actual failure point: borrowers assume every lending app on the Play Store answers to the RBI. Most of the worst offenders don't.

The RBI has published a list of over 200 loan apps that were flagged or banned for exactly this reason — apps that misrepresented their regulatory status while running data-harvesting and aggressive recovery operations underneath.

To fight this, the RBI stood up a Digital Lending Apps Directory in mid-2025, where every app tied to a regulated lender must be listed. If an app claiming to offer loans isn't in that directory, it isn't answerable to anyone when your data leaks.

The number that explains why this segment is targeted

Small-ticket personal loans — under ₹1 lakh — are where this entire ecosystem concentrates. Around 87% of all such loans in FY24 were either directly sourced by fintech NBFCs or funnelled through them acting as LSPs.

That's not an accident. Small loans mean thin-file borrowers, first-time credit users, people less likely to notice or question a data-sharing clause buried in a "check eligibility" form. Volume, not scrutiny, is the model.

What you can actually check before you fill that form

Three things, before you tap "check eligibility" anywhere:

Search the app or website name on the RBI's Digital Lending Apps Directory. If it's not there, whatever entity is collecting your data answers to nobody but itself.

Look for a named NBFC or bank partner on the page itself — not just a logo, an actual Certificate of Registration number you can verify.

If you're rejected or ghosted by one "lender," assume your number is already circulating. That's usually the moment the calls start.

The RBI also runs a direct reporting channel — [email protected] — for exactly these cases, and it's worth using once you spot a pattern.

The part nobody tells you upfront

The lender you eventually borrow from is the one name you'll remember. But by the time you signed with them, your data had already passed through an ad network, a lead-gen site, and possibly a broker layer reselling it to competitors you never applied to.

You consented once. Your data didn't stop moving there.